home.social
Sign in Create account

#sydbox — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sydbox, aggregated by home.social.

  1. alip @[email protected] ·

    #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

    #sydbox #fragnesia #exherbo #linux #security
  2. alip @[email protected] ·

    #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

    #sydbox #fragnesia #exherbo #linux #security
  3. alip @[email protected] ·

    #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

    #security #linux #exherbo #fragnesia #sydbox
  4. alip @[email protected] ·

    #Sydbox containers are not affected by the new LPE #Fragnesia because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: raw.githubusercontent.com/v12- #exherbo #linux #security

    #sydbox #fragnesia #exherbo #linux #security
  5. alip @[email protected] ·

    New #container breakout: copy.fail/ #sydbox containers aren't affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don't use AEAD but CTR(AES). #exherbo #linux #security

    #container #sydbox #exherbo #linux #security
  6. alip @[email protected] ·

    News from #sydbox git: Starting next release, we're going to be signing binary releases with #OpenBSD signify rather than #GnuPG. To enable practical signing in #Exherbo #Gitlab CI, I wrote an #ISC licensed, pure portable #POSIX shell implementation of #OpenBSD signify. signify.sh has no external dependencies and runs with PATH=. It has unit tests embedded which may be run with --test option: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

    #sydbox #openbsd #gnupg #exherbo #gitlab #isc
  7. alip @[email protected] ·

    #Sydbox is NOT hosted on #Github and this is an ethical decision. Main repository is the #Exherbo #Gitlab, we have mirrors on #Sourcehut and #Codeberg. Having said that, the code is GPL-3 and I can't legally prevent anyone from mirroring it on Github. I can just kindly ask not to...: github.com/tamaroning/sydbox/i #exherbo #linux #security

    #sydbox #github #exherbo #gitlab #sourcehut #codeberg
  8. alip @[email protected] ·

    Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!

    #dangerzone #flatpak #snap #ai #rustlang #sandbox
  9. alip @[email protected] ·

    Sometimes devil is in the details. #POSIX requires option parsing to terminate when the initial non-option argument is encountered. This is different than the #GNU style which continues parsing arguments until an explicit "--" is encountered. The latter has been susceptible to command line injection attacks. One recent example is in #bubblewrap & #flatpak combo with CVE-2024-32462. Otoh, #sydbox and all its utilities use posixly correct option parsing: nvd.nist.gov/vuln/detail/cve-2 #linux #security

    #posix #gnu #bubblewrap #flatpak #sydbox #linux
  10. alip @[email protected] ·

    Fellow #Exherbo developer Johannes Nixdorf submitted a patch to #lkml yesterday, fixing a nasty race condition in #seccomp: lkml.org/lkml/2025/7/23/1174 #security #sydbox

    #exherbo #lkml #seccomp #security #sydbox
  11. alip @[email protected] ·

    Latest #sydbox will come with a novel use of #seccomp: Using unused syscall arguments as random cookies. Read here for more information: man.exherbo.org/syd.7.html#Sys #exherbo #linux #security

    #sydbox #seccomp #exherbo #linux #security
  12. alip @[email protected] ·

    Updated #sydbox to 3.35.0: hardened #Landlock, empty mount namespaces using pivot_root and root:tmpfs a la #bubblewrap, many bug fixes thx to LTP, many bug/portability fixes thx to #alpine #linux folks. New utilities #syd-fd and #syd-x. See the release mail for more information: is.gd/syd_3_35_0 #exherbo #hacking #security

    #sydbox #landlock #bubblewrap #alpine #linux #syd
  13. alip @[email protected] ·

    News from #sydbox: when you configure syd-tor to use a #UNIX domain socket for external #TOR connections which is a new feature it will open an O_PATH fd to the socket, enter into a network+mount+user+... namespace, chroot into /proc/self/fd and access the unix socket using the fd number. This means it will work even if you remove the socket. The socket is duplicated to a random fd to make fd reuse harder. We also apply mdwe, #seccomp and #landlock on top, read more here: man.exherbo.org/syd-tor.1.html

    #sydbox #unix #tor #seccomp #landlock
  14. alip @[email protected] ·

    Announcing #sydbox 3.22.0 with Proxy sandboxing! Introducing syd-tor, a secure SOCKS proxy forwarder, set to 127.0.0.1:9050 by default, perfect for #Tor. Syd-tor features #seccomp filters and #Landlock (if available) for strict confinement, and offers full #async operations with edge-triggered epoll and zero-copy data transfer using splice. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: is.gd/w9LqZS

    #sydbox #tor #seccomp #landlock #async #kernel
  15. alip @[email protected] ·

    SydB☮x-3.11.1 has been released: new syd-run tool to run commands inside syd containers, hardening of sandbox process environment, and many minor fixes. syd-ldd - syd's secure alternative to ldd(1) - now uses the stricter 'immutable' profile rather than the 'container' profile ... see: sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

    #sydbox #exherbo #gnu #linux #seccomp #landlock
  16. alip @[email protected] ·

    SydB☮x-3.10.0 has been released: trace mode to automatically generate sandboxing profiles, support for immutable containers and private /tmp, ... see: sydbox.exherbolinux.org #sydbox #exherbo #gnu #linux #seccomp #landlock #container #rust #rustlang

    #sydbox #exherbo #gnu #linux #seccomp #landlock
  17. alip @[email protected] ·

    #sydbox-3.9.12 is released. #sydbox is a #seccomp & #landlock based application #sandbox w\ support for namespaces written in #Rust. Want to test your #hacking skills? Check out our #CTF: ctftime.org/event/2178 Now you can /query sydbot on #libera #irc network and start playing right away!

    #sydbox #seccomp #landlock #sandbox #rust #hacking