Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: prevent scriptlet network access #2632

Closed
pmatilai opened this issue Aug 28, 2023 · 0 comments · Fixed by #2666
Closed

RFE: prevent scriptlet network access #2632

pmatilai opened this issue Aug 28, 2023 · 0 comments · Fixed by #2666
Assignees
@pmatilai
Labels
containers Containers and related technologies RFE
Milestone
4.20.0

Comments

@pmatilai
Copy link
Member

pmatilai commented Aug 28, 2023
edited
Loading

Network access in both build and install scriptlets is basically a packaging bug (and a security risk) as the result depends on external factors, and various build-systems already enforce this on top of rpmbuild. I see no reason we could or could not do this on the rpm-level already, both for build and install-time scriptlets. If it turns out to break too much we can always add an configurable option for it.

This is expected to be a Linux-only feature (unshare network namespace from the scriptlets), but other platforms with similar technologies could be supported too.
@pmatilai pmatilai added the RFE label Aug 28, 2023
@pmatilai pmatilai added this to RPM Aug 28, 2023
@github-project-automation github-project-automation bot moved this to Backlog in RPM Aug 28, 2023
@pmatilai pmatilai moved this from Backlog to Todo in RPM Aug 28, 2023
@pmatilai pmatilai added this to the 4.20.0 milestone Aug 28, 2023
@pmatilai pmatilai mentioned this issue Aug 28, 2023
Closed
@pmatilai pmatilai moved this from Todo to Backlog in RPM Aug 30, 2023
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
c6e2d7a 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
@pmatilai pmatilai self-assigned this Sep 15, 2023
@pmatilai pmatilai added the containers Containers and related technologies label Sep 15, 2023
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
c3ecab5 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
@pmatilai pmatilai mentioned this issue Sep 15, 2023
Merged
@pmatilai pmatilai moved this from Backlog to In Review in RPM Sep 15, 2023
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
587e778 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Suggested-by: Johannes Segitz <[email protected]>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 15, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
17718d9 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Suggested-by: Johannes Segitz <[email protected]>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 28, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
788d513 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <[email protected]>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Sep 28, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
d19343c 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <[email protected]>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit to pmatilai/rpm that referenced this issue Oct 9, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
2d79259 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (rpm-software-management#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <[email protected]>

Fixes: rpm-software-management#2632
Fixes: rpm-software-management#2665
pmatilai added a commit that referenced this issue Oct 11, 2023
@pmatilai
Add a new plugin to enable Linux-specific namespace functionality
fd8eaa5 
A plugin is a convenient place to hide Linux-specific functionality.
Implemented in this initial version are:

- Optional private mounts during scriptlet execution, useful for
  protecting the system from scriptlets (eg /home) and the scriptlets
  from themselves (eg insecure /tmp usage)
- Optionally disable network access during scriptlet execution

Note that at this time, scriplets executed with the embedded Lua
interpreter are not covered by this because they run inside the main rpm
process instead of forking (#2635).

Add a testcase for private /tmp

Suggested-by: Johannes Segitz <[email protected]>

Fixes: #2632
Fixes: #2665
@github-project-automation github-project-automation bot moved this from In Review to Done in RPM Oct 11, 2023
@pmatilai pmatilai moved this to Done in Scriptlet isolation Nov 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmatilai pmatilai

Labels
containers Containers and related technologies RFE
Projects
RPM
Status: Done
Scriptlet isolation
Status: Done
Milestone
4.20.0
Development

Successfully merging a pull request may close this issue.

Add a new plugin to enable Linux-specific namespace functionality pmatilai/rpm
1 participant
@pmatilai