Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: run scriptlets in selective filesystem isolation #2665

Closed
pmatilai opened this issue Sep 15, 2023 · 0 comments · Fixed by #2666
Closed

RFE: run scriptlets in selective filesystem isolation #2665

pmatilai opened this issue Sep 15, 2023 · 0 comments · Fixed by #2666
Assignees
@pmatilai
Labels
containers Containers and related technologies RFE

Comments

@pmatilai
Copy link
Member

Inspired by #2617:

Scriptlets sometimes use /tmp insecurely, on platforms that support it (Linux at least) we could run scriptlets with private /tmp to enforce the matter.

Another,a kind of an opposite, use-case could be protect /home against naughty packages trying to peek in there (which they have absolutely zero business doing): just give scriptlets a private /home.

This could be easily made configurable so people can tune + protect for local needs.

To cover all scriptlets, we'd need #2635 first. Whether that's an actual blocker is a separate question, it doesn't have to be an all-or-nothing thing.
@pmatilai pmatilai added RFE containers Containers and related technologies labels Sep 15, 2023
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
c6e2d7a 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
c3ecab5 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
@pmatilai pmatilai self-assigned this Sep 15, 2023
@pmatilai pmatilai mentioned this issue Sep 15, 2023
Merged
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
587e778 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Suggested-by: Johannes Segitz <jsegitz@suse.de>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
17718d9 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Suggested-by: Johannes Segitz <jsegitz@suse.de>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 28, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
788d513 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <jsegitz@suse.de>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 28, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
d19343c 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <jsegitz@suse.de>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Oct 9, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
2d79259 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <jsegitz@suse.de>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit that referenced this issue Oct 11, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
fd8eaa5 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <jsegitz@suse.de>

Fixes: #2632
Fixes: #2665
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmatilai pmatilai

Labels
containers Containers and related technologies RFE
Projects
RPM
Status: Done
Scriptlet isolation
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add a new plugin to enable Linux-specific namespace functionality pmatilai/rpm
1 participant
@pmatilai