From 956d8aee01c3fed8a7a7105fe019ff2df8454f29 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 16 Jan 2024 12:53:39 +0100
Subject: [PATCH] bus-polkit: treat various well-known PK errors as denied

Various recognizable errors from

https://www.freedesktop.org/software/polkit/docs/latest/eggdbus-interface-org.freedesktop.PolicyKit1.Authority.html#eggdbus-errordomain-org.freedesktop.PolicyKit1.Error.

should be considered access failures, hence treat them like that.
---
 src/shared/bus-polkit.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c
index ff905d147f8..8564eccce17 100644
--- a/src/shared/bus-polkit.c
+++ b/src/shared/bus-polkit.c
@@ -280,8 +280,13 @@ static int async_polkit_read_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
 
                 e = sd_bus_message_get_error(reply);
 
-                if (bus_error_is_unknown_service(e))
-                        /* Treat no PK available as access denied */
+                if (bus_error_is_unknown_service(e) ||
+                    sd_bus_error_has_names(
+                                    e,
+                                    "org.freedesktop.PolicyKit1.Error.Failed",
+                                    "org.freedesktop.PolicyKit1.Error.Cancelled",
+                                    "org.freedesktop.PolicyKit1.Error.NotAuthorized"))
+                        /* Treat no PK available as access denied. Also treat some of the well-known PK errors as such. */
                         q->denied_action = TAKE_PTR(a);
                 else {
                         /* Save error from polkit reply, so it can be returned when the same authorization
-- 
2.47.3