Colors of Noise

agx@sigxcpu.org

Entries from March 2016.

More sandboxing
25th March 2016

When working on untrusted code or data it's impossible to predict what happens when one does a:

bundle install --path=vendor

or

npm install

Does this phone out your private SSH and GPG keys? Does a

evince Downloads/justdownloaded.pdf

try to exploit the PDF viewer? While you can run stuff in separate virtual machines this gets cumbersome quickly. libvirt-sandbox to the rescue! It allows you to sandbox applications using libvirt's virtualization drivers. It took us a couple of years (the ITP is from 2012) but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem mounted read-only by default, so you have access to all installed programs (this can be changed with the --root option though). It can use either libvirt's QEMU or LXC driver. We're using the latter in the examples below:

So in order to make sure the above bundler call has no access to your $HOME you can use:

sudo virt-sandbox \
   -m ram:/tmp=10M \
   -m ram:$HOME=10M \
   -m ram:/var/run/screen=1M \
   -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
   -c lxc:/// \
   -S $USER \
   -n rubydev-sandbox \
   -N dhcp,source=default \
   /bin/bash

This makes your $HOME inaccessible by mounting a tmpfs over it and runs the shell in separate network, IPC, mount, PID and UTS namespaces, so you can invoke bundler with fewer worries. /path/to/your/ruby-stuff is bind-mounted read-write into the sandbox so you can change files there. Mounts are set up in the order given, so a read-write bind of a directory that lives below $HOME has to follow the tmpfs mount that hides $HOME (the PDF example below does exactly this for $HOME/Downloads). Bundler can fetch new gems through libvirt's default network.

And for the PDF case:

sudo virt-sandbox \
  -m ram:$HOME=10M \
  -m ram:/dev/shm=10M \
  -m host-bind:$HOME/Downloads=$HOME/Downloads \
  -c lxc:/// \
  -S $USER \
  -n evince-sandbox \
  --env="DISPLAY=:0" \
  --env="XAUTHORITY=$XAUTHORITY" \
  /usr/bin/evince Downloads/justdownloaded.pdf

Note that the above example shares /tmp with the sandbox (via the read-only root filesystem) in order to give it access to the X11 socket. That also means evince talks to your X server directly, so the isolation is weaker than in the bundler example; better isolation can probably be achieved using xpra or xvnc but I haven't looked into this yet. One more caveat: if $XAUTHORITY points to a file below $HOME (the usual ~/.Xauthority), the tmpfs mounted over $HOME hides it, so copy the cookie file somewhere the sandbox can see and point XAUTHORITY at the copy.
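Both invocations above follow the same pattern: a tmpfs over the places that hold secrets, a read-write bind of the one directory the job needs, and a separate network. The wrapper below, an added example that is not part of libvirt-sandbox or of the original post, encodes that pattern together with the checks worth having before trusting it: it insists on an absolute work directory, refuses one that is $HOME or a parent of $HOME (since mounts apply in order, such a host-bind would sit on top of the tmpfs and re-expose ~/.ssh and ~/.gnupg), and can print the command instead of running it. The virt-sandbox flags are exactly the ones used above; the script name, the SANDBOX_DRY_RUN switch and the selfcheck are additions, and the selfcheck's read-only-root probe assumes /proc/mounts inside the sandbox lists the root as / with an ro option.

```shell
#!/bin/sh
# sandbox-run.sh: assemble the virt-sandbox invocation used above and refuse
# mount layouts that would defeat it. Added example, not part of libvirt-sandbox.
#
# Usage: sandbox-run.sh WORKDIR NAME COMMAND [ARGS...]
#        SANDBOX_DRY_RUN=1 sandbox-run.sh ...   # print the command instead of running it

# Resolve DIR to an absolute, symlink-free path; fail if it is not a directory.
canon_dir() {
    [ -d "$1" ] || { echo "sandbox-run: not a directory: $1" >&2; return 1; }
    (cd "$1" && pwd -P)
}

# Reject a WORKDIR that is $HOME or a parent of it. virt-sandbox applies mounts
# in the order given, so such a host-bind would land on top of the tmpfs that
# hides $HOME and bring ~/.ssh and ~/.gnupg straight back into the sandbox.
# Sets sb_work (canonical WORKDIR) for the caller.
check_workdir() {
    case $1 in
        /*) ;;
        *) echo "sandbox-run: WORKDIR must be an absolute path: $1" >&2; return 1 ;;
    esac
    sb_work=$(canon_dir "$1") || return 1
    sb_home=$(canon_dir "$HOME") || return 1
    case $sb_home in
        "$sb_work"|"$sb_work"/*)
            echo "sandbox-run: refusing to bind-mount $sb_work: it contains \$HOME" >&2
            return 1 ;;
    esac
}

run_sandboxed() {
    check_workdir "$1" || return 1
    sb_name=$2; shift 2
    # tmpfs over /tmp, $HOME and the screen socket dir first, then the
    # read-write bind of WORKDIR (which may itself live below $HOME).
    set -- \
        -m "ram:/tmp=10M" \
        -m "ram:$HOME=10M" \
        -m "ram:/var/run/screen=1M" \
        -m "host-bind:$sb_work=$sb_work" \
        -c lxc:/// \
        -S "${USER:-$(id -un)}" \
        -n "$sb_name" \
        -N dhcp,source=default \
        "$@"
    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' virt-sandbox "$@"
    else
        sudo virt-sandbox "$@"
    fi
}

# Run this inside the sandbox shell to confirm the isolation actually took effect.
sandbox_selfcheck() {
    sb_rc=0
    for d in .ssh .gnupg; do
        [ ! -e "$HOME/$d" ] || { echo "FAIL: $HOME/$d is visible" >&2; sb_rc=1; }
    done
    # The root filesystem should show up as / with an "ro" mount option.
    awk '$2 == "/" && $4 ~ /(^|,)ro(,|$)/ { ok = 1 } END { exit !ok }' /proc/mounts \
        || { echo "FAIL: / is not mounted read-only" >&2; sb_rc=1; }
    [ "$sb_rc" -eq 0 ] && echo "sandbox looks sane"
    return $sb_rc
}

# Act as a script only when given arguments; sourcing the file just defines the functions.
if [ $# -ge 3 ]; then
    run_sandboxed "$@"
fi
```

Typical use is `./sandbox-run.sh "$PWD" rubydev-sandbox bundle install --path=vendor` from inside the project, or with `/bin/bash` as the command and then `sandbox_selfcheck` in the resulting shell (after sourcing the script there, which works because the read-only root still contains it).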

Besides the command-line program virt-sandbox there's also the library libvirt-sandbox, which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's specific to RPM-based distros. Help on porting this to Debian is greatly appreciated.

Tags: debian, libvirt, planetdebian, planetfsfe.
Contacts, CardDAV, Calypso and the N900
9th March 2016

As a follow up to calendar synchronisation with calypso, syncevolution and the N900 running maemo I finally added contacts to the mix:

on the phone

When you already have the calendar sync running, adding contacts is simple.

First start ssh on the N900 to ease typing:

apt-get install dropbear
echo /bin/sh >> /etc/shells
cd /etc/dropbear && ./run

SSH into the phone and configure contacts synchronization:

cat <<EOF > ~/.config/syncevolution/webdav/sources/addressbook/config.ini
backend = CardDAV
database = https://carddav.example.com/contacts/username
EOF

And perform the initial sync:

syncevolution --sync slow webdav addressbook

From there on you can sync contacts and calendars in one go with:

syncevolution webdav

Looking at the calypso logs on the server it seems that syncevolution does not always generate an FN entry, so the card gets skipped. This doesn't harm the overall sync, but I need to have a look at how to fix this.

on the laptop

In order to use the contacts in mutt there's pycarddav, packaged in Debian. This basically follows upstream's documentation.

sudo apt-get install pycarddav
mkdir -p ~/.config/pycard
cp /usr/share/doc/pycarddav/examples/pycard.conf.sample ~/.config/pycard/pycard.conf
# Edit file as needed

cat ~/.config/pycard/pycard.conf
[Account username]
user: username
resource: https://carddav.example.com/
write_support = YesPleaseIDoHaveABackupOfMyData

[query]
where: vcard

[sqlite]

[default]
debug: False

To use the entries in mutt, just extend your .muttrc:

cat <<EOF >>~/.muttrc
set query_command="pc_query -m %s"
macro index,pager B "<pipe-message>pycard-import<enter>" "add sender address to pycardsyncer"
EOF

This allows you to query contacts using Q and to add the sender of the current message as a new contact with B (the key bound by the macro above) in mutt's index and pager.

Calypso Changes

We recently moved calypso's git repository to alioth and started to merge several out-of-tree patches. More will happen during this year's Debian Groupware Meeting, including a new upload to Debian.

Tags: groupware, maemo, planetdebian, planetfsfe.
Debian Fun in February 2016
8th March 2016

Debian LTS

February was the tenth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 7 hours (of allocated 11.15 hours) working on squeeze-lts:

… and to make sure we have fewer issues that are fixed in squeeze-lts but affect wheezy …

Outside of LTS time I cooked up a script to make it simpler to check whether a package has security support in a given release.

Now that squeeze-lts is history I'd like to thank the Debian Security Team for their help and answers to all the questions related to security tracker, DSAs, DLAs and whatnot. I'm looking forward to wheezy-lts now…

Other Debian stuff

Tags: debian, planetdebian.
