{"guid":"1fb562d0-6fe4-5015-9423-128b5711401f","title":"WIP: Sandboxing APT","subtitle":null,"slug":"all-systems-go-2023-198-wip-sandboxing-apt","link":"https://cfp.all-systems-go.io/all-systems-go-2023/talk/8CGF9L/","description":"A short case study on where we are with sandboxing APT; what gaps there are and what technologies we looked at.\n\nDownloading packages, verifying packages, installing packages, protecting user data from snoopy or broken maintainer scripts. A package manager has a lot of places that can need some sort of sandboxing.\n\nAPT currently employs a minimal sandbox using a separate user for downloading, and optionally seccomp. This talk will explore that, the caveats and some more avenues like landlock, running apt in systemd isolation (useful for our apt-based .service units), file descriptor passing into sandbox.","original_language":"eng","persons":["Julian Andres Klode"],"tags":["asg2023","198","2023"],"view_count":81,"promoted":false,"date":"2023-09-13T16:30:00.000+02:00","release_date":"2023-09-14T00:00:00.000+02:00","updated_at":"2026-03-28T00:00:05.247+01:00","length":1315,"duration":1315,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/198-1fb562d0-6fe4-5015-9423-128b5711401f.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/198-1fb562d0-6fe4-5015-9423-128b5711401f_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/198-1fb562d0-6fe4-5015-9423-128b5711401f.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2023/198-1fb562d0-6fe4-5015-9423-128b5711401f.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2023-198-wip-sandboxing-apt","url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_title":"All Systems Go! 2023","conference_url":"https://api.media.ccc.de/public/conferences/asg2023","related":[],"recordings":[{"size":42,"length":1315,"mime_type":"video/webm","language":"eng","filename":"asg2023-198-eng-WIP_Sandboxing_APT_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2023-09-14T12:52:55.871+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/webm-sd/asg2023-198-eng-WIP_Sandboxing_APT_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/70386","event_url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":92,"length":1315,"mime_type":"video/webm","language":"eng","filename":"asg2023-198-eng-WIP_Sandboxing_APT_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-09-14T12:29:34.469+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/webm-hd/asg2023-198-eng-WIP_Sandboxing_APT_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/70366","event_url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":33,"length":1315,"mime_type":"video/mp4","language":"eng","filename":"asg2023-198-eng-WIP_Sandboxing_APT_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2023-09-14T02:11:34.520+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/h264-sd/asg2023-198-eng-WIP_Sandboxing_APT_sd.mp4","url":"https://api.media.ccc.de/public/recordings/70325","event_url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":20,"length":1315,"mime_type":"audio/mpeg","language":"eng","filename":"asg2023-198-eng-WIP_Sandboxing_APT_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2023-09-14T01:51:03.061+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/mp3/asg2023-198-eng-WIP_Sandboxing_APT_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/70306","event_url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":12,"length":1315,"mime_type":"audio/opus","language":"eng","filename":"asg2023-198-eng-WIP_Sandboxing_APT_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2023-09-14T01:48:56.554+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/opus/asg2023-198-eng-WIP_Sandboxing_APT_opus.opus","url":"https://api.media.ccc.de/public/recordings/70304","event_url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"},{"size":85,"length":1315,"mime_type":"video/mp4","language":"eng","filename":"asg2023-198-eng-WIP_Sandboxing_APT_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-09-14T01:25:45.167+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2023/h264-hd/asg2023-198-eng-WIP_Sandboxing_APT_hd.mp4","url":"https://api.media.ccc.de/public/recordings/70271","event_url":"https://api.media.ccc.de/public/events/1fb562d0-6fe4-5015-9423-128b5711401f","conference_url":"https://api.media.ccc.de/public/conferences/asg2023"}]}