On Wed, Oct 03, 2018 at 08:19:17PM +0300, Lars Wirzenius wrote:
> A suggestion: we restrict where packages can install files and what maintainer scripts can do. The default should be as safe as we can make it, and packages that need to do things not allowed by the default should declare that they intend to do that.
I think this is a great idea.
> This could be done, for example, by having each package labelled with an installation profile, which declares what the package intends to do upon installation, upgrade, or removal.
And the user's local policy determines what happens? e.g. allow, deny, prompt/log...
> This might be implemented in various ways. For example, dpkg could create a temporary directory, and bind mount the directories the profile indicates are needed, into a temporary shadow of the full system. Maintainer scripts would be run in the shadow environment. Thus, if they try to do something that isn't allowed by the package's profile, they can't.
This could more easily be achieved* (IMHO) using mount namespaces, and more generally the collection of technologies (namespaces, seccomp filters, etc.) that are collectively described as "containers". I think an important step for figuring out what to contain would be to audit all existing {pre,post}inst scripts and categorize them by what they do (areas of the filesystem they read or write to; network access; device access; etc.)

* on Linux, at least. Not sure about KFreeBSD.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀
Please do not CC me, I am subscribed to the list.
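The audit step proposed above (categorizing {pre,post}inst scripts by the filesystem areas they read or write, network access and device access), combined with the quoted installation-profile idea and a local allow/deny/log policy, as an added example that is not part of the original thread and is not dpkg's own code: a heuristic Python classifier run over two constructed maintainer scripts, whose findings are then compared with a hypothetical declared profile. The sample scripts, the profile format, the filesystem area list and the command tables are all assumptions made for the example; a real audit would need a proper shell parser and a far larger command table.

```python
"""Heuristically categorize Debian maintainer scripts by what they touch,
then check the findings against the package's declared installation profile.
All sample data here is constructed for illustration."""
import shlex

# Commands whose absolute-path arguments are written (the last path for
# copy-like commands), and commands that imply network access. Downloads
# that name a local path are treated as writes to that path. (assumed tables)
WRITE_ALL = {"chmod", "chown", "mkdir", "rm", "rmdir", "touch", "tee", "mknod", "ln"}
WRITE_LAST = {"cp", "mv", "install"}
NETWORK_CMDS = {"wget", "curl", "apt-get", "git", "nc", "ssh", "scp", "rsync"}
SHELL_WORDS = {"if", "then", "else", "elif", "fi", "do", "done", "while",
               "for", "case", "esac", "set", "!", "{", "}"}
AREAS = ("/etc", "/var", "/usr", "/home", "/dev", "/tmp", "/opt",
         "/srv", "/root", "/boot")

# Constructed sample scripts; foo stays inside a narrow profile, bar does not.
SAMPLE_SCRIPTS = {
    "foo.postinst": """#!/bin/sh
set -e
if [ "$1" = configure ]; then
    update-rc.d foo defaults >/dev/null
    cp /usr/share/foo/foo.conf /etc/foo/foo.conf
    chmod 640 /etc/foo/foo.conf
fi
""",
    "bar.postinst": """#!/bin/sh
set -e
wget -q https://example.invalid/plugin.tar.gz -O /var/lib/bar/plugin.tar.gz
mknod /dev/bar c 10 200
""",
}

# Hypothetical declared profile for foo: read /usr, write /etc, nothing else.
FOO_PROFILE = {"reads": {"/usr"}, "writes": {"/etc"}, "network": False, "devices": False}


def area_of(path):
    """Map an absolute path to the top-level filesystem area it lives in."""
    for area in AREAS:
        if path == area or path.startswith(area + "/"):
            return area
    return "/other"


def classify_script(text):
    """Return {reads, writes, network, devices} observed in one script."""
    f = {"reads": set(), "writes": set(), "network": False, "devices": False}
    for raw in text.splitlines():
        try:
            toks = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            toks = raw.split()
        while toks and toks[0] in SHELL_WORDS:  # skip keywords to reach the command
            toks.pop(0)
        if not toks:
            continue
        cmd = toks[0]
        if cmd in NETWORK_CMDS:
            f["network"] = True
        if cmd == "mknod":
            f["devices"] = True
        paths, redirects, expect_target = [], [], False
        for t in toks[1:]:
            if expect_target:  # bare ">" was followed by its target
                redirects.append(t)
                expect_target = False
            elif t.startswith(">"):  # ">/path" or ">> /path"
                target = t.lstrip(">")
                if target:
                    redirects.append(target)
                else:
                    expect_target = True
            elif t.startswith("/"):
                paths.append(t)
        if cmd in WRITE_ALL or cmd in NETWORK_CMDS:
            written, read = paths, []
        elif cmd in WRITE_LAST and paths:
            written, read = paths[-1:], paths[:-1]
        else:
            written, read = [], paths
        for kind, group in (("writes", written + redirects), ("reads", read)):
            for p in group:
                if p == "/dev/null":  # harmless sink, not device access
                    continue
                area = area_of(p)
                f[kind].add(area)
                if area == "/dev":
                    f["devices"] = True
    return f


def check_profile(findings, profile):
    """List the observed actions that the declared profile does not cover."""
    violations = []
    for kind in ("reads", "writes"):
        extra = findings[kind] - set(profile.get(kind, ()))
        violations += [f"{kind[:-1]} {a}" for a in sorted(extra)]
    for flag in ("network", "devices"):
        if findings[flag] and not profile.get(flag, False):
            violations.append(flag)
    return violations


def decide(violations, policy):
    """Apply the local policy (allow / deny / log) to undeclared actions."""
    if not violations or policy == "allow":
        return "run"
    if policy == "log":
        return "run-and-log"
    return "refuse"


if __name__ == "__main__":
    for name, text in SAMPLE_SCRIPTS.items():
        found = classify_script(text)
        bad = check_profile(found, FOO_PROFILE)
        print(name, found, "->", decide(bad, "deny"), bad)
```

Running the block classifies foo as reading /usr and writing /etc only, so it passes the profile, while bar is flagged for writing /var and /dev, for network access and for device access, and a "deny" policy refuses to run it.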