home.social

#landlock — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #landlock, aggregated by home.social.

  1. #Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: gitlab.exherbo.org/sydbox/sydb #exherbo

  2. Linux Landlock: an application sandbox without root

    Landlock is a rare case on Linux where a "sandbox" can be switched on by the application itself: without root, without miles of policies, and with a clear "everything is denied by default" logic. In this article we go over what kind of LSM this is, which three system calls are needed, how to choose a minimal set of rights, and why file descriptors opened before the restrictions are applied can quietly nullify the whole idea. Open the write-up

    habr.com/ru/companies/otus/art

    #Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы

  3. signify-rs 0.3.0 is released! The main code now runs sandboxed with #capsicum on #FreeBSD, #pledge/#unveil on #OpenBSD, and #landlock on #Linux. File opens are hardened with openat2 on Linux and O_NOFOLLOW on #unix. Resource limits are set for further hardening. Code fixed to create deterministic signatures, bit-exact with the reference implementation. Refer to the ChangeLog for more information: git.sr.ht/~alip/signify/tree/m #rustlang #security

  4. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  5. crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.

    Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).

    codeberg.org/mark22k/crazytrac
    codeberg.org/mark22k/crazytrac

    #crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp

  6. Updated #sydbox to 3.35.0: hardened #Landlock, empty mount namespaces using pivot_root and root:tmpfs a la #bubblewrap, many bug fixes thx to LTP, many bug/portability fixes thx to #alpine #linux folks. New utilities #syd-fd and #syd-x. See the release mail for more information: is.gd/syd_3_35_0 #exherbo #hacking #security

  7. News from #sydbox: when you configure syd-tor to use a #UNIX domain socket for external #TOR connections, which is a new feature, it will open an O_PATH fd to the socket, enter into a network+mount+user+... namespace, chroot into /proc/self/fd and access the unix socket using the fd number. This means it will work even if you remove the socket. The socket is duplicated to a random fd to make fd reuse harder. We also apply mdwe, #seccomp and #landlock on top, read more here: man.exherbo.org/syd-tor.1.html

  8. #sydbox-3.33.0 is released. This work continues the sandbox category rework: "rmdir" category is now split from the "delete" category and the #landlock categories have been refined to be more #openbsd #pledge like. The tool syd-lock also got a rework so landlock categories may be used with that too while the old, easy interface is still available so your scripts will not break! See the release announcement for more information: is.gd/eVxsBt #exherbo

  9. Announcing #sydbox 3.22.0 with Proxy sandboxing! Introducing syd-tor, a secure SOCKS proxy forwarder, set to 127.0.0.1:9050 by default, perfect for #Tor. Syd-tor features #seccomp filters and #Landlock (if available) for strict confinement, and offers full #async operations with edge-triggered epoll and zero-copy data transfer using splice. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: is.gd/w9LqZS

  10. Both #seccomp and #landlock are amazing security tools but IMHO we need a standard, friendly DSL to configure them.

  11. syd-3.13.1 has been released: fixes readlink path issues, boosts stat sandboxing with readlink enhancements, updates MSRV to 1.71, secures /proc magiclinks against sandbox escapes, and strengthens container security with advanced resolution strategies. See man.exherbolinux.org. Want to test your hacking skills? Check out syd #ctf at ctftime.org/event/2178 #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

  12. SydB☮x-3.11.1 has been released: new syd-run tool to run commands inside syd containers, hardening of sandbox process environment, and many minor fixes. syd-ldd - syd's secure alternative to ldd(1) - now uses the stricter 'immutable' profile rather than the 'container' profile ... see: sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

  13. SydB☮x-3.10.0 has been released: trace mode to automatically generate sandboxing profiles, support for immutable containers and private /tmp, ... see: sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

  14. #sydbox-3.9.12 is released. #sydbox is a #seccomp & #landlock based application #sandbox w/ support for namespaces written in #Rust. Want to test your #hacking skills? Check out our #CTF: ctftime.org/event/2178 Now you can /query sydbot on #libera #irc network and start playing right away!