On Fri, 22 Sep 2017 12:38:54 +0100
Sergei Trofimovich <slyfox@g.o> wrote:

> On Fri, 22 Sep 2017 12:57:21 +0200
> Alexis Ballier <aballier@g.o> wrote:
>
> > On Fri, 22 Sep 2017 06:07:18 +0200
> > Michał Górny <mgorny@g.o> wrote:
> >
> > > On Thu, 21.09.2017 at 15:41 -0700, user Matt
> > > Turner wrote:
> > > > On Thu, Sep 21, 2017 at 2:25 PM, Michał Górny
> > > > <mgorny@g.o> wrote:
> > > > > Given that sandbox is utterly broken by design, I don't really
> > > > > want to put too much effort in trying to make it a little
> > > > > better. I'd rather put the minimal effort required to make it
> > > > > not-much-worse.
> > > >
> > > > You said in your initial email that you weren't an expert in its
> > > > internals, but here you say it's broken by design. Why do you
> > > > think that?
> > > >
> > >
> > > Because it uses LD_PRELOAD which is a huge hack and which causes
> > > guaranteed issues we can't really fix. All we can do is disable
> > > it for emacs, for compiler-rt and I'm afraid this list will grow
> > > because overriding random library functions is never a good idea.
> > >
> >
> > I think we're all ears for a better solution. There are probably
> > much better ways to do sandboxing these days than 15 years ago.
> >
> > LD_PRELOAD does not work with static binaries. Hence the
> > non-portable ptrace stuff. Hence bugs. Etc. The point is, that's the
> > best we have now.
>
> Some other distros try harder to isolate the build environment either
> through chroot and/or private mount/user/network namespaces that
> contain only explicitly specified files in the build environment.
>
> That would require more cooperation from the package manager to fetch
> the list of all visible depends.
>
> Don't know if a drop-in replacement could be implemented for sandbox
> that way. I like clear sandbox error reporting.


We definitely do need a kind of drop-in replacement since PMS
mandates some parts of the sandbox API (addwrite/addpredict & co for
instance)
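To make the addwrite/addpredict API mentioned in the last message concrete, here is an added example (mine, not code from the sandbox project or from anyone in this thread) that models the write-policy decision behind those functions. The list meanings follow PMS: addwrite permits writes under a path, adddeny refuses them and reports a violation, addpredict refuses them without a report. The precedence (deny, then write, then predict), the helper names and the sample paths are assumptions of this example. The point it demonstrates is the part a drop-in replacement cannot skip regardless of enforcement mechanism: the path must be canonicalised before any prefix test, and the prefix test must be component-wise, otherwise `..` traversal and a `/work` vs `/workaround` mismatch slip through.

```python
import os
import posixpath
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed model of a sandbox-style write policy; not the sandbox project's
# code. addwrite permits, adddeny refuses and reports, addpredict refuses
# silently (PMS semantics). The precedence deny > write > predict is assumed.

Resolver = Callable[[str], str]


def resolve_real(path: str) -> str:
    """Canonicalise through the live filesystem: symlinks in the existing
    part of the path are followed, the rest is normalised lexically."""
    return os.path.realpath(path)


def resolve_lexical(path: str, cwd: str = "/") -> str:
    """Lexical canonicalisation only ('.', '..', '//' collapsed) so the
    policy can be exercised offline. It cannot see symlinks; anything that
    guards real open()/rename() calls must use resolve_real or equivalent."""
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def _under(path: str, prefix: str) -> bool:
    """Component-wise containment: '/a/b' is under '/a', '/ab' is not.
    A bare str.startswith() would let '/work' cover '/workaround'."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


@dataclass
class Verdict:
    allowed: bool
    report: bool  # True when an access violation should be logged
    reason: str


@dataclass
class WritePolicy:
    resolve: Resolver = resolve_real
    write: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)
    predict: List[str] = field(default_factory=list)

    # Entries are canonicalised on insertion so a symlinked work dir and its
    # target count as the same location.
    def addwrite(self, path: str) -> None:
        self.write.append(self.resolve(path))

    def adddeny(self, path: str) -> None:
        self.deny.append(self.resolve(path))

    def addpredict(self, path: str) -> None:
        self.predict.append(self.resolve(path))

    def check_write(self, path: str) -> Verdict:
        """Decide a write to `path`. Canonicalise first, or
        '<workdir>/../../../etc/passwd' passes as 'under the work dir'."""
        real = self.resolve(path)
        if any(_under(real, p) for p in self.deny):
            return Verdict(False, True, f"{real}: under adddeny path")
        if any(_under(real, p) for p in self.write):
            return Verdict(True, False, f"{real}: under addwrite path")
        if any(_under(real, p) for p in self.predict):
            return Verdict(False, False, f"{real}: under addpredict path (silent)")
        return Verdict(False, True, f"{real}: not in any writable location")


WORKDIR = "/var/tmp/portage/app-misc/example-1.0/work"  # illustrative path


def build_policy(resolve: Resolver = resolve_real) -> WritePolicy:
    """A policy shaped like an ebuild build environment (paths illustrative)."""
    pol = WritePolicy(resolve=resolve)
    pol.addwrite(WORKDIR)
    pol.addwrite("/dev/null")
    pol.addpredict("/root/.cache")
    pol.adddeny("/etc")
    return pol


def classify(paths: List[str], resolve: Resolver = resolve_lexical) -> List[Tuple[str, bool, bool]]:
    """Run the sample policy over `paths`; returns (path, allowed, report)."""
    pol = build_policy(resolve)
    out = []
    for p in paths:
        v = pol.check_write(p)
        out.append((p, v.allowed, v.report))
    return out


SAMPLE_WRITES = [  # constructed inputs
    WORKDIR + "/src/main.o",                      # ordinary build output
    WORKDIR + "/../../../../../../etc/passwd",    # traversal out of the work dir
    WORKDIR + "around/x",                         # '/work' vs '/workaround' trap
    "/root/.cache/pip/http/abc",                  # predicted: refused, no report
    "/usr/lib/libexample.so",                     # stray install: refused, reported
]

if __name__ == "__main__":
    for path, allowed, report in classify(SAMPLE_WRITES):
        print(f"{'ALLOW' if allowed else 'DENY ':5} report={report!s:5} {path}")
```

`classify` defaults to the lexical resolver so the run is deterministic; a real interposer or namespace-based replacement would pass `resolve_real` so that symlinks are followed before the prefix comparison. Note that the policy layer is independent of how accesses are intercepted, which is exactly why the LD_PRELOAD versus namespace question in the thread can be decided separately from the PMS-mandated API.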