home.social

#sydbox — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sydbox, aggregated by home.social.

  1. #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

  2. #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

  3. #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

  4. #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

  5. #Sydbox 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  6. #Sydbox 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  7. #Sydbox 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  8. #Sydbox 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  9. News from #Sydbox #git: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile "wx" combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. #exherbo #linux #security

  10. News from #Sydbox #git: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile "wx" combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. #exherbo #linux #security

  11. News from #Sydbox #git: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile "wx" combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. #exherbo #linux #security

  12. News from #Sydbox #git: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile "wx" combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. #exherbo #linux #security

  13. #Sydbox 3.52.0 is released! I've just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you're recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  14. #Sydbox 3.52.0 is released! I've just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you're recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  15. #Sydbox 3.52.0 is released! I've just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you're recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  16. #Sydbox 3.52.0 is released! I've just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you're recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  17. Mitigation against copy.fail in upcoming #Sydbox: Syd will reject to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. #exherbo #linux #security

  18. Mitigation against copy.fail in upcoming #Sydbox: Syd will reject to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. #exherbo #linux #security

  19. Mitigation against copy.fail in upcoming #Sydbox: Syd will reject to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. #exherbo #linux #security

  20. Mitigation against copy.fail in upcoming #Sydbox: Syd will reject to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. #exherbo #linux #security

  21. #GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security

  22. #GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security

  23. #GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security

  24. #GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security

  25. #GVisor supports only x86_64, arm64 yet they claim they run everywhere. #Sydbox passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won't claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! #exherbo #linux #security

  26. Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security

  27. Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security

  28. Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security

  29. Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security

  30. Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security

  31. New #container breakout: copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security

  32. New #container breakout: copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security

  33. New #container breakout: copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security

  34. New #container breakout: copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security

  35. New #container breakout: copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security

  36. #Sydbox is on #Radicle with ID rad:z38HCnbmcDegA2BMxuPaPRPMdp6wF seed it and share the love! Huge thanks to #HardenedBSD folks for seeding! #exherbo #linux #security #git

  37. #Sydbox is on #Radicle with ID rad:z38HCnbmcDegA2BMxuPaPRPMdp6wF seed it and share the love! Huge thanks to #HardenedBSD folks for seeding! #exherbo #linux #security #git

  38. #Sydbox is on #Radicle with ID rad:z38HCnbmcDegA2BMxuPaPRPMdp6wF seed it and share the love! Huge thanks to #HardenedBSD folks for seeding! #exherbo #linux #security #git

  39. #Sydbox is on #Radicle with ID rad:z38HCnbmcDegA2BMxuPaPRPMdp6wF seed it and share the love! Huge thanks to #HardenedBSD folks for seeding! #exherbo #linux #security #git

  40. #Sydbox is on #Radicle with ID rad:z38HCnbmcDegA2BMxuPaPRPMdp6wF seed it and share the love! Huge thanks to #HardenedBSD folks for seeding! #exherbo #linux #security #git

  41. Symbolic links bite again! This time it's #NixOS did you know #sydbox has trace/force_no_symlinks and trace/force_no_magiclinks options to disable following symlinks/magiclinks? You can even change them at runtime to achieve #pledge like confinement: discourse.nixos.org/t/nix-secu #nix #linux #security

  42. Symbolic links bite again! This time it's #NixOS did you know #sydbox has trace/force_no_symlinks and trace/force_no_magiclinks options to disable following symlinks/magiclinks? You can even change them at runtime to achieve #pledge like confinement: discourse.nixos.org/t/nix-secu #nix #linux #security