APT seccomp-BPF sandboxing

Does Whonix 15 have optional APT hardening applied by default? (we should note it if that’s the case in release notes or whatever)


2.2.3. Optional hardening of APT

All methods provided by APT (e.g. http, and https) except for cdrom, gpgv, and rsh can make use of seccomp-BPF sandboxing as supplied by the Linux kernel to restrict the list of allowed system calls, and trap all others with a SIGSYS signal. This sandboxing is currently opt-in and needs to be enabled with:

  APT::Sandbox::Seccomp is a boolean to turn it on/off

Two options can be used to configure this further:

  APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
  APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

Not yet enabled. To check:

apt-config dump | grep -i sandbox


APT::Sandbox "";
APT::Sandbox::User "_apt";

Good find. Will test and consider.


Weird this hasn’t been enabled by default. It will probably break some things.

1 Like

It allows the user to attach a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.