
Bug#880638: release-notes: Document apt sandbox support [buster]



On Fri, 03 Nov 2017 07:37:12 +0100 Niels Thykier <niels@thykier.net> wrote:
> Package: release-notes
> Severity: wishlist
> 
> --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
> apt (1.6~alpha1) unstable; urgency=medium
> 
>   All methods provided by apt except for cdrom, gpgv, and rsh now
>   use seccomp-BPF sandboxing to restrict the list of allowed system
>   calls, and trap all others with a SIGSYS signal. Three options
>   can be used to configure this further:
> 
>     APT::Sandbox::Seccomp is a boolean to turn it on/off
>     APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
>     APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
> 
>   Also, sandboxing is now enabled for the mirror method.
> 
>  -- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200
> 
> 
> Seems like it would be prudent to mention that in the release-notes
> for buster.
> 
> Thanks,
> ~Niels
> 
> 

Note to self/update: The feature is (now) *off* by default (see #890489).

Thanks,
~Niels
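
The three options from the quoted NEWS entry, written as an apt.conf drop-in; because the feature is off by default, the first setting is the one that turns it on. This is an added example, not part of the original message or of apt's own documentation; the file name and the two syscall names are constructed sample values, not recommendations.

```conf
// /etc/apt/apt.conf.d/99seccomp   (hypothetical file name)

// Turn on seccomp-BPF sandboxing for apt's methods.
APT::Sandbox::Seccomp "true";

// Names of additional syscalls to allow (constructed sample value).
APT::Sandbox::Seccomp::Allow { "readlink"; };

// Names of additional syscalls to trap with SIGSYS (constructed sample value).
APT::Sandbox::Seccomp::Trap { "socketpair"; };
```

The effective values can be read back with `apt-config dump APT::Sandbox::Seccomp`.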

