xyhhx vs gvisor and cilium: round 2
Well, that's a bit of a letdown. I upgraded my machines to Talos 1.8.0 and gvisor broke. Probably due to containerd v2. Thankfully, someone already noticed that a while back and it seems to be an upstream issue.
We’re kicking off a new blog series with a deep dive into our recent #gVisor integration, introduced in Dangerzone 0.7.0.
In collaboration with the gVisor team, this post explains how we’ve enhanced Dangerzone’s security with a stronger sandbox.
If you use containers to secure your application, make sure not to miss this one!
Yet another #benchmark, this time featuring compilation of #postgresql under #sydbox and #gvisor, shows #sydbox has a small ~10% overhead compared to ~55% of #gvisor: https://bpa.st/raw/45CQ Thanks to #gentoo developer Patrick Lauer for conducting the benchmark! Choose your #sandbox wisely ;) #exherbo
#sydbox-3.24.4 is released! This concludes our #optimization work for the past releases, bringing #sydbox' overhead to 15%-17%. This is a respectable improvement in comparison to, e.g., #gvisor, which comes with a 40%-80% overhead. Check out the benchmarks in the release mail and choose your #sandbox wisely ;) https://is.gd/NYkDiQ #exherbo
Reading the ambitious roadmap of #GrapheneOS, I get the impression that this might become the most secure and #privacy-respecting platform that also overlaps with many classic desktop use-cases and desktop OS.
Looking forward to migrating my Kubernetes setup to a micro-VM environment:
https://github.com/siderolabs/extensions/pull/434
Already started to run pods in gvisor and am now moving to the KVM-based gvisor runtime, which will be even more fun.
Functional correctness is another area #sydbox can be proud of. Meanwhile, #gvisor's goal is "#nodejs should work, full compat is not required". #sydbox supports full build and test coverage for all #exherbo packages. Each test that passes outside the #sandbox but fails inside it is considered a bug, and we work hard to provide compatibility. #exherbo #rustlang
I've just added a section to syd.7 manual page comparing #sydbox to other sandboxing solutions like #gvisor, #bubblewrap and #firejail: http://man.exherbolinux.org/syd.7.html#Comparison_with_Other_Sandboxing_Solutions #sydbox is a #seccomp and #landlock based application #sandbox with support for #namespaces written in #rustlang.
@mcc @inthehands Nice, that actually sounds pretty useful.
This without all the obnoxious contortions (like those #gvisor does) needed for similar results on Linux?
@nnungest Thing is, things won't just work, because of incompatibilities that atomize the environment on one hand (xdg-desktop-portal is meant to alleviate this) and vendoring contributing to security issues on the other, which means RCE is more or less guaranteed in the long term, and that's one privilege escalation or kernel bug away from re-encrypting your whole system for ransomware.
There are options like #QubesOS or #gVisor that address the security part, to a point.
xdg-desktop-portal should be documented separately from flatpak.
I profoundly dislike flatpak, among other reasons, because of its sense of #FalseSecurity (sandboxes still run on the same kernel; I might withdraw this objection when they start using #gVisor for everything) and also because of the vendoring (https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies) it encourages, but I can also recognize that for other reasons that #dBus interface is a good idea.
#gVisor: systrap actually outperforms kvm in a syscall microbenchmark? This is on bare metal...
systrap: ~8s
ptrace: ~121s (lmfao)
kvm: ~15s
(benchmark is just "perf bench syscall basic", which runs 10000000 getppid() calls, on Alpine Linux)
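The post above only gives the totals from "perf bench syscall basic". The following is an added example, not code from the post's author or from the gVisor project: a minimal C re-implementation of that benchmark (a tight loop of getppid() calls timed with CLOCK_MONOTONIC) that reports nanoseconds per syscall, so the same number can be collected on the host and inside sandboxes started with different runsc platforms (systrap, kvm, ptrace) and compared directly. The iteration count of 10000000 matches the post; everything else (function and variable names, the output format) is this example's own choice.

```c
// Added example: a getppid() syscall microbenchmark in the spirit of
// "perf bench syscall basic". getppid() does no real work, so what it
// measures is almost entirely the trap-and-return path, i.e. exactly the
// part a sandbox platform (systrap, kvm, ptrace) adds latency to.
#define _POSIX_C_SOURCE 199309L
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

// Time n getppid() calls and return the average cost in nanoseconds per call.
// The accumulator keeps the compiler from considering the call result unused
// (getppid is an external function anyway, so the call cannot be elided).
static double ns_per_getppid(long n) {
    struct timespec t0, t1;
    unsigned long sink = 0;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < n; i++) {
        sink += (unsigned long)getppid();
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);

    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9
              + (double)(t1.tv_nsec - t0.tv_nsec);
    if (sink == 0) {
        // getppid() never returns 0 for a real process; this only keeps
        // `sink` observable so the loop is not optimised away.
        fputs("unexpected getppid() result\n", stderr);
    }
    return ns / (double)n;
}

// Derived figure: syscalls per second, convenient for comparing runs.
static double syscalls_per_second(double ns_per_call) {
    return 1e9 / ns_per_call;
}

int main(int argc, char **argv) {
    // Default matches the post's "perf bench syscall basic" (10M getppid calls).
    long n = (argc > 1) ? atol(argv[1]) : 10000000L;
    if (n <= 0) {
        fputs("usage: getppid-bench [iterations]\n", stderr);
        return 1;
    }
    double per_call = ns_per_getppid(n);
    printf("%ld getppid() calls: %.1f ns/call, %.0f calls/s\n",
           n, per_call, syscalls_per_second(per_call));
    return 0;
}
```

Run the binary once on the host and once inside a sandbox launched with each platform under test (for runsc the platform is selected with `--platform=systrap|kvm|ptrace`); the ratio of the per-call figures is the interception overhead for that platform. Because the loop does nothing but trap, real workloads that batch I/O or spend time in user space will see a much smaller relative slowdown than this number suggests.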
gVisor is a container security platform
Today at 17:00 I'm giving the talk:
Strengthening Kubernetes security with #gvisor and #falco at Kubernetes Community Days Spain.
Are you joining? https://buff.ly/3sFRqdx