Hi Christoph,
On Fri, Jul 26, 2019 at 03:35:23PM +0200, Christoph Biedl wrote:
> However, once we (as in Debian) promote seccomp, users will assume it's
> available. Silently disabling it in a way not obvious at all ... for
> me it's like disabling the security belt in a car as soon as traffic
Helmut Grohne wrote...
[ Disable seccomp if LD_PRELOAD is set ]
> It may be broad, but we used to live without this security feature and
> the approach should reliably fix the regressions.
However, once we (as in Debian) promote seccomp, users will assume it's
available. Silently disabling it in
Hi Christoph,
I've also Cced Kees Cook as he's done a lot of hardening in Linux and
Debian and I'd like his input on this matter, because we're talking
about trade-offs here. (Context: "fakeroot file ./foo" fails due to
seccomp)
On Tue, Jul 23, 2019 at 12:52:55PM +0200, Christoph Biedl wrote:
> >
Control: reopen 932762
Control: severity 932762 important
Control: retitle 932762 Needs a sane solution for running under LD_PRELOAD like fakeroot
[ Taking Niels into the loop. I'm sorry the first approach didn't work out. ]
With the problem preliminarily fixed, the whole story needs some
consider
Hi Christoph,
On Tue, Jul 23, 2019 at 01:13:51AM +0200, Christoph Biedl wrote:
> Hm, let's give this a quick fix as a sound one. My plan is to whitelist
> all the syscalls used by fakeroot. Are you aware of other environments
> that might be caught by the same issue? Or in other words, which
> sys
Control: tags 932762 pending
Helmut Grohne wrote...
> Package: file
> Version: 1:5.37-3
> Severity: serious
> Control: affects -1 + src:unbound
>
> file no longer works under fakeroot. For example:
(...)
> Can we please disable seccomp until a solution for fakeroot is found?
Hm, let's give this
Package: file
Version: 1:5.37-3
Severity: serious
Control: affects -1 + src:unbound
file no longer works under fakeroot. For example:
$ fakeroot file /bin/true
Bad system call
$ echo $?
159
$
This is relevant when packages that still require root for building use
fakeroot and then call file. aut