RFE: ensure unwritable buildroot during %check #3010
Comments
|
There's not much you can do against a malicious upstream. |
|
An idea was floated on fedora-devel to remove tests from packages altogether. I empathetically disagree with that, but maybe it'd be useful to "sandbox" the tests a bit. The test code is often of lesser quality and less reviewed. The basic idea is to make sure that the Either $RPM_BUILD_ROOT could be remounted read-only for the duration of %check, or overlayfs with a throw-away upper layer could be overmounted. In the fedora-devel thread I suggested that All that said, I'm not really sure if it's such a great idea… It might help in some cases, so if it's easy to implement, maybe it'd be worth trying. But if you think it's just not worth the effort and close the issue, I'm fine with that too. |
|
I opened this ticket from the discussion specifically because it's such a no-brainer when you see it: "tests should not be able to affect built binaries". How feasible it is in practise is another story, but it's worth at least investigating. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
This issue shows misunderstanding of how the xz backdoor was intended to work. Although its payload was hidden in the test files, it was extracted when running the Of course, we can imagine a situation when some backdoor is injected when running tests, and proposed changes could prevent such a situation. However this wouldn't help against the particular backdoor and it definitely won't help against hypothetical future backdoors targeted at rpm systems because their developers will take into account protections you are going to implement. I think, it only makes sense to implement them if it is easy to do and won't cause additional overhead by copying or hashing numerous files that can be very large in some cases. |
|
I understand the difference between %build and %check, as well as the problem of this could be worked around by future actors. I would still like to understand the potential as a building blocks for hardening. Do you see a path for a hashing-like validation in the %check phase that could be enabled by an additional run time parameter of the tool? This way, feature is available to potential users, but not enabled by default? |
|
There are simpler ways to ensure that |
|
Yes, this approach will never be complete. Something like the proposed feature is only a building block. For the other stages, there could also be the requirement to not modify files that have been available already. IMHO, other attack vectors should be addressed with other tools. What data would you need to be more willing to accept a PR the implements the requested idea? While the hashing approach might be more IO heavy, it seems like a portable solution. Furthermore, this approach does not require extra permissions for additional jailing. |
|
This is not about "preventing XZ", it's just somewhat inspired by it. Hashing the content is not something this ticket is about. |
|
Closing in favor of a more generic #3050 |
On the heels of the xz incident, one of the ideas (from @keszybz it seems) to harden against malicious tests is to make buildroot readonly during %check. Picked from #3009 as a clear actionable item.
The text was updated successfully, but these errors were encountered: