Bug#880638: release-notes: Document apt sandbox support [buster]
Niels Thykier
2017-11-03 06:50:01 UTC
Package: release-notes
Severity: wishlist

--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium

All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:

APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

Also, sandboxing is now enabled for the mirror method.

-- Julian Andres Klode <***@debian.org> Mon, 23 Oct 2017 01:58:18 +0200


Seems like it would be prudent to mention that in the release-notes
for buster.

Thanks,
~Niels
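The mechanism the changelog describes, an allowlist of system calls with every other call trapped by SIGSYS, in its minimal form, as an added illustration that is not apt's own code (apt builds its filter with libseccomp rather than hand-written BPF). It assumes Linux on x86_64 or aarch64, a hypothetical three-entry allowlist, and `getpid` as the deliberately unlisted call that the handler reports; the Trap and Allow options above adjust exactly this kind of list for apt's methods.

```c
#define _GNU_SOURCE                /* syscall() and the SYS_* numbers */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#endif                             /* other platforms: add their AUDIT_ARCH_* value */
/* One allowlist entry: if the loaded syscall number equals nr, return ALLOW. */
#define ALLOW_NR(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                     BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* SIGSYS handler: async-signal-safe work only; the exit code carries the verdict. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    _exit(si->si_syscall == SYS_getpid ? 42 : 1);   /* 42: getpid was the trapped call */
}
/* Allow exit_group/exit/rt_sigreturn; every other syscall is trapped with SIGSYS. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_NR(SYS_exit_group), ALLOW_NR(SYS_exit), ALLOW_NR(SYS_rt_sigreturn),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),          /* default: SIGSYS */
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* needed for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Child sandboxes itself, then calls getpid(), which is not allowlisted: returns 42
 * when SIGSYS reported getpid, 3 when the kernel refused the filter (no seccomp). */
int probe_sandbox(void) {
    pid_t pid = fork();
    if (pid == 0) {
        struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
        sigaction(SIGSYS, &sa, NULL);
        if (install_filter() != 0) _exit(3);
        syscall(SYS_getpid);              /* trapped: the handler exits with 42 */
        _exit(2);                         /* only reached if the filter did not trap */
    }
    int status = 0; waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The `si_syscall` value read in the handler is the piece of information a crashing apt method would need to surface for an administrator to know which call to add to `APT::Sandbox::Seccomp::Allow`.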
Joost van Baal-Ilić
2017-11-03 10:00:01 UTC
Hi Niels,

Thanks for your bug report!
Post by Niels Thykier
Package: release-notes
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
Seems like it would be prudent to mention that in the release-notes
for buster.
Are https and debtorrent "methods provided by apt", or are these methods
shipped in other optional packages and not yet sandboxed?

Is the mirror method now using the same sandboxing implementation?

The text could be clearer; with some answers to these questions, a proposed
enhanced text is:

All methods provided by apt (e.g. http, https, debtorrent, ...) except for
cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
kernel to restrict the list of allowed system calls, and trap all others with a
SIGSYS signal.
[...]

Also, this sandboxing is now enabled for the mirror method.


Bye,

Joost
Niels Thykier
2017-11-04 06:30:01 UTC
Post by Joost van Baal-Ilić
Hi Niels,
Thanks for your bug report!
Hi, :)
Post by Joost van Baal-Ilić
Post by Niels Thykier
Package: release-notes
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
Seems like it would be prudent to mention that in the release-notes
for buster.
Are https and debtorrent "methods provided by apt", or are these methods
shipped in other optional packages and not yet sandboxed?
The https method is (now) provided directly by apt and is covered by the
sandboxing (implementation-detail: It is in fact the same binary as the
"http" method).

As for debtorrent: I /think/ it is a "third-party" method (from apt's
PoV) and therefore not covered by the built-in rules. CC'ing deity to
confirm that.
Post by Joost van Baal-Ilić
Is the mirror method now using the same sandboxing implementation?
That is my understanding.
Post by Joost van Baal-Ilić
The text could be more clear; for some answers to these questions a proposed
All methods provided by apt (e.g. http, https, debtorrent, ...) except for
cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
kernel to restrict the list of allowed system calls, and trap all others with a
SIGSYS signal.
[...]
Also, this sandboxing is now enabled for the mirror method.
Bye,
Joost
As per above, I think it needs a s/debtorrent, //.

I was also wondering whether we should document it in "whats-new" or
"issues". The latter clearly makes sense as it can cause issues that
people need to know how to solve. On the other side, I think it would
be nice to document that apt has been hardened even further (and that,
IMO, would fit "Whats new" better than "Issues").

Thanks,
~Niels
Julian Andres Klode
2017-11-04 22:00:01 UTC
Post by Niels Thykier
Post by Joost van Baal-Ilić
Hi Niels,
Thanks for your bug report!
Hi, :)
Post by Joost van Baal-Ilić
Post by Niels Thykier
Package: release-notes
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
Seems like it would be prudent to mention that in the release-notes
for buster.
Are https and debtorrent "methods provided by apt", or are these methods
shipped in other optional packages and not yet sandboxed?
The https method is (now) provided directly by apt and is covered by the
sandboxing (implementation-detail: It is in fact the same binary as the
"http" method).
As for debtorrent: I /think/ it is a "third-party" method (from apt's
PoV) and therefore not covered by the built-in rules. CC'ing deity to
confirm that.
That's correct.
Post by Niels Thykier
Post by Joost van Baal-Ilić
Is the mirror method now using the same sandboxing implementation?
That is my understanding.
Post by Joost van Baal-Ilić
The text could be more clear; for some answers to these questions a proposed
All methods provided by apt (e.g. http, https, debtorrent, ...) except for
cdrom, gpgv, and rsh now use seccomp-BPF sandboxing as supplied by the Linux
kernel to restrict the list of allowed system calls, and trap all others with a
SIGSYS signal.
[...]
Also, this sandboxing is now enabled for the mirror method.
Bye,
Joost
As per above, I think it needs a s/debtorrent, //.
I was also wondering whether we should document it in "whats-new" or
"issues". The latter clearly makes sense as it can cause issues that
people need to know how to solve. On the other side, I think it would
be nice to document that apt has been hardened even further (and that,
IMO, would fit "Whats new" better than "Issues").
Why not just both? Add it to what's new and add a link to issues saying
"also the <a>new sandboxing features in apt</a> might cause some issues."
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
Ubuntu Core Developer de, en speaker
David Kalnischkies
2017-11-04 23:20:01 UTC
Post by Julian Andres Klode
Post by Niels Thykier
As for debtorrent: I /think/ it is a "third-party" method (from apt's
PoV) and therefore not covered by the built-in rules. CC'ing deity to
confirm that.
It has to be noted that debtorrent is no more – it was removed from
Debian 4 years ago, so it should really not be mentioned.

The only third-party apt-transport-* packages I know of existing in
Debian ATM are s3 and spacewalk which indeed don't use any of the
recentish introduced hardening features for methods as they are all
"opt-in".

There is also a-t-tor, but that is maintained by the APT team nowadays,
so not 3rd party – and it uses all the same hardening features as http.
Post by Julian Andres Klode
Why not just both? Add it to what's new and add a link to issues saying
"also the <a>new sandboxing features in apt</a> might cause some issues."
I would expect that by the time we release buster apt has gained some
other noteworthy things to report in "whats new", so that this seccomp
thingy can be kept mostly contained in the issue part as that feature is
ideally a user invisible change and the news entry just points to the
issue section (but to be honest, not sure if it's even worthy for issues
as we have bigger issues if we haven't figured out the required syscalls
for all release architectures at buster release time).


Best regards

David Kalnischkies
Debian Bug Tracking System
2019-03-24 20:00:01 UTC
tags -1 moreinfo
Bug #880638 [release-notes] release-notes: Document apt sandbox support [buster]
Added tag(s) moreinfo.
--
880638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880638
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Paul Gevers
2019-03-24 20:00:01 UTC
Control: tags -1 moreinfo

Hi all,
Post by Niels Thykier
Package: release-notes
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
Seems like it would be prudent to mention that in the release-notes
for buster.
Thanks,
~Niels
Note to self/update: The feature is (now) *off* by default (see #890489).
So, should we still mention this? At least it should only go into the
whats-new section now.

Paul
Debian Bug Tracking System
2019-05-09 20:10:02 UTC
Your message dated Thu, 9 May 2019 22:00:46 +0200
with message-id <118a5845-8d14-54ec-1c59-***@debian.org>
and subject line Re: Bug#880638: release-notes: Document apt sandbox support [buster]
has caused the Debian Bug report #880638,
regarding release-notes: Document apt sandbox support [buster]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
880638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880638
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems