#sydbox 3.45.0 is released! This update strengthens root mount security by applying strict namespace protections and introducing configurable ramfs mounting. New flags enforce more robust handling of symbolic links and file creation. Various bug fixes, including improved PTY sandboxing and stat(2) handling, solidify sandbox stability and security. Notable changes include new environment variables and expanded restrictions for unsafe capabilities: https://sydbox.exherbo.org #exherbo #linux #security

Fellow #Exherbo developer Johannes Nixdorf, aka mixi, fixed a race in #Linux kernel seccomp(2). The bug caused #golang programs to fail with EINTR under #sydbox. Kees Cook has merged the fix recently and it has been ported to all stable trees. One more item checked out to unmask syd-3 on #Exherbo, yey!: https://gitlab.exherbo.org/exherbo/arbor/-/merge_requests/5057#note_55734

Before you write your own #landlock wrapper, check this one out: syd-lock, a simple #cli that supports up to #landlock abi 7 with a simple interface: https://man.exherbo.org/syd-lock.1.html #exherbo #linux #security

Imagine how many proc(5) parsing libraries you will break if you set your process name to "lol ) R 42" which #Linux will provide as is without escaping in the proc(5) files. #sydbox' process name modification restriction guards against this: https://man.exherbo.org/syd.7.html#Process_Name_Modification_Restriction #exherbo #security

#sydbox 3.42.0 is released! Syd is a rock solid application #kernel to #sandbox applications on #Linux >= 5.19 and requires no extra privileges! Grab it while it's hot! https://is.gd/syd_3_42_0 #exherbo #security

Symlinks strike again! This time with 3 #container breakouts in #runc. Other runtimes including #youki and #crun are also affected. #sydbox' syd-oci is also affected which is based on #youki. Expect updates soon: https://www.openwall.com/lists/oss-security/2025/11/05/3 #exherbo #linux #security #podman

Did you know syd-ls(1) is the safest and most efficient ls(1) in human history? https://man.exherbo.org/syd-ls.1.html #exherbo #sydbox #linux #security

Typical #rustlang ub i just fixed in #sydbox. One unsafe and all hell breaks loose :-) https://gitlab.exherbo.org/sydbox/sydbox/-/commit/79ce9b7e3a73ebdb796c05c1f538f65bbd144253 #exherbo #linux #security

Here is an interesting attempt to implement system call cookies for #OpenBSD https://marc.info/?l=openbsd-tech&m=176173191311272&w=2 #sydbox had this feature for a while and we've been extending it with new system calls ever since: https://man.exherbo.org/syd.7.html#Syscall_Argument_Cookies #exherbo #linux #security

#sydbox 3.41.1 is released. This release comes with some fixes for networking syscalls and wordexp. I addition, we release the initial version of syd-tui, which is a terminal user interface for syd written in #async #rustlang with @ratatui_rs and #tokio! See the asciicast for a primer: https://asciinema.org/a/751235 #exherbo #linux #security

I ran the #ELF #parser of #sydbox over 60k #Linux #malware samples from #Virusshare and 40k orcs which are malformed elves generated by the Melkor ELF #Fuzzer and got no crashes. The parser is written in #rustlang. It's free from unsafe code and arithmetic side effects. Syd parses ELF at exec(3) and mmap(2) boundary to perform various restrictions for binaries such as PIE and non-executable stack. #exherbo #security

Read this section of the syd(7) manual page for more info on the new securebits handling of #sydbox: https://man.exherbo.org/syd.7.html#Securebits_and_Kernel-Assisted_Executability #exherbo #linux #security

Never trust other people's benchmarks: For #sydbox benchmarks are run in CI with different profiles over #git compilation. #gvisor is also used with ptrace and systrap backends to have a solid ground to compare against. Unlike the unrealistic getpid benchmark which gvisor devs use in their blogpost to justify systrap is noticably faster, our benchmark claim the opposite. This on its own proves nothing but it's enough reason to be skeptic about benchmarks. #exherbo #linux https://builds.sr.ht/~alip/job/1587917#task-bench

My #BalCCon2k25 talk on #sydbox and advanced #sandboxing has just been released: https://is.gd/syd_balccon2k25 #exherbo #linux #security

News from #sydbox #git: We have started testing using LTP in CI which uncovered many bugs, we have fixed all of them and LTP tests currently pass. Huge thanks to the LTP project! Stay tuned for next release! #exherbo #linux #security https://linux-test-project.readthedocs.io/en/latest/

#sydbox 3.39.0 is released: isolated procfs (subset=pid+hidepid=4); syscall arg-cookies for net syscalls; keyrings replace raw keys for Crypt sandboxing; force RESOLVE_NO_XDEV with trace/force_no_xdev; new lock mode lock:read: https://is.gd/syd_3_39_0 #exherbo #linux #security

#sydbox has a mirror on #codeberg now! https://codeberg.org/alip/sydbox #exherbo #security #linux

sydbox-3.38.5 is out! Final release before #BalCCon2k25! Everyone is invited to my talk on Advanced sandboxing :) Slides are here if you want to take a look before: https://gitlab.exherbo.org/sydbox/sydbox/-/tree/main/doc/talks/2025-Syd-BalCCon #exherbo #linux #security

#sydbox 3.38.0 comes with hardened proc_pid_status(5) which zeroes out fields such as TracerPid and Seccomp. This is intended to help with #malware analysis, as these fields are commonly used by malware to evade detection, see this for more info: https://man.exherbo.org/syd.7.html#Hardened_proc_pid_status(5) #exherbo #linux #security

#sydbox 3.38.0 is released! Refined device restrictions, hardened proc & seccomp filters, #OpenBSD pledge(2) style category sets, #Landlock ABI 7 support, and safer handling of memfd & personality flags. See https://is.gd/syd_3_38_0 I'll be giving a talk on advanced sandboxing at #BalCCon2k25! Everyone is invited! #exherbo #linux #security