Search found 30 matches

by Chrysolite Azalea
Tue Feb 14, 2023 7:22 pm
Forum: EasyOS
Topic: No support for Landlock in EasyOS?
Replies: 16
Views: 1174

Re: No support for Landlock in EasyOS?

I haven't enabled it because I don't know anything about it. Landlock is an unprivileged file access self-restriction feature. It allows apps to define which files/directories they are allowed to access, and all access to any files/directories not mentioned in the ruleset would be denied. It's like...
by Chrysolite Azalea
Tue Feb 14, 2023 6:32 pm
Forum: EasyOS
Topic: No support for Landlock in EasyOS?
Replies: 16
Views: 1174

Re: No support for Landlock in EasyOS?

Yes, the kernel config:
# CONFIG_SECURITY_LANDLOCK is not set
I haven't enabled it because I don't know anything about it. Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them. But Landlock is supposed to be used by user's apps (specif...
by Chrysolite Azalea
Sun Feb 12, 2023 6:53 pm
Forum: EasyOS
Topic: No support for Landlock in EasyOS?
Replies: 16
Views: 1174

Re: Landlock

P.S. I have used this sandboxer in order to test it, although I have slightly modified it in order to simplify compiling it.

by Chrysolite Azalea
Sun Feb 12, 2023 6:52 pm
Forum: EasyOS
Topic: No support for Landlock in EasyOS?
Replies: 16
Views: 1174

No support for Landlock in EasyOS?

Hello everyone! I've tested EasyOS recently, and I wonder, why does EasyOS lack Landlock support? It does support seccomp... but not Landlock? That seems strange to me. (Landlock was added in the 5.13 kernel version)

by Chrysolite Azalea
Thu Nov 17, 2022 3:51 pm
Forum: EasyOS
Topic: EasyOS version 4.5.5 released
Replies: 134
Views: 21026

Re: EasyOS version 4.5 released

I wonder, is there a reason for completely disabling support for SELinux and AppArmor in the kernel at compile-time, rather than simply booting the system without them?

(I'm asking because I'm using AppArmor on my main system)

by Chrysolite Azalea
Fri Nov 04, 2022 11:22 pm
Forum: woof-CE
Topic: run_woof using systemd-nspawn instead of chroot
Replies: 0
Views: 1003

run_woof using systemd-nspawn instead of chroot

Hello everyone! I've forked the run_woof project and replaced chroot with systemd-nspawn. The advantages of it:
- Various virtual filesystems are now handled by systemd-nspawn and don't have to be handled by run_woof
- systemd-nspawn containers can be managed by machinectl utility
- PID namespace isolati...
by Chrysolite Azalea
Fri Nov 04, 2022 5:03 pm
Forum: Users
Topic: How can I add a Wayland composer to my remaster?
Replies: 2
Views: 338

How can I add a Wayland composer to my remaster?

Hello everyone! I'm creating a remaster for Puppy Linux, and, due to security issues with X.Org, I'd like to run some applications under the Wayland composer. I've looked at some composers, and I think about using Weston and/or Cage. The issue is that Cage depends on wlroots, and the "libwlroots-...
by Chrysolite Azalea
Fri Nov 04, 2022 9:42 am
Forum: Re-masters
Topic: Fossapup Remaster with recompiled kernel
Replies: 15
Views: 2529

Re: Fossapup Remaster with recompiled kernel

Hello everyone! I've made a new remaster. What has changed:
- Since the 5.19 kernel reached the end-of-life, I've switched to the long-term 5.15 kernel
- run-as-spot now loads a basic deny-list seccomp filter that blocks the most dangerous system calls
- The init process is now run under a permissive comp...
by Chrysolite Azalea
Fri Oct 28, 2022 7:31 am
Forum: EasyOS
Topic: Questions & observations after trying EasyOS
Replies: 10
Views: 1269

Re: Questions & observations after trying EasyOS

Back when I was originally researching namespaces, it looked like user-namespace is itself a potential security weakness. So it is deliberately disabled. The problem is that user namespaces are also a highly important security feature. What is sometimes called a security weakness, however, is unpr...
by Chrysolite Azalea
Thu Oct 27, 2022 8:17 pm
Forum: EasyOS
Topic: Questions & observations after trying EasyOS
Replies: 10
Views: 1269

Re: Really, what the..?

I've looked at how EasyContainers works, and I have found something... disturbing in the EasyOS kernel (pic. 2) -- I just wonder, who could think that disabling the support for user namespaces in the kernel was a remotely good idea? User namespacing is a highly important feature Do you see security co...
by Chrysolite Azalea
Thu Oct 27, 2022 2:33 pm
Forum: EasyOS
Topic: Questions & observations after trying EasyOS
Replies: 10
Views: 1269

Questions & observations after trying EasyOS

Hello everyone! Today, I've downloaded EasyOS and tried to run it in a virtual machine. I've looked at what applications it has, what features are added, etc. Also, I've looked up the kernel configurations and have some questions: 1. What was the reason behind excluding mandatory access control systems...
by Chrysolite Azalea
Sat Oct 22, 2022 7:56 pm
Forum: Users
Topic: What do you think about LXC?
Replies: 5
Views: 457

What do you think about LXC?

Hello everyone! Recently, I've managed to compile LXC on Puppy Linux. LXC is an open-source container manager for GNU/Linux. I think it can be useful:
- Software that is hard to compile for Puppy Linux can be run in a container that has all the dependencies built in it
- We can use it to run Android app...
by Chrysolite Azalea
Sat Oct 22, 2022 6:00 am
Forum: Security
Topic: CVE-2022-2602 security vulnerability
Replies: 0
Views: 572

CVE-2022-2602 security vulnerability

Hello everyone! Recently, the CVE-2022-2602 security vulnerability was reported on OpenWall that can potentially lead to privilege escalation due to some issue with Unix-domain sockets. There also seems to be a proposed fix -- the commit that was mentioned in the OpenWall message as one that fixes t...
by Chrysolite Azalea
Thu Oct 20, 2022 11:57 am
Forum: Re-masters
Topic: Fossapup Remaster with recompiled kernel
Replies: 15
Views: 2529

Re: Fossapup Remaster with recompiled kernel

I'll have to read-up about Armour. It does not appear that its restrictions take effect by default. Using the Chromium installed (see last post) I was able to download files other than to the /Spot Folder, see files on a mounted partition of my hard-drive Because this remaster doesn't offer any aut...
by Chrysolite Azalea
Mon Oct 17, 2022 9:12 pm
Forum: Re-masters
Topic: Fossapup Remaster with recompiled kernel
Replies: 15
Views: 2529

Re: Fossapup Remaster with recompiled kernel

I've made some changes (since the last ISO I've made worked on QEMU, but I couldn't boot it on bare-metal, I'm publishing this one in form of SFS files, vmlinuz and initrd.gz kit -- you can create a frugal installation and put these ones instead of standard ones) What has changed: The firewall now u...
by Chrysolite Azalea
Sun Oct 16, 2022 2:50 pm
Forum: Re-masters
Topic: Fossapup Remaster with recompiled kernel
Replies: 15
Views: 2529

Re: Fossapup Remaster with recompiled kernel

That's nice. However, I think that Landlock is a way for already sandboxed apps to further restrict themselves. For example, a browser might want to prevent itself from reading anything other than its own directories, and the downloads directory. Since run-as-spot usually runs as root, it can make u...
by Chrysolite Azalea
Sun Oct 16, 2022 2:22 pm
Forum: Users
Topic: Fossapup remaster: The X server doesn't start if Lockdown is enabled at boot
Replies: 1
Views: 191

Re: The X server doesn't start if Lockdown is enabled at boot

Lockdown is a Linux security module that protects the running kernel from modifications by privileged processes. It also blocks hibernation, kexec reboot and unsigned module loading.

by Chrysolite Azalea
Sun Oct 16, 2022 2:20 pm
Forum: Users
Topic: Fossapup remaster: The X server doesn't start if Lockdown is enabled at boot
Replies: 1
Views: 191

Fossapup remaster: The X server doesn't start if Lockdown is enabled at boot

Hello everyone! I'm creating a Fossapup remaster with several enhancements, and I would like to ask a question. I've compiled the kernel with Lockdown enabled (it's turned off by default). When I pass a lockdown=integrity option to the kernel command line, the system loads, but the X server fails to...
by Chrysolite Azalea
Sun Oct 16, 2022 2:16 pm
Forum: Re-masters
Topic: Fossapup Remaster with recompiled kernel
Replies: 15
Views: 2529

Re: Fossapup Remaster with recompiled kernel

I'd like to mention, I've only tested it in the QEMU, I've never tried to run it on bare metal.

by Chrysolite Azalea
Sun Oct 16, 2022 2:16 pm
Forum: Re-masters
Topic: Fossapup Remaster with recompiled kernel
Replies: 15
Views: 2529

Fossapup Remaster with recompiled kernel

Hello everyone! I've created a Fossapup remaster with several enhancements. What has been changed:
- The new kernel has been compiled (5.15.4) with AppArmor and Landlock support
- New software: AppArmor userspace utilities and Bubblewrap -- the unprivileged namespace sandboxing tool
- run-as-spot script h...
by Chrysolite Azalea
Sat Oct 15, 2022 5:00 pm
Forum: Users
Topic: Is it possible to compile the kernel without Woof-CE?
Replies: 12
Views: 920

Solution proposal

I think that the problem could possibly be solved by running a local Gitea server with a copy of all repositories, I'm planning to propose a pull request that allows to choose custom Git repositories soon.

by Chrysolite Azalea
Sat Oct 15, 2022 4:58 pm
Forum: Users
Topic: "Certificate verification failed" when recompiling the kernel (Solved)
Replies: 1
Views: 247

Re: "Certificate verification failed"

Solved by disabling certificate verification in global git config.

by Chrysolite Azalea
Sat Oct 15, 2022 3:57 pm
Forum: Users
Topic: "Certificate verification failed" when recompiling the kernel (Solved)
Replies: 1
Views: 247

"Certificate verification failed" when recompiling the kernel (Solved)

Hello everyone! I've tried to recompile the kernel with **kernel-kit**, but it fails to proceed because it cannot download the **aufs-util** -- the git.code.sf.net mirror shows certificate error, and the second link also fails because **aufs-util** Puppy Linux repository seems to be removed from Git...
by Chrysolite Azalea
Sat Oct 15, 2022 2:41 pm
Forum: Users
Topic: Is it possible to compile the kernel without Woof-CE?
Replies: 12
Views: 920

Re: Is it possible to compile the kernel without Woof-CE?

@Chrysolite Azalea You can. I use the kernel-kit independently of woof-CE to make kernels for another operating system. This method needs to be run from a Puppy Linux with its devx SFS loaded. Get woof-CE by git clone or download. Open a terminal in the woof-CE directory. Run ./merge2out select th...
by Chrysolite Azalea
Thu Oct 13, 2022 6:41 pm
Forum: Users
Topic: Is it possible to compile the kernel without Woof-CE?
Replies: 12
Views: 920

Re: Is it possible to compile the kernel without Woof-CE?

Also, the kernel sources from Linux Mint repositories seem to have AUFS support -- is this what's needed for Puppy Linux?

by Chrysolite Azalea
Thu Oct 13, 2022 5:40 pm
Forum: Users
Topic: Is it possible to compile the kernel without Woof-CE?
Replies: 12
Views: 920

Is it possible to compile the kernel without Woof-CE?

Hello everyone! I want to re-compile the kernel (because the one in Fossapup is too old, I want 5.15). However, I don't want to reboot into Puppy Linux, because I think it would be nice to be able to use the computer during the re-compilation process. Can I re-compile it while I'm in Linux Mint? Wha...
by Chrysolite Azalea
Sat Nov 20, 2021 6:32 pm
Forum: Kernels
Topic: Linux kernel version 5.13.4 with TOMOYO support
Replies: 2
Views: 304

Re: Linux kernel version 5.13.4 with TOMOYO support

Got TOMOYO functioning today. What I'd like to note, to get TOMOYO working, you need to add ccs-tools to one of the SFS files loaded at boot time. I added them to adrv. To do so, you need to unpack one of the SFS files (adrv, fdrv, zdrv, puppy-sfs) with unsquashfs, add ccs-tools, repack the file ...
by Chrysolite Azalea
Thu Nov 18, 2021 6:41 am
Forum: Kernels
Topic: Linux kernel version 5.13.4 with TOMOYO support
Replies: 2
Views: 304

Linux kernel version 5.13.4 with TOMOYO support

Hello everyone! I've compiled a kernel with TOMOYO 1.8 support (TOMOYO is a mandatory access control system) by patching the kernel sources before running menuconfig (Woof-CE Kernel kit asks which configuration software to use, kernel sources can be patched at this time). vmlinuz file: https://mega....
by Chrysolite Azalea
Fri Nov 12, 2021 8:54 pm
Forum: Users
Topic: "Can't find LILO"
Replies: 1
Views: 212

"Can't find LILO"

Hello everyone! I'm on Puppy Linux, Fossapup version, kernel 5.4.53, Frugal installation on my USB drive. I've recompiled the kernel (installed devx and sources from QuickPet, then ran make menuconfig, configured the kernel and ran make), and it ran completely fine. However, when I try to install ...
