3.21.0:
* Skip applying umask when the parent directory has POSIX ACLs defined.
* Fix symlink handling in `chown` and `chmod` handlers.
* Add `trace/allow_unsafe_env:1` to the `paludis` profile.
* Mask the paths `/dev/kmsg`, `/proc/kmsg` by default and allow read,
and stat access to these files in `paludis` and `user` profiles. This
is done to prevent the _dmesg_(1) tool from falling back to the
denylisted _syslog_(2) system call which will fail with `ENOSYS`.
* Fix undefined behaviour in the utime syscall handlers.
* Ensure the virtual stat API returns `EBUSY` for all settings that must
be set at startup.
* Align the stack pointer to 16 bytes for the clone that spawns the
sandbox process to ensure proper memory alignment.
* Fix PID recycling issues of clones in `l*xattr` and network syscall
handlers.
* Emulate xattr calls on symbolic links in a safe way and drop the
setting `trace/allow_unsafe_xattr`.
* Fix a FS TOCTOU in network system call handlers when using UNIX domain
sockets and mitigate another.
* Upgrade the crate `mimalloc2-rust v0.3.1 -> v0.3.2` which updates
the vendored `mimalloc` from 2.1.4 to 2.1.7.
* Do not hook into `fchmod`, `fchown`, `fallocate`, `ftruncate`, and
`ftruncate64` anymore. These system calls operate on file descriptors
only and the file must have been opened for writing, so Write
sandboxing already checks them at open time.
* Add `/proc` to the read allowlist of Lock sandboxing by default. Syd
is included in the Landlock sandbox and Syd requires this directory to
function.
* Add `/dev/null` to the write allowlist of Lock sandboxing by default.
Syd is included in the Landlock sandbox and Syd requires this file to
function.
* Allow read access to `/dev/random` in `paludis` and `user`
profiles. Read access to `/dev/urandom` was already granted.
* Check for invalid socket descriptors early in network calls.
* Drop `trace/allow_safe_setid:1` from the `paludis` profile.
* Fix symbolic link handling in `stat` handlers.
* Fix symbolic link handling in `utimensat` handler.
* Implement sidechannel mitigation by adjusting timestamps on
sidechannel devices and stripping access and modify flags
of _fanotify_(7)/_inotify_(7) calls on such devices.
* Enhance security by denying symlink resolution in insecure writable
directories.
* Avoid double open in `fchdir`, `fchmod`, `fchown`, `fgetxattr`,
`fsetxattr`, `flistxattr`, `fremovexattr`, `fstatfs`, `fstatfs64`, and
`truncate` system call handlers.
* Keep `CAP_CHOWN` when SafeSetID is enabled.
* Make SafeSetID continue system calls when there's no change in {u,g}id.
* Start sandboxing `fanotify_mark` and `inotify_add_watch` system calls
as part of Stat sandboxing.
* Respect the `AT_EMPTY_PATH` flag in the `faccessat2` handler.
* Avoid double open in `getxattr`, `setxattr`, `listxattr`, and
`removexattr`.
* Deny `ghost`, `panic`, and `reset` commands when Crypt sandboxing is
on with `EBUSY` for safety.
* Publish [the CTF
profile](https://gitlab.exherbo.org/sydbox/sydbox/-/raw/main/data/ctf.syd-3)
for transparency.
* Enable TPE sandboxing for the `user` profile and set trusted GID to
sandbox process' current effective GID.
* Enable TPE sandboxing for the `paludis` profile.
* Make the ptrace Exec sandboxing check honour filtered paths to avoid
reporting access violations.
* Implement [Trusted Path Execution (TPE)
sandboxing](http://man.exherbolinux.org/syd.7.html#TPE_sandboxing).
* Remove the setting `exec/kill`.
* Ensure the `lib` profile sets the sandbox lock to `exec` as `exec` is
not the default anymore since 3.17.0.
* Make the `ghost` command imply `reset` to ensure no run-away exec
processes after the invocation of the `ghost` command.
* Avoid panic when unsetting `SYD_` environment variables when the
environment key or value contains invalid UTF-8.
* Fix undefined behaviour when unsetting `SYD_` environment variables in
the child by moving the unset logic to the parent right before process
spawn.
Download:
* Cargo: https://crates.io/crates/syd (cargo install syd)
* Source: https://git.sr.ht/~alip/syd/archive/v3.21.0.tar.gz
* Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.21.0.tar.xz
https://distfiles.exherbolinux.org/sydbox/syd-3.21.0.tar.xz.sha512sum
https://distfiles.exherbolinux.org/sydbox/syd-3.21.0.tar.xz.sha512sum.asc
* Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc
This release contains 182 commits.
This is a relatively big release. Feature-wise the biggest highlights
are Trusted Path Execution (TPE) and symlink restrictions. TPE is based
on HardenedBSD's implementation and closely resembles GrSecurity's. One
notable difference is that we set `tpe/root_owned` and `tpe/user_owned`
to false by default, as these checks will not do the right thing with
`unshare/user:1`, where unmapped users in the user namespace appear as
the overflow UID/GID (i.e. nobody/nogroup). Refer to this link for more
information: http://man.exherbolinux.org/syd.7.html#TPE_sandboxing
TPE is enabled for the Paludis profile. I did not see a reason not to
enable it and I surely want to get wider testing for it. That said, if
we have any test regressions we can disable it. A TPE access violation
will have the Capability ("cap") set to "t" in the access violation
report.
Symlink restrictions mean the sandbox process cannot follow symbolic
links in world-writable +t directories (e.g. /tmp). This restriction is
enabled both for the readlink syscall hooks and for Syd's internal path
canonicalizer. Unlike GrSecurity's linking restrictions, aka
GRKERNSEC_LINK, we deny regardless of the owner of the symlink. Again,
this is done to ensure correct functionality under user namespaces.
Symlink restrictions are hard-enabled, adhering to Syd's goal of being
secure by default. Should this cause any test regressions, we can
provide a switch for it and turn it off for the Paludis profile.
Refer to this link for more information:
http://man.exherbolinux.org/syd.7.html#Enhanced_Symbolic_Link_Validation
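To make the policy above concrete, here is an added, stand-alone Python model of the symlink restriction. It is not Syd's code (Syd is written in Rust and applies the check inside its path canonicalizer and readlink hooks); it only mirrors the stated rule: while resolving a path component by component, a symlink whose parent directory is world-writable and sticky is refused with EACCES regardless of who owns the symlink, and every other symlink is followed normally. The `SymlinkDenied` class, the `resolve_restricted` function and the temporary directory layout built by `demo` (a 1777 directory standing in for /tmp next to an ordinary 0700 directory) are all constructed for this example.

```python
import errno
import os
import stat
import tempfile


class SymlinkDenied(PermissionError):
    """Raised when a symlink sits in a world-writable sticky directory."""


def is_insecure_writable_dir(path: str) -> bool:
    """True if `path` is a directory that is both world-writable and sticky (mode 1777, e.g. /tmp)."""
    mode = os.lstat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH) and bool(mode & stat.S_ISVTX)


def resolve_restricted(path: str, max_links: int = 40) -> str:
    """Canonicalise `path` one component at a time, following symlinks except
    those located in an insecure writable directory, which are refused with
    EACCES no matter who owns them.  A missing final component is tolerated
    (as for a path that is about to be created); a missing middle component
    raises FileNotFoundError like the kernel's ENOENT."""
    if not os.path.isabs(path):
        path = os.path.join(os.getcwd(), path)
    pending = [c for c in path.split("/") if c]
    resolved = "/"
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            resolved = os.path.dirname(resolved) or "/"
            continue
        candidate = os.path.join(resolved, comp)
        try:
            st = os.lstat(candidate)
        except FileNotFoundError:
            if pending:          # a non-final component must exist
                raise
            return candidate     # final component may not exist yet
        if stat.S_ISLNK(st.st_mode):
            # The security-relevant check: refuse the link if its parent
            # directory is world-writable and sticky, whoever owns the link.
            if is_insecure_writable_dir(resolved):
                raise SymlinkDenied(errno.EACCES,
                                    "symlink in world-writable sticky directory",
                                    candidate)
            hops += 1
            if hops > max_links:
                raise OSError(errno.ELOOP, "too many levels of symbolic links", candidate)
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = "/"   # absolute target restarts resolution at the root
            pending = [c for c in target.split("/") if c] + pending
            continue
        resolved = candidate
    return resolved


def demo() -> dict:
    """Build a constructed layout in a temporary directory and report, for a
    symlink in a 1777 directory and one in a private 0700 directory, whether
    resolution is allowed or denied.  Returns e.g.
    {"shared": ("deny", "EACCES"), "private": ("allow", "/.../secret.txt")}."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sample file\n")

        shared = os.path.join(root, "shared")      # plays the role of /tmp
        os.mkdir(shared)
        os.chmod(shared, 0o1777)                   # world-writable + sticky
        private = os.path.join(root, "private")    # ordinary user directory
        os.mkdir(private, 0o700)

        # Same link target, same owner; only the parent directory differs.
        os.symlink(secret, os.path.join(shared, "link"))
        os.symlink(secret, os.path.join(private, "link"))

        results = {}
        for name, link in (("shared", os.path.join(shared, "link")),
                           ("private", os.path.join(private, "link"))):
            try:
                results[name] = ("allow", resolve_restricted(link))
            except SymlinkDenied as exc:
                results[name] = ("deny", errno.errorcode[exc.errno])
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome[0]} ({outcome[1]})")
```

The model deliberately keys the decision on the parent directory's mode alone, which is the difference from GRKERNSEC_LINK noted above: an owner comparison would misbehave once unmapped users inside a user namespace show up as the overflow UID. Note that the check is made against the already-resolved parent, so a symlink reached through an earlier symlink is judged by where it really lives, not by the path the caller typed.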
With this release, we publish the CTF profile used for the Sydbox CTF
game on syd.chesswob.org for transparency. The profile is located here:
https://gitlab.exherbo.org/sydbox/sydbox/-/raw/main/data/ctf.syd-3
and the link to the CTF game is: https://ctftime.org/event/2178
Best,
alip