Planet Exherbo

Paludis 1.4.0 has been released:

• Tweaked ‘cave resolve’ output to add blank lines.
• Support for libarchive 3.1.2.
• Compatibility fixes for GCC 4.8.

Filed under: paludis releases Tagged: paludis

Here is a brief attempt to translate the nervous breakdown of a Trachian soldier after 6 hours of sentry-duty… As a show of respect to the soldier, the f-word has been substituted with the word love on all occurences.

That’s it, love it! That’s it, love it!
I’ve had enough of this duty!
I’ve been here for 6 hours, love it!
Love who put me here, love who made him put me here! Love ‘em all!
Lovers trusting me to secure this huge company!
What is this? That tears it! Love it!
What is this? Love it!
What is this? Am I an animal? Love it!
Are my parents cows?!!
No more of this loving duty!
No more I am no part of it! Love it!
Cameraman: Yeah, lie down, chill!
What is this? Who the love does he think he is? Love him too!
Cameraman: Enough already!

Paludis 1.2.0 has been released:

• Bug fixes.
• Dep specs can now use ‘[.key!=value]‘. The behaviour of ‘<’ and ‘>’ has changed: for key types where order comparisons don’t make sense, the match now always fails.
• Various compiler-compatibility fixes.

Filed under: paludis releases Tagged: paludis

It's that time of the year.. Only four days left before the big danish Open Source Days conference starts and we're tying up all the loose ends as quickly as possible.

Things are looking great from my point of view but one of the things we need to sort out before the conference opens is all the different helper roles. And we're still looking for good wanting to be an active part of Open Source Days and get to know all the other great people involved.

If you would like to take part in this you can sign up at Join Us and in return for helping out you get free entrance to the conference including the social event saturday night.

Linux kernel 3.8 has been released this week which reminded me to write about recent Linux kernel changes which may help in improving sydbox. Below is a short summary of new, and not so new, features merely to get myself to stop slacking and start coding again.

Per-process namespace support

Per-process namespace support is completed with linux-3.8. This feature provides a nice way to separate resources on a per-process basis, for example a process might see a set mountpoints, PID numbers, and network stack state, and a process in other namespace might see others. For more information see the Linux-3.8 Changes page on kernelnewbies and the Namespaces in Operation articles on LWN.

PTRACE_O_EXITKILL

New in linux-3.8, this ptrace(2) option makes the tracer send SIGKILL to tracees on exit. This is useful for ptrace(2) based sandboxes for which a resumed tracee is a security risk. See the related commit for more information.

SECCOMP_MODE_FILTER

This is by far my favourite feature. Introduced with Linux kernel 3.5 and also known as seccomp mode 2 or user filters this feature lets you add basic system call filters expressed as Berkeley Packet Filter programs. Even though sydbox still has to use ptrace(2) to do more sophisticated argument checking, this feature removes the need to stop the tracee on every system call entry and exit which is a PITA especially when tracing multithreaded programs. sydbox-1 takes advantage of this feature using SECCOMP_RET_TRACE which signals the tracer with the new ptrace(2) event PTRACE_EVENT_SECCOMP.

Here are some useful links:

• Using simple seccomp filters
• A library for seccomp filters
• vsftpd’s seccomp sandbox
• openssh’s seccomp filter
• seccomp filtering with systemd

PTRACE_SEIZE & PTRACE_INTERRUPT

Probably even older than seccomp user filters, these ptrace requests allow the tracer to attach to tracee without trapping it or affecting its job control states. See, http://thread.gmane.org/gmane.linux.kernel/1136930 for more information.

20.000 minutes sounds like a lot but for sufficiently large projects with sharp deadlines it really isn't.

Converted to a more manageable time scale it's roughly two weeks or roughly how much time until the Open Source Days conference opens. As some of you might know this is the second year I'm involved in organising this big open source conference.

And just like last year it's an awesome experience but also very stressful with all the small things needing to fall into place for the conference to run smoothly. And unlike last year I haven't been sick so I'm getting to enjoy the full experience :)

Having only two weeks left means really long hours every day while we scramble to close all the outstanding issues. But it also means we get to see a huge amount of things fall into place each day.

Some of the things I'm excited about today:

• Most of the talks are now announced on the website


• The keynote talks are all confirmed. More on that later.


• We've added several more sponsors

The next two weeks should be very exciting and I'm sure the conference is going to be even better this year.

See you all at the conference!

As I took a sip from my tea, the room felt a bit different. Different in such a way that it enabled me to let my unconscious take over.

The wall I was leaning against seemed to change. It was turning into a door. A door made of small curved mirrors… All paintings on the wall faded away slowly. There I was, left alone with a door to enter. Was this a question of bravery? “Temptation, temptation…” So I heard the voices sing. I must admit, I felt kind of scared. Like a baby felt giving birth to her first mother. Before I could change my mind, I quickly grabbed my book and opened the door. I was expecting a divine forest, green and huge. Quite the contrary, the door led me to another room with mirrors on all of its walls, ceiling and floor. I could see the reflection of everything in the room but not myself. The door had vanished and my book looked a lot different to me. What was it that I was to do here? What exactly did I leave behind? This thought made me smile, like a mother smiled while giving birth to her own mother…

Leaving my book in a corner of the room, I observed the mirrors. Why was my reflection not there? In a room like this, how could I see what differences this journey might have made in me? After a couple of minutes, I was surprised to discover that I couldn’t see the reflections of the things that “touched” me. My clothes, my shoes, my earring… All became visible as I took them off. “The book!” I said, “where is it?” turning into the corner where I left it. Its reflection was still there. Looking at me and smiling like my mother smiled, giving birth to my grandmother…

Somehow, I knew the cure was in this room but where? The endlessness, which the mirrors have formed, gave me an idea. Why was I thinking that the other side of the mirror was inaccessible to me? “Temptation, temptation…” So I heard the voices sing. I must admit, I felt kind of scared. Like a warrior felt, being slain by his new-born baby… Feeling I might have found the cure, I took a step into the mirror. There I saw my “other” self sitting in that room, looking at the wall, writing a truly odd story… I can’t say he was astonished though, seeing me standing against him, naked.

Paludis 1.0.0 has been released:

• EAPI 5 style subslot specs are allowed in user dependency specs.
• We now support DWARF compression.

Filed under: paludis releases Tagged: paludis

Paludis 0.82.0 has been released:

• Various EAPI 5 related fixes.

Filed under: paludis Tagged: paludis

Writing with the intention to grow up:

Rule 1: Stay out of the magical world. This your subconscious speaking.

Rule 2: Never underestimate the power of goats.

Rule 3: Pink Floyd after midnight is easy on the eyes.

Rule ?: Numbers are bad.

Rule: Actually they have no reason whatsoever to even exist.

?: No rule, no pain.

Love: You are on the right path, Watson.

Do not define sizeof(void *). Because in what you would call a primitive world you would only need love, pure, endless love.

Ooomray!

Now look at the sky, look at the river. Isn’t it good?

If not, return to rule 3.

Paludis 0.80.2 has been released:

• Bug fixes.
• Added ‘cave print-unmanaged-files’.

Filed under: paludis releases Tagged: paludis

Paludis 0.80.1 has been released:

• Bug fixes

Filed under: paludis releases Tagged: paludis

After nearly two years I began working on a sydbox replacement¹ she is finally nearing completion. This post is meant both as a preliminary announcement and help request.

sydbox-1 has been in ::arbor for sometime as sydbox-scm² and paludis supports it since version 0.78.1. The git repository is hosted on exherbo.org³. Before going on to tell you about her I want to kindly ask you to help me with some tasks:

• Proof read the manual page⁴. I am still unsure about the configuration file format and the magic command API so now is the time to share your ideas and views to help make sydbox-1 better.

• For brave souls, unmask it and install it. Especially important is to run its tests. To do that you have to set the environment variable PALUDIS_DO_NOTHING_SANDBOXY⁵. You will notice that it doesn’t depend on pinktrace anymore. This is because sydbox-1 includes a rewrite of pinktrace which will eventually be released as pinktrace-1.

• Once again for brave souls, use it on your system. I am especially interested in how it performs during the src_test phase of exhereseses so please make sure tests are enabled if you do so and report back any issues (accompanied with a poem of your choosing!). It is always a good idea to have a pbin of the package in question to easily rollback changes in case you hit a severe bug⁶.

If you are bored, you can stop reading now. I will go on to introduce sydbox-1.

Why?

I am not a professional programmer. However, I have gained many experiences after writing sydbox-0 and watching it perform as the default sandbox of Exherbo. sydbox-0 has many shortcomings and drawbacks which made it rather hard to maintain. Such as:

• sydbox-0 was based on the now unmaintained catbox initially. There are many design issues which didn’t fit with our use cases for Exherbo.
• Being GPL-2 licensed it was problematic to share code with the well-established ptrace(2) based projects like strace and truss (of FreeBSD). I have partially solved this problem by writing pinktrace - a BSD3 licensed library providing thin wrappers around certain ptrace(2) calls but this was not enough. (See below about pinktrace-easy)
• Being a crucial part of the system set, dependencies like GLib was obviously a bad idea.
• Over the years as sydbox-0 codebase grew there were unforeseen code maintenance problems making it difficult to add new features.

Features of sydbox-1

Below are main features of sydbox-1. You may consult the manual page³ for more information.

• No external dependencies. GLib dependency is gone for good among with the ini-format configuration file. sydbox-1 uses JSON format for configuration.
• Most of the ptrace(2) work is now abstracted by a callback-driven higher-level BSD3 licensed library called pinktrace-easy. This makes both the maintenance easier and code sharing with strace less problematic.
• Well designed, well documented magic command API which fits in with the configuration file format and provides an easier experience during command line invocation.
• Process dump can be obtained by sending sydbox-1 the SIGUSR1 signal (or SIGUSR2 for a more verbose dump). This makes it easier to debug sydbox hangs.
• Better signal handling to make sydbox more immune to interrupts.
• More powerful and configurable rsync-like pattern matching.
• Support for secure computing mode aka seccomp⁷. This requires Linux-3.5 or newer and CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y kernel configuration options. sydbox-scm exheres has a seccomp option to pass --enable-seccomp to econf. This is one of the key features which may make sydbox-1 faster compared to sydbox-0 because in this mode sydbox only traces the sandboxed system calls. Tracing other commonly used system calls - think threaded applications calling sched_yield() - is therefore avoided.
• Logging is easier to filter. This still needs some work though.
• Port numbers can now be entered as service names which will be queried from the services(5) database.
• Unsupported socket families can be whitelisted/blacklisted.
• New magic commands exec/resume_if_match and exec/kill_if_match are added. These commands may be used to resume or kill matching binaries upon successful execution. Paludis has esandbox resume and esandbox kill commands as an interface for exheres-0 (Make sure esandbox api returns 1 before using them). See systemd.exlib as an example on how we can now restart services from within exhereseses without worrying about sandboxing.
• Read sandboxing to prevent unwanted filesytem reads.
• Black listing is now also supported in addition to white listing. This may be used to make an “allow by default and black list unwanted accesses” sandboxing policy.
• Many bugs fixed, some new system calls are sandboxed.

How can I thank you?

Send me poems⁸!

Paludis 0.80.0 has been released:

• EAPI 5 is supported.

Filed under: paludis releases Tagged: paludis

Paludis 0.78.2 has been released:

• Bug fix: || ( ) dependencies under a non-enabled label are now handled sensibly.
• Bug fix: the resolver no longer attempts to create binaries for accounts.
• Bug fix: 0-scm is now ordered correctly.

Filed under: paludis releases Tagged: paludis