On Fri, 9 Dec 2016 07:11:11 +0100, Tomasz Torcz <tomek pipebreaker pl> wrote:
> On Fri, Dec 09, 2016 at 01:35:39AM +0100, Michael Biebl wrote:
> > 2016-12-06 0:03 GMT+01:00 Michael Catanzaro <mcatanzaro gnome org>:
> > > On Mon, 2016-12-05 at 21:31 +0100, Carlos Garnacho wrote:
> > > > Thanks for the tip :), worth a look indeed, although I'm looking into
> > > > using seccomp directly.
> > >
> > > Strongly consider using libseccomp for this!
> >
> > Has it been considered to use the systemd sandboxing features? tracker
> > already ships systemd --user service files, so you'd basically get that
> > for free.
>
> Correct me if I'm wrong, but aren't systemd sandboxing features only
> available to the system instance? User systemd sessions lack privileges to
> set up separate namespaces etc.
>
> Also, in addition to libseccomp, there's
> https://github.com/projectatomic/bubblewrap for sandboxing. It is a suid
> binary, though.
As long as it means letting a wrapper binary exec(3) the Tracker extractors, I would go for this solution. Flatpak uses a combination of bubblewrap and libseccomp for sandboxing, which means that bubblewrap is getting a good deal of testing already. Despite being setuid it is small enough to allow code reviews, so IMHO the setuid bit is a non-problem (there used to be a capabilities operating mode, but that is gone now [1] because, well, it needed a lot of them, so it may as well be setuid!)

Cheers,
—Adrián

--
[1] https://github.com/projectatomic/bubblewrap/commit/aedd6136b7bc1165c164330d02e729e0a95d2487