Do not require the root password to update removable devices

policy/org.freedesktop.fwupd.policy.in

@@ -13,7 +13,7 @@
   <vendor_url>https://github.com/hughsie/fwupd</vendor_url>
   <icon_name>application-vnd.iccprofile</icon_name>
 
-  <action id="org.freedesktop.fwupd.update">
+  <action id="org.freedesktop.fwupd.update-internal">
     <!-- SECURITY:
           - Normal users require admin authentication to update firmware
           - This should not be set to 'yes' as unprivileged users could then
@@ -29,4 +29,18 @@
     </defaults>
   </action>
 
+  <action id="org.freedesktop.fwupd.update-hotplug">
+    <!-- SECURITY:
+          - Normal users should not require admin authentication to update devices
+     -->
+    <_description>Install device firmware update</_description>
+    <_message>Authentication is required to update the firmware on a device</_message>
+    <icon_name>application-vnd.iccprofile</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>no</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+
 </policyconfig>

src/fu-common.h

@@ -40,6 +40,7 @@
 #define FU_DEVICE_KEY_VERSION_LOWEST	"VersionLowest"
 #define FU_DEVICE_KEY_VENDOR		"Vendor"
 #define FU_DEVICE_KEY_SUMMARY		"Summary"
+#define FU_DEVICE_KEY_KIND		"Kind"		/* 'internal' or 'hotplug' */
 
 /* if adding values here, remember to register them in fu_error_quark() */
 typedef enum {

src/fu-main.c

@@ -397,7 +397,9 @@ fu_main_daemon_method_call (GDBusConnection *connection, const gchar *sender,
 		GDBusMessage *message;
 		GUnixFDList *fd_list;
 		GVariant *prop_value;
+		const gchar *action_id;
 		const gchar *id = NULL;
+		const gchar *kind;
 		gchar *prop_key;
 		gint32 fd_handle = 0;
 		gint fd;
@@ -481,10 +483,18 @@ fu_main_daemon_method_call (GDBusConnection *connection, const gchar *sender,
 			return;
 		}
 
+		/* relax authentication checks for removable devices */
+		kind = fu_device_get_metadata (helper->device, FU_DEVICE_KEY_KIND);
+		if (g_strcmp0 (kind, "hotplug") == 0) {
+			action_id = "org.freedesktop.fwupd.update-hotplug";
+		} else {
+			action_id = "org.freedesktop.fwupd.update-internal";
+		}
+
 		/* authenticate */
 		subject = polkit_system_bus_name_new (sender);
 		polkit_authority_check_authorization (helper->priv->authority, subject,
-						      "org.freedesktop.fwupd.update",
+						      action_id,
 						      NULL,
 						      POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
 						      NULL,

src/fu-provider-chug.c

@@ -399,6 +399,8 @@ fu_provider_chug_device_added_cb (GUsbContext *ctx,
 					"ColorHug");
 		fu_device_set_metadata (item->device, FU_DEVICE_KEY_GUID,
 					ch_device_get_guid (device));
+		fu_device_set_metadata (item->device, FU_DEVICE_KEY_KIND,
+					"hotplug");
 
 		/* try to get the serial number -- if opening failed then
 		 * poll until the device is not busy */

src/fu-provider-uefi.c

@@ -128,6 +128,7 @@ fu_provider_uefi_coldplug (FuProvider *provider, GError **error)
 		fu_device_set_metadata (dev, FU_DEVICE_KEY_PROVIDER, "UEFI");
 		fu_device_set_metadata (dev, FU_DEVICE_KEY_GUID, guid);
 		fu_device_set_metadata (dev, FU_DEVICE_KEY_VERSION, version);
+		fu_device_set_metadata (dev, FU_DEVICE_KEY_KIND, "internal");
 		if (re.lowest_supported_fw_version != 0) {
 			version_lowest = g_strdup_printf ("%" G_GUINT32_FORMAT,
 							  re.lowest_supported_fw_version);

src/fu-util.c

@@ -248,6 +248,7 @@ fu_util_get_devices (FuUtilPrivate *priv, gchar **values, GError **error)
 		const gchar *value;
 		const gchar *keys[] = {
 			FU_DEVICE_KEY_DISPLAY_NAME,
+			FU_DEVICE_KEY_KIND,
 			FU_DEVICE_KEY_PROVIDER,
 			FU_DEVICE_KEY_GUID,
 			FU_DEVICE_KEY_VERSION,