#sydbox

2025-11-17

#POSIX mandates creating files through dangling symbolic links, which opens the door to attack vectors that are still relevant today, as we see from the #runc breaks, where the attacker can plant a dangling symlink at /dev/{null,console} to create trouble. As of 3.45.0, #sydbox implies O_NOFOLLOW at the open(2) boundary for O_CREAT unless O_EXCL was also passed. The mitigation can be disabled with the option "trace/allow_unsafe_create:1". See the 2nd paragraph: man.exherbo.org/syd.7.html#Tru #linux #security
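Added example, not code from sydbox or from the post above: a small C program that plants a dangling symlink in a scratch directory and opens it three ways, to show the three outcomes the post contrasts. Plain O_CREAT follows the link and creates the target (the POSIX behaviour the attack relies on), O_CREAT|O_EXCL refuses with EEXIST, and O_CREAT|O_NOFOLLOW (what syd now implies) refuses with ELOOP. The scratch-directory helper and the `attempt` struct are this example's own; it assumes a Linux host where /tmp (or, as a fallback, the current directory) is writable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one open(2) attempt through a dangling symlink:
 * err is the errno it failed with (0 on success); target_created says
 * whether the symlink's target came into existence as a side effect. */
struct attempt {
    int err;
    int target_created;
};

/* Create a private scratch directory (mode 0700, so fs.protected_symlinks
 * does not interfere). Returns 0 on success and fills dir. */
static int make_scratch(char *dir, size_t len)
{
    snprintf(dir, len, "/tmp/dangling-XXXXXX");
    if (mkdtemp(dir)) return 0;
    snprintf(dir, len, "./dangling-XXXXXX");   /* fallback if /tmp is unwritable */
    return mkdtemp(dir) ? 0 : -1;
}

/* Attacker's setup: link -> target with target absent. The victim then
 * calls open(link, flags|O_WRONLY) believing it creates a fresh file. */
static struct attempt open_through_dangling(int flags)
{
    struct attempt r = { -1, 0 };
    char dir[64], link[96], target[96];
    if (make_scratch(dir, sizeof dir) != 0) return r;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    if (symlink(target, link) != 0) { rmdir(dir); return r; }

    int fd = open(link, flags | O_WRONLY, 0600);
    r.err = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    struct stat st;
    r.target_created = (lstat(target, &st) == 0);   /* was the link followed? */

    unlink(target); unlink(link); rmdir(dir);
    return r;
}

/* POSIX default: O_CREAT follows the dangling link and creates "target". */
struct attempt plain_create(void)    { return open_through_dangling(O_CREAT); }
/* O_CREAT|O_EXCL: any symlink at the final component is refused with EEXIST. */
struct attempt excl_create(void)     { return open_through_dangling(O_CREAT | O_EXCL); }
/* O_CREAT|O_NOFOLLOW, what syd implies now: symlink at the final component -> ELOOP. */
struct attempt nofollow_create(void) { return open_through_dangling(O_CREAT | O_NOFOLLOW); }

static void report(const char *name, struct attempt a)
{
    printf("%-20s err=%s target_created=%d\n",
           name, a.err ? strerror(a.err) : "0", a.target_created);
}

int main(void)
{
    report("O_CREAT", plain_create());
    report("O_CREAT|O_EXCL", excl_create());
    report("O_CREAT|O_NOFOLLOW", nofollow_create());
    return 0;
}
```

The two refusing cases differ in what they guarantee: O_EXCL also fails when a regular file already exists at the path, while O_NOFOLLOW only rejects a symlink at the final component, which is why a sandbox can imply the latter without breaking programs that legitimately truncate existing files.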

2025-11-16

#sydbox 3.45.0 is released! This update strengthens root mount security by applying strict namespace protections and introducing configurable ramfs mounting. New flags enforce more robust handling of symbolic links and file creation. Various bug fixes, including improved PTY sandboxing and stat(2) handling, solidify sandbox stability and security. Notable changes include new environment variables and expanded restrictions for unsafe capabilities: sydbox.exherbo.org #exherbo #linux #security

2025-11-13

New #container sidechannel alert! #sydbox is not affected because hardened proc(5) does not allow access to the /proc/self/ns directory by default. In addition, unlike #docker, #sydbox supports the time namespace with the unshare/time command. h4x0r.org/funreliable/ #linux #security

2025-11-10

Fellow #Exherbo developer Johannes Nixdorf, aka mixi, fixed a race in #Linux kernel seccomp(2). The bug caused #golang programs to fail with EINTR under #sydbox. Kees Cook has merged the fix recently and it has been ported to all stable trees. One more item checked out to unmask syd-3 on #Exherbo, yey!: gitlab.exherbo.org/exherbo/arb

2025-11-08

Imagine how many proc(5) parsing libraries you will break if you set your process name to "lol ) R 42" which #Linux will provide as is without escaping in the proc(5) files. #sydbox' process name modification restriction guards against this: man.exherbo.org/syd.7.html#Pro #exherbo #security
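Added example, not code from sydbox or from the post above: a naive /proc/[pid]/stat parser next to a robust one, run over a constructed stat line for a process whose comm was set to the string from the post. Per proc(5) the first four fields are pid, comm in parentheses, a single-letter state and ppid, and every field after comm is numeric or a single letter, so the last ')' on the line is the one that closes comm. The sample line is constructed for this example, not captured from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The first four fields of /proc/[pid]/stat per proc(5). */
struct pstat {
    int  pid;
    char comm[64];
    char state;
    int  ppid;
};

/* Constructed sample: comm is "lol ) R 42", written verbatim by the kernel,
 * so the line carries two ')' characters. Real state is S, real ppid is 1. */
static const char SAMPLE_STAT[] =
    "4242 (lol ) R 42) S 1 4242 4242 0 -1 4194560 123 0 0 0 5 3 0 0 20 0 1 0 "
    "99999 2000000 300 18446744073709551615";

/* Shared tail: copy comm from between lp and rp, then scan state and ppid. */
static int finish(const char *line, const char *lp, const char *rp, struct pstat *out)
{
    if (!lp || !rp || rp < lp) return -1;
    out->pid = atoi(line);
    size_t n = (size_t)(rp - lp - 1);
    if (n >= sizeof out->comm) n = sizeof out->comm - 1;
    memcpy(out->comm, lp + 1, n);
    out->comm[n] = '\0';
    return sscanf(rp + 1, " %c %d", &out->state, &out->ppid) == 2 ? 0 : -1;
}

/* Naive: the first ')' ends comm. Wrong whenever comm itself contains ')'. */
int parse_stat_naive(const char *line, struct pstat *out)
{
    const char *lp = strchr(line, '(');
    return finish(line, lp, lp ? strchr(lp, ')') : NULL, out);
}

/* Robust: the LAST ')' ends comm, since no later field can contain one. */
int parse_stat_robust(const char *line, struct pstat *out)
{
    return finish(line, strchr(line, '('), strrchr(line, ')'), out);
}

/* Accessors so the two parsers can be compared on the sample line. */
char naive_state(void)  { struct pstat p; return parse_stat_naive(SAMPLE_STAT, &p) == 0 ? p.state : '?'; }
int  naive_ppid(void)   { struct pstat p; return parse_stat_naive(SAMPLE_STAT, &p) == 0 ? p.ppid : -1; }
char robust_state(void) { struct pstat p; return parse_stat_robust(SAMPLE_STAT, &p) == 0 ? p.state : '?'; }
int  robust_ppid(void)  { struct pstat p; return parse_stat_robust(SAMPLE_STAT, &p) == 0 ? p.ppid : -1; }
int  robust_comm_is(const char *expect)
{
    struct pstat p;
    return parse_stat_robust(SAMPLE_STAT, &p) == 0 && strcmp(p.comm, expect) == 0;
}

int main(void)
{
    printf("naive : state=%c ppid=%d\n", naive_state(), naive_ppid());   /* R 42: attacker-chosen */
    printf("robust: state=%c ppid=%d\n", robust_state(), robust_ppid()); /* S 1: the real values */
    return 0;
}
```

The naive parser reports a running process with parent pid 42, both values chosen by whoever set the process name; the robust parser recovers the real state and parent. Tools that use the first ')' (or split the line on whitespace) are the ones a crafted comm breaks.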

2025-11-05

#sydbox 3.42.0 is released! Syd is a rock solid application #kernel to #sandbox applications on #Linux >= 5.19 and requires no extra privileges! Grab it while it's hot! is.gd/syd_3_42_0 #exherbo #security

2025-11-05

All three breakouts feature procfs writes. #sydbox has hardened procfs and devfs, man.exherbo.org/syd.7.html#Har which prevents such breaks. However, wrt. syd-oci, the vulnerable code is within the container init done by #youki.

2025-11-05

Symlinks strike again! This time with 3 #container breakouts in #runc. Other runtimes including #youki and #crun are also affected. #sydbox' syd-oci is also affected which is based on #youki. Expect updates soon: openwall.com/lists/oss-securit #exherbo #linux #security #podman

2025-11-01

Did you know syd-ls(1) is the safest and most efficient ls(1) in human history? man.exherbo.org/syd-ls.1.html #exherbo #sydbox #linux #security

2025-10-29

Here is an interesting attempt to implement system call cookies for #OpenBSD marc.info/?l=openbsd-tech&m=17 #sydbox had this feature for a while and we've been extending it with new system calls ever since: man.exherbo.org/syd.7.html#Sys #exherbo #linux #security

2025-10-25

#sydbox 3.41.1 is released. This release comes with some fixes for networking syscalls and wordexp. In addition, we release the initial version of syd-tui, which is a terminal user interface for syd written in #async #rustlang with @ratatui_rs and #tokio! See the asciicast for a primer: asciinema.org/a/751235 #exherbo #linux #security

2025-10-19

I ran the #ELF #parser of #sydbox over 60k #Linux #malware samples from #Virusshare and 40k orcs, which are malformed elves generated by the Melkor ELF #Fuzzer, and got no crashes. The parser is written in #rustlang. It's free from unsafe code and arithmetic side effects. Syd parses ELF at the exec(3) and mmap(2) boundaries to perform various restrictions for binaries such as PIE and non-executable stack. #exherbo #security

2025-10-19

Read this section of the syd(7) manual page for more info on the new securebits handling of #sydbox: man.exherbo.org/syd.7.html#Sec #exherbo #linux #security

2025-10-19

#sydbox 3.41.0 is released! Syd now initializes securebits using kernel-assisted executability on Linux 6.14+, falling back to unprivileged checks on EPERM. New options permit disabling script/file vetting and interactive-exec denial. Several trace options were renamed for precision. New CLI, syd-sec(1), is an interface to print secure bits and run programs with secure bits set. Fixes send(2) MSG_OOB on 32-bit, SIGPIPE forwarding on EPIPE, and I/O resilience in syd-tor: is.gd/syd_3_41_0

2025-10-14

Never trust other people's benchmarks: For #sydbox, benchmarks are run in CI with different profiles over #git compilation. #gvisor is also used with ptrace and systrap backends to have solid ground to compare against. Unlike the unrealistic getpid benchmark which gvisor devs use in their blogpost to justify that systrap is noticeably faster, our benchmarks claim the opposite. This on its own proves nothing but it's enough reason to be skeptical about benchmarks. #exherbo #linux builds.sr.ht/~alip/job/1587917

2025-10-11
xyhhx 🔻xyhhx@nso.group
2025-10-09

as a follow up, the other talk that covers syd-oci is also super cool:

archive.fosdem.org/2025/schedu

@alip, this is so fucking cool. i can't wait to play with this. this feels like an excellent addition to my qubes setups, and a great way to build out a minimal alternative to qubes

#syd #sydbox #OCI #sydOCI #containers #security

2025-10-09

#sydbox 3.40.0 released: sendmsg/sendmmsg accept IP_TOS/IPV6_TCLASS cmsgs -> per-pkt TOS/tclass; fallocate(2) FALLOC_FL_WRITE_ZEROES support; PID sandbox sets namespaced kernel.pid_max >= max(pid/max,301); add uts/version + syd-uts; syd-sys -o/-s; uts/host,uts/domain mutable -> uname (defaults:domain=(none),name=localhost); uname hardened; more coverage for seccomp+arg-cookies; mask boot_id; trace opts to disable dev-sidechannel mitigations is.gd/syd_3_40_0
