Hi Christoph,

On Tue, Jul 23, 2019 at 01:13:51AM +0200, Christoph Biedl wrote:
> Hm, let's give this a quick fix as a sound one. My plan is to whitelist
> all the syscalls used by fakeroot. Are you aware of other environments
> that might be caught by the same issue? Or in other words, which
> syscalls were reported as unacceptable in the kernel log?
The blocked syscall is 68 aka msgget. It is an IPC call used by fakeroot to
communicate the faked permissions.

I think allowing more syscalls in the sandbox is a bad idea.

 * You're whitelisting amd64 syscalls now. Other architectures use different
   numbers and hunting them down for each and every architecture is painful.
 * fakeroot uses msgget when used with faked-sysv. For use with faked-tcp, you
   will need socket and connect and stuff.
 * Blocking IPC or network was exactly the job of seccomp. If you allow these
   calls, you are significantly weakening the sandbox.
 * Have you tried faketime, fakechroot, eatmydata, ...?

Let me propose a much simpler option: Check for the presence of LD_PRELOAD and
imply -S when it is non-empty.

Helmut
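An added example to illustrate the two points above; it is not code from this thread or from file(1), and all names in it are my own. It implements the LD_PRELOAD-implies--S check Helmut proposes, and builds a kill-by-default seccomp allow-list from `__NR_*` macros with an architecture check, so the numbers are resolved for whatever architecture the binary is built for instead of being hard-coded for amd64 (e.g. 68 for msgget).

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Helmut's heuristic: -S (no_sandbox) disables the sandbox, and so does a
 * non-empty LD_PRELOAD, since a preloaded helper needs syscalls seccomp blocks. */
int sandbox_wanted(int no_sandbox, const char *ld_preload)
{
    if (no_sandbox || (ld_preload != NULL && ld_preload[0] != '\0'))
        return 0;
    return 1;
}

/* Kill-by-default allow-list. Syscall numbers come from __NR_* macros, so each
 * build gets its own architecture's values; the arch check rejects calls made
 * through a foreign ABI. Returns the instruction count (2*n + 5) or -1 if cap is too small. */
int build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t cap)
{
    size_t i, k = 0;
    if (cap < 2 * n + 5)
        return -1;
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], 0, 1);
        out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return (int)k;
}

/* Constructed sample list: three calls a read-only tool needs. msgget is
 * deliberately absent, matching the point that IPC should stay blocked. */
int demo_filter_len(void)
{
    int nrs[] = { __NR_read, __NR_write, __NR_exit_group };
    struct sock_filter prog[16];
    return build_allowlist(nrs, sizeof nrs / sizeof nrs[0], prog, 16);
}
```

The filter is only built here, not installed; installing it (via prctl(PR_SET_SECCOMP) after PR_SET_NO_NEW_PRIVS) would kill the process on the first syscall outside the list, which is exactly what fakeroot's msgget ran into.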