Bug 1642840

Summary: Please add a safe buildsys-only setting to dnf config
Product: [Fedora] Fedora
Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: dnf
Assignee: Miroslav Suchý <msuchy>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jmracek, mblaha, mhatina, packaging-team-maint, rpm-software-management, vmukhame
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2021-06-01 08:59:12 UTC
Type: Bug
Bug Blocks: 1641187, 1641191    

Description Nicolas Mailhot 2018-10-25 08:02:11 UTC
In https://pagure.io/fesco/issue/2004 mizdebsk worries that enabling the pm request mock extension on Fedora build systems (copr and koji) would lead to evil, and that attackers could use it to convince mock to pass dangerous commands to dnf.

One could (and will) add some argument filtering mock-side, but that assumes mock devs are perfectly aware of all the settings added to dnf over time, and correctly identify the dangerous combinations in a timely manner.

Therefore, from a security point of view, doing it at the mock level is a losing situation.

Please add a security jail setting to dnf, that could be put in the *repo files mock uses, and basically forbids dnf from doing anything except:
* installing/upgrading packages to the mock chroot or container from the repositories configured in the *repo files
* executing the corresponding scriptlets with the mock chroot or container

And that, no matter what CLI parameter overrides an attacker manages to get passed to dnf.

Regardless of what FESCO decides in the pagure ticket, the same config is running on packager systems today. The mock on those systems is Fedora's first line of defense against compromised upstream sources, so it needs to be secured properly.

Comment 1 Jaroslav Mracek 2018-10-29 12:46:27 UTC
msuchy, can you please look at the request?

Comment 2 Nicolas Mailhot 2018-11-06 12:06:15 UTC
So, to build on the ideas raised in https://pagure.io/fesco/issue/2004 and https://github.com/rpm-software-management/mock/issues/218

Have a safe/restricted/secure dnf switch with a directory as switch argument that basically says:

"from now on only take into account the dnf config/repo files in directory, only perform install/updates, only use packages taken from the repos defined here, ignore any further argument that says otherwise"
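
The allow-only behaviour requested in the description and in Comment 2, sketched as an added example (not code from mock, dnf, or any participant in this bug): the request's words are checked against what is permitted, so an option the filter author has never heard of is rejected like any other. The names `validate_request`, `build_argv`, `RejectedRequest` and `PACKAGE_SPEC`, the package-spec pattern and the chroot path are assumptions made for the illustration.

```python
import re

# Assumption: the only operations a build chroot needs, per the request above.
ALLOWED_SUBCOMMANDS = {"install", "upgrade"}

# Conservative package-spec shape (assumption): a name, optionally followed by
# a parenthesised provide such as pkgconfig(zlib). No paths, URLs or options.
PACKAGE_SPEC = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*(\([A-Za-z0-9._+:-]+\))?")


class RejectedRequest(ValueError):
    """Raised when a request contains anything outside the allowlist."""


def validate_request(words):
    """Return (subcommand, packages) or raise RejectedRequest."""
    if not words:
        raise RejectedRequest("empty request")
    subcommand, *packages = words
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise RejectedRequest(f"subcommand not allowed: {subcommand!r}")
    if not packages:
        raise RejectedRequest("no packages named")
    for spec in packages:
        # fullmatch rejects a leading '-', any '/', '=', ':' or whitespace, so
        # an unknown option fails the same way a path or URL does.
        if not PACKAGE_SPEC.fullmatch(spec):
            raise RejectedRequest(f"not a plain package spec: {spec!r}")
    return subcommand, packages


def build_argv(words, trusted_prefix):
    """Compose the final command; all options come from trusted_prefix only."""
    subcommand, packages = validate_request(words)
    return [*trusted_prefix, subcommand, *packages]


if __name__ == "__main__":
    # Constructed sample prefix and requests, for illustration only.
    prefix = ["dnf", "--installroot", "/var/lib/mock/example/root", "-y"]
    for request in (["install", "gcc", "pkgconfig(zlib)"],
                    ["install", "--some-future-option=1", "gcc"],
                    ["remove", "gcc"],
                    ["install", "/tmp/local.rpm"]):
        try:
            print("accept:", build_argv(request, prefix))
        except RejectedRequest as err:
            print("reject:", err)
```

This is still the mock-side filtering the description calls insufficient on its own; it only shows the allowlist shape that does not depend on tracking dnf's option set.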

Comment 3 Miroslav Suchý 2021-06-01 08:59:12 UTC
I am going to close this due to inactivity. I assume we will not have time for this in the upcoming years. This will need an external contribution and, due to its nature, probably several rejected PRs which would be just placeholders for a discussion of how to correctly implement it. :(