Joost van Baal-Ilić:
> Hi Niels,
>
> Thanks for your bugreport!
>

Hi, :)

> On Fri, Nov 03, 2017 at 07:37:12AM +0100, Niels Thykier wrote:
>> Package: release-notes
>> Severity: wishlist
>>
>> --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
>> apt (1.6~alpha1) unstable; urgency=medium
>>
>>   All methods provided by apt except for cdrom, gpgv, and rsh now
>>   use seccomp-BPF sandboxing to restrict the list of allowed system
>>   calls, and trap all others with a SIGSYS signal. Three options
>>   can be used to configure this further:
>>
>>   APT::Sandbox::Seccomp is a boolean to turn it on/off
>>   APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
>>   APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
>>
>>   Also, sandboxing is now enabled for the mirror method.
>>
>>  -- Julian Andres Klode <j...@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200
>>
>> Seems like it would be prudent to mention that in the release-notes
>> for buster.
>
>
> Are https and debtorrent "methods provided by apt", or are these methods
> shipped in other optional packages and not yet sandboxed?
>

The https method is (now) provided directly by apt and is covered by the
sandboxing (implementation-detail: It is in fact the same binary as the
"http" method).

As for debtorrent: I /think/ it is a "third-party" method (from apt's PoV)
and therefore not covered by the built-in rules. CC'ing deity to confirm
that.

> Is the mirror method now using the same sandboxing implementation?
>

That is my understanding.

> The text could be more clear; for some answers to these questions a proposed
> enhanced text is:
>
>   All methods provided by apt (e.g. http, https, debtorrent, ...) except for
>   cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
>   kernel to restrict the list of allowed system calls, and trap all others
>   with a SIGSYS signal.
>   [...]
>
>   Also, this sandboxing is now enabled for the mirror method.
>
>
> Bye,
>
> Joost
>

As per above, I think it needs a s/debtorrent, //.
I was also wondering whether we should document it in "whats-new" or
"issues". The latter clearly makes sense as it can cause issues that
people need to know how to solve. On the other side, I think it would be
nice to document that apt has been hardened even further (and that, IMO,
would fit "Whats new" better than "Issues").

Thanks,
~Niels