I went through the new D-Bus and Varlink methods, their respective authorization policies, the Polkit check implementations, and had a *cursory* look at the actual method implementations.

D-Bus methods:

- org.freedesktop.import1.cancel
  - Implemented in: src/import/importd.c
- org.freedesktop.home1.activate-home
  - Implemented in: src/home/homed-home-bus.c
  - Explained in commit 336b1f1936ffbc62fa2cb189d8f86fbd982dcf15

Varlink [1] methods:

- io.systemd.credentials.encrypt
  io.systemd.credentials.decrypt
  - Implemented in: src/creds/creds.c
- io.systemd.mount-file-system.mount-image
  io.systemd.mount-file-system.mount-image-privately
  io.systemd.mount-file-system.mount-untrusted-image
  io.systemd.mount-file-system.mount-untrusted-image-privately
  - Implemented in: src/mountfsd/mountwork.c
- org.freedesktop.network1.set-persistent-storage
  - Implemented in: src/network/networkd-manager-varlink.c
  - Specifies whether persistent storage for systemd-networkd is available

Regarding the image mounting functions, the terminology was a bit unclear to me at first. Trusted vs untrusted refers to the location of the image, i.e. there's a set of trusted directories, defined in `src/shared/discover-image.c`. Likewise, the presence/absence of the "-privately" suffix refers to the namespace the image is mounted in. "mount-*image" mounts into the host ns and "mount-*image-privately" mounts into a private user ns. The latter functions have a more relaxed authorization policy.

All in all I see no obvious problem with any of this and we can whitelist it.

[1] https://lwn.net/Articles/742675/
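Added example, not part of the original comment and not systemd or reviewer code: a small audit helper that reads a polkit `.policy` document and lists every implicit authorization that is not gated behind admin authentication, which is the comparison the review above makes between the host-namespace and "-privately" mount actions. The action ids come from the comment; the `<defaults>` values in the sample are constructed placeholders, not the values systemd ships, and treating an omitted scope as `no` is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

SCOPES = ("allow_any", "allow_inactive", "allow_active")
VALID = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
ADMIN_GATED = {"no", "auth_admin", "auth_admin_keep"}

# Constructed sample: real action ids from the comment, placeholder defaults.
SAMPLE_POLICY = """<policyconfig>
  <action id="io.systemd.mount-file-system.mount-image">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="io.systemd.mount-file-system.mount-image-privately">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="io.systemd.mount-file-system.mount-untrusted-image">
    <defaults>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def action_defaults(policy_xml):
    """Map action id -> {scope: value}. Assumption: an omitted scope means "no"."""
    out = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        d = action.find("defaults")
        out[action.get("id")] = {
            s: ((d.findtext(s) if d is not None else None) or "no").strip()
            for s in SCOPES}
    return out

def review(policy_xml):
    """Return (action id, scope, value) for each setting a reviewer should
    justify: access granted without admin authentication, or an invalid value."""
    findings = []
    for aid, scopes in sorted(action_defaults(policy_xml).items()):
        for s in SCOPES:
            v = scopes[s]
            if v not in VALID:
                findings.append((aid, s, "invalid:" + v))
            elif v not in ADMIN_GATED:
                findings.append((aid, s, v))
    return findings
```

Each finding is a prompt to read the method implementation and confirm that the relaxed setting is safe in context, as the review does for the private-namespace variants.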