3.23.0:
* Upgrade `nix` crate from `0.26` to `0.29`.
* Upgrade `procfs` crate from `0.15` to `0.16`.
* Upgrade `bitflags` crate from `1.3` to `2.6`.
* Add new option `time:<offset>` to set the monotonic and boot-time clock
offsets in the time namespace. Implies `unshare/time:1`.
* Avoid self reexecution when entering namespaces.
* Support time namespace and add the option `unshare/time:1`. With
`unshare/time:1`, Syd resets the boot-time clock such that `uptime`
will report container uptime rather than host uptime.
* Deny access for the creation of namespaces by default, and
add `trace/allow_unsafe_namespace` to relax the restriction.
This option accepts a comma-separated list of namespace types
to allow.
* Add `segvguard/filter` to filter SegvGuard violations by globs.
* Add `default/` options for each sandboxing type and SegvGuard to
configure the default action, which typically defaults to Deny or Kill.
* Require absolute paths in globs.
* Extend sandbox actions with `warn`, `stop`, `kill`, and `exit`.
* Remove the option `trace/allow_safe_kvm`.
* Remove the option `trace/allow_unsafe_ioctl`.
* Implement [Ioctl
sandboxing](https://man.exherbolinux.org/syd.7.html#Ioctl_Sandboxing).
* Enable the [literal
separator](https://docs.rs/globset/0.4.14/globset/struct.GlobBuilder.html#method.literal_separator)
option on glob matching. This means a literal `/` is required to
match a path separator in globs. `*`, and `?` will not match `/`.
* Add
[`trace/force_cloexec`](http://man.exherbolinux.org/syd.2.html#trace/force_cloexec)
option to enforce the `O_CLOEXEC` flag on all _open_(2), _openat_(2),
and _openat2_(2) calls. Refer to the [Force
Close-on-Exec](http://man.exherbolinux.org/syd.7.html#Force_Close-on-Exec)
section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
manual page for more information.
* Ensure open and socket handlers always open files with the `O_CLOEXEC` flag.
* Improve _syd-tor_(1)'s socket performance by setting `TCP_NODELAY`,
`SO_KEEPALIVE`, `TCP_QUICKACK`, and buffer sizes for reduced latency
and improved data transfer efficiency.
* Ensure no file descriptors leak from the Syd process into the
_syd-tor_(1) process other than the fds specifically passed.
* Deny syscalls for Memory protection keys by default, and add the
option
[`trace/allow_unsafe_pkey`](http://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_pkey)
to relax the restriction. Refer to the [Restricting Memory Protection
Keys System
Calls](http://man.exherbolinux.org/syd.7.html#Restricting_Memory_Protection_Keys_System_Calls)
section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
manual page for more information.
* Deny syscalls for Kernel keyring access by default, and add the option
[`trace/allow_unsafe_keyring`](http://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_keyring)
to relax the restriction. Refer to the [Kernel Keyring Access
Restriction](http://man.exherbolinux.org/syd.7.html#Kernel_Keyring_Access_Restriction)
section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
manual page for more information.
* Deny syscalls for CPU emulation functionality by default, and add the
option
[`trace/allow_unsafe_cpu`](http://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_cpu)
to relax the restriction. Refer to the [Restricting CPU Emulation
Syscalls](http://man.exherbolinux.org/syd.7.html#Restricting_CPU_Emulation_System_Calls)
section of the [_syd_(7)](http://man.exherbolinux.org/syd.7.html)
manual page for more information.
* Fix a race condition in Crypt sandboxing which causes **data
corruption** when handling concurrent writes to the same encrypted
file. Encrypted files affected by the issue have corrupt
blocks which are in a practically unrecoverable state.
To reduce the likelihood of the issue reappearing
in later versions, we have written [82 integration
tests](https://gitlab.exherbo.org/sydbox/sydbox/-/blob/b332c892c504cef3f1205c386b760d6a8d5e73e9/src/t/test.rs#L337-418)
to verify correct functioning of Crypt sandboxing. However, users
should know this is only tested on the architectures "x86\_64",
"x86", "aarch64", and "armv7". Users running Syd on other architectures
are _strongly recommended_ to run integration tests using the tool
[_syd-test_(1)](https://man.exherbolinux.org/syd-test.1.html)
before any usage of Syd. In addition, package maintainers are
_strongly recommended_ to install Syd's installable integration
tests by installing the two utilities "syd-test" and "syd-test-do"
along with Syd and advise the user to run the tests with a
post-install message. This ensures Syd is, to the
extent possible, verified to work on the target system. These
utilities come with no additional dependencies and their size
is negligible compared to the total size.
* Fix an issue with _utimensat_(2) handler on 32-bit systems.
* Fix an issue with _truncate_(2) handler on 32-bit systems.
* _syd-cp_(1) no longer overwrites the destination file by default.
The command line argument `-f` can be used to force overwrite.
* _syd-cp_(1) learned to read from standard input when only the
destination file is passed via command line parameters.
* Make the encryption thread more efficient and drop the _write_(2)
batching workaround which is no longer necessary.
* Block Crypt readers/writers when a subsequent write is in progress
rather than failing with `EBUSY`.
* _syd-aes_(1), _syd-cp_(1), and _syd-tor_(1) have been promoted to core
tools; as such, they are installed even with the utils feature disabled.
* _syd-aes_(1) learned the `-v` argument to periodically print a progress
report on standard error.
* Ensure files configured for encryption are processed even
if Read & Write sandboxing is off.
* Increase stack size of encryption threads from 4k to 64k.
* Improve lock usage in `ptrace` exit handler.
* Improve lock usage in `stat` system call handlers.
* The setting `trace/force_umask` no longer applies to
directory creation for convenience.
* Make `trace/force_umask` override POSIX ACLs during
_umask_(2) calculation.
* Hook into `fchmod` and `fchown` and check for write access.
In addition `trace/force_umask` is applied for `fchmod`.
* Add `-b <bufsiz>` argument to _syd-tor_(1) to specify pipe
buffer size.
* Improve Crypt sandboxing and _syd-tor_(1) throughput by setting pipe
buffer sizes to the maximum value allowed by the system; errors are
handled gracefully by reverting to the old default `PIPE_BUF`, which
is typically 4096 bytes.
* Apply the noexec-memfd restriction regardless of the state
of sandboxing.
* Fix a TOCTOU in socketcall (32-bit) handler when handling
the _socket_(2) subcall.
* Add Netlink support to Network sandboxing, which allows
the user to filter on the netlink family. The new
[`allow/net/link`](https://man.exherbolinux.org/syd.2.html#allow/net/link)
setting can be used to add or remove allowlist entries.
* Confine the _syd-tor_(1) process further using namespaces, where
available and permitted.
* Fix a PID recycling issue with clone that happens during
re-exec when namespaces are enabled.
* Sanitize environment of the _syd-tor_(1) process.
* Make file descriptor tracking of _syd-tor_(1) more efficient.
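The literal-separator change above (`*` and `?` no longer match `/`, and globs must be absolute) is easy to get wrong when migrating an existing rule set. The following is an added example, not Syd's code: it shows the same semantics with POSIX _fnmatch_(3), whose `FNM_PATHNAME` flag enforces the same rule. Syd itself matches with the globset crate, and `fnmatch` has no `**` operator, so no `**` appears here; the function names, sample patterns and paths are all constructed for this illustration.

```c
/* Added example, not Syd's code: the "literal separator" glob semantics
 * from the changelog, shown with POSIX fnmatch(3).  FNM_PATHNAME makes
 * '*' and '?' stop at '/', which is what the globset option does. */
#include <fnmatch.h>
#include <stdio.h>

/* 1 if PATH matches PATTERN with a literal separator, 0 otherwise. */
int glob_matches_literal_sep(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* The older separator-agnostic behaviour, kept only for contrast. */
int glob_matches_legacy(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, 0) == 0;
}

/* Syd now rejects globs that are not absolute paths; this is that check. */
int glob_is_absolute(const char *pattern)
{
    return pattern != NULL && pattern[0] == '/';
}

/* Constructed sample rules and paths (not from the Syd manual), with the
 * result expected under each semantics. */
struct sample {
    const char *pattern;
    const char *path;
    int expect_literal;   /* with literal separator */
    int expect_legacy;    /* without */
};

static const struct sample samples[] = {
    { "/etc/*",           "/etc/passwd",               1, 1 },
    { "/etc/*",           "/etc/ssl/private/key.pem",  0, 1 }, /* '*' stops at '/' */
    { "/var/log/*.log",   "/var/log/nginx/access.log", 0, 1 },
    { "/var/log/*/*.log", "/var/log/nginx/access.log", 1, 1 }, /* one '*' per component */
    { "/dev/pts/?",       "/dev/pts/0",                1, 1 },
    { "/home/alip/?",     "/home/alip//",              0, 1 }, /* '?' no longer eats '/' */
};

/* Run every sample; return how many results disagree with the expectation
 * (0 means both semantics behave as described above). */
int count_sample_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct sample *s = &samples[i];
        if (glob_matches_literal_sep(s->pattern, s->path) != s->expect_literal)
            bad++;
        if (glob_matches_legacy(s->pattern, s->path) != s->expect_legacy)
            bad++;
    }
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct sample *s = &samples[i];
        printf("%-18s %-28s literal=%d legacy=%d absolute=%d\n",
               s->pattern, s->path,
               glob_matches_literal_sep(s->pattern, s->path),
               glob_matches_legacy(s->pattern, s->path),
               glob_is_absolute(s->pattern));
    }
    return count_sample_mismatches() == 0 ? 0 : 1;
}
```

The practical consequence for rule authors is the second and third rows: a rule written as `/etc/*` or `/var/log/*.log` used to cover nested files and now does not, so an allowlist that relied on that will start denying subdirectory access after the upgrade.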
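To make concrete what `trace/force_cloexec` enforces and how to verify it, here is an added example that is not Syd's code: it forces `O_CLOEXEC` in a wrapper around _open_(2), marks an already-open descriptor close-on-exec with _fcntl_(2), and counts the descriptors of the calling process that would still leak into an _execve_(2)'d child. Syd does this for the sandboxed process's _open_(2), _openat_(2) and _openat2_(2) calls; the function names here are assumed for the illustration, and `/dev/null` is only used as a convenient file to open.

```c
/* Added example, not Syd's code: what forcing close-on-exec means, shown
 * with plain fcntl(2)/open(2) inside a single process. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if FD is close-on-exec, 0 if it would survive execve(2), -1 if not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark an already-open fd close-on-exec.  0 on success, -1 on failure. */
int fd_force_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* open(2) with O_CLOEXEC ORed in regardless of what the caller asked for. */
int open_forced_cloexec(const char *path, int flags, mode_t mode)
{
    return open(path, flags | O_CLOEXEC, mode);
}

/* Defender's audit: how many open fds of this process lack FD_CLOEXEC and
 * would therefore be inherited by any child it execs.  Probes fd numbers
 * up to the process limit (capped) with F_GETFD, which is portable. */
int count_leaking_fds(void)
{
    long limit = sysconf(_SC_OPEN_MAX);
    if (limit < 0 || limit > 65536)
        limit = 65536;
    int leaking = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fd_is_cloexec(fd) == 0)
            leaking++;
    return leaking;
}

/* Walk through the states on PATH: plain open (flag absent), forced after
 * the fact, forced at open time.  Returns 0 when every step behaves as
 * expected, otherwise the number of the failing step. */
int cloexec_selftest(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return 1;
    int rc = 0;
    if (fd_is_cloexec(fd) != 0)
        rc = 2;
    else if (fd_force_cloexec(fd) != 0)
        rc = 3;
    else if (fd_is_cloexec(fd) != 1)
        rc = 4;
    close(fd);
    if (rc)
        return rc;

    fd = open_forced_cloexec(path, O_RDONLY, 0);
    if (fd == -1)
        return 5;
    rc = fd_is_cloexec(fd) == 1 ? 0 : 6;
    close(fd);
    return rc;
}

int main(void)
{
    printf("selftest on /dev/null: %d (0 = ok)\n", cloexec_selftest("/dev/null"));
    printf("fds that would leak across exec right now: %d\n", count_leaking_fds());
    return 0;
}
```

Run stand-alone, the second line normally reports at least the three standard streams, which is exactly the class of inherited descriptor the changelog's _syd-tor_(1) hardening ("no file descriptors leak ... other than the fds specifically passed") is about.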
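The pipe-sizing item above (grow the pipe buffer to the system maximum, fall back to `PIPE_BUF` on error) is a small but easy-to-misorder procedure, so here is an added example of it that is not Syd's code. It reads the Linux cap from `/proc/sys/fs/pipe-max-size`, tries `F_SETPIPE_SZ`, and reverts to `PIPE_BUF` when that fails; the function names are assumed, and the example is Linux-specific.

```c
/* Added example, not Syd's code: size a pipe to the system maximum with a
 * graceful fall-back to PIPE_BUF, as the changelog describes for Crypt
 * sandboxing and syd-tor.  Linux-specific (F_SETPIPE_SZ, /proc). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <unistd.h>

/* Real Linux values, in case fcntl.h was included without _GNU_SOURCE. */
#ifndef F_SETPIPE_SZ
#define F_SETPIPE_SZ 1031
#endif
#ifndef F_GETPIPE_SZ
#define F_GETPIPE_SZ 1032
#endif

/* Largest size an unprivileged process may request with F_SETPIPE_SZ
 * (/proc/sys/fs/pipe-max-size).  -1 if it cannot be read. */
long read_pipe_max_size(void)
{
    FILE *f = fopen("/proc/sys/fs/pipe-max-size", "r");
    if (f == NULL)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Ask for WANT bytes; on EPERM (above the cap without CAP_SYS_RESOURCE),
 * EBUSY (more data already queued than the new size) or any other error,
 * revert to PIPE_BUF.  Returns the capacity now in effect, or -1. */
long set_pipe_size_best_effort(int fd, long want)
{
    if (want > 0 && fcntl(fd, F_SETPIPE_SZ, (int)want) != -1)
        return fcntl(fd, F_GETPIPE_SZ);
    if (fcntl(fd, F_SETPIPE_SZ, PIPE_BUF) == -1)
        return -1;   /* e.g. EBADF: not open, or not a pipe at all */
    return fcntl(fd, F_GETPIPE_SZ);
}

/* Create a pipe, tune it, report the resulting capacity, close it. */
long pipe_capacity_after_tuning(void)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    long cap = set_pipe_size_best_effort(p[1], read_pipe_max_size());
    close(p[0]);
    close(p[1]);
    return cap;
}

int main(void)
{
    printf("pipe-max-size: %ld\n", read_pipe_max_size());
    printf("capacity after tuning: %ld (PIPE_BUF is %d)\n",
           pipe_capacity_after_tuning(), PIPE_BUF);
    return 0;
}
```

Two details worth checking when reusing this: the kernel rounds the requested size up to a power of two of pages, so `F_GETPIPE_SZ` is the value to trust rather than the one requested, and `F_SETPIPE_SZ` applies to the pipe object, so setting it on either end is sufficient.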
Download:
* Cargo: https://crates.io/crates/syd (cargo install syd)
* Source: https://git.sr.ht/~alip/syd/archive/v3.23.0.tar.gz
* Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.23.0.tar.xz
https://distfiles.exherbolinux.org/sydbox/syd-3.23.0.tar.xz.sha512sum
https://distfiles.exherbolinux.org/sydbox/syd-3.23.0.tar.xz.sha512sum.asc
* Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc
This release contains 267 commits.
In addition we've also released libsyd-3.3.0 and pandora_box-0.10.0.
Best,
alip