#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
ChangeLog.md · main · Sydbox / sydbox · GitLab

rock-solid application kernel

GitLab
News from #sydbox git: Force sandboxing (binary verification) now uses #Linux #kernel cryptography. You may use any hash algorithm your kernel supports and the checksumming process happens with zero-copy without copying data into Syd's process space. This ensures performance and privacy. Syd is hash-algorithm agnostic and makes no choice of a default. Pandora learned to autoselect the best available algorithm. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Force_Sandboxing #exherbo #security
SYD(7)

Is it a red flag that #sydbox is developed mainly by a single person in their free time rather than bigcorp? #exherbo #linux #security
Yes
6.7%
No
73.3%
Who cares if it's GPL?
20%
Why not MIT? Let bigcorp buy you!
0%
New hardening in #Sydbox 3.50.0: "Immutable Sticky Bit" where Syd enforces the immutability of the sticky bit at the chmod(2) boundary for directories. The sticky bit on dirs such as /tmp is a critical security primitive that restricts file deletion/renaming to the file/directory owner or root. This also helps raise the bar for trusted symlink bypasses. On by default, disable with trace/allow_unsafe_sticky:1. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Immutable_Sticky_Bit #exherbo #linux #security
#FreeBSD #Jail chroot escape via fd exchange with a different jail! Both #OpenBSD pledge(2) and #Sydbox prevent sending directory file descriptors over #unix sockets which prevents this vector: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:04.jail.asc #exherbo #linux #security
News from #Linux #kernel: io_uring gains filtering support with _unprivileged_ cBPF which means unprivileged sandboxers such as #sydbox can selectively allow io_uring without any escape vectors going forward. cBPF is NOT eBPF and it's available to unprivileged processes on Linux. Filtering with cBPF is simple yet powerful. Cherry on the cake is you may filter on socket(2) domains, open(2)/openat(2) flags, and openat2(2) resolve flags: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=591beb0e3a03 #exherbo #security
Merge tag 'io_uring-bpf-restrictions.4-20260206' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux - kernel/git/torvalds/linux.git - Linux kernel source tree

Fun #Linux tidbit: If you call stat(2) on an epoll(7) fd you get file type unknown, but if you call it on a memory fd you get file type regular. If you call statfs(2) on a memory fd it'll report tmpfs. This leaves two options to detect memory fds reliably: 1. Get file sealing information using fcntl(fd, F_GET_SEALS), success very likely means you have a memory fd (might change in the future) 2. Call readlink(2) on /proc/self/fd/$memory-fd and check for /memfd: prefix. #exherbo #linux #security
You know I'm born to lose, and sandboxing is for fools but that's the way I like it baby I don't want to live forever! #sydbox 3.49.0 is released with a long list of bugfixes and hardenings. #sydbox is a rock-solid application kernel to sandbox applications on #Linux. Refer to the ChangeLog for the list of changes: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3490 #exherbo #security #motörhead
Name ideas for upcoming #sydbox book: "Das Syd", referring to the "Das Kapital" of Mr. #Marx with a subtitle: Like das kapital but with less capital, #free as in #freedom! So "Der Syd" is Syd Barrett and "Das Syd" is the #sandbox. #exherbo #linux #security #joke
It's never too late to strcpy: Buffer overflow in helpfile option handling affects Vim <9.1.2132. Untrusted helpfiles can take over, update #vim as soon as you can: https://marc.info/?l=oss-security&m=177032301008926&w=2 #exherbo #linux #security
'[oss-security] [vim-security] buffer overflow in helpfile option handling affects Vim <9.1.2132' - MARC