Niels Thykier
2017-11-03 06:50:01 UTC
Package: release-notes
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <***@debian.org> Mon, 23 Oct 2017 01:58:18 +0200
Seems like it would be prudent to mention that in the release-notes
for buster.
Thanks,
~Niels
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <***@debian.org> Mon, 23 Oct 2017 01:58:18 +0200
Seems like it would be prudent to mention that in the release-notes
for buster.
Thanks,
~Niels