Restrict access to onionkit via D-Bus
The new backend of Tails Server, onionkit, is accessed via D-Bus. We don’t want unauthorized programs to be able to access onionkit, because it allows performing privileged actions (e.g. starting and stopping services) and gives access to sensitive information (e.g. onion addresses and server passwords).
The polkit currently shipped in Debian Stretch and Buster only allows creating rules based on unix usernames and groups, because it still uses .pkla rules. So polkit can be used to restrict access to `amnesia`, but we also don't want all programs running as `amnesia` to be able to access onionkit.

.rules files would allow more fine-grained access control, for example by using the program name.
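As an added illustration (not a file from Tails or onionkit), this is what an identity-based .pkla rule for onionkit would look like; the action id `org.boum.tails.onionkit.*` is a placeholder, since the page does not name the real actions:

```ini
; /etc/polkit-1/localauthority/50-local.d/onionkit.pkla (hypothetical path)
; .pkla rules match only on Identity, which accepts unix-user:/unix-group:
; entries, so this allows every process running as amnesia, not a
; specific client program.
[Allow the amnesia user to manage onionkit]
Identity=unix-user:amnesia
Action=org.boum.tails.onionkit.*
ResultAny=no
ResultInactive=no
ResultActive=yes
```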
IIUC, using polkit it's not possible to allow some application to perform an action and deny some other application run by the same user to perform the same action.

The `program` variable is set by `pkexec`, and it's set to the program that `pkexec` tries to execute, which doesn't help for our use case.
D-Bus mediation via AppArmor would help, but it's still not in Linux mainline.
Parent Task: #5688 (closed)