On 2019-03-29 11:18:10 +0000 (+0000), Matthew Booth wrote: [...]
> I suspect out of expediency in the initial forklift from rootwrap, we've lost this critical principle of moving security-critical logic into privsep itself. [...]
Yes, the expectation was that once the privsep framework was available, services relying on rootwrap would rework sensitive calls to operate within privsep and minimally limit those services' ability to influence their execution in dangerous ways. Nova isn't the only one still in this state (either with far-too-dangerous privsep functions exposed or still mostly relying on really lax rootwrap filters).

This could make for an excellent cross-project effort, perhaps even a cycle goal, so I've added the [tc] tag to the subject. I've also tagged it for the [security-sig] as members there may have an interest in assisting with the effort.

-- 
Jeremy Stanley
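An added illustration of the design point the reply makes (example code, not from either poster and not the oslo.privsep API): a privileged side that exposes only narrow, argument-validated operations, shown beside the "far-too-dangerous" generic entrypoint that lets the unprivileged service choose the whole command line. Function names, the device pattern and the mount root are hypothetical.

```python
import re

# Constructed illustration of the privsep principle from the thread: the
# privileged side should expose narrow, validated operations rather than a
# generic "run this as root" entrypoint. Names here are hypothetical and
# are not the oslo.privsep API.

ENTRYPOINTS = {}


def entrypoint(func):
    """Register a function as callable across the privilege boundary."""
    ENTRYPOINTS[func.__name__] = func
    return func


# Dangerous design: the unprivileged service fully controls the argv that
# runs as root. A compromised service can run anything, which is no better
# than a rootwrap filter that matches only the executable name.
@entrypoint
def execute(argv):
    return ["root", *argv]


_DEVICE_RE = re.compile(r"^/dev/[a-z]+[0-9]*$")
_MOUNT_ROOT = "/var/lib/service/mnt"


# Narrow design: the service may only request "mount this device under the
# managed mount root"; every argument is validated here, on the privileged
# side, so the caller cannot inject mount options or arbitrary paths.
@entrypoint
def mount_managed_volume(device, subdir):
    if not _DEVICE_RE.match(device):
        raise ValueError("refusing device path: %r" % device)
    if not re.fullmatch(r"[A-Za-z0-9_-]+", subdir):
        raise ValueError("refusing mount subdir: %r" % subdir)
    return ["root", "mount", "-o", "nodev,nosuid", device,
            "%s/%s" % (_MOUNT_ROOT, subdir)]


def call_privileged(name, *args):
    """Simulated privileged daemon: only registered entrypoints are reachable."""
    if name not in ENTRYPOINTS:
        raise PermissionError("no such entrypoint: %s" % name)
    return ENTRYPOINTS[name](*args)
```

The narrow entrypoint rejects traversal in `subdir` and non-device paths before any command is built, which is exactly the check a lax rootwrap filter leaves to the caller.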