Sydbox v2.1.0

Publish date: Jun 17, 2021
Tags: release exherbo sandbox syd-2 daemon aarch64

Changes
Download

I am happy to annouce the release of SydBox-2.1.0. This release has many fixes and some new features. Below you may find information on the recent changes and how to acquire SydBox.

Changes

sydbox: do not warn when reading /proc/pid/stat returns invalid argument
tests: many fixes, add more test coverage
sydbox: fix AArch64 compilation and tests
sydbox: add many daemon options, such as --user, --group, --background, --nice etc. Read the fine manual for further details.
sydbox: fix minor security defects identified by Coverity.
sydbox: make tracee memory read/write functions more resillient to different types of errors
sydbox: fix & dump memory access, bpf filters for network calls. This makes sure the network system calls return the expected error numbers in bpf and deny modes:
- bind: EADDRNOTAVAIL
- connect: ECONNREFUSED
- send{to,msg}: ENOTCONN
- recvmsg: ECONNREFUSED
sydbox: deny send{msg,to} calls with ENOTCONN. This allows sophisticated UDP sandboxing.
sydbox: improve option parsing, add short options for many options
sydbox: new command line flag --mem-access, and magic command core/trace/mem_access to define mode of operation during memory access:
- --mem-access 0: Use cross memory attach if available, /proc otherwise.
- --mem-access 1: Use /proc/pid/mem unconditionally.
- --mem-access 2: Use cross memory attach if available, use /proc otherwise, open file once, do not reopen the file for each call.
- --mem-access 3: Use /proc/pid/mem unconditionally, open file once, do not reopen the file for each call.
- Warning: Modes 2 and 3 may run into too many processes errors. Use another mode or adapt sysctl fs.nr_open as necessary if this is the case.
autotools: improve configure.
- print descriptory message in the end.
- fix checks for struct iovec, statx, msghdr, mmsghdr and open_how.
- remove old and useless ptrace checks.
- make sure to fallback to /proc/pid/mem if both struct iovec and process_vm_readv, process_vm_writev are not found.
- properly fallback to the numbers 310 and 311 if __NR_process_vm_{read,write}v are not defined.
sydbox: replace the hashmap implementation uthash with the more performant sc_map.
sydbox: fix issue with trapped children in SIGCHLD handler.

Download

.	@
Tar	https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2
SHA	https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2.sha1sum
GPG	https://dev.exherbo.org/~alip/sydbox/sydbox-2.1.0.tar.bz2.sha1sum.asc
Git	https://git.exherbo.org/git/sydbox-1.git
Hub	https://github.com/sydbox/sydbox-1

The tarball is signed with this key.
Use: keybase pgp pull alip
Browse: https://git.exherbo.org/sydbox-1.git/
Exheres:
- sydbox.exlib
- sydbox-2.1.0.exheres-0

Sydbox v2.1.0

Table of contents

Changes

Download