Re: Limiting the power of packages

[Jonathan Dowland <jmtd@debian.org>]

On Wed, Oct 03, 2018 at 08:19:17PM +0300, Lars Wirzenius wrote:
> A suggestion: we restrict where packages can install files and what
> maintainer scripts can do. The default should be as safe as we can
> make it, and packages that need to do things not allowed by the
> default should declare they that they intend to do that.

I think this is a great idea.

> This could be done, for example, by having each package labelled with
> an installation profile, which declares what the package intends to do
> upon installation, upgrade, or removal.

And the user's local policy determines what happens? e.g. allow, deny,
prompt/log...

> This might be implemented in various ways. For example, dpkg could
> create a temporary directory, and bind mount the directories the
> profile indicates are needed, into a temporary shadow of the full
> system. Maintainer scripts would be run in the shadow environment.
> Thus, if they try to do something that isn't allowed by the packages
> profile, they can't.

This could more easily be achieved* (IMHO) using mount namespaces, and
more generally the collection of technologies (namespaces, seccomp
filters, etc.) that are collectively described as "containers".

I think an important step for figuring out what to contain would be
to audit all existing {pre,post}inst scripts and categorize them by
what they do (areas of the filesystem they read or write to; network
access; device access; etc.)

* on Linux, at least. Not sure about KFreeBSD.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.