alip Public posts from @alip@mastodon.online https://mastodon.online/@alip/tagged/exherbo https://files.mastodon.online/accounts/avatars/000/194/530/original/0757c39f505e1e33.jpg alip https://mastodon.online/@alip/tagged/exherbo Mon, 08 Jun 2026 06:33:06 +0000 https://files.mastodon.online/accounts/avatars/000/194/530/original/0757c39f505e1e33.jpg Mastodon v4.6.0-nightly.2026-06-12 https://mastodon.online/@alip/116713087757014189 https://mastodon.online/@alip/116713087757014189 Mon, 08 Jun 2026 06:33:06 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> 3.55.0 is released! Introduces Domain Transitions to change sandbox policy manually or based on a set of events. IPC thread is hardened to set a limit on max connections and disconnect idle connections. Includes some minor security fixes for sandbox capabilities as well. Full story: <a href="https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">gitlab.exherbo.org/sydbox/sydb</span><span class="invisible">ox/-/blob/main/ChangeLog.md</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox exherbo linux security https://mastodon.online/@alip/116709717570321801 https://mastodon.online/@alip/116709717570321801 Sun, 07 Jun 2026 16:16:01 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> now passes Linux Testing Project tests on <a href="https://mastodon.online/tags/x32" class="mention hashtag" rel="tag">#<span>x32</span></a> architecture. Portability matters, even if x32 is very little in use, it has similarities to architectures such as <a href="https://mastodon.online/tags/mips64n32" class="mention hashtag" rel="tag">#<span>mips64n32</span></a> which we cannot easily test. <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox x32 mips64n32 exherbo linux security https://mastodon.online/@alip/116708767923188752 https://mastodon.online/@alip/116708767923188752 Sun, 07 Jun 2026 12:14:31 +0000 <p>News from <a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> <a href="https://mastodon.online/tags/git" class="mention hashtag" rel="tag">#<span>git</span></a>: As of version 3.55.0, bind mounts are secure by default. Regardless of whether the source is an absolute path or a filesystem type, every bind is mounted with nodev, noexec, nosuid, and nosymfollow options applied. User must therefore explicitly opt back into the relaxed behaviour upfront using the options dev, exec, suid and symfollow: <a href="https://man.exherbo.org/syd.2.html#bind" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">man.exherbo.org/syd.2.html#bind</span><span class="invisible"></span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox git exherbo linux security https://mastodon.online/@alip/116698010293795813 https://mastodon.online/@alip/116698010293795813 Fri, 05 Jun 2026 14:38:43 +0000 <p>News from <a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> <a href="https://mastodon.online/tags/git" class="mention hashtag" rel="tag">#<span>git</span></a> for <a href="https://mastodon.online/tags/Emacs" class="mention hashtag" rel="tag">#<span>Emacs</span></a> users: Self-contained syd.el which has full support for the syd(2) API now supports syntax hilighting for syd-3 profiles exactly like Syd&#39;s <a href="https://mastodon.online/tags/vim" class="mention hashtag" rel="tag">#<span>vim</span></a> syntax hilighting. <br /><a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox git emacs vim exherbo linux security https://mastodon.online/@alip/116696707026040189 https://mastodon.online/@alip/116696707026040189 Fri, 05 Jun 2026 09:07:16 +0000 <p>News from <a href="https://mastodon.online/tags/sydbox" class="mention hashtag" rel="tag">#<span>sydbox</span></a> <a href="https://mastodon.online/tags/git" class="mention hashtag" rel="tag">#<span>git</span></a>: We have <a href="https://mastodon.online/tags/Caitsith" class="mention hashtag" rel="tag">#<span>Caitsith</span></a> like Domain Transitions now which allows you to change sandbox policy atomically either manually or upon certain events such as exec, chdir, mmap, bind, connect, accept. One example would be restricten the confinement of a web server upon first bind another example is per-directory sandbox policies. There&#39;re many other nice uses, see examples: <a href="https://man.exherbo.org/syd.7.html#Domain_Transitions" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">man.exherbo.org/syd.7.html#Dom</span><span class="invisible">ain_Transitions</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox git caitsith exherbo linux security https://mastodon.online/@alip/116663609177075489 https://mastodon.online/@alip/116663609177075489 Sat, 30 May 2026 12:50:03 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> 3.54.1 released! Security release with fcntl(2) hardening against SIGIO bypass of <a href="https://mastodon.online/tags/landlock" class="mention hashtag" rel="tag">#<span>landlock</span></a> signal scoping. Adds log rate limiting with log/rlimit_interval and log/rlimit_burst options. New deleted file access mediation denies unlinked files through open fds. chown(2) confined to caller&#39;s credentials by default, force_umask default now 7000 for setuid/setgid/sticky stripping like <a href="https://mastodon.online/tags/OpenBSD" class="mention hashtag" rel="tag">#<span>OpenBSD</span></a> <a href="https://mastodon.online/tags/pledge" class="mention hashtag" rel="tag">#<span>pledge</span></a>. Ghost mode implies lock:on. Full story: <a href="https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">gitlab.exherbo.org/sydbox/sydb</span><span class="invisible">ox/-/blob/main/ChangeLog.md</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox landlock openbsd pledge exherbo linux security https://mastodon.online/@alip/116615286374185667 https://mastodon.online/@alip/116615286374185667 Fri, 22 May 2026 00:00:56 +0000 <p>New hardening in <a href="https://mastodon.online/tags/sydbox" class="mention hashtag" rel="tag">#<span>sydbox</span></a> <a href="https://mastodon.online/tags/git" class="mention hashtag" rel="tag">#<span>git</span></a>: Deleted File Access Mediation, inspired by <a href="https://mastodon.online/tags/AppArmor" class="mention hashtag" rel="tag">#<span>AppArmor</span></a> flag PATH_MEDIATE_DELETED: <a href="https://man.exherbo.org/syd.7.html#Deleted_File_Access_Mediation" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">man.exherbo.org/syd.7.html#Del</span><span class="invisible">eted_File_Access_Mediation</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox git apparmor exherbo linux security https://mastodon.online/@alip/116573158490545112 https://mastodon.online/@alip/116573158490545112 Thu, 14 May 2026 13:27:15 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> containers are not affected by the new LPE <a href="https://mastodon.online/tags/Fragnesia" class="mention hashtag" rel="tag">#<span>Fragnesia</span></a> because: 1. Unprivileged user/network namespaces are denied unless trace/allow_unsafe_namespace:user,net 2. Kernel algorithm (AF_ALG) sockets are denied unless trace/allow_unsafe_kcapi:true 3. Socket option TCP_ULP is denied unless trace/allow_unsafe_setsockopt:true. You may sleep in peace: <a href="https://raw.githubusercontent.com/v12-security/pocs/d4043edc2acbd75d093e3f5795751b678c66b259/fragnesia/fragnesia.c" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">raw.githubusercontent.com/v12-</span><span class="invisible">security/pocs/d4043edc2acbd75d093e3f5795751b678c66b259/fragnesia/fragnesia.c</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox fragnesia exherbo linux security https://mastodon.online/@alip/116563014289657375 https://mastodon.online/@alip/116563014289657375 Tue, 12 May 2026 18:27:27 +0000 <p>I made an <a href="https://mastodon.online/tags/asciicast" class="mention hashtag" rel="tag">#<span>asciicast</span></a> showcasing Ghost Mode of <a href="https://mastodon.online/tags/sydbox" class="mention hashtag" rel="tag">#<span>sydbox</span></a>: <a href="https://asciinema.org/a/1039185" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">asciinema.org/a/1039185</span><span class="invisible"></span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> asciicast sydbox exherbo linux security https://mastodon.online/@alip/116562513741722372 https://mastodon.online/@alip/116562513741722372 Tue, 12 May 2026 16:20:09 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> 3.53.0 is released! This is a feature release improving sandbox categories walk, stat, and adding the new category list for directory listing which allows easy use of walk+list categories for path hiding. readlink is also split from stat category which is by far the most common syscall so this helps with overhead of other categories. We also have bunch of security fixes. Full story, as always, is in the ChangeLog, thanks for flying Syd: <a href="https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3530" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">gitlab.exherbo.org/sydbox/sydb</span><span class="invisible">ox/-/blob/main/ChangeLog.md?ref_type=heads#3530</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox exherbo linux security https://mastodon.online/@alip/116541238581584369 https://mastodon.online/@alip/116541238581584369 Fri, 08 May 2026 22:09:36 +0000 <p>Fun exercise for <a href="https://mastodon.online/tags/Syd" class="mention hashtag" rel="tag">#<span>Syd</span></a> users: Run &quot;PATH= /path/to/syd&quot; and try to break out of the default restricted <a href="https://mastodon.online/tags/bash" class="mention hashtag" rel="tag">#<span>bash</span></a> shell session. You&#39;re in a directory that does not exist and you have no access to external commands. It&#39;s not easy or where&#39;s the fun? <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> syd exherbo linux security bash https://mastodon.online/@alip/116527744051900625 https://mastodon.online/@alip/116527744051900625 Wed, 06 May 2026 12:57:46 +0000 <p>AF_ALG is marked deprecated as response to copy.fail. Somewhat sad to see a useful API die: <a href="https://lore.kernel.org/linux-crypto/20260430011544.31823-1-ebiggers@kernel.org/" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">lore.kernel.org/linux-crypto/2</span><span class="invisible">0260430011544.31823-1-ebiggers@kernel.org/</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> exherbo linux security https://mastodon.online/@alip/116505499797317848 https://mastodon.online/@alip/116505499797317848 Sat, 02 May 2026 14:40:46 +0000 <p>News from <a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> <a href="https://mastodon.online/tags/git" class="mention hashtag" rel="tag">#<span>git</span></a>: New option trace/force_wx_open: Specify whether creating/writing open(2) family system calls for executables should be denied regardless of path. This option is restricted to creat, open, openat, and openat2 syscalls and may be combined with trace/force_umask option to confine filesystem as Write XOR Execute. New profile &quot;wx&quot; combines the new option with trace/force_umask:7177 to confine filesystem as W^X. User profile includes wx profile. <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox git exherbo linux security https://mastodon.online/@alip/116501206209790130 https://mastodon.online/@alip/116501206209790130 Fri, 01 May 2026 20:28:51 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> 3.52.0 is released! I&#39;ve just merged 428 commits from next to main to make this release. It includes no new features, only bug fixes. Some of these bug fixes are security critical and you&#39;re recommended to upgrade as soon as possible. Full story, as always, is in the ChangeLog, thanks for flying Syd: <a href="https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">gitlab.exherbo.org/sydbox/sydb</span><span class="invisible">ox/-/blob/main/ChangeLog.md</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox exherbo linux security https://mastodon.online/@alip/116495249968505898 https://mastodon.online/@alip/116495249968505898 Thu, 30 Apr 2026 19:14:06 +0000 <p>Mitigation against copy.fail in upcoming <a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a>: Syd will reject to open SUID files regardless of mode unless the option trace/allow_unsafe_open_suid:1 is set. This does not prevent exploitation altogether as the attacker can write to files such as /etc/passwd, however it raises the bar with very little added cost. <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox exherbo linux security https://mastodon.online/@alip/116494911107379764 https://mastodon.online/@alip/116494911107379764 Thu, 30 Apr 2026 17:47:55 +0000 <p><a href="https://mastodon.online/tags/GVisor" class="mention hashtag" rel="tag">#<span>GVisor</span></a> supports only x86_64, arm64 yet they claim they run everywhere. <a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> passes tests on x86_64, i686, x32, arm64, armv7, ppc64, ppc64le, ppc, s390x, loongarch64, mips64el, and mipsel but I won&#39;t claim we are portable until we have mips64, mips, m68k and sparc! Huge thanks to Compile Farm people for enabling us to test Syd on various different architectures! <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> gvisor sydbox exherbo linux security https://mastodon.online/@alip/116494519914608215 https://mastodon.online/@alip/116494519914608215 Thu, 30 Apr 2026 16:08:26 +0000 <p>Correction: I was wrong about copy.fail and <a href="https://mastodon.online/tags/sydbox" class="mention hashtag" rel="tag">#<span>sydbox</span></a> earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the <a href="https://mastodon.online/tags/Linux" class="mention hashtag" rel="tag">#<span>Linux</span></a> <a href="https://mastodon.online/tags/kernel" class="mention hashtag" rel="tag">#<span>kernel</span></a>. With <a href="https://mastodon.online/tags/sydbox" class="mention hashtag" rel="tag">#<span>sydbox</span></a> 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd&#39;s use of AF_ALG sockets. <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> sydbox linux kernel exherbo security https://mastodon.online/@alip/116492667669657030 https://mastodon.online/@alip/116492667669657030 Thu, 30 Apr 2026 08:17:23 +0000 <p>New <a href="https://mastodon.online/tags/container" class="mention hashtag" rel="tag">#<span>container</span></a> breakout: <a href="https://copy.fail/" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">copy.fail/</span><span class="invisible"></span></a> <a href="https://mastodon.online/tags/sydbox" class="mention hashtag" rel="tag">#<span>sydbox</span></a> containers aren&#39;t affected because Syd denies access to Kernel Cryptography API (KCAPI, AF_ALG sockets) by default unless trace/allow_safe_kcapi:1 is specified at startup. Crypt Sandboxing is also not affected because we don&#39;t use AEAD but CTR(AES). <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> container sydbox exherbo linux security https://mastodon.online/@alip/116477617687048919 https://mastodon.online/@alip/116477617687048919 Mon, 27 Apr 2026 16:29:58 +0000 <p><a href="https://mastodon.online/tags/Sydbox" class="mention hashtag" rel="tag">#<span>Sydbox</span></a> is on <a href="https://mastodon.online/tags/Radicle" class="mention hashtag" rel="tag">#<span>Radicle</span></a> with ID rad:z38HCnbmcDegA2BMxuPaPRPMdp6wF seed it and share the love! Huge thanks to <a href="https://mastodon.online/tags/HardenedBSD" class="mention hashtag" rel="tag">#<span>HardenedBSD</span></a> folks for seeding! <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a> <a href="https://mastodon.online/tags/git" class="mention hashtag" rel="tag">#<span>git</span></a></p> sydbox radicle hardenedbsd exherbo linux security git https://mastodon.online/@alip/116387678720077248 https://mastodon.online/@alip/116387678720077248 Sat, 11 Apr 2026 19:17:19 +0000 <p>Here is a <a href="https://mastodon.online/tags/landlock" class="mention hashtag" rel="tag">#<span>landlock</span></a> oddity I noticed and reported today: <a href="https://github.com/landlock-lsm/linux/issues/58" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">github.com/landlock-lsm/linux/</span><span class="invisible">issues/58</span></a> <a href="https://mastodon.online/tags/exherbo" class="mention hashtag" rel="tag">#<span>exherbo</span></a> <a href="https://mastodon.online/tags/linux" class="mention hashtag" rel="tag">#<span>linux</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a></p> landlock exherbo linux security