Re: Limiting the power of packages

To: debian-devel@lists.debian.org
Subject: Re: Limiting the power of packages
From: Laurent Bigonville <bigon@debian.org>
Date: Fri, 5 Oct 2018 14:22:59 +0200
Message-id: <[🔎] 4a4b0b62-af48-e86e-3455-1a112ee5bd53@debian.org>
In-reply-to: <[🔎] 20181003171917.GB2043@exolobe1.liw.fi>
References: <[🔎] 20181003171917.GB2043@exolobe1.liw.fi>

Lars Wirzenius wrote:

* default: install files in /usr only
* kernel: install files in /boot, trigger initramfs
* core: can install files anywhere, trigger anything
* maintained-by-liw: full power to do anything

This might be implemented in various ways. For example, dpkg could
create a temporary directory, and bind mount the directories the
profile indicates are needed, into a temporary shadow of the full
system. Maintainer scripts would be run in the shadow environment.
Thus, if they try to do something that isn't allowed by the packages
profile, they can't.

This can be done with SELinux as well, the maintainer scripts can be labeled and dpkg will run them in the desired context.

Reply to:

Follow-Ups:
- Re: Limiting the power of packages
  - From: David Bremner <david@tethera.net>

References:
- Limiting the power of packages
  - From: Lars Wirzenius <liw@liw.fi>

Prev by Date: Re: Limiting the power of packages
Next by Date: Re: Limiting the power of packages
Previous by thread: Re: Limiting the power of packages
Next by thread: Re: Limiting the power of packages
Index(es):
- Date
- Thread