crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an AppArmor profile.

Furthermore, I have now implemented capability dropping with libcap-ng, Landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).

https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/apparmor/usr.bin.crazytrace
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/src/main.cpp

#crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp


crazytrace - What happens if a traceroute with the same TTL/hop limit is received from two different source addresses? How will they react?


I navigated #Linux #libcap and emerged alive on the other side.

Jesus F. Christ. I know the sudoers manpage used to be rough reading, but put together, I wonder if the capabilities- and libcap manpages aren't worse. Brush up on that set theory and propositional logic, because Here Be ̶D̶r̶a̶g̶o̶n̶s̶ Sets.

And when you think you finally got it? When you've started to make sense of the POSIX spec vs the Linux extensions? Does it work? Nope! It means you've graduated to learning about "secbits".

Where would we be without #wireshark, #libcap and #pcap?