Message-ID: <CAAiePB7WGmCJ4za4poNm9vMYMjhQgzu0G26eWRam1arHPuO+tA@mail.gmail.com>
Date: Mon, 25 Nov 2024 11:04:17 -0600
From: Evan Carroll <me@...ncarroll.com>
To: oss-security@...ts.openwall.com
Subject: Re: Article: State of Sandboxing in Linux

> > You might want "sydbox", though I wouldn't know.
>

Historically, there were 10,000 different ways to sandbox things, from chroots to firejails. I, however, don't understand why anyone would entertain any of these pre-containerization methods today. That's why I'm questioning what the purpose is of comparing different sandboxing methods in isolation from the current status quo -- containerization. Why would anyone want sydbox (whatever it is) over rootless podman?

> By the way, you mention "when would I want [...] over kernel
> user-namespaces", which I think is a complete and utter misunderstanding
> of the problem domain.
>
> sydbox documents that one of the technologies it uses in its source code
> is user namespaces. Generally, "user namespaces" isn't a program you
> use, it's a technique you can make use of in the source code of another
> program entirely... such as sydbox or at a high level, podman.
>

Right! And if it's not providing anything except user namespaces, and cgroups, and secgroups, it's just another containerization tool. So why introduce a term that has fallen entirely into disuse like "sandbox" that includes technologies that predate containers? As far as I can see, that's adding complexity and explaining nothing. And why not compare these tools against the 600 lb gorilla in containerization: rootless podman?

> From looking through the sydbox homepage, and very quickly checking for
> keywords such as "podman", I got pointed to this link:
>
> https://man.exherbolinux.org/syd-oci.1.html
>
> It suggests that the relevance of this software to podman is that you
> can use "sydbox" as an OCI runtime for podman, to replace "crun" or
> "runc", via:
>
> podman run --runtime=syd-oci
>

So now we're getting at it: syd isn't a "sandboxing" thing at all. It's a container runtime. And now the 100 million dollar question is very simple: how does this container runtime compare with youki, which is also in Rust and which, from your link, it clearly says it's based on ("It is largely based on youki")?

Youki has 113 contributors. Sydbox seems to be a one-man show:
https://gitlab.exherbo.org/sydbox/sydbox/-/commits/main/?ref_type=HEADS

Not that this is reason enough not to take it seriously. But the blog entry we need doesn't compare it to esoteric tech in Gentoo (which no one uses). It's a comparison between it and Youki that explains how each of the points under "capabilities" is different from Youki, which doesn't use a "unikernel" and claims many of the same capabilities (because, as you said, they're all using user namespaces, cgroups, and secgroups under the hood).

-- 
Evan Carroll - me@...ncarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011 <+1-281-901-0011>