#FreeBSD #Jail chroot escape via fd exchange with a different jail! Both #OpenBSD pledge(2) and #Sydbox prevent sending directory file descriptors over #unix sockets which prevents this vector: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:04.jail.asc #exherbo #linux #security
News from #Linux #kernel: io_uring gains filtering support with _unprivileged_ cBPF which means unprivileged sandboxers such as #sydbox can selectively allow io_uring without any escape vectors going forward. cBPF is NOT eBPF and it's available to unprivileged processes on Linux. Filtering with cBPF is simple yet powerful. Cherry on the cake is you may filter on socket(2) domains, open(2)/openat(2) flags, and openat2(2) resolve flags: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=591beb0e3a03 #exherbo #security
Merge tag 'io_uring-bpf-restrictions.4-20260206' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux - kernel/git/torvalds/linux.git - Linux kernel source tree

You know I'm born to lose, and sandboxing is for fools but that's the way I like it baby I don't want to live forever! #sydbox 3.49.0 is released with a long list of bugfixes and hardenings. #sydbox is a rock-solid application kernel to sandbox applications on #Linux. Refer to the ChangeLog for the list of changes: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3490 #exherbo #security #motörhead

@alip I just read a Phoronix article about a new Microsoft project called LiteBox, which is a sandboxing tool written in Rust for Linux/Windows/other environments. From their GitHub repo (https://github.com/microsoft/litebox) description, "LiteBox is a sandboxing library OS that drastically cuts down the interface to the host, thereby reducing attack surface."

I am always excited to see new sandboxing projects. I doubt I will ever use LiteBox, especially with the simplicity and versatility of #sydbox, but regardless I wanted to let you know of its existence.

GitHub - microsoft/litebox: A security-focused library OS supporting kernel- and user-mode execution

Name ideas for upcoming #sydbox book: "Das Syd", referring to the "Das Kapital" of Mr. #Marx with a subtitle: Like das kapital but with less capital, #free as in #freedom! So "Der Syd" is Syd Barrett and "Das Syd" is the #sandbox. #exherbo #linux #security #joke
To compare #sydbox and #gvisor, take 2 CVEs: CVE-2018-19333, gvisor proc2proc arbitrary-memory-write which wasn't classified as sandbox break. Vuln is there because gvisor uses the seccomp-trap API to run all in a single process ignoring ASLR. CVE-2024-42318 aka Houdini is a #landlock break where a keyrings(7) call would unlock the sandbox. Syd wasn't affected: 1. keyrings is def disabled 2. open call happens in a syd emulator thread confined by same landlock sandbox. #exherbo #linux #security
Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!
Yes, please! (80%)
No, go away! (0%)
I'll DM or mail alip@chesswob.org (0%)
I want to see you at RustConf2026 (20%)
Thanks to everyone for the amazing #FOSDEM! You may watch all my #sydbox talks, including the one from #fosdem2026 here: https://www.youtube.com/@AliPolatel #exherbo #linux #security #rustlang
Ali Polatel
Initial #pdf of my #FOSDEM talk this Sunday, #sydbox Writing an Application Kernel in #rustlang is up: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/next/doc/talks/2026-Syd-FOSDEM/Syd-FOSDEM.pdf?ref_type=heads Curious to read your feedback so please comment if you feel like it :). This is going to be a shorter 25-minute talk and I plan to talk more about the Rust side of things. Everyone is kindly invited, the talk link is here: https://fosdem.org/2026/schedule/event/3AHJPR-rust-syd-application-kernel/ #exherbo #linux #security
#sydbox 3.48.6 is out! Each time I say last release before #FOSDEM I end up doing another one so I don't do that this time :-) Some bug fixes and hardenings, AES encryption threads now run with no access to filesystem and network thanks to a per-thread #landlock sandbox which is somewhat cool. ChangeLog is where the rest of the story is as usual: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3486 #exherbo #linux #security