The recent #Linux page cache write vulnerabilities only bypass one security layer, the traditional file permissions, right? So, any system they can be exploited on lacks defence in depth.

→ More userspace processes should run with NO_NEW_PRIVS.

#CopyFail #DirtyFrag
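As an added illustration of the NO_NEW_PRIVS recommendation above (example code written for this page, not part of the original posts and not from any of the projects named in the thread): the flag is set with a single prctl() call, can never be cleared again, and is inherited across fork() and execve(). The practical effect is that setuid/setgid bits and file capabilities on anything the process later executes are ignored, so a process running with the flag cannot regain privilege by executing a tampered setuid binary. The helper names (nnp_*) are hypothetical; the kernel interface used is the documented prctl(2) one. Assumes Linux (kernel 3.5 or later for prctl, 4.10 or later for the NoNewPrivs line in /proc).

```c
/* Added example (not from the thread above): setting and checking
 * PR_SET_NO_NEW_PRIVS on Linux.  Assumes a Linux kernel >= 3.5 and
 * glibc; the helper names (nnp_*) are hypothetical, not a real API. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Query the flag for the calling thread: 1 = set, 0 = clear, -1 = error. */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag.  Once set it cannot be cleared; it is inherited by every
 * child created with fork() and survives execve(), so the process and
 * its descendants cannot gain privilege by executing setuid/setgid
 * binaries or binaries carrying file capabilities.  Setting it when it
 * is already set is harmless.  Returns 0 on success, -1 on error. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Attempt to clear the flag.  The kernel accepts only arg2 == 1, so
 * this call is rejected with EINVAL.  Returns errno on failure
 * (expected: EINVAL) or 0 if the kernel ever accepted it. */
int nnp_try_clear(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Read the NoNewPrivs field of /proc/self/status: the same information
 * as PR_GET_NO_NEW_PRIVS, but visible to an outside observer looking at
 * /proc/<pid>/status (e.g. an audit script).  Returns 0 or 1, or -1 if
 * the field is absent (kernel < 4.10) or /proc cannot be read. */
int nnp_from_procfs(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        int v;
        /* the real line is "NoNewPrivs:\t1"; the space in the format
         * string matches any whitespace, including the tab */
        if (sscanf(line, "NoNewPrivs: %d", &v) == 1) {
            result = v;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Fork a child and report whether it inherited the flag:
 * 1 = inherited, 0 = not inherited, -1 = fork/wait error. */
int nnp_inherited_by_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_get() == 1 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("before: prctl=%d procfs=%d\n", nnp_get(), nnp_from_procfs());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  prctl=%d procfs=%d clear->errno=%d child_inherited=%d\n",
           nnp_get(), nnp_from_procfs(), nnp_try_clear(),
           nnp_inherited_by_child());
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, NO_NEW_PRIVS is not a sandbox on its own: it only removes the execve-time privilege transitions (setuid/setgid, file capabilities, and LSM domain transitions that would gain privilege); it does nothing about files the process can already read or write, and it does not protect against a tampered file that some other, already-privileged process later executes. Second, it is already widely available without writing C: systemd's NoNewPrivileges=yes sets it for a service, bubblewrap sets it for everything it launches, and an unprivileged process must have it set before it may install a seccomp filter, so the flag is the foundation the other sandboxing layers build on.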

It's becoming less and less tolerable for the security of other operating systems to be so far behind that of smartphones.

→ Traditional Linux must catch up to Android Linux. All applications must be properly sandboxed.

#Linux #security #Android #sandbox #CopyFail #DirtyFrag

I've been diving into this problem since last month. Along the way I found a vulnerability in a new sandboxing tool (sandlock) and fixed a known vulnerability in a much older tool (firejail).

Sadly, what I haven't found is a tool that could become a de facto standard for Linux userspace security. One of the reasons for this is that the kernel doesn't make it easy to create such a tool.

→ The kernel is missing an important security feature. This might be fixed in the not too distant future.

@Changaco flatpak and podman are right there 🧐

For anyone interested in #Linux security, a good explanation of a way to escape from the #Flatpak sandbox has been posted to the oss-security mailing list today: https://www.openwall.com/lists/oss-security/2026/05/19/1

You might also want to read this article from last year: https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

cc @Seg

#sandboxing #dbus #xdg #freedesktop #wine

oss-security - On the issue of MIME handlers that execute arbitrary code (e.g. Wine)