Landrun confines processes efficiently with Landlock - LinuxCommunity

Did a new release of `ssh-tpm-agent`, `v0.8.0`.
Notable changes are hierarchy keys, keyctl backed passwords and some preliminary landlock support.
https://github.com/Foxboron/ssh-tpm-agent/releases/tag/v0.8.0
Linux 6.14 changelog.
https://kernelnewbies.org/Linux_6.14
I'm really looking forward to #Slackware current ship #kernel 6.14. I'm especially interested in Landlock, and to take advantage of it, I'll compile my own kernel, a task I've mastered over the past decade... or so I thought. Apparently, Slackware's philosophy is 'if you're not compiling a kernel, are you even really living?'
So, back to the make mines I go!
Then, I'll be running Landrun (https://github.com/Zouuup/landrun)
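Run any Linux process in a secure, unprivileged sandbox using Landlock LSM.
➤ Landlock LSM provides a secure Linux sandbox environment.
✤ https://github.com/Zouuup/landrun
This article introduces a Landlock LSM security sandbox for running Linux processes, similar to firejail but more lightweight, user-friendly, and integrated into the kernel.
+ This article provides a clear explanation that gives a deeper understanding of Landlock LSM's security features.
+ Running processes on Linux with Landlock LSM looks like a promising direction; hopefully we will see more related use cases in the future.
#LinuxSecurity #SandboxEnvironment #Landlock LSM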
Landrun: Sandbox any Linux process using Landlock, no root or containers
Regarding latest #landlock #cve which is still under analysis, #sydbox prevents unknown files (and files referring to block devices) from being listed and opened, see https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/src/hook.rs?ref_type=heads#L12380 and https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/src/path.rs?ref_type=heads#L349, the #cve is here, https://nvd.nist.gov/vuln/detail/CVE-2025-21830 So far the only false positive we had is pipewire passing files of unknown types thru unix sockets so we relaxed that but we still do disallow passing dirfds like #openbsd and add to that symlinkfds and blockdevfds #exherbo #security
The core idea behind #sydbox + #landlock and #openbsd's #pledge + #unveil is quite similar. In #sydbox, syscall emulator processes are confined with the same #landlock sandbox as the sandbox process, therefore it allows for building a multi-layered sandbox that complements the main seccomp-{bpf,notify} sandbox. This is the core reason why the #landlock break CVE-2024-42318 does not work under #sydbox. #exherbo #security
I'd like to share something nice that I am currently working on: A Landlock integration for Forgejo.
Landlock (https://landlock.io) lets userspace processes tell the kernel "hey kernel, please only let me access the following filesystem resources" (and it also supports sockets, etc. now).
My integration only limits unfettered access to arbitrary files. It needs a lot more yak shaving (refactoring, configurations, using the PATH variable for Git binaries) and time.
`CURLOPT_VERBOSE`, no failed syscalls show up on any network request... Also, curl is compiled with c-ares on alpine, but that still should only require `/etc/resolv.conf` and `/etc/hosts`.
@kde@floss.social @kde@lemmy.kde.social
For people interested, maybe #crabjail and #crablock can be a solution!
https://codeberg.org/crabjail/crablock
A #sandboxing tool written in #Rust, featuring "bleeding edge #Linux #security features like #Landlock or MDWE_REFUSE_EXEC_GAIN."
I'll give a talk at #FOSDEM: #Sandbox IDs with #Landlock
We'll talk about the challenges to identify sandboxed processes in a safe and unprivileged way, and how that could be used to identify #containers.
https://fosdem.org/2025/schedule/event/fosdem-2025-6071-sandbox-ids-with-landlock/
#FOSDEM2025 #container
If anyone is interested in contributing to ssh-tpm-agent I've written up the remaining issues before a 1.0.0 release.
Largely about #landlock support, using the kernel keyring for PIN caching, and writing up man pages for all the tools.
https://github.com/Foxboron/ssh-tpm-agent/milestone/1
Probably a good opportunity to learn more about TPMs and ssh for those interested!
#sydbox-3.29.0 has been released! This release adds support for #Landlock ABIs 4, 5, and 6. ABI 4 offers #network confinement, 5 confines #ioctl operations, 6 has scoped unix abstract sockets and signaling. #sydbox is a rock-solid #application #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang: https://is.gd/j5O16R #exherbo
Check out this little utility of #sydbox called syd-lock which is a tool to use #Landlock standalone, http://man.exherbolinux.org/syd-lock.1.html#EXAMPLE #sydbox is a rock-solid #application #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang #exherbo
#sydbox #git is nearing a release with #Landlock ABI {4..=6} support, and #TCP FastOpen support for syd-tor: https://gitlab.exherbo.org/sydbox/sydbox/-/commit/990116798cb6dbe5183afdfc0dadf919662741cf stay tuned! #sydbox is a rock-solid #application #kernel to #sandbox apps on #Linux >=5.19 written in #rustlang
Linux experts… does someone know if there is a way in Landlock to apply rules dynamically, basically an equivalent to seccomp_unotify? Or something similar to allow and deny access dynamically.
Pls boost for reach really out of ideas here
(cringe hashtags, but hopefully more reach lol)
#linux #seccomp #landlock #security #sandbox