Allow any admin users to install system firmware without a password

From a security point of view, this is no more scary than allowing admin users
to install a new kernel or glibc package.

contrib/fwupd.spec.in

@@ -47,6 +47,7 @@ make install DESTDIR=$RPM_BUILD_ROOT
 %{_sysconfdir}/dbus-1/system.d/org.freedesktop.fwupd.conf
 %{_datadir}/dbus-1/interfaces/org.freedesktop.fwupd.xml
 %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
+%{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
 %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
 %{_datadir}/man/man1/fwupdmgr.1.gz
 %dir %{_localstatedir}/lib/fwupd

policy/Makefile.am

@@ -1,3 +1,8 @@
+
+polkit_rulesdir = $(datadir)/polkit-1/rules.d
+dist_polkit_rules_DATA =				\
+	org.freedesktop.fwupd.rules
+
 @INTLTOOL_POLICY_RULE@
 polkit_policydir = $(datadir)/polkit-1/actions
 polkit_policy_in_files = org.freedesktop.fwupd.policy.in

policy/org.freedesktop.fwupd.rules

@@ -0,0 +1,7 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.fwupd.update-internal" &&
+        subject.active == true && subject.local == true &&
+        subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+    }
+});