clone 877199 -1
reassign -1 libpipeline
retitle -1 libpipeline: add enough support to allow caller to set up seccomp filter
thanks

On Fri, Sep 29, 2017 at 11:35:35AM -0400, John Lenton wrote:
> We talked with Jamie and Colin about this, and agreed I'd file this
> bug report to track the work:
> 
> It would be nice if man & etc leveraged seccomp, to minimise the risk
> of Bad Things happening if one were to blindly add manpages from
> untrusted sources to its search path.
> 
> I believe both Colin and Jamie have a rough idea of how they want to
> achieve this.

I had a brief initial look, and I think we'll need a bit more support in
libpipeline for this.  We could consider having explicit support there
for installing a seccomp filter in a child.  That would probably mean an
extra dependency on libseccomp, which I'm not wild about, so we could
just add support for a per-command post-fork handler in addition to the
process-wide one; that would be enough to allow the application to do it
itself.

(Alternatively, we could have man fork and install the seccomp filter
before it goes anywhere near libpipeline, but I'd rather not.  To my
mind the main thing to do is to confine groff.)

-- 
Colin Watson                                       [cjwat...@debian.org]
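To make the proposal above concrete, here is an added example (not code from this thread or from libpipeline itself) of what a per-command post-fork handler looks like and how a caller would use it to confine a child before exec. The `struct command` / `post_fork` names are hypothetical stand-ins for whatever API libpipeline would grow. The filter is built as raw classic BPF and installed with prctl(2), so it needs no libseccomp dependency, which is the concern raised above; it assumes Linux on x86_64 or aarch64 and, purely as a demonstration policy, refuses socket(2) with EPERM while allowing everything else.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older kernel headers only know SECCOMP_RET_KILL (kills the thread). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Hypothetical per-command hook: runs in the child after fork(), before exec(). */
typedef void (*post_fork_fn)(void *data);

struct command {
    char *const *argv;
    post_fork_fn post_fork;
    void *post_fork_data;
};

/* Demonstration policy: deny socket(2) with EPERM, allow all other syscalls.
 * A real policy for groff would be an allow-list instead.  Returns 0 or -1. */
static int install_no_socket_filter(void)
{
    struct sock_filter filter[] = {
        /* Refuse to run if the syscall ABI is not the one the numbers below belong to. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and compare against socket(2). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required so an unprivileged process may install a filter, and so the
     * filter cannot be escaped through a setuid exec. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* The hook a caller such as man would attach to the groff command. */
static void seccomp_post_fork(void *data)
{
    (void)data;
    if (install_no_socket_filter() != 0)
        _exit(125);   /* refuse to exec unconfined */
}

/* Fork, run the per-command hook in the child, exec.  Returns the raw wait status. */
static int run_command(const struct command *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (cmd->post_fork)
            cmd->post_fork(cmd->post_fork_data);
        execvp(cmd->argv[0], cmd->argv);
        _exit(127);
    }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

/* Run /usr/bin/true (via PATH) under the hook; returns its exit code. */
static int run_true_confined(void)
{
    char *argv[] = { "true", NULL };
    struct command cmd = { argv, seccomp_post_fork, NULL };
    int status = run_command(&cmd);
    return (status >= 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Check in a child that the policy really bites: 0 = socket() refused with EPERM,
 * 1 = filter had no effect, 2 = filter could not be installed, 3 = other error. */
static int probe_socket_in_confined_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_no_socket_filter() != 0)
            _exit(2);
        if (socket(AF_INET, SOCK_STREAM, 0) >= 0)
            _exit(1);
        _exit(errno == EPERM ? 0 : 3);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("true under filter exited %d\n", run_true_confined());
    printf("socket() probe result %d\n", probe_socket_in_confined_child());
    return 0;
}
```

The important property is that the hook runs in the child only, after fork() and before exec(), so the parent (man itself) stays unconfined and each command in a pipeline can carry its own policy; `PR_SET_NO_NEW_PRIVS` must precede the filter install or the kernel rejects it for an unprivileged process.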
