LPE to access to the tps system D-Bus service via sudo
https://git.radicallyopensecurity.com/otf/pen-tails/-/issues/3
User impact
An adversary who can already execute arbitrary code as the amnesia user can leverage this vulnerability to perform all sorts of Persistent Storage operations, such as: create, delete, or activate a Persistent Storage volume; activate, deactivate, or delete a specific default feature. As far as we can tell, the only security-relevant impact of this is the ability to delete persistent data to which the amnesia user lacks write access, which poses a data-integrity and denial-of-service risk. All other security-sensitive operations that can be performed via this code path, i.e. deleting amnesia-owned data, can already be done by the adversary at that point, so they don't constitute privilege escalation.
Note, in passing, that impact may be vastly greater if #20184 had been implemented already.
Practical exploitation path
Same as #20701 (closed), due to the need to run sudo.
Proof of concept
cp -af /var/run/user/1000/user-env /tmp/foo && sudo -u tails-persistent-storage ENVFILE=/tmp/foo /usr/local/bin/tails-persistent-storage --gtk-module 1
… demonstrates that --gtk-module is passed through and honored by the GTK app, which allows loading an arbitrary .so file and thus LPE to an environment allowed to connect to the tps D-Bus service on the system bus.
It seems we might have been safe before e23dd723.
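As an added illustration of the hardening this finding calls for (example code, not code from Tails or from this issue): it assumes the frontend hands its full argv to Gtk.Application.run(), which is what lets GTK parse and honor --gtk-module; instead, the program validates its own arguments with argparse and gives GTK only argv[0]. The --debug option and the function names are assumptions.

```python
import argparse
from typing import List, Tuple

# Options the frontend is assumed to accept itself (assumption: the real
# tails-persistent-storage option set is not given in the issue).
APP_OPTIONS = {"--debug"}


def safe_app_argv(argv: List[str]) -> Tuple[argparse.Namespace, List[str]]:
    """Validate argv strictly and return (app options, argv to hand to GTK).

    Anything not in APP_OPTIONS is refused, so every GTK-recognised switch
    (including --gtk-module, which makes GTK dlopen() an arbitrary .so) is
    rejected before GTK ever sees the command line. A caller that reaches
    this binary via sudo therefore cannot smuggle a module path through argv.
    """
    parser = argparse.ArgumentParser(prog=argv[0], add_help=False,
                                     allow_abbrev=False)
    parser.add_argument("--debug", action="store_true")
    # parse_known_args collects unrecognised tokens instead of exiting,
    # so we can fail closed with an exception the caller controls.
    opts, unknown = parser.parse_known_args(argv[1:])
    if unknown:
        raise ValueError("refusing unexpected arguments: %r" % (unknown,))
    # GTK gets a one-element argv: no options for it to interpret.
    return opts, [argv[0]]


# Vulnerable pattern (what the PoC implies the app did):
#   app.run(sys.argv)              # GTK parses --gtk-module and loads it
# Hardened pattern:
#   opts, gtk_argv = safe_app_argv(sys.argv)
#   app.run(gtk_argv)              # GTK sees only argv[0]
```

This only closes the argv path; module loading via GTK_MODULES in the environment must be prevented separately, e.g. by sudo's env_reset and by not keeping such variables through env_keep.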