2024-10-11T19:32:09+02:00 #sydbox-3.27.0 has been released! This release adds support to set secure-execution mode (aka AT_SECURE) and IP blocklists which can be used to build application level firewalls. #sydbox is a rock-solid #unikernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/syd_3_27_0 #exherbo
2024-10-10T01:36:53+02:00 Features cooking in #sydbox #git: Syd is going to set AT_SECURE by default!
2024-10-10T01:36:27+02:00 Features cooking in #sydbox #git: IP Blocklists and Application Level Firewalling!
2024-08-18T09:06:52+02:00 #sydbox uses #landlock, however we're not affected by CVE-2024-42318 because we deny the keyctl system call by default, secure defaults #ftw: https://www.cve.org/CVERecord/?id=CVE-2024-42318 #sandbox #break
2024-07-08T06:05:05+02:00 #wisdom of the day: if you're manually dropping in #rustlang, you're most likely doing it wrong.
2024-06-26T21:48:55+02:00 Announcing #sydbox 3.23.0 with Time namespace support and new security options! Highlights: set clock offset in Time namespace, deny namespace creation by default and new Ioctl sandboxing to contain GUIs and AI/ML workloads. Fixes: Crypt sandboxing race condition resolved and better handling of memory file descriptors. Features: new option to Force Close-on-Exec and Netlink support. #sydbox is a rock-solid #unikernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/x4xtkD
2024-06-15T11:42:05+02:00 Announcing #sydbox 3.22.0 with Proxy sandboxing! Introducing syd-tor, a secure SOCKS proxy forwarder, set to 127.0.0.1:9050 by default, perfect for #Tor. Syd-tor features #seccomp filters and #Landlock (if available) for strict confinement, and offers full #async operations with edge-triggered epoll and zero-copy data transfer using splice. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/w9LqZS
2024-06-13T00:14:32+02:00 today i've packaged #podman v5.1.1 for #exherbo.
2024-06-08T09:26:02+02:00 Announcing #sydbox 3.21.0 with Trusted Path Execution (TPE) sandboxing and stricter symlink handling. Key updates: improved umask handling honouring POSIX ACLs, new sidechannel mitigations, SafeSetID improvements, better symlink handling, and upgraded #mimalloc library. We've also published our #CTF profile for transparency. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/iOWnNi
2024-05-30T23:00:42+02:00 Announcing #sydbox 3.20.0 which includes Crypt Sandboxing for transparent #AES-CTR file #encryption and Ghost Mode for enhanced confinement like #Seccomp Level 1. Fixes include proper read-write open sandboxing and #youki updates which fix #podman exec for syd-oci. New utilities: syd-key for AES-CTR keygen, syd-cp for efficient file copying, and syd-aes for {en,de}cryption. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/2tczYu
2024-05-20T17:33:06+02:00 Try to write the rule "allow/read,stat,exec+/{etc,dev,proc,usr,var,lib*}/***", by your favourite #sandbox, be it #selinux or #apparmor or #firejail, you'll quickly notice what #sydbox saves you from ;). #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://crates.io/crates/syd
2024-05-19T01:41:17+02:00 I've written an #article titled "TOCTOU||GTFO: State of Sandboxing in Linux" where I shared my thoughts on the current state of user-space sandboxing on #Linux based on my observations on two prime examples of sandbox: #Gentoo's #sandbox and #Exherbo's #sydbox. I appreciate and welcome all kinds of feedback, be it in the form of patches, comments, or even poems: https://git.sr.ht/~alip/syd/tree/main/item/doc/toctou-or-gtfo.md
2024-05-19T01:29:51+02:00 #sydbox 3.19.0 released! Highlights include the new syd-poc utility to demonstrate #sandbox break vectors, improved #paludis profile, and safe #KVM ioctls for #QEMU. Enhanced debugging and tracing options, unified trace/allow_unsafe_debug, and mitigated O_PATH TOCTOU. Enhanced namespace and sandboxing type controls, plus more. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/l7QUE1
2024-05-12T17:49:43+02:00 #sydbox v3.18.13 is out which doesn't permit execution of libraries: It's no longer possible to bypass Exec #sandboxing with e.g. /lib/ld-linux.so.1 /deny/listed/binary. Note, this breaks ldd which is an insecure tool. syd-elf utility is provided as a safe alternative to ldd which reads only and the option trace/allow_unsupp_exec:1 is provided to relax the restriction. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://crates.io/crates/syd
2024-05-05T02:25:26+02:00 With version 3.18.0 released today, #sydbox joins the family of #OCI container runtimes! The new syd-oci utility is largely based on #youki and provides a thin layer between the Syd #sandbox and #containers. It supports all the common commands and is compatible with both #Docker and #Podman. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang. Read more about syd-oci here: https://man.exherbolinux.org/syd-oci.1.html
2024-05-03T19:35:48+02:00 #sydbox 3.17.4 is out! This release focuses on improved #security by denying access to paths containing control characters and sanitizing these characters when #logging paths. These enhancements enhance the #security of #logging activities and prevent #exploitation of terminal-based vulnerabilities. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang. Read more here: http://man.exherbolinux.org/syd.7.html#Enhanced_Path_Integrity_Measures
2024-05-03T12:18:32+02:00 Version 3.17.3 of #sydbox is released, adding a #vim syntax script for syd profiles: #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://crates.io/crates/syd
2024-05-02T02:58:28+02:00 Version 3.17.0 of #sydbox is released, introducing Enhanced Execution Control (EEC) to block critical syscalls after exec, refining default locking to auto-enable for increased #security. Updates include advanced syscall #hardening, #kernel-level #seccomp enhancements, and #performance optimizations in #locking mechanisms. #sydbox is a rock-solid user-space #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://crates.io/crates/syd
2024-04-22T16:41:04+02:00 The recent GSM #Linux kernel exploit does not work under #sydbox because the GSM* ioctls are not in syd's default ioctl allowlist which is a fairly restricted subset. Read more on how #sydbox restricts ioctl request space here: http://man.exherbolinux.org/syd.7.html#Restricting_ioctl_request_space_and_trace/allow_unsafe_ioctl #exherbo #rustlang
2024-04-18T14:17:16+02:00 New #sydbox features cooking in #git (2): Now, syd, by default, only allows execution of ELF binaries and scripts which excludes binfmt_misc binaries. This may be overridden with trace/allow_unsupp_binfmt:1. In addition, Force Sandboxing (aka binary verification), now also verifies the dynamic libraries for dynamically linked executables.
2024-04-18T14:16:55+02:00 New #sydbox features cooking in #git: trace/deny_elf32:1 prevents execution of 32-bit bins. trace/deny_elf_static:1 prevents execution of statically linked bins. trace/deny_elf_dynamic:1 prevents execution of dynamically linked bins. trace/deny_scripts prevents scripts. All these can be changed at runtime which provides ways to harden (e.g. , deny_scripts, ).
2024-04-14T10:28:46+02:00 #sydbox hit 300k downloads @ https://crates.io/crates/syd today! Thanks everyone for the interest!
2024-04-12T20:08:09+02:00 nice writeup on #Linux capabilities: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities
2024-04-10T17:53:28+02:00 Upcoming #sydbox 3.16.0 has an effective mitigation for exec(2) TOCTOU, making binary verification and exec sandboxing secure. Binary verification, aka force sandboxing, is similar to #netbsd's veriexec and #hardenedbsd's integriforce. Read more here: http://man.exherbolinux.org/syd.7.html#TOCTOU #exherbo #rustlang
2024-03-30T01:50:23+01:00 supply chain attacks are a thing: https://www.openwall.com/lists/oss-security/2024/03/29/4
2024-03-29T15:21:42+01:00 Hardened Exherbo desktop profile is going to ship XFCE desktop environment.
2024-03-29T13:51:08+01:00 Hardened Exherbo profile passes -ftrivial-auto-var-init=zero to CFLAGS via make.defaults now. Stage4 is rebuilt successfully with the added flag.
2024-03-29T13:50:00+01:00 RTFM: https://clangbuiltlinux.github.io/CBL-meetup-2020-slides/glider/Fighting_uninitialized_memory_%40_CBL_Meetup_2020.pdf
2024-03-29T13:39:21+01:00 #security is mostly an illusion without W^X for memory and filesystem.
2024-03-29T13:37:08+01:00 Hardened Exherbo desktop profile will ship Firefox with JIT disabled so that it works under MDWE protections. When there is a choice between secure vs fast, we prefer secure.
2024-03-29T10:46:54+01:00 sydbox is not affected by CVE-2024-1086 because we prevent user subnamespaces: https://github.com/notselwyn/cve-2024-1086
2024-03-28T18:29:58+01:00 Hardened Exherbo now ships with sinit patched to apply MDWE unless mdwe=0 was passed on boot.
2024-03-28T18:29:18+01:00 Hardened Exherbo now ships with openntpd & nginx configured to run under sydbox.
2024-03-28T05:01:36+01:00 Exherbo is about choice. Hardened Exherbo is about secure defaults.
2024-03-28T04:46:00+01:00 Exherbo manifest generation in progress, these repos are done: arbor, dev/alip, hardware, net, perl, python, ruby, rust, selinux, x11, gnome and kde
2024-03-28T04:44:06+01:00 For a primer on manifest generation on Exherbo, read this: https://www.kepstin.ca/blog/manifest-generation-in-exherbo/
2024-03-28T04:28:43+01:00 Hardened Exherbo kernel is shipping CaitSith 0.2.11 2023/05/27
2024-03-28T04:22:28+01:00 First Hardened Exherbo Kernel built latest Linux stable 6.8.2 with LLVM=1, CFI (Control Flow Integrity), with latest CaitSith and signed modules. This kernel boots hexsys.org atm, the patchset is here: https://gitlab.exherbo.org/hex/hex-kernel kernel tarball is here: https://distfiles.exherbolinux.org/sydbox/linux-6.8.2-hex-g3dcacd393faf.tar.xz (append .asc to the url for gpg signature).
2024-03-28T03:54:57+01:00 Generating SHA512 distfile manifests for Exherbo, Hardened Exherbo will have them required.
2024-03-28T03:43:13+01:00 Hello world! This is Hardened Exherbo twtxt feed.