~alip/exherbo-dev

Sydbox 3.19.0 Released

Ali Polatel <alip@hexsys.org>
Message ID
<4NXuH_17Zd8Ls9NxEF1qp6_4m_fodW1J5-O_E-71ZGFkZQmINt5iI2BG0hmyWJG4_Wkoz8b5Blqgs5315_Eptz-1RYarTtodVH8aG0SlnZk=@hexsys.org>
3.19.0:

    * Add new utility syd-poc to demonstrate proofs of concept for various
    sandbox break vectors.
    * Add trace/allow_unsafe_debug:1 to the paludis profile.
    * Add trace/allow_safe_kvm:1 to allow a predefined set of KVM ioctls. This
    is necessary to run qemu(1) under sandbox with hardware acceleration.
    Previously this was only possible with the unsafe trace/allow_unsafe_ioctl:1
    which allows the whole ioctl request space.
    * Make trace/allow_unsafe_debug:1 imply trace/allow_unsafe_memory:1 in
    addition to trace/allow_unsafe_exec:1. This is necessary to make valgrind(1)
    work in the sandbox.
    * Unify trace/allow_unsafe_p{erf,trace} options into
    trace/allow_unsafe_debug. This option is going to be a general way to allow
    debugging and tracing tools such as gdb, perf, strace, valgrind in the
    sandbox. The manual page clearly states they should only be used in trusted
    environments as it allows the sandbox process to trivially break from the
    sandbox.
    * Re-add trace/allow_unsafe_perf command to allow perf inside the sandbox.
    * Re-add trace/allow_unsafe_ptrace command to allow ptrace inside the sandbox.
    * oci: Do not pass through the capabilities specified by the container
    engine. This is done to adhere to the goal of being secure by default. To
    honour the capabilities specified by the container engine, users may
    configure Syd with trace/allow_unsafe_caps:1. The recommended way, however,
    is to specify only the minimum needed set of capabilities using the various
    "allow_unsafe" options such as trace/allow_unsafe_bind:1 to retain
    CAP_NET_BIND_SERVICE, trace/allow_unsafe_socket:1 to retain CAP_NET_RAW,
    trace/allow_unsafe_syslog:1 to retain CAP_SYSLOG, and
    trace/allow_unsafe_time:1 to retain CAP_SYS_TIME.
    * Add trace/allow_unsafe_open:1 to the paludis profile.
    * Mitigate open(2) O_PATH TOCTOU by turning O_PATH into O_RDONLY by default,
    and add trace/allow_unsafe_open:1 to disable this. See BUGS for more
    information.
    * trace/allow_unsafe_tkill has been renamed to trace/allow_unsafe_kill which
    is a breaking change.
    * trace/allow_unsafe_adjtime has been renamed to trace/allow_unsafe_time
    which is a breaking change.
    * Extend ptrace detection mitigator seccomp filter to turn all ptrace
    operations into no-ops rather than just PTRACE_TRACEME.
    * syd-test and syd-test-do learned -h CLI argument to list test cases.
    * Drop CAP_CHOWN even with SafeSetID. CAP_SET[UG]ID is still kept for
    SafeSetID.
    * Ensure ptrace is not in ambient and inheritable caps before fork.
    * test-do: sort tests by name in help output.
    * More than one namespace can be turned on/off using the syntax
    unshare/type,type...:state and queried using the syntax
    unshare/type,type...? now (e.g.: unshare/user,pid:1, unshare/mount,net?).
    * More than one sandboxing type can be turned on/off using the syntax
    sandbox/type,type...:state and queried using the syntax
    sandbox/type,type...? now (e.g.: sandbox/read,stat,write:on,
    sandbox/net,lock:off). This is simple, intuitive and similar to the syntax
    for specifying multiple glob rules with e.g.: allow/read,stat,exec+/usr/***.
    See the SHORTCUTS section of the syd(2) manual page for more information.
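As an added illustration of the multi-type shortcut syntax above (this is example code, not syd's own parser), the following helper expands a shortcut such as sandbox/read,stat,write:on, unshare/mount,net? or allow/read,stat,exec+/usr/*** into the equivalent single-type directives; the assumption that the type list always ends at the first ':', '?' or '+' is taken from the examples in these release notes.

```rust
// Added example: expand syd's multi-type shortcut directives into the
// single-type directives they stand for. Illustrative only; this is not
// syd's own configuration parser, and the separator rule (type list ends
// at the first ':', '?' or '+') is an assumption based on the examples.

/// Expand one directive into its single-type equivalents.
/// Returns an error string when the directive has no recognisable shape.
pub fn expand_directive(directive: &str) -> Result<Vec<String>, String> {
    // Split "prefix/rest" on the first slash only; later slashes belong
    // to glob paths such as "+/usr/***".
    let (prefix, rest) = directive
        .split_once('/')
        .ok_or_else(|| format!("missing '/' in {directive:?}"))?;

    // The comma-separated type list ends at the first ':' (set a state),
    // '?' (query the state) or '+' (add a glob rule). Type names never
    // contain these characters, so the first hit is the separator.
    let sep = rest
        .find(|c| matches!(c, ':' | '?' | '+'))
        .ok_or_else(|| format!("missing ':', '?' or '+' in {directive:?}"))?;
    let (types, tail) = rest.split_at(sep);
    if types.is_empty() {
        return Err(format!("empty type list in {directive:?}"));
    }

    // Re-attach the unchanged tail (":on", "?", "+/usr/***") to each type.
    let mut out = Vec::new();
    for ty in types.split(',') {
        if ty.is_empty() {
            return Err(format!("empty type name in {directive:?}"));
        }
        out.push(format!("{prefix}/{ty}{tail}"));
    }
    Ok(out)
}

fn main() {
    // Constructed sample directives taken from the shapes in the release notes.
    let samples = [
        "sandbox/read,stat,write:on",
        "unshare/mount,net?",
        "allow/read,stat,exec+/usr/***",
    ];
    for d in samples {
        match expand_directive(d) {
            Ok(v) => println!("{d} => {}", v.join(" ")),
            Err(e) => eprintln!("error: {e}"),
        }
    }
}
```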

Download:

    * Cargo:  https://crates.io/crates/syd (cargo install syd)
    * Source: https://git.sr.ht/~alip/syd/archive/v3.19.0.tar.gz
    * Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.19.0.tar.xz
              https://distfiles.exherbolinux.org/sydbox/syd-3.19.0.tar.xz.sha512sum
              https://distfiles.exherbolinux.org/sydbox/syd-3.19.0.tar.xz.sha512sum.asc
    * Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc

This release contains 73 commits.

In addition, I want to announce an article I wrote with the title
"TOCTOU||GTFO: State of Sandboxing in Linux" which is at the following address:
https://git.sr.ht/~alip/syd/tree/main/item/doc/toctou-or-gtfo.md
I appreciate and welcome all kinds of feedback, be it in the form of patches,
comments, or even poems ;-).

Best,
alip