~alip/exherbo-dev

Sydbox 3.20.0 Released

Ali Polatel <alip@hexsys.org>
3.20.0:

    * syd-err can now be used to match errno descriptions as well as names.
    * _open_(2) calls with mode read-write were only checked for write
      sandboxing and not read sandboxing. This is now fixed.
    * Open a memfd rather than a tmpfile for `open(/dev/syd, O_RDONLY)`.
    * syd-err now accepts an errno name glob rather than an errno regex.
    * syd-sys now accepts a system call name glob rather than a name regex.
    * syd-sys learned `-g` argument to enable Ghost mode prior to probing.
    * syd-sys learned `-p` argument to probe the matching system calls.
    * Implement [Ghost mode](http://man.exherbolinux.org/syd.7.html#Ghost_mode).
    * Close standard input and standard output after we pass the file
      descriptors to the sandbox process.
    * Clear all environment variables that start with `SYD_` from the
      environment of the sandbox process, rather than just the specific Syd
      environment variables. This allows the user to safely set an
      environment variable for the Syd process only and can e.g. be used to
      safely set an AES-CTR key with `config/key:${SYD_KEY}`, having set the
      environment variable `SYD_KEY` on Syd invocation.
    * Add new utility `syd-key` to generate AES-CTR key and iv using `/dev/random`.
    * Add new utility `syd-cp` for efficient file copying using _splice_(2).
    * Add new utility `syd-aes` to encrypt/decrypt files akin to openssl-enc.
    * Implement [Crypt
      sandboxing](http://man.exherbolinux.org/syd.7.html#Crypt_Sandboxing) for
      transparent file encryption using AES-CTR.
    * oci: Configure tracing when log feature is on, and disable properly when off.
    * oci: Honour capabilities specified by the container engine.
    * oci: Avoid hitting `UNIX_PATH_MAX` on tenant socket paths.
    * oci: Remove unnecessary chdir from init and start which fixes:
      [youki#2772](https://github.com/containers/youki/issues/2772).
    * Update: `libcgroups v0.3.2 -> v0.3.3`
    * Update: `libcontainer v0.3.2 -> v0.3.3`
    * Update: `liboci-cli v0.3.2 -> v0.3.3`

Download:

    * Cargo:  https://crates.io/crates/syd (cargo install syd)
    * Source: https://git.sr.ht/~alip/syd/archive/v3.20.0.tar.gz
    * Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.20.0.tar.xz
              https://distfiles.exherbolinux.org/sydbox/syd-3.20.0.tar.xz.sha512sum
              https://distfiles.exherbolinux.org/sydbox/syd-3.20.0.tar.xz.sha512sum.asc
    * Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc

This release contains 153 commits.

The highlights are the two new sandboxing types:

- Crypt Sandboxing: Transparent File Encryption with AES-CTR: http://man.exherbolinux.org/syd.7.html#Crypt_Sandboxing
- Ghost mode: similar to Seccomp Level 1 aka Strict Mode: http://man.exherbolinux.org/syd.7.html#Ghost_mode

Make sure to read the limitations before using Crypt Sandboxing:
tl;dr.1 It's not _fully_ transparent yet; O_RDWR fds won't work
  (we could not find a way to implement this yet without writing a full-blown VFS implementation;
   as always, feedback in the form of ideas is much, much welcome).
tl;dr.2 A random IV is saved in file xattrs to avoid IV reuse; copying files without retaining xattrs means permanent data loss.

The most notable fix is our youki update, which brings in a fix to make podman exec work with syd-oci.
Finally, another notable change is that read-write opens are now checked for both read and write access; Syd only checked such opens for write access before.

Best,
alip