Clamav privatetmp #33228
Conversation
Strictly speaking, you can already configure this easily via clamd will naturally be a juicy target, it seems more prudent to never let it see any of the fs, only consuming bytes over a pre-opened file descriptor & sending judgements about those bytes to another fd, or some other configuration where it runs completely "blind" (probably should run on a dedicated machine, even).
If the motivation is only to share files/whatnot with another daemon, you could try making them share namespace(s) or something. That seems stronger than exposing the system
I'm assuming using As for clamd being a juicy target, I completely agree with you. Had there been an actually strong protection of the filesystem, I wouldn't even have considered this. But protecting only Then, your comment made me notice the
Hmm, actually I just tried adding 7a711db to the daemon that runs Did I miss something?
My comment was more to suggest going in the opposite direction of this PR, i.e. add more, not fewer, restrictions. I didn't intend to say that we should not merge this in the interim, if there's a need for it.
In this case I completely agree with you, but maybe patch Actually, I guess that's about the same as most hardening: it's a trade-off between usability and security. I personally deem Linux's DAC enough for security and believe that *ns bring in more risks than benefits, but that's just my opinion :)
I think history proves that ns will never be enough and sometimes can be a liability. A skilled & motivated attacker will "simply" target the kernel if they have to, after all. Perhaps it is a mistake to rely on ns for anything beyond deployment convenience, but lots of people seem to think you can enhance security this way. I'm not qualified to say either way but am hopeful that it helps more than it hurts overall :)
I've integrated 4314be4 but closing this for now |
Motivation for this change

Allow disabling `clamav` running with a private `/tmp`. Turning this on fixes `clamdscan` not working for files in `/tmp`. Not turning `PrivateTmp` off altogether, as I'd guess it has been added here for some reason. I also replaced some `mkIf x [y]` with `optional x y` while I was at it.

Things done

- `build-use-sandbox` in `nix.conf` on non-NixOS
- `nix-shell -p nox --run "nox-review wip"`
- `./result/bin/`
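A sketch of how such a toggle can be declared in a NixOS module, added here as an illustration and not the PR's own diff: `services.clamav.daemon.privateTmp` is a hypothetical option name, and `clamav-daemon` is assumed to be the nixpkgs unit name for clamd.

```nix
# Added example, not the PR's code. Option name `privateTmp` is hypothetical;
# the `clamav-daemon` unit and `services.clamav.daemon.enable` are assumed
# to match the nixpkgs clamav module.
{ config, lib, ... }:

let
  cfg = config.services.clamav.daemon;
in
{
  options.services.clamav.daemon.privateTmp = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Whether clamd runs under systemd's PrivateTmp=, i.e. with its own
      /tmp. Keep this on unless clamdscan must hand clamd paths under the
      host's /tmp; turning it off lets the daemon see that directory.
    '';
  };

  config = lib.mkIf cfg.enable {
    # A bool here is rendered as true/false in the generated unit file.
    systemd.services.clamav-daemon.serviceConfig.PrivateTmp = cfg.privateTmp;

    # `lib.optional cond x` is a plain list ([ x ] or [ ]) and can be used
    # anywhere a list is expected, including with `++`. `mkIf cond [ x ]`
    # is a module-system marker that is only resolved as a whole option
    # definition, which is why the PR swaps one for the other in list context.
    warnings = lib.optional (!cfg.privateTmp)
      "services.clamav.daemon.privateTmp is off: clamd can read the host /tmp";
  };
}
```

Evaluating a configuration with the toggle off surfaces the warning at `nixos-rebuild` time, so the weakened sandbox is visible rather than silent.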