#seccomp — Public Fediverse posts

OpenAI says Windows lacked the sandboxing tools Linux already had

https://web.brid.gy/r/https://nerds.xyz/2026/05/openai-linux-windows-codex-sandbox/

OpenAI says Windows lacked the sandboxing tools Linux already had

https://fed.brid.gy/r/https://nerds.xyz/2026/05/openai-linux-windows-codex-sandbox/

OpenAI says Windows lacked the sandboxing tools Linux already had

https://web.brid.gy/r/https://nerds.xyz/2026/05/openai-linux-windows-codex-sandbox/

OpenAI says Windows lacked the sandboxing tools Linux already had

https://fed.brid.gy/r/https://nerds.xyz/2026/05/openai-linux-windows-codex-sandbox/

OpenAI says Windows lacked the sandboxing tools Linux already had

https://web.brid.gy/r/https://nerds.xyz/2026/05/openai-linux-windows-codex-sandbox/

🥤🔒 Ah, the classic showdown: FreeBSD's #Capsicum vs. Linux's #Seccomp. It's the digital equivalent of debating whether a potato is a superior #security measure to a tomato. Spoiler alert: both are vegetables. 🥔🍅
https://vivianvoss.net/blog/capsicum-vs-seccomp #FreeBSD #Linux #Debate #Tech #Humor #HackerNews #ngated

FreeBSD Capsicum vs. Linux Seccomp Process Sandboxing

https://vivianvoss.net/blog/capsicum-vs-seccomp

#HackerNews #FreeBSD #Seccomp #Sandboxing #Capsicum #Linux #Security

Capsicum vs seccomp — capability vs syscall‑based sandboxing #FreeBSD #Linux #capsicum #seccomp
https://vivianvoss.net/blog/capsicum-vs-seccomp

I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

Source code: https://codeberg.org/mark22k/mping-sender

#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.

Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).

https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/apparmor/usr.bin.crazytrace
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/src/main.cpp

#crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp

[Перевод] Как защитить Kubernetes на уровне ядра Linux

Как защитить Kubernetes, если злоумышленник попытается выбраться из контейнера на хост? Рафаэль Натали предлагает многоуровневый подход: настройка Security Context, отказ от лишних прав, запуск контейнеров без root-доступа, а также усиление защиты с помощью AppArmor и seccomp.

https://habr.com/ru/companies/flant/articles/952012/

#security_contexts #apparmor #seccomp #kubernetes #noroot_containers #linux_namespace #runAsUser #безопасность_kubernetes #linux

Строим лабораторию по исследованию вирусов с eBPF и другими

Хабр, всем привет! Когда инфраструктура созрела до состояния персика и уже пора расширять классический SOC или вам всегда было интересно, как работает ВПО, то необходимо переходить к Threat Intelligence! Сегодня мы соберем свою лабу по исследованию вирусни/инструментов и процедур(PoC) в виртуальной среде для Linux-платформ.

https://habr.com/ru/companies/serverspace/articles/944614/

#linux #вирус #песочница #sandbox #ebpf #seccomp #podman #виртуализация #tcpdump #iptables

Строим лабораторию по исследованию ВПО

Хабр, всем привет! Когда инфраструктура созрела до состояния персика и уже пора расширять классический SOC или вам всегда было интересно, как работает ВПО, то пора переходить к Threat Intelligence! Сегодня мы соберем свою лабу по исследованию вирусни/инструментов и процедур(PoC) в виртуальной среде для Linux-платформ. Материал пригодиться, для понимания работы ВПО, написания митигации и детекции против них, а так же поиска паттернов в вашей инфраструктуре! На выходе мы получим список из артефактов, которые сможем использовать в работе.

https://habr.com/ru/companies/serverspace/articles/944056/

#linux #вирусы #песочница #sandbox #ebpf #seccomp #podman #виртуализация #tcpdump #iptables

🤔 Ever wonder how to escape from a container? Or how security tools know what permissions they have from inside that same container? It's nice to have a great script for #enumeration ... but what does it check for and why does it matter?

• Who am I? - Let’s get oriented and figure out what we have in our container. (https://some-natalie.dev/container-escapes-whoami/)

• Our shared kernel - #Containers are processes that share a kernel. What can we see about our host? (https://some-natalie.dev/container-escapes-shared-kernel/)

• Are we capable? - What sort of capabilities do we have? (https://some-natalie.dev/container-escapes-capabilities/)

• Seccomp is your friend - #Seccomp filters what a container can do. Let’s learn what’s been set for us. (https://some-natalie.dev/container-escapes-seccomp/)

• Are we in a microVM? - With #microVM runtimes gaining popularity, how do you know if you’re in a container? (https://some-natalie.dev/blog/microvm-or-container/)

(or, I did a little editing and put my workshop from @appsec_village at #DEFCON33 up) :heart_cybre:

Fellow #Exherbo developer Johannes Nixdorf submitted a patch to #lkml yesterday, fixing a nasty race condition in #seccomp: https://lkml.org/lkml/2025/7/23/1174 #security #sydbox

Latest #sydbox will come with a novel use of #seccomp: Using unused syscall arguments as random cookies. Read here for more information: https://man.exherbo.org/syd.7.html#Syscall_Argument_Cookies #exherbo #linux #security

News from #sydbox: when you configure syd-tor to use a #UNIX domain socket for external #TOR connections which is a new feature it will open an O_PATH fd to the socket, enter into a network+mount+user+... namespace, chroot into /proc/self/fd and access the unix socket using the fd number. This means it will work even if you remove the socket. The socket is duplicated to a random fd to make fd reuse harder. We also apply mdwe, #seccomp and #landlock on top, read more here: https://man.exherbo.org/syd-tor.1.html#SECURITY

О механизмах безопасности OpenSSH: разбираем уязвимости 2024 года

Прошлый год интересно проходил для SSH. Весной — бэкдор в xz-utils (CVE-2024-3094), в результате эксплуатации которого были скомпрометированы системы с systemd. В июле — критически опасная уязвимость «состояния гонки» для систем на базе glibc, получившая название regreSSHion. Спустя еще неделю была опубликована схожая проблема, получившая идентификатор CVE- 2024- 6409. А в августе — еще одна, уже специфичная для FreeBSD, CVE-2024-7589. Как заявляют исследователи, успешная эксплуатация «состояний гонки» позволяет получить RCE (удаленное выполнение кода) на подверженных системах. Более того, regreSSHion — главный баг, ставящий под угрозу безопасность множества SSH-серверов с glibc. Интересно, что эксплуатация уязвимости не требует особой конфигурации сервера (проблема актуальна и для конфигурации по умолчанию). При этом публичного PoC нет до сих пор. Мы решили разобраться в вопросе: так ли страшны эти «состояния гонки», так ли критически опасны? И какие механизмы в sshd призваны не допустить эксплуатации этой уязвимости или хотя бы уменьшить ущерб в случае успешной атаки?

https://habr.com/ru/companies/pt/articles/877102/

#openssh #fsop #glibc #rce #seccomp #regression #состояние_гонки #freebsd #github #malloc

I'd like to announce two new libseccomp releases today: libseccomp v2.5.6 which is a minor maintenance release to the v2.5.z release stream, and libseccomp v2.6.0 which is a new feature release for libseccomp. More details in the link below, but libseccomp v2.6.0 adds support for new architectures, transactional filter updates, and more. Give it a try, you'll like it :)

https://github.com/seccomp/libseccomp/releases/tag/v2.6.0

#seccomp

Изоляция процессов и минимизация привилегий: использование Linux namespaces и seccomp

По статистике, каждые 39 секунд в мире происходит кибератака. Задумайтесь об этом на мгновение. А теперь представьте, что процессы

https://habr.com/ru/companies/selectel/articles/866942/

#selectel #linux #linux_namespace #seccomp #процессы #изоляция_процессов #информационная_безопасность #иб

Interesting research paper comparing #sandboxing features found in #Linux, #OpenBSD and #FreeBSD, respectively #seccomp, pledge/unveil and #Capsicum

https://arxiv.org/abs/2405.06447 by Maysara Alhindi

@op you are mentioned there as gmid was studied :flan_smile:

via @goblin

Snowblind Abuses Android seccomp Sandbox To Bypass Security Mechanisms https://gbhackers.com/snowblind-android-seccomp-bypass/ #CVE/vulnerability #CyberSecurityNews #AndroidMalware #SecurityBypass #SystemCalls #Android #Malware #Seccomp

Announcing #sydbox 3.22.0 with Proxy sandboxing! Introducing syd-tor, a secure SOCKS proxy forwarder, set to 127.0.0.1:9050 by default, perfect for #Tor. Syd-tor features #seccomp filters and #Landlock (if available) for strict confinement, and offers full #async operations with edge-triggered epoll and zero-copy data transfer using splice. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/w9LqZS

#Container security fundamentals part 6: #seccomp https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-6/

Both #seccomp and #landlock are amazing security tools but IMHO we need a standard, friendly DSL to configure them.

syd-3.13.1 has been released: fixes readlink path issues, boosts stat sandboxing with readlink enhancements, updates MSRV to 1.71, secures /proc magiclinks against sandbox escapes, and strengthens container security with advanced resolution strategies. See https://man.exherbolinux.org. Want to test your hacking skills? Check out syd #ctf at https://ctftime.org/event/2178 #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

The data isn't fully populated yet, but bincapz can also tell you what syscalls you may need to run a binary in case you are a #seccomp user, #OpenBSD pledge groups, or #Linux capabilities.

The latter two will never be perfect though, as it depends on the arguments passed to the syscalls, but at least it'll give you an idea.

SydB☮x-3.11.1 has been released: new syd-run tool to run commands inside syd containers, hardening of sandbox process environment, and many minor fixes. syd-ldd - syd's secure alternative to ldd(1) - now uses the stricter 'immutable' profile rather than the 'container' profile ... see: https://sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

SydB☮x-3.10.0 has been released: trace mode to automatically generate sandboxing profiles, support for immutable containers and private /tmp, ... see: https://sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

#sydbox-3.9.12 is released. #sydbox is a #seccomp & #landlock based application #sandbox w\ support for namespaces written in #Rust. Want to test your #hacking skills? Check out our #CTF: https://ctftime.org/event/2178 Now you can /query sydbot on #libera #irc network and start playing right away!

A new minor release of libseccomp, version 2.5.5, is out with support for Linux v6.7-rc3's syscall table.

https://github.com/seccomp/libseccomp/releases/tag/v2.5.5

#seccomp