~alip/exherbo-dev

Sydbox 3.23.0 Released

Ali Polatel <alip@hexsys.org>
Details
Message ID
<_CrmfSxW6tGKqVgOa2hPDaKEZdDRlM4-W_K7ZXOEnE6XcG8SH3aVxrLsFaoDYCB9kY-6YwtI89_GaVFo2AvlDtNWsPYmlFcQbr8W7v5mA7c=@hexsys.org>
DKIM signature
pass
Download raw message
3.23.0:

	* Upgrade `nix` crate from `0.26` to `0.29`.
	* Upgrade `procfs` crate from `0.15` to `0.16`.
	* Upgrade `bitflags` crate from `1.3` to `2.6`.
	* Add new option `time:<offset>` to set clock monotonic and boottime offset in
	  Time namespace. Implies `unshare/time:1`.
	* Avoid self reexecution when entering namespaces.
	* Support time namespace and add the option `unshare/time:1`.  With
	  `unshare/time:1`, Syd resets the boot-time clock such that `uptime`
	  will report container uptime rather than host uptime.
	* Deny access for the creation of namespaces by default, and
	  add `trace/allow_unsafe_namespace` to relax the restriction.
	  This option accepts a comma-separated list of namespace types
	  to allow.
	* Add `segvguard/filter` to filter SegvGuard violations by globs.
	* Add `default/` options for each sandboxing type and SegvGuard to
	  configure default action which typically defaults to Deny or Kill.
	* Require absolute paths in globs.
	* Extend sandbox actions with `warn`, `stop`, `kill`, and `exit`.
	* Remove the option `trace/allow_safe_kvm`.
	* Remove the option `trace/allow_unsafe_ioctl`.
	* Implement [Ioctl
	  sandboxing](https://man.exherbolinux.org/syd.7.html#Ioctl_Sandboxing).
	* Enable the [literal
	  separator](https://docs.rs/globset/0.4.14/globset/struct.GlobBuilder.html#method.literal_separator)
	  option on glob matching. This means a literal `/` is required to
	  match a path separator in globs. `*`, and `?` will not match `/`.
	* Add
	  [`trace/force_cloexec`](http://man.exherbolinux.org/syd.2.html#trace/force_cloexec)
	  option to enforce the `O_CLOEXEC` flag on all _open_(2), _openat_(2),
	  and _openat2_(2) calls.  Refer to the [Force
	  Close-on-Exec](http://man.exherbolinux.org/syd.7.html#Force_Close-on-Exec)
	  section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
	  manual page for more information.
	* Ensure open and socket handlers always opens files with the `O_CLOEXEC` flag.
	* Improve _syd-tor_(1)'s socket performance by setting `TCP_NODELAY`,
	  `SO_KEEPALIVE`, `TCP_QUICKACK`, and buffer sizes for reduced latency
	  and improved data transfer efficiency.
	* Ensure no file descriptors leak from the Syd process into the
	  _syd-tor_(1) process other than the fds specifically passed.
	* Deny syscalls for Memory protection keys by default, and add the
	  option
	  [`trace/allow_unsafe_pkey`](http://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_pkey)
	  to relax the restriction. Refer to the [Restricting Memory Protection
	  Keys System
	  Calls](http://man.exherbolinux.org/syd.7.html#Restricting_Memory_Protection_Keys_System_Calls)
	  section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
	  manual page for more information.
	* Deny syscalls for Kernel keyring access by default, and add the option
	  [`trace/allow_unsafe_keyring`](http://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_keyring)
	  to relax the restriction. Refer to the [Kernel Keyring Access
	  Restriction](http://man.exherbolinux.org/syd.7.html#Kernel_Keyring_Access_Restriction)
	  section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
	  manual page for more information.
	* Deny syscalls for CPU emulation functionality by default, and add the
	  option
	  [`trace/allow_unsafe_cpu`](http://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_cpu)
	  to relax the restriction. Refer to the [Restricting CPU Emulation
	  Syscalls](http://man.exherbolinux.org/syd.7.html#Restricting_CPU_Emulation_System_Calls)
	  section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
	  manual page for more information.
	* Fix a race condition in Crypt sandboxing which causes **data
	  corruption** when handling concurrent writes to the same encrypted
	  file. Encrypted files affected by the issue have corrupt
	  blocks which are in a practically unrecoverable state.
	  To reduce the likelihood of the issue reappearing
	  in later versions, we have written [82 integration
	  tests](https://gitlab.exherbo.org/sydbox/sydbox/-/blob/b332c892c504cef3f1205c386b760d6a8d5e73e9/src/t/test.rs#L337-418)
	  to verify correct functioning of Crypt sandboxing. However, users
	  should know this is only tested on the architectures "x86\_64",
	  "x86", "aarch64", and "armv7". Users running Syd on other architectures
	  are _strongly recommended_ to run integration tests using the tool
	  [_syd-test_(1)](https://man.exherbolinux.org/syd-test.1.html)
	  before any usage of Syd. In addition, package maintainers are
	  _strongly recommended_ to install Syd's installable integration
	  tests by installing the two utilities "syd-test" and "syd-test-do"
	  along with Syd and advise the user to run the tests with a
	  post-install message. This ensures Syd is, to the
	  extent possible, verified to work on the target system. These
	  utilities come with no additional dependencies and their size
	  is negligible taken into account the total size.
	* Fix an issue with _utimensat_(2) handler on 32-bit systems.
	* Fix an issue with _truncate_(2) handler on 32-bit systems.
	* _syd-cp_(1) no longer overwrites the destination file by default.
	  The command line argument `-f` can be used to force overwrite.
	* _syd-cp_(1) learned to read from standard input when only the
	  destination file is passed via command line parameters.
	* Make the encryption thread more efficient and drop the _write_(2)
	  batching workaround which is no longer necessary.
	* Block Crypt readers/writers when a subsequent write is in progress
	  rather than failing with `EBUSY`.
	* _syd-aes_(1), _syd-cp_(1), and _syd-tor_(1) have been promoted to core
	  tools, as such they're installed even with the utils feature disabled.
	* _syd-aes_(1) learned `-v` argument to periodically print progress
	  report on standard error.
	* Ensure files configured for encryption are processed even
	  if Read & Write sandboxing is off.
	* Increase stack size of encryption threads from 4k to 64k.
	* Improve lock usage in `ptrace` exit handler.
	* Improve lock usage in `stat` system call handlers.
	* The setting `trace/force_umask` no longer applies to
	  directory creation for convenience.
	* Make `trace/force_umask` override POSIX ACLs during
	  _umask_(2) calculation.
	* Hook into `fchmod` and `fchown` and check for write access.
	  In addition `trace/force_umask` is applied for `fchmod`.
	* Add `-b <bufsiz>` argument to _syd-tor_(1) to specify pipe
	  buffer size.
	* Improve Crypt sandboxing and _syd-tor_(1) throughput by setting pipe
	  buffer sizes to the maximum value allowed by the system where errors
	  are handled gracefully and reverts to the old default `PIPE_BUF` which
	  is typically 4096 bytes.
	* Apply the noexec-memfd restriction regardless of the state
	  of sandboxing.
	* Fix a TOCTOU in socketcall (32-bit) handler when handling
	  the _socket_(2) subcall.
	* Add Netlink support to Network sandboxing which allows
	  the user to filter on netlink family. The new
	  [`allow/net/link`](https://man.exherbolinux.org/syd.2.html#allow/net/link)
	  setting can be used to add/remove items to the allowlist.
	* Confine _syd-tor_(1) process further utilizing namespaces
	  if available and permitted.
	* Fix PID recycling issue of clone which happens during
	  re-exec when namespaces are enabled.
	* Sanitize environment of the _syd-tor_(1) process.
	* Make file descriptor tracking of _syd-tor_(1) more efficient.

Download:

    * Cargo:  https://crates.io/crates/syd (cargo install syd)
    * Source: https://git.sr.ht/~alip/syd/archive/v3.23.0.tar.gz
    * Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.23.0.tar.xz
              https://distfiles.exherbolinux.org/sydbox/syd-3.23.0.tar.xz.sha512sum
              https://distfiles.exherbolinux.org/sydbox/syd-3.23.0.tar.xz.sha512sum.asc
    * Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc

This release contains 267 commits.

In addition we've also released libsyd-3.3.0 and pandora_box-0.10.0.

Best,
alip
Reply to thread Export thread (mbox)