Feature #15299: Restrict access to onionkit via D-Bus

Feature #15299

Restrict access to onionkit via D-Bus

Added by segfault 2018-02-10 10:36:05 . Updated 2019-07-19 22:04:38 .

Status:

Confirmed

Priority:

Normal

Assignee:

segfault

Category:

Target version:

Start date:

2018-02-10

Due date:

% Done:

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Server

Deliverable for:

Description

The new backend of Tails Server, onionkit, is accessed via D-Bus. We don’t want unauthorized programs to be able to access onionkit, because it allows performing privileged actions (e.g. starting and stopping services) and gives access to sensitive information (e.g. onion addresses and server passwords).

The polkit currently shipped in Debian Stretch and Buster only allows creating rules based on unix usernames and groups, because it still uses the old-style .pkla rules. So polkit can be used to restrict access to amnesia, but we also don’t want all programs running as amnesia to be able to access onionkit.

The new JavaScript based .rules would allow more fine-grained access control, for example by using the program name (action.lookup("program")).

Subtasks

History

#1 Updated by intrigeri 2018-02-11 06:51:29

Note: fine-grained D-Bus mediation via AppArmor has good chances to land in Linux mainline this year. I can keep you updated if you want.

#2 Updated by segfault 2018-08-05 19:24:25

Target version deleted (~~Tails_3.9~~)

#3 Updated by segfault 2019-07-19 22:04:38

Affected tool set to Server