libseccomp
misc
libseccomp | misc | |
---|---|---|
3 | 3 | |
771 | 6 | |
1.3% | - | |
4.6 | 1.1 | |
20 days ago | almost 2 years ago | |
C | Roff | |
GNU Lesser General Public License v3.0 only | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
libseccomp
-
Linux Security - Secure Computing Mode (seccomp)
We can configure seccomp by the libseccomp (https://github.com/seccomp/libseccomp), the prctl(https://man7.org/linux/man-pages/man2/prctl.2.html) system call and/or the seccomp syscall (https://man7.org/linux/man-pages/man2/seccomp.2.html) and/or other CLI tools (like https://github.com/david942j/seccomp-tools) .
-
Show HN: Porting OpenBSD Pledge() to Linux
Very nice! I'm a fan of OpenBSD and pledge(). I've had some success on Linux with libseccomp[0] which means you don't have to deal with BPF directly, but pledge() is obviously much much easier.
0. https://github.com/seccomp/libseccomp
-
Zoom zero-day discovery makes calls safer, hackers $200k richer
Yeah the idea of wrangling raw BPF is a bit daunting. Just FYI, libseccomp (https://github.com/seccomp/libseccomp) exists to abstract away all the BPF stuff. It even comes prepackaged by the major distros (ex https://packages.debian.org/sid/libseccomp2) so you don't even have to compile it yourself.
misc
-
Show HN: Porting OpenBSD Pledge() to Linux
Here's a landlock wrapper for FireFox: https://github.com/62726164/misc/tree/main/go/landlock/firef...
It's more restrictive than Firejail and is not suid.
-
PSA: Serious Security Vulnerability in Tor Browser
I no longer use Tor either (unless I have to for work projects such as remote pentesting).
What is you opinion of Landlock (Linux kernel 5.13 and newer)? If we wrap vanilla FireFox in LandLock, proxy that to tor and use Apparmor/Tomoyo to further limit what FireFox could do (when it gets compromised) then I think that would be a much safer approach than using the Tor Browser Bundle.
Here's a landlock wrapper (in Go) for FireFox: https://github.com/62726164/misc/blob/main/go/landlock/firef...
Also, I've only ever been able to get Tomoyo to work as MAC for FireFox. SELinux and Apparmor were too difficult.
-
Improved Process Isolation in Firefox 100
I firmly believe that isolation is the future of endpoint security. I like experimenting with MACs on Linux. Tomoyo is my favorite major MAC in Linux. And if you have a newer kernel (5.13 or greater), you may like to experiment with landlock. It's pretty cool and unlike FireJail, no suid required. Here's a landlock wrapper for Firefox:
https://github.com/62726164/misc/blob/main/go/landlock/firef...
What are some alternatives?
tracee - Linux Runtime Security and Forensics using eBPF
fdroid-metadata
capstone - Capstone disassembly/disassembler framework: Core (Arm, Arm64, BPF, EVM, M68K, M680X, MOS65xx, Mips, PPC, RISCV, Sparc, SystemZ, TMS320C64x, Web Assembly, X86, X86_64, XCore) + bindings. [Moved to: https://github.com/capstone-engine/capstone]
pornhub-dl - :eggplant: A nice cli-wrapper around youtube-dl for downloading videos and following users/channels on pornhub
seccomp-scopes - Make Linux computing safe
libbpf - Automated upstream mirror for libbpf stand-alone build.
uBlock - uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.
capsicum-linux - Linux kernel with Capsicum support
firejail - Linux namespaces and seccomp-bpf sandbox
Lean and Mean Docker containers - Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)