[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

APT seccomp-BPF sandboxing

Does Whonix 15 have optional APT hardening applied by default? (we should note it if that’s the case in release notes or whatever)

https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html#apt-sandboxing

2.2.3. Optional hardening of APT

All methods provided by APT (e.g. http, and https) except for cdrom, gpgv, and rsh can make use of seccomp-BPF sandboxing as supplied by the Linux kernel to restrict the list of allowed system calls, and trap all others with a SIGSYS signal. This sandboxing is currently opt-in and needs to be enabled with:

  APT::Sandbox::Seccomp is a boolean to turn it on/off

Two options can be used to configure this further:

  APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
  APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
3 Likes

Not yet enabled. To check:

apt-config dump | grep -i sandbox

Currently:

APT::Sandbox "";
APT::Sandbox::User "_apt";

Good find. Will test and consider.

2 Likes

Weird this hasn’t been enabled by default. It will probably break some things.

1 Like