News from #Sydbox #git for #Emacs users: Self-contained syd.el, which has full support for the syd(2) API, now supports syntax highlighting for syd-3 profiles exactly like Syd's #vim syntax highlighting.
#exherbo #linux #security
News from #sydbox #git: We have #Caitsith-like Domain Transitions now, which allow you to change sandbox policy atomically either manually or upon certain events such as exec, chdir, mmap, bind, connect, accept. One example would be restricting the confinement of a web server upon first bind; another example is per-directory sandbox policies. There are many other nice uses, see examples: https://man.exherbo.org/syd.7.html#Domain_Transitions #exherbo #linux #security
#Sydbox 3.54.1 released! Security release with fcntl(2) hardening against SIGIO bypass of #landlock signal scoping. Adds log rate limiting with log/rlimit_interval and log/rlimit_burst options. New deleted file access mediation denies unlinked files through open fds. chown(2) confined to caller's credentials by default, force_umask default now 7000 for setuid/setgid/sticky stripping like #OpenBSD #pledge. Ghost mode implies lock:on. Full story: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md #exherbo #linux #security
ChangeLog.md · main · Sydbox / sydbox · GitLab

rock-solid application kernel

GitLab
New hardening in #sydbox #git: Deleted File Access Mediation, inspired by #AppArmor flag PATH_MEDIATE_DELETED: https://man.exherbo.org/syd.7.html#Deleted_File_Access_Mediation #exherbo #linux #security
SYD(7)

#Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: https://raw.githubusercontent.com/v12-security/pocs/d4043edc2acbd75d093e3f5795751b678c66b259/fragnesia/fragnesia.c #exherbo #linux #security
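A self-check for the three primitives listed in the post above, as an added example that is not part of the original post or of Syd's code: run inside a confined environment, it reports whether user namespace creation, AF_ALG sockets and the TCP_ULP socket option are reachable from there. The function names and the use of ENOTCONN as the sign that TCP_ULP got through are assumptions of this example; network namespaces are not probed.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from <sched.h> */
#endif
int unshare(int flags); /* glibc declares it only under _GNU_SOURCE */

enum verdict { BLOCKED = 0, REACHABLE = 1 };

/* Reachable if the call succeeded, or failed with the one errno (kernel_errno,
 * 0 if none) that shows the kernel feature itself handled the request. */
enum verdict classify(int rc, int err, int kernel_errno) {
    if (rc >= 0) return REACHABLE;
    return (kernel_errno && err == kernel_errno) ? REACHABLE : BLOCKED;
}

/* 1. User namespace creation, tried in a child so the caller is unchanged. */
enum verdict probe_userns(void) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return BLOCKED;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? REACHABLE : BLOCKED;
}

/* 2. Kernel crypto API (AF_ALG) socket creation. */
enum verdict probe_af_alg(void) {
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    enum verdict v = classify(fd, errno, 0);
    if (fd >= 0) close(fd);
    return v;
}

/* 3. TCP_ULP on an unconnected socket. The kernel TLS ULP answers ENOTCONN
 * here, so that errno means the option got past any filter. */
enum verdict probe_tcp_ulp(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return BLOCKED;
    int rc = setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls"));
    enum verdict v = classify(rc, errno, ENOTCONN);
    close(fd);
    return v;
}

int main(void) {
    printf("userns=%d af_alg=%d tcp_ulp=%d (1 = reachable)\n",
           probe_userns(), probe_af_alg(), probe_tcp_ulp());
    return 0;
}
```

BLOCKED also covers a kernel that lacks the feature (for example no AF_ALG support or no TLS module), so it means "not reachable from here", not "denied by the sandbox".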
SydB☮x: Ghost Mode

This asciicast showcases Syd's Ghost mode: https://man.exherbo.org/syd.7.html#Ghost_mode

asciinema.org
#Sydbox 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have a bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3530 #exherbo #linux #security
News from #Sydbox #git: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile "wx" combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. #exherbo #linux #security
#Sydbox 3.52.0 is released! I've just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you're recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md #exherbo #linux #security
Mitigation against copy.fail in upcoming #Sydbox: Syd will refuse to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. #exherbo #linux #security