
Bug#880638: release-notes: Document apt sandbox support [buster]



On Sun, 24 Mar 2019 20:49:46 +0100 Paul Gevers <elbrus@debian.org> wrote:
> Control: tags -1 moreinfo
> 
> Hi all,
> 
> On Tue, 12 Feb 2019 21:34:00 +0000 Niels Thykier <niels@thykier.net> wrote:
> > On Fri, 03 Nov 2017 07:37:12 +0100 Niels Thykier <niels@thykier.net> wrote:
> > > Package: release-notes
> > > Severity: wishlist
> > > 
> > > --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
> > > apt (1.6~alpha1) unstable; urgency=medium
> > > 
> > >   All methods provided by apt except for cdrom, gpgv, and rsh now
> > >   use seccomp-BPF sandboxing to restrict the list of allowed system
> > >   calls, and trap all others with a SIGSYS signal. Three options
> > >   can be used to configure this further:
> > > 
> > >     APT::Sandbox::Seccomp is a boolean to turn it on/off
> > >     APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
> > >     APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
> > > 
> > >   Also, sandboxing is now enabled for the mirror method.
> > > 
> > >  -- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200
> > > 
> > > 
> > > Seems like it would be prudent to mention that in the release-notes
> > > for buster.
> > > 
> > > Thanks,
> > > ~Niels
> > > 
> > > 
> > 
> > Note to self/update: The feature is (now) *off* by default (see #890489).
> 
> So, should we still mention this? At least it should only go into the
> whats-new section now.
> 
> Paul
> 
> 

I think it would make sense for two reasons:
 1) We had a severe security bug in apt recently and while sandboxing
    would not have prevented it, it still shows that the apt developers
    have been working on hardening apt in general and against future
    threats.
 2) We advertise apparmor as a new default/recommendation to harden
    Debian.  The apt sandboxing would strengthen the image of buster
    providing better (opt-in) security compared to stretch.

But yes, it should certainly only be in "whats-new" given it is opt-in.

Thanks,
~Niels

