#sydbox

2025-07-01

I have just submitted this issue, github.com/nushell/nushell/iss for #nushell + #sydbox integration for a well-confined and audited default shell. Hopefully we can provide a portable base to include #FreeBSD's #Capsicum, #OpenBSD's #pledge and #NetBSD's #secmodel supported one day too! Imagine your #shell covering your ass when you tell noone but #curl #bash at 3 am on a nightshift trying not to wake anyone up! Feedback much appreciated! #exherbo #security

2025-06-28

#sydbox 3.36.0 is released! #sydbox is a rock solid application #kernel to sandbox applications on #Linux: is.gd/syd_3_36_0 #exherbo #security

2025-06-12

Latest #sydbox will come with a novel use of #seccomp: Using unused syscall arguments as random cookies. Read here for more information: man.exherbo.org/syd.7.html#Sys #exherbo #linux #security

2025-06-05

Updated #sydbox to 3.35.0: hardened #Landlock, empty mount namespaces using pivot_root and root:tmpfs a la #bubblewrap, many bug fixes thx to LTP, many bug/portability fixes thx to #alpine #linux folks. New utilities #syd-fd and #syd-x. See the release mail for more information: is.gd/syd_3_35_0 #exherbo #hacking #security

2025-06-05

News from #sydbox #git: #Landlock compatibility levels are now supported with the "default/lock" option. Default compat level has been changed from "best-effort" to "hard-requirement" to adhere to the principle of secure defaults. Our standalone #Landlock utility syd-lock learned "-C" option to interface with compat levels. ENOENT, aka "No such file or directory" errors during sandbox setup are now fatal unless compat level has been set to "best-effort". #linux #security man.exherbo.org/syd-lock.1.html

2025-05-28

News from #sydbox: when you configure syd-tor to use a #UNIX domain socket for external #TOR connections which is a new feature it will open an O_PATH fd to the socket, enter into a network+mount+user+... namespace, chroot into /proc/self/fd and access the unix socket using the fd number. This means it will work even if you remove the socket. The socket is duplicated to a random fd to make fd reuse harder. We also apply mdwe, #seccomp and #landlock on top, read more here: man.exherbo.org/syd-tor.1.html

2025-05-13

#sydbox-3.34.0 is released with support for using mseal(2) to seal read-only the sandbox policy when the sandbox is locked, read more here: is.gd/Cq0msi #exherbo #security #linux

2025-05-08

#sydbox #git now uses the new mseal(2) system call where available to seal as read-only the critical regions of the sandbox policy when the sandbox is locked with "lock:on". Added hardening is provided by installing guard pages in place of empty ACLs. Read more about it here: man.exherbolinux.org/syd.7.htm #exherbo #security

2025-05-07

#Sandboxing section of the document "Exheres for Smarties" has been updated to cover the new #sydbox: exherbolinux.org/docs/eapi/exh #exherbo #linux

2025-05-04

"This isn't a sandbox. This is a maximum security syscall prison built by the devil himself (you). You didn't just patch the roof — you removed the doors, replaced the floor with lava, and then set the air on fire." says #chatgpt about #sydbox after trying to crack the #sydbox #ctf in vain for about an hour. Try it yourself: ctftime.org/event/2178 #exherbo #security

2025-05-03

#sydbox-3.33.0 is released, This work continues the sandbox category rework: "rmdir" category is now split from the "delete" category and the #landlock categories have been refined to be more #openbsd #pledge like. The tool syd-lock also got a rework so landlock categories may be used with that too while the old, easyinterface is still available so your scripts will not break! See the release announcement for more information: is.gd/eVxsBt #exherbo

2025-04-24

"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." --John Perry Barlow man.exherbolinux.org/syd.7.htm #exherbo #sydbox

st1nger :unverified: 🏴‍☠️ :linux: :freebsd:st1nger@infosec.exchange
2025-03-27

@xameer think that it's designed for application sandboxing rather than virtual machine or container management, if I understood your question correctly. You can also ask more questions with #sydbox tag or via ircs://irc.libera.chat/#sydbox

2025-03-27

I've just installed #atop on #sydbox #ctf server in case people want to explore exploiting the recent heap corruption. I don't trust jia tan enough to leave atop.service running as root though so the attack vector is limited. Sail with #ssh to syd.chesswob.org (user/pass: syd) or go to syd.chesswob.org although the #nodejs client is a bit more limited. See here for the #security issue, openwall.com/lists/oss-securit (tl;dr uninstall #atop asap!) and here for #sydbox #ctf ctftime.org/event/2178

2025-03-24

@r1w1s1 also check out man.exherbolinux.org/syd-lock. which is written in #rustlang and is part of #sydbox!

2025-03-16

#sydbox-3.32.5 is released with the new abort action for #openbsd #pledge compat and this release also includes a #security fix so the users are recommended to update asap. Read more here, is.gd/MzUXGZ #exherbo

2025-03-15

Did you know #sydbox comes with an #emacs wrapper for your convenience of sandboxed #editor environments? You also have access to #sydbox #api from within initial #emacs process when you do "lock:exec" or by default with the "lib" profile? Configuring #sydbox using #emacs #lisp is possible using the file virtually loaded via "/dev/syd.el" to wrap the syd(2) API, see more here: man.exherbolinux.org/syd-emacs #exherbo #security

2025-03-13

We have 393 packages on #exherbo which is all the system set plus dependencies passing with tests under the new #sydbox! We're close to unmasking the new "syd" and retire the old sydbox-1. #security

2025-03-12

Thanks to #archlinux for packaging #sydbox and having it easily available for their users! You can now do "pacman -S syd" and have #sydbox installed, archlinux.org/packages/extra/x #exherbo #security

2025-03-12

For those who want to have a #tracker-free life on various platforms, #Sydbox is designed for ease of use across a wide array of architectures, including x86, x86_64, x32, armv7, aarch64, loongarch64, mips, mips64, mips64el, ppc, ppc64, ppc64le, riscv64, and s390x embodying the principle of providing simple, flexible, and robust access control to #Linux users. Read more here, man.exherbolinux.org/syd.1.html #exherbo #security

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst