General
- The sniffglue internal syscall table has been dropped and replaced by the table in rust-lang/libc.
Security
- cargo-fuzz found a DoS bug in a dependency that would panic the sniffer. This has been addressed and a regression test has been added.
- Out of curiosity about what the sandbox looks like from inside an exploited sniffglue process, boxxy-rs has been developed and introduced so you can have a look yourself. It is also used to implement CI tests for the sandbox.
- The docker image now includes a config file so that sniffglue drops privileges inside the container.
Fancy
- To support the effort of reproducible-builds.org, reprotest has been added to the CI system and every release and PR is tested for reproducibility. This also documents how to build sniffglue binaries in a reproducible way.
- A musl docker container has been built and seccomp has been adjusted to support musl libc.
Contributors
- @Mrmaxmeier submitted a patch that added missing syscalls to the seccomp filter. Thanks!