Restrict access to onionkit via D-Bus
The new backend of Tails Server, onionkit, is accessed via D-Bus. We don’t want unauthorized programs to be able to access onionkit, because it allows performing privileged actions (e.g. starting and stopping services) and gives access to sensitive information (e.g. onion addresses and server passwords).
The polkit currently shipped in Debian Stretch and Buster only allows creating rules based on unix usernames and groups, because it still uses the old-style .pkla rules. So polkit can be used to restrict access to the amnesia user, but we also don't want every program running as amnesia to be able to access onionkit. .rules files would allow more fine-grained access control, for example by using the program name (
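As an added illustration of the limitation described above (not a file from Tails or onionkit), this is what a .pkla rule for the current Debian polkit can express: the Identity field only accepts unix-user and unix-group entries, so the most it can do is tie the onionkit actions to the amnesia account. The action prefix org.example.onionkit is a placeholder, since the real action IDs are not given here.

```ini
; /etc/polkit-1/localauthority/50-local.d/onionkit.pkla (hypothetical path)
; Old-style pklocalauthority rule: only Identity (unix-user:/unix-group:)
; and Action globs are available, so every process running as "amnesia"
; matches, regardless of which program it is.
[Allow only the amnesia user to use onionkit]
Identity=unix-user:amnesia
Action=org.example.onionkit.*
ResultAny=no
ResultInactive=no
ResultActive=yes
```

Any other user hits the implicit default for the action, and the rule cannot distinguish between two programs that both run as amnesia.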