3.19.0:
* Add new utility syd-poc to demonstrate proof of concepts for various
sandbox break vectors.
* Add trace/allow_unsafe_debug:1 to the paludis profile.
* Add trace/allow_safe_kvm:1 to allow a predefined set of KVM ioctls. This
is necessary to run qemu(1) under sandbox with hardware acceleration.
Previously this was only possible with the unsafe trace/allow_unsafe_ioctl:1
which allows the whole ioctl request space.
* Make trace/allow_unsafe_debug:1 imply trace/allow_unsafe_memory:1 in
addition to trace/allow_unsafe_exec:1. This is necessary to make valgrind(1)
work in the sandbox.
* Unify trace/allow_unsafe_p{erf,trace} options into
trace/allow_unsafe_debug. This option is going to be a general way to allow
debugging and tracing tools such as gdb, perf, strace, valgrind in the
sandbox. The manual page clearly states they should only be used in trusted
environments as they allow the sandbox process to trivially break out of the
sandbox.
* Re-add trace/allow_unsafe_perf command to allow perf inside the sandbox.
* Re-add trace/allow_unsafe_ptrace command to allow ptrace inside the sandbox.
* oci: Do not pass-through the capabilities specified by the container
engine. This is done to adhere to the goal of being secure by default. To
honour the capabilities specified by the container engine, users may configure
Syd with trace/allow_unsafe_caps:1. The recommended way, however, is to
specify only the minimum needed set of capabilities using the various
"allow_unsafe" options such as trace/allow_unsafe_bind:1 to retain
CAP_NET_BIND_SERVICE, trace/allow_unsafe_socket:1 to retain CAP_NET_RAW,
trace/allow_unsafe_syslog:1 to retain CAP_SYSLOG, and trace/allow_unsafe_time:1
to retain CAP_SYS_TIME.
* Add trace/allow_unsafe_open:1 to the paludis profile.
* Mitigate open(2) O_PATH TOCTOU by turning O_PATH into O_RDONLY by default
and add trace/allow_unsafe_open:1 to disable this. See BUGS for more
information.
* trace/allow_unsafe_tkill has been renamed to trace/allow_unsafe_kill which
is a breaking change.
* trace/allow_unsafe_adjtime has been renamed to trace/allow_unsafe_time
which is a breaking change.
* Extend ptrace detection mitigator seccomp filter to turn all ptrace
operations into no-ops rather than just PTRACE_TRACEME.
* syd-test and syd-test-do learned the -h CLI argument to list test cases.
* Drop CAP_CHOWN even with SafeSetID. CAP_SET[UG]ID is still kept for
SafeSetID.
* Ensure CAP_SYS_PTRACE is not in the ambient or inheritable capability sets
before fork.
* test-do: sort tests by name in help output.
* More than one namespace can be turned on/off using the syntax
unshare/type,type...:state and queried using the syntax
unshare/type,type...? now (e.g.: unshare/user,pid:1, unshare/mount,net?).
* More than one sandboxing type can be turned on/off using the syntax
sandbox/type,type...:state and queried using the syntax
sandbox/type,type...? now (e.g.: sandbox/read,stat,write:on,
sandbox/net,lock:off). This is simple, intuitive and similar to the syntax
for specifying multiple glob rules with e.g.: allow/read,stat,exec+/usr/***.
See the SHORTCUTS section of the syd(2) manual page for more information.
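On the O_PATH item above: the notes only say that O_PATH is rewritten to
O_RDONLY by default and point at BUGS for the actual issue. The C program
below is an added example written for this announcement; it is not syd's
code and does not reproduce the BUGS entry. It shows the generic reason a
path-mediating sandbox cannot treat O_PATH opens as harmless: an O_PATH
descriptor cannot be read directly, but it can be re-opened for reading
through /proc/self/fd/N without the original path appearing in the second
open(2). The last function applies the rewrite the notes describe, so the
first open is already a real read open. All function names and the
/tmp/opath-demo-* file are this example's own.

```c
/* Added example (not syd's code): what an O_PATH descriptor permits, and
 * what rewriting O_PATH to O_RDONLY changes. Names below are this example's
 * own assumptions, not syd identifiers. Linux only (needs /proc). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000 /* generic Linux value, only for old headers */
#endif

/* Create a temp file holding `text`; its path is written into `path`.
 * Returns 0 on success, -1 on error. */
static int make_tmpfile(const char *text, char *path, size_t pathlen) {
    const char tmpl[] = "/tmp/opath-demo-XXXXXX";
    if (pathlen < sizeof tmpl) return -1;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t len = strlen(text);
    if (write(fd, text, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
    close(fd);
    return 0;
}

/* Step 1: an O_PATH open does no read-permission check and yields a
 * descriptor that read(2) rejects with EBADF. Returns 1 if that is observed. */
static int opath_read_fails(const char *path) {
    int fd = open(path, O_PATH | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[16];
    ssize_t n = read(fd, buf, sizeof buf);
    int err = errno;
    close(fd);
    return (n < 0 && err == EBADF) ? 1 : 0;
}

/* Step 2: the same O_PATH descriptor is "upgraded" by opening the magic
 * link /proc/self/fd/N with O_RDONLY. The file's path never appears in this
 * second open(2). Returns bytes read, or -1. */
static ssize_t opath_reopen_and_read(const char *path, char *out, size_t outlen) {
    int pfd = open(path, O_PATH | O_CLOEXEC);
    if (pfd < 0) return -1;
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", pfd);
    int rfd = open(link, O_RDONLY | O_CLOEXEC);
    close(pfd);
    if (rfd < 0) return -1;
    ssize_t n = read(rfd, out, outlen - 1);
    close(rfd);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

/* Mitigation as the release notes describe it: replace O_PATH with O_RDONLY
 * before the open, so the caller gets an ordinary read descriptor that was
 * subject to the same read mediation as any other open for reading. */
static int open_with_opath_demoted(const char *path, int flags) {
    if (flags & O_PATH) flags = (flags & ~O_PATH) | O_RDONLY;
    return open(path, flags);
}

int main(void) {
    char path[32], buf[32];
    if (make_tmpfile("secret\n", path, sizeof path) != 0) return 1;
    printf("read(2) on O_PATH fd fails with EBADF: %d\n", opath_read_fails(path));
    printf("bytes read after /proc/self/fd re-open: %zd\n",
           opath_reopen_and_read(path, buf, sizeof buf));
    int fd = open_with_opath_demoted(path, O_PATH | O_CLOEXEC);
    printf("demoted open is directly readable: %d\n",
           fd >= 0 && read(fd, buf, 1) == 1);
    if (fd >= 0) close(fd);
    unlink(path);
    return 0;
}
```

The point of the demotion is not that O_RDONLY is "safer" by itself, but
that it makes the decision happen at the open the sandbox already mediates,
instead of at a later re-open the sandbox may never see.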
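To make the two shortcut items above concrete, here is an added C example
(written for this announcement, not syd's own parser) that expands the
type,type...:state, type,type...? and type,type...+glob forms into the
single-type commands they stand for. It handles exactly the shapes quoted
in the notes and passes commands without a type list through unchanged; the
function name syd_expand is this example's own.

```c
/* Added example (not syd's parser): expand the multi-type shortcut syntax
 * "prefix/t1,t2,...SEPrest" into one "prefix/tNSEPrest" command per type,
 * where SEP is ':' (set), '?' (query) or '+'/'-' (glob rule). */
#include <stdio.h>
#include <string.h>

/* Writes the expanded commands into out, one per line. Returns the number
 * of commands produced, or -1 on a malformed list or a too-small buffer. */
static int syd_expand(const char *cmd, char *out, size_t outlen) {
    /* separator position: first ':', '?', '+' or '-' (end of string if none) */
    size_t seppos = strcspn(cmd, ":?+-");
    const char *rest = cmd + seppos;          /* ":on", "?", "+/usr/***", "" */

    /* type list = text between the last '/' before the separator and it */
    const char *types = NULL;
    for (size_t i = 0; i < seppos; i++)
        if (cmd[i] == '/') types = cmd + i + 1;

    if (types == NULL) {                      /* e.g. "lock:on": nothing to expand */
        int w = snprintf(out, outlen, "%s\n", cmd);
        return (w < 0 || (size_t)w >= outlen) ? -1 : 1;
    }
    if (types == rest) return -1;             /* "sandbox/:on": empty type list */

    size_t plen = (size_t)(types - cmd);      /* "sandbox/" including the slash */
    size_t used = 0;
    int count = 0;
    const char *p = types;
    while (p < rest) {
        const char *comma = memchr(p, ',', (size_t)(rest - p));
        size_t n = comma ? (size_t)(comma - p) : (size_t)(rest - p);
        if (n == 0 || (comma && comma + 1 == rest))
            return -1;                        /* "read,,stat" or "read," */
        int w = snprintf(out + used, outlen - used, "%.*s%.*s%s\n",
                         (int)plen, cmd, (int)n, p, rest);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
        count++;
        p += n + (comma ? 1 : 0);
    }
    return count;
}

int main(void) {
    const char *samples[] = {
        "unshare/user,pid:1", "unshare/mount,net?",
        "sandbox/read,stat,write:on", "sandbox/net,lock:off",
        "allow/read,stat,exec+/usr/***",
    };
    char out[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = syd_expand(samples[i], out, sizeof out);
        printf("%s -> %d command(s)\n%s", samples[i], n, out);
    }
    return 0;
}
```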
Download:
* Cargo: https://crates.io/crates/syd (cargo install syd)
* Source: https://git.sr.ht/~alip/syd/archive/v3.19.0.tar.gz
* Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.19.0.tar.xz
https://distfiles.exherbolinux.org/sydbox/syd-3.19.0.tar.xz.sha512sum
https://distfiles.exherbolinux.org/sydbox/syd-3.19.0.tar.xz.sha512sum.asc
* Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc
This release contains 73 commits.
In addition, I want to announce an article I wrote with the title
"TOCTOU||GTFO: State of Sandboxing in Linux" which is at the following address:
https://git.sr.ht/~alip/syd/tree/main/item/doc/toctou-or-gtfo.md
I appreciate and welcome all kinds of feedback, be it in the form of patches,
comments, or even poems ;-).
Best,
alip