Here is a brief attempt to translate the nervous breakdown of a Trachian soldier after 6 hours of sentry-duty… As a show of respect to the soldier, the f-word has been substituted with the word love on all occurrences.
That’s it, love it! That’s it, love it!
I’ve had enough of this duty!
I’ve been here for 6 hours, love it!
Love who put me here, love who made him put me here! Love ‘em all!
Lovers trusting me to secure this huge company!
What is this? That tears it! Love it!
What is this? Love it!
What is this? Am I an animal? Love it!
Are my parents cows?!!
No more of this loving duty!
No more I am no part of it! Love it!
Cameraman: Yeah, lie down, chill!
What is this? Who the love does he think he is? Love him too!
Cameraman: Enough already!
Linux kernel 3.8 was released this week, which reminded me to write about recent Linux kernel changes that may help in improving sydbox. Below is a short summary of new, and not so new, features, merely to get myself to stop slacking and start coding again.
Per-process namespace support
Per-process namespace support is completed with linux-3.8. This feature provides a nice way to separate resources on a per-process basis: for example, a process might see one set of mountpoints, PID numbers, and network stack state, while a process in another namespace sees a different one. For more information see the Linux-3.8 Changes page on kernelnewbies and the Namespaces in Operation articles on LWN.
PTRACE_O_EXITKILL
New in linux-3.8, this ptrace(2) option makes the kernel send SIGKILL to all tracees when the tracer exits. This is useful for ptrace(2) based sandboxes, for which a tracee that keeps running unsupervised after the tracer dies is a security risk. See the related commit for more information.
SECCOMP_MODE_FILTER
This is by far my favourite feature. Introduced with Linux kernel 3.5 and also known as seccomp mode 2 or user filters, this feature lets you add basic system call filters expressed as Berkeley Packet Filter programs. Even though sydbox still has to use ptrace(2) for more sophisticated argument checking, this feature removes the need to stop the tracee on every system call entry and exit, which is a PITA especially when tracing multithreaded programs. sydbox-1 takes advantage of this feature using SECCOMP_RET_TRACE, which signals the tracer with the new ptrace(2) event PTRACE_EVENT_SECCOMP.
Here are some useful links:
- Using simple seccomp filters
- A library for seccomp filters
- vsftpd’s seccomp sandbox
- openssh’s seccomp filter
- seccomp filtering with systemd
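To make the SECCOMP_RET_TRACE mechanism concrete, here is an added example (my own illustration, not sydbox or kernel source) of a mode-2 filter that hands only openat(2) to the tracer and lets every other call run, together with a tiny cBPF interpreter standing in for the kernel so the filter's decisions can be checked offline; x86_64 and the openat-only policy are assumptions.

```c
/* Added example (not sydbox's or the kernel's code): a SECCOMP_MODE_FILTER
 * program like a ptrace(2)-based sandbox installs, plus a minimal cBPF evaluator
 * so it runs offline without prctl(2). Assumes x86_64; only openat(2) is traced. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
static const struct sock_filter filter[] = {
    /* Syscall numbers are per-ABI: kill anything that is not our arch. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Only the sandboxed call goes to the tracer: SECCOMP_RET_TRACE stops it
     * with PTRACE_EVENT_SECCOMP, low 16 bits (1) as event message. Others pass. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Interpreter for the three instruction kinds used above: absolute 32-bit
 * load from struct seccomp_data, jump-if-equal-constant, and return. */
uint32_t run_filter(const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        const struct sock_filter *ins = &filter[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* skip count */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end: fail closed */
}

/* Build the seccomp_data the kernel would present and ask the filter. */
uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&d);
}
```

A real sandbox installs the same program with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) after PR_SET_NO_NEW_PRIVS and then handles the PTRACE_EVENT_SECCOMP stops in the tracer.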
PTRACE_SEIZE & PTRACE_INTERRUPT
Probably even older than seccomp user filters, these ptrace requests allow the tracer to attach to a tracee without trapping it or affecting its job control states. See http://thread.gmane.org/gmane.linux.kernel/1136930 for more information.
As I took a sip from my tea, the room felt a bit different. Different in such a way that it enabled me to let my unconscious take over.
The wall I was leaning against seemed to change. It was turning into a door. A door made of small curved mirrors… All paintings on the wall faded away slowly. There I was, left alone with a door to enter. Was this a question of bravery? “Temptation, temptation…” So I heard the voices sing. I must admit, I felt kind of scared. Like a baby felt giving birth to her first mother. Before I could change my mind, I quickly grabbed my book and opened the door. I was expecting a divine forest, green and huge. Quite the contrary, the door led me to another room with mirrors on all of its walls, ceiling and floor. I could see the reflection of everything in the room but not myself. The door had vanished and my book looked a lot different to me. What was it that I was to do here? What exactly did I leave behind? This thought made me smile, like a mother smiled while giving birth to her own mother…
Leaving my book in a corner of the room, I observed the mirrors. Why was my reflection not there? In a room like this, how could I see what differences this journey might have made in me? After a couple of minutes, I was surprised to discover that I couldn’t see the reflections of the things that “touched” me. My clothes, my shoes, my earring… All became visible as I took them off. “The book!” I said, “where is it?” turning into the corner where I left it. Its reflection was still there. Looking at me and smiling like my mother smiled, giving birth to my grandmother…
Somehow, I knew the cure was in this room but where? The endlessness, which the mirrors have formed, gave me an idea. Why was I thinking that the other side of the mirror was inaccessible to me? “Temptation, temptation…” So I heard the voices sing. I must admit, I felt kind of scared. Like a warrior felt, being slain by his new-born baby… Feeling I might have found the cure, I took a step into the mirror. There I saw my “other” self sitting in that room, looking at the wall, writing a truly odd story… I can’t say he was astonished though, seeing me standing against him, naked.
Writing with the intention to grow up:
Rule 1: Stay out of the magical world. This is your subconscious speaking.
Rule 2: Never underestimate the power of goats.
Rule 3: Pink Floyd after midnight is easy on the eyes.
Rule ?: Numbers are bad.
Rule: Actually they have no reason whatsoever to even exist.
?: No rule, no pain.
Love: You are on the right path, Watson.
Do not define sizeof(void *). Because in what you would call a primitive world you would only need love, pure, endless love.
Ooomray!
Now look at the sky, look at the river. Isn’t it good?
If not, return to rule 3.
Nearly two years after I began working on a sydbox replacement¹, she is finally nearing completion. This post is meant both as a preliminary announcement and a help request.
sydbox-1 has been in ::arbor for some time as sydbox-scm² and Paludis has supported it since version 0.78.1. The git repository is hosted on exherbo.org³. Before going on to tell you about her I want to kindly ask you to help me with some tasks:
- Proof read the manual page⁴. I am still unsure about the configuration file format and the magic command API, so now is the time to share your ideas and views to help make sydbox-1 better.
- For brave souls, unmask it and install it. Especially important is to run its tests. To do that you have to set the environment variable PALUDIS_DO_NOTHING_SANDBOXY⁵. You will notice that it doesn't depend on pinktrace anymore. This is because sydbox-1 includes a rewrite of pinktrace which will eventually be released as pinktrace-1.
- Once again for brave souls, use it on your system. I am especially interested in how it performs during the src_test phase of exhereseses, so please make sure tests are enabled if you do so and report back any issues (accompanied with a poem of your choosing!). It is always a good idea to have a pbin of the package in question to easily roll back changes in case you hit a severe bug⁶.
If you are bored, you can stop reading now. I will go on to introduce sydbox-1.
Why?
I am not a professional programmer. However, I have gained a lot of experience writing sydbox-0 and watching it perform as the default sandbox of Exherbo. sydbox-0 has many shortcomings and drawbacks which made it rather hard to maintain, such as:
- sydbox-0 was initially based on the now unmaintained catbox. There are many design issues which didn't fit with our use cases for Exherbo.
- Being GPL-2 licensed, it was problematic to share code with the well-established ptrace(2) based projects like strace and truss (of FreeBSD). I have partially solved this problem by writing pinktrace - a BSD3 licensed library providing thin wrappers around certain ptrace(2) calls - but this was not enough. (See below about pinktrace-easy.)
- For a crucial part of the system set, dependencies like GLib were obviously a bad idea.
- Over the years, as the sydbox-0 codebase grew, there were unforeseen code maintenance problems making it difficult to add new features.
Features of sydbox-1
Below are the main features of sydbox-1. You may consult the manual page³ for more information.
- No external dependencies. The GLib dependency is gone for good, along with the ini-format configuration file. sydbox-1 uses JSON format for configuration.
- Most of the ptrace(2) work is now abstracted by a callback-driven, higher-level, BSD3 licensed library called pinktrace-easy. This makes both maintenance easier and code sharing with strace less problematic.
- Well designed, well documented magic command API which fits in with the configuration file format and provides an easier experience during command line invocation.
- A process dump can be obtained by sending sydbox-1 the SIGUSR1 signal (or SIGUSR2 for a more verbose dump). This makes it easier to debug sydbox hangs.
- Better signal handling to make sydbox more immune to interrupts.
- More powerful and configurable rsync-like pattern matching.
- Support for secure computing mode, aka seccomp⁷. This requires Linux-3.5 or newer and the CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y kernel configuration options. The sydbox-scm exheres has a seccomp option to pass --enable-seccomp to econf. This is one of the key features which may make sydbox-1 faster compared to sydbox-0, because in this mode sydbox only traces the sandboxed system calls. Tracing other commonly used system calls - think threaded applications calling sched_yield() - is therefore avoided.
- Logging is easier to filter. This still needs some work though.
- Port numbers can now be entered as service names which will be queried from the services(5) database.
- Unsupported socket families can be whitelisted/blacklisted.
- New magic commands exec/resume_if_match and exec/kill_if_match are added. These commands may be used to resume or kill matching binaries upon successful execution. Paludis has esandbox resume and esandbox kill commands as an interface for exheres-0 (make sure esandbox api returns 1 before using them). See systemd.exlib as an example of how we can now restart services from within exhereseses without worrying about sandboxing.
- Read sandboxing to prevent unwanted filesystem reads.
- Black listing is now also supported in addition to white listing. This may be used to make an "allow by default and black list unwanted accesses" sandboxing policy.
- Many bugs fixed, some new system calls are sandboxed.
How can I thank you?
Send me poems⁸!
¹ She used to be called pandora in the early days.
² Not sydbox-0-scm, which is the old one.
³ http://git.exherbo.org/sydbox-1.git/
⁴ http://dev.exherbo.org/~alip/sydbox/sydbox.html
⁵ Eventually sydbox-1 will install its tests, so this phase is going to be more convenient.
⁶ sydbox-1 has been tested for some time by kind people and I have heard about only one such issue so far, but it is always a good idea to be cautious.
⁷ http://lwn.net/Articles/475043/
⁸ http://dev.exherbo.org/~alip/sydbox/poems.txt
pinktrace-0.1.2 is released with a minor change to recognize Linux-3.0 and a new function, pink_name_lookup_with_length().
Here is a tip to make a multilingual site using Liquid templates and Jekyll relatively easily and with few duplications.
I will be giving examples from my own experience for http://alip.github.com/
Start by specifying the language in YAML Front Matter using a custom tag like lang:
---
layout: default
title: Projelerim
lang: tr
---
Here lang is just a custom tag which we can make use of via the page.lang variable from within our pages.
Next, change your _layouts/ and _includes/ to be multilingual using simple case statements:
<h3>{% case page.lang %}{% when 'tr' %}Etiket Bulutu{% else %}Tag Cloud{% endcase %}</h3>
Make note of the else statements, which we use to specify a default language, so pages without the lang tag will be in English.
That’s all!
For more information, feel free to play with the source code of my blog: http://github.com/alip/alip.github.com
Now I’ll be writing a Turkish translation of this post and see if it works :)
Note to self: writing literal Liquid inside Liquid requires some weird syntax mentioned here.
19th January 2007 was a black day. Journalist Hrant Dink was assassinated by a Turkish nationalist. Hrant was a brave man who refused to remain silent despite threats on his life. Today - after four years - the pain is still fresh. The anger towards fascism and the will to escape from our stinking black-minded ignorance keeps growing.
Just like other intellectuals of this land whose lives were taken away - Ahmet Taner Kışlalı, Bahriye Üçok and Uğur Mumcu to name a few - he has a place in our hearts. Their ideas and thoughts shed light on our path to peace.
If you have a project using Doxygen for documentation and Git for source control management you may use this trick in doxygen.conf:
# Doxygen runs the filter as `<command> "<file>"`, so with sh -c the file name arrives as $0 (not $1).
FILE_VERSION_FILTER = "/bin/sh -c 'git log --pretty=\"format:%ci\" -1 -- \"$0\" || echo no git'"
This will show the date of the last commit in the header:

You can give even more useful information using git’s pretty formats:
# As above, the file name passed by Doxygen is $0 for sh -c.
FILE_VERSION_FILTER = "/bin/sh -c 'git log --pretty=\"format:%ci, author:%aN <%aE>, commit:%h\" -1 -- \"$0\" || echo no git'"
This looks like:

Note that this may vastly increase the runtime of Doxygen if you have lots of files to process, since git is invoked once per file, but I think it is a nice way to give information to project users.
Here is some new stuff that has been cooking in pinktrace.git:
ARM port
I’ve ported PinkTrace to ARM. Thanks to dagger and arachnist who have given me access to their ARM boxes. If you want to know the technical details of this port, have a look at the file pink-linux-trace-arm.c.
Haskell bindings
I’ve started writing Haskell bindings. This is a work in progress which you can find in the haskell branch.
Sydbox & PinkTrace
Sydbox requires PinkTrace in the next branch. I’ll merge next to master after I’m done with testing, for which you may be of help.
TODO
I’ve also written a TODO file and added a link to it from Exherbo’s project-ideas page.
This is all for now!
I’ve started a new university in a different city by the way and don’t have a stable internet connection these days. So if you’re trying to contact me via IRC and I’m not responding, try email.