APT seccomp-BPF sandboxing

Does Whonix 15 have optional APT hardening applied by default? (we should note it if that’s the case in release notes or whatever)

https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html#apt-sandboxing

2.2.3. Optional hardening of APT

All methods provided by APT (e.g. http, and https) except for cdrom, gpgv, and rsh can make use of seccomp-BPF sandboxing as supplied by the Linux kernel to restrict the list of allowed system calls, and trap all others with a SIGSYS signal. This sandboxing is currently opt-in and needs to be enabled with:

  APT::Sandbox::Seccomp is a boolean to turn it on/off

Two options can be used to configure this further:

  APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
  APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

Not yet enabled. To check:

apt-config dump | grep -i sandbox

Currently:

APT::Sandbox "";
APT::Sandbox::User "_apt";

Good find. Will test and consider.

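One way to script the check above and to stage the opt-in, as an added example that is not part of this thread or of Whonix: a POSIX shell script that parses apt-config dump output for APT::Sandbox::Seccomp and prints an apt.conf.d drop-in enabling it. The sample dump text and the drop-in file name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `apt-config dump` output
# whether APT's seccomp-BPF sandbox is on, and print the drop-in that would
# enable it. The sample dump text below is constructed.

# Returns 0 if the given apt-config dump text turns APT::Sandbox::Seccomp on.
# apt-config prints one option per line, e.g.:  APT::Sandbox::Seccomp "true";
apt_seccomp_enabled() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^APT::Sandbox::Seccomp "\([^"]*\)";$/\1/p' | tail -n 1)
    case "$val" in
        1|true|yes|on) return 0 ;;   # boolean spellings apt accepts
        *)             return 1 ;;   # absent, "" (parent node only) or off
    esac
}

# Prints an apt.conf.d drop-in that opts in. The file name is an assumption,
# e.g. /etc/apt/apt.conf.d/40sandbox-seccomp.
apt_seccomp_dropin() {
    cat <<'EOF'
// Opt in to seccomp-BPF sandboxing of APT methods (Debian buster release notes 2.2.3).
// A method that hits a filtered syscall is killed with SIGSYS, so exercise
// `apt update` and `apt upgrade` after enabling this.
APT::Sandbox::Seccomp "true";
// If a method breaks, extra syscalls can be permitted through
// APT::Sandbox::Seccomp::Allow (a list of syscall names) instead of
// turning the sandbox off again.
EOF
}

# Constructed samples of apt-config dump output: the default seen in the
# thread, and the same system with the opt-in applied.
SAMPLE_DEFAULT='APT::Sandbox "";
APT::Sandbox::User "_apt";'
SAMPLE_HARDENED="$SAMPLE_DEFAULT
APT::Sandbox::Seccomp \"true\";"

report() {
    if apt_seccomp_enabled "$1"; then echo "seccomp sandbox: enabled"
    else echo "seccomp sandbox: NOT enabled"; fi
}

report "$SAMPLE_DEFAULT"
report "$SAMPLE_HARDENED"
# On a real system, check the live configuration the same way.
if command -v apt-config >/dev/null 2>&1; then report "$(apt-config dump)"; fi
```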

Weird this hasn’t been enabled by default. It will probably break some things.


It allows the user to attach a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.