
Re: APT 1.1~exp3 released to experimental: First step to sandboxed fetcher methods



(Adding deity@l.d.o to CC)

On Tue, Oct 07, 2014 at 03:37:54PM +0200, intrigeri wrote:
> Hi,
> 
> > Today, we worked, with the help of ioerror on IRC, on reducing the
> > attack surface in our fetcher methods.
> 
> \o/
> 
> > There are three things that we looked at:
> 
> >   1. Reducing privileges by setting a new user and group
> >   2. chroot()
> >   3. seccomp-bpf sandbox
> 
> I'm part of the Debian AppArmor team (Cc'd).
> 
> Would it be interesting to have AppArmor profiles that ensure that
> e.g. the download methods can only access the files they are supposed
> to access? (I don't have the APT privilege separation big picture
> in mind.)

Sure. Feel free to work on it :)

With the next release it will look like this:

As root: Methods can write to
	/var/lib/apt/lists/partial
	/var/cache/apt/archives/partial

Sometimes, they also write to directories in /tmp (changelog fetching for
example); and there's apt-get download which downloads to the current
directory.

There might be some other corner cases I am not aware of.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
    - If you don't I might ignore you.
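As an added illustration (not part of this mail, and not a profile shipped by APT or the Debian AppArmor team), here is a sketch of what a per-method AppArmor profile built from the directory list above could look like. The profile path /usr/lib/apt/methods/http, the abstraction includes, the network rules and the read-only rules are assumptions; the two writable "partial" directories and the /tmp case are the ones named in the mail.

```apparmor
# Constructed example: confine one APT fetcher method to the paths it needs.
# Assumption: the method binary lives at /usr/lib/apt/methods/http.
#include <tunables/global>

/usr/lib/apt/methods/http {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Fetching over the network (assumed; an http method needs a socket).
  network inet stream,
  network inet6 stream,

  # Configuration is read-only (assumed).
  /etc/apt/ r,
  /etc/apt/** r,

  # The only directories the mail says a method writes to as root.
  /var/lib/apt/lists/partial/ r,
  /var/lib/apt/lists/partial/** rw,
  /var/cache/apt/archives/partial/ r,
  /var/cache/apt/archives/partial/** rw,

  # Changelog fetching writes temporary files under /tmp;
  # "owner" limits this to files the method's own uid created.
  owner /tmp/** rw,

  # Everything else (other /var/lib/apt, /var/cache/apt, home directories, ...)
  # is implicitly denied and logged.
}
```

The corner case the mail mentions, apt-get download writing to the current directory, has no fixed path and therefore cannot be expressed as a rule like the ones above; it would either need a broader rule or a different mechanism. Loading a profile of this kind with aa-complain first, so that violations are logged rather than blocked, is the usual way to surface the other corner cases the mail says it is not aware of before switching to enforce mode.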
