Restrict access to onionkit via D-Bus
Originally created by @segfault on #15299 (Redmine)
The new backend of Tails Server, onionkit, is accessed via D-Bus. We don’t want unauthorized programs to be able to access onionkit, because it allows performing privileged actions (e.g. starting and stopping services) and gives access to sensitive information (e.g. onion addresses and server passwords).
The polkit currently shipped in Debian Stretch and Buster only allows creating rules based on unix usernames and groups, because it still uses the old-style `.pkla` rules. So polkit can be used to restrict access to `amnesia`, but we also don't want all programs running as `amnesia` to be able to access onionkit.

The new JavaScript based `.rules` would allow more fine-grained access control, for example by using the program name (`action.lookup("program")`).
IIUC, using polkit it's not possible to allow some application to perform an action and deny some other application run by the same user to perform the same action. The `program` variable is set by `pkexec`, and it's set to the program that `pkexec` tries to execute, which doesn't help for our use case.
D-Bus mediation via AppArmor would help, but it's still not in Linux mainline.
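For reference, this is what the user-level restriction discussed above looks like when expressed directly in the D-Bus daemon's own bus policy (a file under `/etc/dbus-1/system.d/`). This is an added example, not a file from Tails or onionkit; the bus name `org.example.OnionKit` is a placeholder, since the issue does not name the real one. Only root may claim the name, and only the `amnesia` user may send messages to it:

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- org.example.OnionKit is a placeholder; the real bus name is not given in the issue -->

  <!-- Only the service running as root may own the name -->
  <policy user="root">
    <allow own="org.example.OnionKit"/>
  </policy>

  <!-- Default for every other connection: no messages to the service at all.
       dbus-daemon evaluates context="default" first, then group and user
       policies, so the user policy below overrides this deny for amnesia. -->
  <policy context="default">
    <deny send_destination="org.example.OnionKit"/>
  </policy>

  <!-- Grant access to the amnesia user only -->
  <policy user="amnesia">
    <allow send_destination="org.example.OnionKit"/>
  </policy>
</busconfig>
```

This has exactly the granularity the issue complains about: the decision is made per connecting uid, so every process running as `amnesia` is allowed through, and nothing in the bus policy can distinguish one such program from another. Narrowing it further needs a mediator that knows the caller's identity beyond its uid, which is what the AppArmor D-Bus mediation mentioned above would provide.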
Parent Task: #5688 (closed)