3.27.0:

* Mask the file `/etc/machine-id` by default.
* The utility `_syd-tick_(1)` has been renamed to `syd-tck` to reduce precious user typing time to invoke this utility.
* Enforce `AT_SECURE` in auxiliary vector at process exec. This mitigation may be relaxed with the option `trace/allow_unsafe_libc:1`.
* Add new tool _syd-aux_(1) to print auxiliary vector information.
* Remove _pipe2_(2) from the allowed system call list of emulator threads.
* `trace/allow_safe_bind:1` no longer makes Syd skip the IP blocklist check at _accept_(2) and _accept4_(2) boundaries.
* Do not check _accept_(2) and _accept4_(2) calls against the connect sandboxing ACL. These system calls are checked against the IP blocklist only.
* Return `EACCES` rather than `ELOOP` error on procfs symlink violations. This is in consistency with SELinux and works around pipewire's broken flatpak detection logic.
* Add `trace/force_umask:7077` to the `user` profile. This setting has been tested for a long time at the CTF server using the CTF profile.
* Ensure _syd-elf_(1) asserts a single path is required as argument during option parsing. Previously, more than a single argument would pass through but only the first path is parsed either way.
* Pass `CLONE_IO` to syscall emulator micro-threads in addition to `CLONE_FILES`, `CLONE_VFORK`, `CLONE_VM`, and `CLONE_SIGHAND`.
* Use shared memory rather than pipes in syscall emulator micro-threads.
* Fix case-insensitivity of the _syd-err_(1) tool.
* Handle POSIX ACLs without reading on parent directory.

Download:

* Cargo: https://crates.io/crates/syd (cargo install syd)
* Source: https://git.sr.ht/~alip/syd/archive/v3.27.0.tar.gz
* Binary:
    armv7   : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-armv7-unknown-linux-gnueabihf.tar.xz
    aarch64 : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-aarch64-unknown-linux-gnueabi.tar.xz
    ppc64le : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-ppc64le-unknown-linux-gnu.tar.xz
    riscv64 : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-riscv64-unknown-linux-gnu.tar.xz
    s390x   : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-s390x-unknown-linux-gnu.tar.xz
    i586    : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-i586-pc-linux-gnu.tar.xz
    x86_64  : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-x86_64-pc-linux-gnu.tar.xz
* Append ".sha512sum" to the URL for the SHA512 checksum.
* Append ".sha512sum.asc" to the URL for the PGP signature.
* Binary releases are signed with the following key:
    ID: 0x25F201EDF60FF478
    FP: 2AC66B17D25DDDC0B59CAA5425F201EDF60FF478
    MAIL: syd@chesswob.org
    LINK: https://distfiles.exherbolinux.org/sydbox/syd.asc

You can download it from common public keyservers, such as pgp.mit.edu, keyserver.ubuntu.com and keys.openpgp.org too.

Please send an encrypted e-mail to this address for security issues.

This release contains 61 commits.

Best,
alip
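
To check from inside a process what the `AT_SECURE` item above changes, the following added example (not part of the announcement, and not Syd's or _syd-aux_(1)'s code) reads the auxiliary vector the same way libc does; glibc and musl enter secure-execution mode, ignoring variables such as `LD_PRELOAD`, when the `AT_SECURE` entry is nonzero. The names `aux_entry`, `aux_secure`, `aux_self_secure` and the sample vectors are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <elf.h>        /* AT_NULL, AT_PAGESZ, AT_SECURE */
#include <sys/auxv.h>   /* getauxval(3) */

/* One auxiliary vector entry as laid out for a native-word-size process. */
struct aux_entry { unsigned long type, value; };

/* Return 1 if the vector carries a nonzero AT_SECURE before its AT_NULL
 * terminator, 0 otherwise. Entries after AT_NULL are never consulted. */
int aux_secure(const struct aux_entry *v, size_t n)
{
    for (size_t i = 0; i < n && v[i].type != AT_NULL; i++)
        if (v[i].type == AT_SECURE)
            return v[i].value != 0;
    return 0;   /* absent entry: libc treats the process as not secure */
}

/* Constructed sample vectors (not captured from a real process). */
const struct aux_entry SAMPLE_SECURE[] = {
    { AT_PAGESZ, 4096 }, { AT_SECURE, 1 }, { AT_NULL, 0 },
};
const struct aux_entry SAMPLE_PLAIN[] = {
    { AT_PAGESZ, 4096 }, { AT_NULL, 0 }, { AT_SECURE, 1 }, /* past the end */
};

/* Same check against this process's own vector via procfs.
 * Returns 1 or 0 as above, or -1 if /proc/self/auxv cannot be read. */
int aux_self_secure(void)
{
    struct aux_entry buf[64];
    FILE *f = fopen("/proc/self/auxv", "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, sizeof buf[0], sizeof buf / sizeof buf[0], f);
    fclose(f);
    return aux_secure(buf, n);
}

int main(void)
{
    int r = aux_self_secure();
    if (r < 0) {
        perror("/proc/self/auxv");
        return 2;
    }
    printf("AT_SECURE via procfs:    %d\n", r);
    printf("AT_SECURE via getauxval: %lu\n", getauxval(AT_SECURE));
    return 0;
}
```

Run once directly and once under the sandbox; with the mitigation active the second run should report 1 unless `trace/allow_unsafe_libc:1` is set.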