alipHere is #rustlang bindings for Redis' #radix tree: https://crates.io/crates/redix New #sydbox uses this for path canonicalization which sufficiently reduces its userspace overhead. Let me know if sydbox-3.51.1 is too fast for you and I'll add some random sleeps around the code ;) #exherbo #linux #security
#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
News from #sydbox git: Force sandboxing (binary verification) now uses #Linux #kernel cryptography. You may use any hash algorithm your kernel supports and checksumming process happens with zero-copy without copying data into Syd's process space. This ensures performance and privacy. Syd is hash-algorithm agnostic and makes no choice of a default. Pandora learned to autoselect best avaliable algorithm. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Force_Sandboxing #exherbo #security
Is it a red flag that #sydbox is developed mainly by a single person in their free time rather than bigcorp? #exherbo #linux #security
Yes
No
Who cares if it's GPL?
Why not MIT? Let bigcorp buy you!
Poll ended at .
New hardening in #Sydbox 3.50.0: "Immutable Sticky Bit" where Syd enforces the immutability of the sticky bit at chmod(2) boundary for directories. Sticky bit on dirs such as /tmp is a critical security primitive that restricts file deletion/renaming to file/directory owner or root. This also helps raise the bar for trusted symlink bypasses. On by default, disable with trace/allow_unsafe_sticky:1. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Immutable_Sticky_Bit #exherbo #linux #security
News from #Linux #kernel: io_uring gains filtering support with _unprivileged_ cBPF which means unprivileged sandboxers such as #sydbox can selectively allow io_uring without any escape vectors going forward. cBPF is NOT eBPF and it's available to unprivileged processes on Linux. Filtering with cBPF is simple yet powerful. Cherry on the cake is you may filter on socket(2) domains, open(2)/openat(2) flags, and openat2(2) resolve flags: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=591beb0e3a03 #exherbo #security
Fun #Linux tidbit: If you call stat(2) on an epoll(7) fd you get file type unknown, but if you call it on a memory fd you get file type regular. If you call statfs(2) on a memory fd it'll report tmpfs. This leaves two options to detect memory fds reliably: 1. Get file sealing information using fcntl(fd, F_GET_SEALS), success very likely means you have a memory fd (might change in the future) 2. Call readlink(2) on /proc/self/fd/$memory-fd and check for /memfd: prefix. #exherbo #linux #security
You know I'm born to lose, and sandboxing is for fools but that's the way I like it baby I don't want to live forever! #sydbox 3.49.0 is released with a long list of bugfixes and hardenings. #sydbox is a rock-solid application kernel to sandbox applications on #Linux. Refer to the ChangeLog for the list of changes: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3490 #exherbo #security #motörhead