~alip/exherbo-dev

Sydbox 3.21.0 Released

Ali Polatel <alip@hexsys.org>
Message-ID: <zKZm3xdiDdFhy_3ux4uVt376-5_WyJTTr0mTlGpthq0NGcFqfYeFBrhU2bbIUS7TLqZlnZ4xfGLTNid8L4k41KLKfuee4D-yKo-oxOGLCqY=@hexsys.org>
3.21.0:

    * Skip applying umask when the parent directory has POSIX ACLs defined.
    * Fix symlink handling in `chown` and `chmod` handlers.
    * Add `trace/allow_unsafe_env:1` to the `paludis` profile.
    * Mask the paths `/dev/kmsg`, `/proc/kmsg` by default and allow read
      and stat access to these files in `paludis` and `user` profiles. This
      is done to prevent the _dmesg_(1) tool from falling back to the
      denylisted _syslog_(2) system call which will fail with `ENOSYS`.
    * Fix a UB in the utime syscall handlers.
    * Ensure the virtual stat API returns `EBUSY` for all settings that must
      be set at startup.
    * Align stack pointer to 16 bytes for the clone that spawns the sandbox
      process to ensure proper memory alignment.
    * Fix PID recycling issues of clones in `l*xattr` and network syscall
      handlers.
    * Emulate xattr calls on symbolic links in a safe way and drop the
      setting `trace/allow_unsafe_xattr`.
    * Fix a FS TOCTOU in network system call handlers when using UNIX domain
      sockets and mitigate another.
    * Upgrade the crate `mimalloc2-rust v0.3.1 -> v0.3.2` which updates
      the vendored `mimalloc` from 2.1.4 to 2.1.7.
    * Do not hook into `fchmod`, `fchown`, `fallocate`, `ftruncate`, and
      `ftruncate64` anymore.  These system calls operate on file descriptors
      only and the file must be opened for write so Write sandboxing checks
      them on open.
    * Add `/proc` to the read allowlist of Lock sandboxing by default.  Syd
      is included in the Landlock sandbox and Syd requires this directory to
      function.
    * Add `/dev/null` to the write allowlist of Lock sandboxing by default.
      Syd is included in the Landlock sandbox and Syd requires this file to
      function.
    * Allow read access to `/dev/random` in `paludis` and `user`
      profiles. Read access to `/dev/urandom` was already granted.
    * Check for invalid socket descriptors early in network calls.
    * Drop `trace/allow_safe_setid:1` from the `paludis` profile.
    * Fix symbolic link handling in `stat` handlers.
    * Fix symbolic link handling in `utimensat` handler.
    * Implement sidechannel mitigation by adjusting timestamps on
      sidechannel devices and stripping access and modify flags
      of _fanotify_(7)/_inotify_(7) calls on such devices.
    * Enhance security by denying symlink resolution in insecure writable
      directories.
    * Avoid double open in `fchdir`, `fchmod`, `fchown`, `fgetxattr`,
      `fsetxattr`, `flistxattr`, `fremovexattr`, `fstatfs`, `fstatfs64`, and
      `truncate` system call handlers.
    * Keep `CAP_CHOWN` when SafeSetID is enabled.
    * Make SafeSetID continue system calls when there's no change in {u,g}id.
    * Start sandboxing `fanotify_mark` and `inotify_add_watch` system calls
      as part of Stat sandboxing.
    * Respect the `AT_EMPTY_PATH` flag in the `faccessat2` handler.
    * Avoid double open in `getxattr`, `setxattr`, `listxattr`, and
      `removexattr`.
    * Deny `ghost`, `panic`, and `reset` commands when Crypt sandboxing is
      on with `EBUSY` for safety.
    * Publish [the CTF
      profile](https://gitlab.exherbo.org/sydbox/sydbox/-/raw/main/data/ctf.syd-3)
      for transparency.
    * Enable TPE sandboxing for the `user` profile and set trusted GID to
      sandbox process' current effective GID.
    * Enable TPE sandboxing for the `paludis` profile.
    * Make the ptrace Exec sandboxing check honour filtered paths to avoid
      reporting access violations.
    * Implement [Trusted Path Execution (TPE)
      sandboxing](http://man.exherbolinux.org/syd.7.html#TPE_sandboxing).
    * Remove the setting `exec/kill`.
    * Ensure the `lib` profile sets the sandbox lock to `exec` as `exec` is
      not the default anymore since 3.17.0.
    * Make the `ghost` command imply `reset` to ensure no run-away exec
      processes after the invocation of the `ghost` command.
    * Avoid panic when unsetting `SYD_` environment variables when the
      environment key or value contains invalid UTF-8.
    * Fix undefined behaviour when unsetting `SYD_` environment variables in
      the child by moving the unset logic to the parent right before process
      spawn.

Download:

    * Cargo:  https://crates.io/crates/syd (cargo install syd)
    * Source: https://git.sr.ht/~alip/syd/archive/v3.21.0.tar.gz
    * Binary: https://distfiles.exherbolinux.org/sydbox/syd-3.21.0.tar.xz
              https://distfiles.exherbolinux.org/sydbox/syd-3.21.0.tar.xz.sha512sum
              https://distfiles.exherbolinux.org/sydbox/syd-3.21.0.tar.xz.sha512sum.asc
    * Binary release is signed with the following key: https://keybase.io/alip/pgp_keys.asc

This release contains 182 commits.

This is a relatively big release. Feature-wise the biggest highlights
are Trusted Path Execution (TPE) and symlink restrictions. TPE is based
on HardenedBSD's implementation and closely resembles GrSecurity's. One
notable difference is we set `tpe/root_owned` and `tpe/user_owned` to
false by default as these checks will not do the right thing with
`unshare/user:1` when unmapped users in the user namespace will appear
as the overflow {U,G}ID (i.e. no{body,group}). Refer to this link for more
information: http://man.exherbolinux.org/syd.7.html#TPE_sandboxing

TPE is enabled for the Paludis profile. I did not see a reason not to
enable it and I surely want to get wider testing for it. That said, if we
have any test regressions we can disable it. A TPE access violation will
have the Capability ("cap") set to "t" in the access violation report.

Symlink restrictions mean the sandbox process cannot follow symbolic links
in world-writable +t directories (e.g. /tmp). This restriction is
enabled both for the readlink syscall hooks and for Syd's internal path
canonicalizer. Unlike GrSecurity's linking restrictions, aka
GRKERNSEC_LINK, we deny regardless of the owner of the symlink. Again,
this is done to ensure correct functionality under user namespaces.

Symlink restrictions are hard enabled adhering to Syd's goal to be
secure by default. Should this cause any test regressions, we can
provide a switch for it and turn it off for the Paludis profile.
Refer to this link for more information:
http://man.exherbolinux.org/syd.7.html#Enhanced_Symbolic_Link_Validation

With this release, we publish the CTF profile used for the Sydbox CTF
game on syd.chesswob.org for transparency. The profile is located here:
https://gitlab.exherbo.org/sydbox/sydbox/-/raw/main/data/ctf.syd-3
and the link to the CTF game is: https://ctftime.org/event/2178

Best,
alip
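As an added example (editor's illustration, not code from Syd or from alip), the following Rust model shows the two checks the announcement describes: refusing to follow a symbolic link that lives in a world-writable sticky directory such as /tmp regardless of the link's owner, and a TPE-style test on the directory a program is executed from, with the `root_owned` and `user_owned` checks switched off by default because an unmapped owner inside a user namespace shows up as the overflow ID. The type and function names (`Inode`, `TpePolicy`, `tpe_check`, `deny_symlink_follow_at`), the exemption of root and of the trusted group, and the fact that only the final path component is examined are all simplifications of this example, not statements about Syd's implementation.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

// File-type and permission bits of st_mode (see inode(7)).
const S_IFMT: u32 = 0o170000;
const S_IFDIR: u32 = 0o040000;
const S_IFLNK: u32 = 0o120000;
const S_ISVTX: u32 = 0o1000;
const S_IWGRP: u32 = 0o020;
const S_IWOTH: u32 = 0o002;

/// The inode fields the checks need; built by hand in tests, from
/// `std::fs::Metadata` for real paths. (Example's own type, not Syd's.)
#[derive(Clone, Copy, Debug)]
pub struct Inode {
    pub mode: u32, // full st_mode, file-type bits included
    pub uid: u32,
    pub gid: u32,
}

impl Inode {
    pub fn from_metadata(m: &fs::Metadata) -> Self {
        Inode { mode: m.mode(), uid: m.uid(), gid: m.gid() }
    }
    fn is_dir(&self) -> bool {
        self.mode & S_IFMT == S_IFDIR
    }
    fn is_symlink(&self) -> bool {
        self.mode & S_IFMT == S_IFLNK
    }
}

/// A directory like /tmp: world-writable with the sticky bit set (mode 1777).
pub fn is_sticky_world_writable_dir(dir: &Inode) -> bool {
    dir.is_dir() && dir.mode & S_ISVTX != 0 && dir.mode & S_IWOTH != 0
}

/// Symlink restriction: refuse to follow `link` when it sits in such a
/// directory. The link's owner is deliberately not consulted, so the rule
/// also holds in a user namespace where owners appear as the overflow ID.
pub fn deny_symlink_follow(link: &Inode, parent: &Inode) -> bool {
    link.is_symlink() && is_sticky_world_writable_dir(parent)
}

/// Same check on a real path. Only the final component is examined here; a
/// full canonicalizer would apply it to every symlink met along the walk.
pub fn deny_symlink_follow_at(path: &Path) -> io::Result<bool> {
    let link = Inode::from_metadata(&fs::symlink_metadata(path)?);
    let parent = match path.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    let dir = Inode::from_metadata(&fs::metadata(parent)?);
    Ok(deny_symlink_follow(&link, &dir))
}

/// Knobs named after the announcement's settings; both ownership checks
/// default to off, as the announcement describes.
#[derive(Clone, Copy, Debug)]
pub struct TpePolicy {
    pub trusted_gid: Option<u32>,
    pub root_owned: bool,
    pub user_owned: bool,
}

/// TPE-style decision: may a process with effective ids `euid`/`egid` run a
/// file that lives in directory `dir`? Root and the trusted group are exempt
/// in this model (an assumption of the example).
pub fn tpe_check(dir: &Inode, euid: u32, egid: u32, policy: &TpePolicy) -> Result<(), &'static str> {
    if euid == 0 || policy.trusted_gid == Some(egid) {
        return Ok(());
    }
    if dir.mode & S_IWOTH != 0 {
        return Err("directory is world-writable");
    }
    if dir.mode & S_IWGRP != 0 {
        return Err("directory is group-writable");
    }
    // Under unshare/user:1 an unmapped root shows as the overflow UID (65534),
    // so a root-owned /usr/bin would fail this test; hence it is off by default.
    if policy.root_owned && dir.uid != 0 {
        return Err("directory is not owned by root");
    }
    if policy.user_owned && dir.uid != 0 && dir.uid != euid {
        return Err("directory is owned by another user");
    }
    Ok(())
}

fn main() {
    let policy = TpePolicy { trusted_gid: None, root_owned: false, user_owned: false };
    for p in ["/tmp", "/usr/bin"] {
        match fs::metadata(p) {
            Ok(m) => {
                let dir = Inode::from_metadata(&m);
                println!("{p}: sticky+world-writable={} tpe(uid 1000)={:?}",
                    is_sticky_world_writable_dir(&dir), tpe_check(&dir, 1000, 1000, &policy));
            }
            Err(e) => println!("{p}: {e}"),
        }
    }
}
```

Running the binary prints the verdict for /tmp (denied by both checks on a normal system) and /usr/bin (allowed). Turning `root_owned` on and feeding it an inode whose uid is 65534 reproduces the user-namespace problem the announcement cites: a directory that is really root-owned gets refused.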