#exherbo — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #exherbo, aggregated by home.social.
-
#Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: https://raw.githubusercontent.com/v12-security/pocs/d4043edc2acbd75d093e3f5795751b678c66b259/fragnesia/fragnesia.c #exherbo #linux #security
-
I made an #asciicast showcasing Ghost Mode of #sydbox: https://asciinema.org/a/1039185 #exherbo #linux #security
-
#Sydbox 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have a bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3530 #exherbo #linux #security
-
News from #Sydbox #git: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile "wx" combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. #exherbo #linux #security
-
#Sydbox 3.52.0 is released! I've just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you're recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md #exherbo #linux #security
-
Mitigation against copy.fail in upcoming #Sydbox: Syd will refuse to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. #exherbo #linux #security
-
#GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security
-
Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security
-
New #container breakout: https://copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security
-
News from #sydbox git: Starting next release, we're going to be signing binary releases with #OpenBSD signify rather than #GnuPG. To enable practical signing in #Exherbo #Gitlab CI, I wrote an #ISC licensed, pure portable #POSIX shell implementation of #OpenBSD signify. signify.sh has no external dependencies and runs with PATH=. It has unit tests embedded which may be run with --test option: https://gitlab.exherbo.org/sydbox/sydbox/-/raw/next/dev/signify.sh #exherbo #linux #security
-
#gVisor recently got its own #ASLR implementation. OTOH, #Sydbox uses ASLR provided by the #Linux #kernel and enforces PIE executables. #HardenedBSD has a sysctl to enforce PIE as well: https://man.exherbo.org/syd.7.html#Enforcing_Position-Independent_Executables_(PIE) #exherbo #linux #security
-
#Sydbox is NOT hosted on #Github and this is an ethical decision. Main repository is the #Exherbo #Gitlab, we have mirrors on #Sourcehut and #Codeberg. Having said that, the code is GPL-3 and I can't legally prevent anyone from mirroring it on Github. I can just kindly ask not to...: https://github.com/tamaroning/sydbox/issues/1 #exherbo #linux #security
-
Here are #rustlang bindings for Redis' #radix tree: https://crates.io/crates/redix New #sydbox uses this for path canonicalization which sufficiently reduces its userspace overhead. Let me know if sydbox-3.51.1 is too fast for you and I'll add some random sleeps around the code ;) #exherbo #linux #security
-
#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
-
News from #sydbox git: Force sandboxing (binary verification) now uses #Linux #kernel cryptography. You may use any hash algorithm your kernel supports and the checksumming process happens with zero-copy without copying data into Syd's process space. This ensures performance and privacy. Syd is hash-algorithm agnostic and makes no choice of a default. Pandora learned to autoselect the best available algorithm. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Force_Sandboxing #exherbo #security
-
New hardening in #Sydbox 3.50.0: "Immutable Sticky Bit" where Syd enforces the immutability of the sticky bit at chmod(2) boundary for directories. Sticky bit on dirs such as /tmp is a critical security primitive that restricts file deletion/renaming to file/directory owner or root. This also helps raise the bar for trusted symlink bypasses. On by default, disable with trace/allow_unsafe_sticky:1. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Immutable_Sticky_Bit #exherbo #linux #security
-
News from #Linux #kernel: io_uring gains filtering support with _unprivileged_ cBPF which means unprivileged sandboxers such as #sydbox can selectively allow io_uring without any escape vectors going forward. cBPF is NOT eBPF and it's available to unprivileged processes on Linux. Filtering with cBPF is simple yet powerful. Cherry on the cake is you may filter on socket(2) domains, open(2)/openat(2) flags, and openat2(2) resolve flags: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=591beb0e3a03 #exherbo #security
-
You know I'm born to lose, and sandboxing is for fools but that's the way I like it baby I don't want to live forever! #sydbox 3.49.0 is released with a long list of bugfixes and hardenings. #sydbox is a rock-solid application kernel to sandbox applications on #Linux. Refer to the ChangeLog for the list of changes: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3490 #exherbo #security #motörhead
-
Updated #sydbox to 3.35.0: hardened #Landlock, empty mount namespaces using pivot_root and root:tmpfs a la #bubblewrap, many bug fixes thx to LTP, many bug/portability fixes thx to #alpine #linux folks. New utilities #syd-fd and #syd-x. See the release mail for more information: https://is.gd/syd_3_35_0 #exherbo #hacking #security
-
syd-3.13.1 has been released: fixes readlink path issues, boosts stat sandboxing with readlink enhancements, updates MSRV to 1.71, secures /proc magiclinks against sandbox escapes, and strengthens container security with advanced resolution strategies. See https://man.exherbolinux.org. Want to test your hacking skills? Check out syd #ctf at https://ctftime.org/event/2178 #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang
-
SydB☮x-3.11.1 has been released: new syd-run tool to run commands inside syd containers, hardening of sandbox process environment, and many minor fixes. syd-ldd - syd's secure alternative to ldd(1) - now uses the stricter 'immutable' profile rather than the 'container' profile ... see: https://sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang
-
SydB☮x-3.10.0 has been released: trace mode to automatically generate sandboxing profiles, support for immutable containers and private /tmp, ... see: https://sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang