Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx> --- docs/aclpolkit.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/aclpolkit.rst b/docs/aclpolkit.rst index 9b0a374c53..fe825c504b 100644 --- a/docs/aclpolkit.rst +++ b/docs/aclpolkit.rst @@ -70,6 +70,15 @@ to be approved by Polkit before any further APIs can be called. Read-only access is granted to all local users by default, but read/write access needs to be explicitly allowed. +:since:`Since 9.10.0`, these requests will come with the ``granular`` +attribute (see below) set to either ``"true"``, if the Polkit access +driver is enabled, or ``"false"`` otherwise. A policy designed to +work with the Polkit access driver should only allow the +``org.libvirt.unix.manage`` action if the ``granular`` attribute is +set to ``"true"``: failing to do so might result in accidentally +granting full administrative access to libvirt to more users than +intended if the Polkit access driver is later disabled. + Object identity attributes -------------------------- -- 2.42.0
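Review bot: The added paragraph after "needs to be explicitly allowed." tells policy authors to allow ``org.libvirt.unix.manage`` only when ``granular`` is ``"true"``, but it does not say what a rule should do when the attribute is absent, which follows for any daemon older than the 9.10.0 named in the same sentence. Suggest one more sentence stating that rules should compare against the exact string ``"true"`` and treat every other outcome, including a missing attribute, as not granular, so a policy shared between hosts on different versions fails closed. The "(see below)" pointer would also be easier to follow as an explicit reference to the section that defines the attribute, since the only heading visible after the new text is "Object identity attributes" and nothing in this hunk shows where ``granular`` is described.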