Only give the “qubes” group full Polkit access

This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.

passwordless-root/polkit-1-qubes-allow-all.rules

@@ -1,2 +1,2 @@
 //allow any action, detailed reasoning in sudoers.d/qubes
-polkit.addRule(function(action,subject) { return polkit.Result.YES; });
+polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });