On Sat, Nov 04, 2017 at 06:23:00AM +0000, Niels Thykier wrote:
> Joost van Baal-Ilić:
> > Hi Niels,
> >
> > Thanks for your bug report!
> >
>
> Hi, :)
>
> > On Fri, Nov 03, 2017 at 07:37:12AM +0100, Niels Thykier wrote:
> >> Package: release-notes
> >> Severity: wishlist
> >>
> >> --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
> >> apt (1.6~alpha1) unstable; urgency=medium
> >>
> >>   All methods provided by apt except for cdrom, gpgv, and rsh now
> >>   use seccomp-BPF sandboxing to restrict the list of allowed system
> >>   calls, and trap all others with a SIGSYS signal. Three options
> >>   can be used to configure this further:
> >>
> >>   APT::Sandbox::Seccomp is a boolean to turn it on/off
> >>   APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
> >>   APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to
> >>   allow
> >>
> >>   Also, sandboxing is now enabled for the mirror method.
> >>
> >>  -- Julian Andres Klode <j...@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200
> >>
> >> Seems like it would be prudent to mention that in the release-notes
> >> for buster.
> >
> >
> > Are https and debtorrent "methods provided by apt", or are these methods
> > shipped in other optional packages and not yet sandboxed?
> >
>
> The https method is (now) provided directly by apt and is covered by the
> sandboxing (implementation-detail: It is in fact the same binary as the
> "http" method).
>
> As for debtorrent: I /think/ it is a "third-party" method (from apt's
> PoV) and therefore not covered by the built-in rules.  CC'ing deity to
> confirm that.

That's correct.

> > Is the mirror method now using the same sandboxing implementation?
> >
>
> That is my understanding.
>
> > The text could be more clear; for some answers to these questions a proposed
> > enhanced text is:
> >
> >   All methods provided by apt (e.g. http, https, debtorrent, ...) except for
> >   cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
> >   kernel to restrict the list of allowed system calls, and trap all others with a
> >   SIGSYS signal.
> >   [...]
> >
> >   Also, this sandboxing is now enabled for the mirror method.
> >
> >
> > Bye,
> >
> > Joost
> >
>
> As per above, I think it needs a s/debtorrent, //.
>
> I was also wondering whether we should document it in "whats-new" or
> "issues".  The latter clearly makes sense as it can cause issues that
> people need to know how to solve.  On the other side, I think it would
> be nice to document that apt has been hardened even further (and that,
> IMO, would fit "Whats new" better than "Issues").

Why not just both? Add it to what's new and add a link to issues saying
"also the <a>new sandboxing features in apt</a> might cause some issues."

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
Ubuntu Core Developer                              de, en speaker
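An apt.conf fragment, added here as an illustration and not part of the thread or of apt's own documentation, showing how the three options from the quoted NEWS entry are written in apt.conf's scalar and list syntax; the file name and the syscall names are arbitrary, constructed choices.

```conf
// Added example, not from the thread: /etc/apt/apt.conf.d/90seccomp (constructed path)

// Master switch. Sandboxing is on by default in apt 1.6; setting this to
// "false" is only a diagnostic step for a method that dies with SIGSYS,
// to be reverted once the missing syscall has been identified.
APT::Sandbox::Seccomp "true";

// Extra syscalls to allow on top of apt's built-in allow list, for every
// sandboxed method. The names are constructed examples, not a recommendation.
APT::Sandbox::Seccomp::Allow {
    "fallocate";
    "copy_file_range";
};

// Extra syscalls to trap (the method is terminated with SIGSYS) on top of
// what apt already traps. Again a constructed example.
APT::Sandbox::Seccomp::Trap {
    "kcmp";
};
```

`apt-config dump | grep Sandbox` shows the values apt actually parsed from this file, which is the quickest way to confirm a list item was not silently dropped by a syntax slip.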