Your message dated Sun, 3 Dec 2017 12:49:39 +0000
with message-id <[email protected]>
and subject line Re: Bug#877199: have man leverage seccomp
has caused the Debian Bug report #883388,
regarding libpipeline: add enough support to allow caller to set up seccomp filter
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
883388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883388
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: man-db
Version: 2.7.6.1-2
X-Debbugs-CC: [email protected], [email protected]
We talked with Jamie and Colin about this, and agreed I'd file this
bug report to track the work:
It would be nice if man & etc leveraged seccomp, to minimise the risk
of Bad Things happening if one were to blindly add manpages from
untrusted sources to its search path.
I believe both Colin and Jamie have a rough idea of how they want to
achieve this.
Thank you,
--- End Message ---
--- Begin Message ---
Source: libpipeline
Source-Version: 1.5.0-1
On Fri, Sep 29, 2017 at 08:43:48PM +0100, Colin Watson wrote:
> I had a brief initial look, and I think we'll need a bit more support in
> libpipeline for this. We could consider having explicit support there
> for installing a seccomp filter in a child. That would probably mean an
> extra dependency on libseccomp, which I'm not wild about, so we could
> just add support for a per-command post-fork handler in addition to the
> process-wide one; that would be enough to allow the application to do it
> itself.
I fixed the libpipeline part of this in version 1.5.0.
libpipeline 1.5.0 (14 November 2017)
====================================
Add `pipecmd_pre_exec' to install a pre-exec handler for a single
command.
--
Colin Watson [[email protected]]
--- End Message ---
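
Added example, not part of the original messages and not libpipeline or man-db code: the per-command hook idea discussed above, sketched with plain fork() instead of libpipeline so it builds without the library. The names pre_exec_fn, run_child, deny_socket and child_work are hypothetical, and the one-syscall deny filter is constructed for illustration; a libpipeline caller would register a hook like this through pipecmd_pre_exec.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

typedef void (*pre_exec_fn)(void *);  /* hypothetical per-command hook type */

/* Hook: from here on socket() fails with EPERM; everything else is allowed.
   Constructed filter: a real one checks seccomp_data.arch and uses an allow-list. */
static void deny_socket(void *unused) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    (void)unused;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
        _exit(99);  /* fail closed: never run the command unfiltered */
}

/* Stand-in for the command itself; real code would execvp() at this point. */
static int child_work(void) {
    if (socket(AF_UNIX, SOCK_STREAM, 0) >= 0) return 0;  /* socket allowed */
    return errno == EPERM ? 1 : 2;                       /* 1: blocked by filter */
}

/* Fork one child, run its hook (if any) after fork, then the workload. */
int run_child(pre_exec_fn hook, void *data) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { if (hook) hook(data); _exit(child_work()); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("filtered=%d unfiltered=%d\n", run_child(deny_socket, NULL), run_child(NULL, NULL));
    return 0;
}
```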