Looks like #Google #gVisor containers are safe from #Copyfail:

Traceback (most recent call last):
  File "<stdin>", line 9, in <module>
  File "<stdin>", line 5, in c
  File "/usr/lib/python3.13/socket.py", line 233, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 97] Address family not supported by protocol
cloudshell@cloudshell:~$

#GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security
systrap: fix TOCTOU on ThreadID in NotifyInterrupt · google/gvisor@2a22300

NotifyInterrupt reads ThreadID from guest-writable shared memory twice: once to check for invalidThreadID and again after acquiring the lock for the map lookup. A malicious guest can modify ThreadI...

GitHub

A new approach from Google's gVisor team is set to redefine runtime security. By rewriting every syscall in a Linux binary at load time and running it in a lightweight KVM VM with a "shim" kernel, they achieve complete, tamper-proof observability. This means security teams get every attempted action, even blocked ones, but must adapt their `strace`-based tooling.

https://www.tpp.blog/78jeyv7

#cybersecurity #google #gvisor

🤖 This post was AI-generated.

#gVisor recently got its own #ASLR implementation. OTOH, #Sydbox uses ASLR provided by the #Linux #kernel and enforces PIE executables. #HardenedBSD has a sysctl to enforce PIE as well: https://man.exherbo.org/syd.7.html#Enforcing_Position-Independent_Executables_(PIE) #exherbo #linux #security
SYD(7)

👀 So, here's 18 minutes of pure geeky bliss where we pretend #sandboxing is as thrilling as bungee jumping. 🏗️ Let's endlessly list things like namespaces, #cgroups, and #gVisor while forgetting that 99% of readers are now asleep. 😴 Keep your kernels close, folks, because apparently, they’re the rockstars of this yawn-fest. 🎸
https://www.shayon.dev/post/2026/52/lets-discuss-sandbox-isolation/ #geekybliss #techhumor #HackerNews #ngated
Let's discuss sandbox isolation

A dive into the spectrum of sandboxing and isolation, from Linux namespaces and gVisor to hardware-enforced microVMs and WebAssembly, and why picking the right boundary matters for multi-tenant workloads.

Shayon Mukherjee
To compare #sydbox and #gvisor, take 2 CVEs: CVE-2018-19333, gvisor proc2proc arbitrary-memory-write which wasn't classified as sandbox break. Vuln is there because gvisor uses the seccomp-trap API to run all in a single process ignoring ASLR. CVE-2024-42318 aka Houdini is a #landlock break where a keyrings(7) call would unlock the sandbox. Syd wasn't affected: 1. keyrings is def disabled 2. open call happens in a syd emulator thread confined by same landlock sandbox. #exherbo #linux #security
Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!
Yes, please!: 80%
No, go away!: 0%
I'll DM or mail [email protected]: 0%
I want to see you at RustConf2026: 20%

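When AI agents execute code: why containers alone are not enough

Introduces why containers alone are not enough when AI agents execute code, and practical selection criteria for sandbox technologies such as microVM, gVisor, and Wasm.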

https://aisparkup.com/posts/8084

#AIAnToan #Sandboxing #KhoaHocDuLieu #AIQuanLy

Limiting the autonomous behavior of AI agents through sandboxing: the article analyzes the risks of uncontrolled tool access and network/system exposure, and solutions such as Docker, Firecracker, and gVisor. Learn how to optimize safety in your product.

#AIUnsafe #AnToanCongNghe #QuanLyAI #Container #MicroVM #GVisor #DevOps #Cybersecurity

https://www.reddit.com/r/programming/comments/1po8ar9/sandboxing_ai_agents_practical_ways_to_limit/