Bug#880638: release-notes: Document apt sandbox support [buster]
On Sat, Nov 04, 2017 at 06:23:00AM +0000, Niels Thykier wrote:
> Joost van Baal-Ilić:
> > Hi Niels,
> >
> > Thanks for your bug report!
> >
>
> Hi, :)
>
> > On Fri, Nov 03, 2017 at 07:37:12AM +0100, Niels Thykier wrote:
> >> Package: release-notes
> >> Severity: wishlist
> >>
> >> --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
> >> apt (1.6~alpha1) unstable; urgency=medium
> >>
> >> All methods provided by apt except for cdrom, gpgv, and rsh now
> >> use seccomp-BPF sandboxing to restrict the list of allowed system
> >> calls, and trap all others with a SIGSYS signal. Three options
> >> can be used to configure this further:
> >>
> >> APT::Sandbox::Seccomp is a boolean to turn it on/off
> >> APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
> >> APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
> >>
> >> Also, sandboxing is now enabled for the mirror method.
> >>
> >> -- Julian Andres Klode <jak@debian.org> Mon, 23 Oct 2017 01:58:18 +0200
> >>
> >> Seems like it would be prudent to mention that in the release-notes
> >> for buster.
> >
> >
> > Are https and debtorrent "methods provided by apt", or are these methods
> > shipped in other optional packages and not yet sandboxed?
> >
>
> The https method is (now) provided directly by apt and is covered by the
> sandboxing (implementation-detail: It is in fact the same binary as the
> "http" method).
>
> As for debtorrent: I /think/ it is a "third-party" method (from apt's
> PoV) and therefore not covered by the built-in rules. CC'ing deity to
> confirm that.
That's correct.
>
> > Is the mirror method now using the same sandboxing implementation?
> >
>
> That is my understanding.
>
> > The text could be more clear; for some answers to these questions a proposed
> > enhanced text is:
> >
> > All methods provided by apt (e.g. http, https, debtorrent, ...) except for
> > cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
> > kernel to restrict the list of allowed system calls, and trap all others with a
> > SIGSYS signal.
> > [...]
> >
> > Also, this sandboxing is now enabled for the mirror method.
> >
> >
> > Bye,
> >
> > Joost
> >
>
> As per above, I think it needs a s/debtorrent, //.
>
> I was also wondering whether we should document it in "whats-new" or
> "issues". The latter clearly makes sense as it can cause issues that
> people need to know how to solve. On the other side, I think it would
> be nice to document that apt has been hardened even further (and that,
> IMO, would fit "Whats new" better than "Issues").
Why not just both? Add it to what's new and add a link to issues saying
"also the <a>new sandboxing features in apt</a> might cause some issues."
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
Ubuntu Core Developer de, en speaker
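How the three options quoted in the bug report are set in practice, as an added example that is not part of this thread or of apt itself: apt reads configuration fragments from /etc/apt/apt.conf.d/, and the remedy for a method killed by SIGSYS is to add the missing syscall to APT::Sandbox::Seccomp::Allow rather than turning the sandbox off. The fragment name 99seccomp and the syscall names statx and getrandom are illustrative assumptions; the apt.conf list syntax (`Option { "a"; "b"; };`) and the `-c` option of apt-config are standard.

```shell
#!/bin/sh
# Added example (not from the bug report or the apt project): render apt.conf
# fragments for the seccomp sandbox options documented in apt 1.6~alpha1.
# Assumptions: the fragment path and the syscall names are illustrative.
set -eu

# Render a list of syscall names as an apt.conf list value for OPTION.
apt_syscall_list() {
    option="$1"; shift
    printf '%s {\n' "$option"
    for sc in "$@"; do
        printf '    "%s";\n' "$sc"
    done
    printf '};\n'
}

# Keep the sandbox on and allow additional syscalls (the usual fix when a
# method dies with SIGSYS after an apt or libc upgrade).
seccomp_allow_conf() {
    printf 'APT::Sandbox::Seccomp "true";\n'
    apt_syscall_list 'APT::Sandbox::Seccomp::Allow' "$@"
}

# Keep the sandbox on and trap additional syscalls (tightening the filter).
seccomp_trap_conf() {
    printf 'APT::Sandbox::Seccomp "true";\n'
    apt_syscall_list 'APT::Sandbox::Seccomp::Trap' "$@"
}

# Disable the sandbox entirely; last resort for unsupported kernels.
seccomp_disable_conf() {
    printf 'APT::Sandbox::Seccomp "false";\n'
}

# Write an Allow fragment to CONF and, when apt-config is installed, dump the
# effective Seccomp settings so the result can be checked before running apt.
install_seccomp_allow() {
    conf="$1"; shift
    seccomp_allow_conf "$@" > "$conf"
    if command -v apt-config >/dev/null 2>&1; then
        apt-config -c "$conf" dump | grep '^APT::Sandbox::Seccomp' || true
    fi
}

# Demo on a temporary file; a real deployment would use a path such as
# /etc/apt/apt.conf.d/99seccomp (hypothetical name).
tmp=$(mktemp)
install_seccomp_allow "$tmp" statx getrandom
cat "$tmp"
rm -f "$tmp"
```

Check the merged configuration with `apt-config dump | grep '^APT::Sandbox::Seccomp'`; the Allow and Trap lists only have an effect while APT::Sandbox::Seccomp is "true".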