Bug#880638: release-notes: Document apt sandbox support [buster]



Joost van Baal-Ilić:
> Hi Niels,
> 
> Thanks for your bug report!
> 

Hi, :)

> On Fri, Nov 03, 2017 at 07:37:12AM +0100, Niels Thykier wrote:
>> Package: release-notes
>> Severity: wishlist
>>
>> --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
>> apt (1.6~alpha1) unstable; urgency=medium
>>
>>   All methods provided by apt except for cdrom, gpgv, and rsh now
>>   use seccomp-BPF sandboxing to restrict the list of allowed system
>>   calls, and trap all others with a SIGSYS signal. Three options
>>   can be used to configure this further:
>>
>>     APT::Sandbox::Seccomp is a boolean to turn it on/off
>>     APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
>>     APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
>>
>>   Also, sandboxing is now enabled for the mirror method.
>>
>>  -- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200
>>
>> Seems like it would be prudent to mention that in the release-notes
>> for buster.
> 
> 
> Are https and debtorrent "methods provided by apt", or are these methods
> shipped in other optional packages and not yet sandboxed?
> 

The https method is (now) provided directly by apt and is covered by the
sandboxing (implementation-detail: It is in fact the same binary as the
"http" method).

As for debtorrent: I /think/ it is a "third-party" method (from apt's
PoV) and therefore not covered by the built-in rules.  CC'ing deity to
confirm that.

> Is the mirror method now using the same sandboxing implementation?
> 

That is my understanding.

> The text could be more clear; for some answers to these questions a proposed
> enhanced text is:
> 
>  All methods provided by apt (e.g. http, https, debtorrent, ...) except for
>  cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
>  kernel to restrict the list of allowed system calls, and trap all others with a
>  SIGSYS signal.
>  [...]
> 
>  Also, this sandboxing is now enabled for the mirror method.
> 
> 
> Bye,
> 
> Joost
> 

As per above, I think it needs a s/debtorrent, //.

I was also wondering whether we should document it in "whats-new" or
"issues".  The latter clearly makes sense as it can cause issues that
people need to know how to solve.  On the other side, I think it would
be nice to document that apt has been hardened even further (and that,
IMO, would fit "Whats new" better than "Issues").

Thanks,
~Niels
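The three options from the apt changelog quoted above, written out in apt.conf drop-in syntax. This example is added here and is not part of the bug report or of apt's own documentation; the file name and the syscall names are constructed placeholders, so substitute the syscall actually reported by the failing method.

```conf
// Constructed example: /etc/apt/apt.conf.d/99-seccomp-sandbox

// Weak setting: disabling the whole sandbox to work around one trapped
// syscall removes the seccomp-BPF protection from every method.
// APT::Sandbox::Seccomp "false";

// Preferred: keep the sandbox on and widen the allow list by exactly
// the syscall that is needed (the name below is a constructed example).
APT::Sandbox::Seccomp "true";
APT::Sandbox::Seccomp::Allow { "ioctl"; };

// Optional: trap additional syscalls that this deployment never needs
// (constructed example name); a trapped call terminates the method with SIGSYS.
APT::Sandbox::Seccomp::Trap { "ptrace"; };
```

Changes to the allow list widen the sandbox for all methods at once, so keep the list as short as the failure actually requires.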
