alipHere is a #landlock oddity I noticed and reported today: https://github.com/landlock-lsm/linux/issues/58 #exherbo #linux #security
Am I a TOCTOU dreaming of a butterfly, or am I a butterfly dreaming of a TOCTOU?: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596 #exherbo #linux #security
News from #sydbox git: Starting next release, we're going to be signing binary releases with #OpenBSD signify rather than #GnuPG. To enable practical signing in #Exherbo #Gitlab CI, I wrote an #ISC licensed, pure portable #POSIX shell implementation of #OpenBSD signify. signify.sh has no external dependencies and runs with PATH=. It has unit tests embedded which may be run with --test option: https://gitlab.exherbo.org/sydbox/sydbox/-/raw/next/dev/signify.sh #exherbo #linux #security
#gVisor recently got its own #ASLR implementation. OTOH, #Sydbox uses ASLR provided by the #Linux #kernel and enforces PIE executables. #HardenedBSD has a sysctl to enforce PIE as well: https://man.exherbo.org/syd.7.html#Enforcing_Position-Independent_Executables_(PIE) #exherbo #linux #security
Reading this made me reconsider switching #Sydbox from GPL-3 to AGPL-3: https://www.onlyoffice.com/blog/2026/03/onlyoffice-flags-license-violations-in-euro-office-project-by-nextcloud-and-ionos WDYT? #exherbo #linux #security #poll
GPL-3 > AGPL-3
AGPL-3 > GPL-3
No difference for a sandbox
Strawberry fields forever
Poll ended at .
#Sydbox is NOT hosted on #Github and this is an ethical decision. Main repository is the #Exherbo #Gitlab, we have mirrors on #Sourcehut and #Codeberg. Having said that, the code is GPL-3 and I can't legally prevent anyone from mirroring it on Github. I can just kindly ask not to...: https://github.com/tamaroning/sydbox/issues/1 #exherbo #linux #security
Here is #rustlang bindings for Redis' #radix tree: https://crates.io/crates/redix New #sydbox uses this for path canonicalization which sufficiently reduces its userspace overhead. Let me know if sydbox-3.51.1 is too fast for you and I'll add some random sleeps around the code ;) #exherbo #linux #security
#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
News from #sydbox git: Force sandboxing (binary verification) now uses #Linux #kernel cryptography. You may use any hash algorithm your kernel supports and checksumming process happens with zero-copy without copying data into Syd's process space. This ensures performance and privacy. Syd is hash-algorithm agnostic and makes no choice of a default. Pandora learned to autoselect best avaliable algorithm. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Force_Sandboxing #exherbo #security