~alip/exherbo-dev

Sydbox 3.27.0 Released

Ali Polatel <alip@hexsys.org>
Details
Message ID
<iAXOGfRAFltXyZIs_KuaGm35siDYoNTGlr9d1COAufSX-LOZtrYu7Z_fqoaHtTeMVRzi3JyCcCrtf95ABN1FLfzkFJZwZM_f141r5WZdbjs=@hexsys.org>
DKIM signature
pass
Download raw message
3.27.0:

	* Mask the file `/etc/machine-id` by default.
	* The utility `_syd-tick_(1)` has been renamed to `syd-tck` to
	  reduce precious user typing time to invoke this utility.
	* Enforce `AT_SECURE` in auxiliary vector at process exec. This
	  mitigation may be relaxed with the option `trace/allow_unsafe_libc:1`.
	* Add new tool _syd-aux_(1) to print auxiliary vector information.
	* Remove _pipe2_(2), from the allowed system call list of emulator threads.
	* `trace/allow_safe_bind:1` no longer makes Syd skip the IP blocklist
	  check at _accept_(2) and _accept4_(2) boundaries.
	* Do not check _accept_(2), and _accept4_(2) calls against the connect
	  sandboxing acl. These system calls are checked against the IP
	  blocklist only.
	* Return `EACCES` rather than `ELOOP` error on procfs symlink
	  violations. This is in consistency with SELinux and works around
	  pipewire's broken flatpak detection logic.
	* Add `trace/force_umask:7077` to the `user` profile. This setting has
	  been tested for a long time at the CTF server using the CTF profile.
	* Ensure _syd-elf_(1) asserts a single path is required as argument
	  during option parsing. Previously, more than a single argument would
	  pass through but only the first path is parsed either way.
	* Pass `CLONE_IO` to syscall emulator micro-threads in addition to
	  `CLONE_FILES`, `CLONE_VFORK`, `CLONE_VM`, and `CLONE_SIGHAND`.
	* Use shared memory rather than pipes in syscall emulator micro-threads.
	* Fix case-insensitivity of the _syd-err_(1) tool.
	* Handle POSIX ACLs without reading on parent directory.

Download:

    * Cargo:  https://crates.io/crates/syd (cargo install syd)
    * Source: https://git.sr.ht/~alip/syd/archive/v3.27.0.tar.gz
    * Binary:
              armv7   : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-armv7-unknown-linux-gnueabihf.tar.xz
              aarch64 : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-aarch64-unknown-linux-gnueabi.tar.xz
              ppc64le : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-ppc64le-unknown-linux-gnu.tar.xz
              riscv64 : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-riscv64-unknown-linux-gnu.tar.xz
              s390x   : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-s390x-unknown-linux-gnu.tar.xz
              i586    : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-i586-pc-linux-gnu.tar.xz
              x86_64  : https://distfiles.exherbolinux.org/sydbox/syd-3.27.0-x86_64-pc-linux-gnu.tar.xz
              * Append ".sha512sum" to the URL for the SHA512 checksum.
              * Append ".sha512sum.asc" to the URL for the PGP signature.
    * Binary releases are signed with the following key:
              ID: 0x25F201EDF60FF478
              FP: 2AC66B17D25DDDC0B59CAA5425F201EDF60FF478
              MAIL: syd@chesswob.org
              LINK: https://distfiles.exherbolinux.org/sydbox/syd.asc
              You can download it from common public keyservers,
              such as pgp.mit.edu, keyserver.ubuntu.com and
              keys.openpgp.org too. Please send an encrypted
              e-mail to this address for security issues.

This release contains 61 commits.

Best,
alip
Reply to thread Export thread (mbox)