github ravindu644/Droidspaces-OSS v5.6.0
Droidspaces v5.6.0

What's Changed

  • droidspaces: bump version 5.6.0 (a1459da)
  • fix: Drop CAP_DAC_READ_SEARCH capability to mitigate the Shocker escape vulnerability. (77d330a)
  • fix: Prevent seccomp bypasses by killing processes on architecture mismatches and blocking x32 ABI syscalls on x86-64. (1179acd)
  • security: Block __NR_clone3 to prevent seccomp bypasses of clone/unshare flag filters. (54fb851)
  • feat(security): universally restrict CLONE_NEWUSER via seccomp (a44077a)
  • feat(security): mask cgroup v1 release_agent to prevent container escape (a7952ed)
  • feat: Apply seccomp filters and capability hardening to processes enter_rootfs() and run_in_rootfs() (bc58ce2)
  • feat(security): implement conditional container hardening and jail masking (a637efd)
  • feat: implement dynamic shell detection via /etc/passwd (d682b6c)
  • feat: Implement configurable Deadlock Shield seccomp filter to prevent kernel deadlocks on legacy Android kernels (eed18bc)
  • docs: remove old caption from the README related to the desktop Linux showcase (f2b211d)
  • container.c: prevent file descriptor leaks into container by setting close-on-exec on all internal pipes (f58bad7)
  • container.c: canonicalize rootfs paths to prevent symlink TOCTOU attacks (fa022ad)
  • docs: Update kernel configuration anchor links in README to match the new documentation section IDs. (ced26e4)

Note: After installing this release, if you are running an old kernel such as 4.14.113 (the issue is specific to this kernel version) and systemd appears to hang, systemctl commands stop working, or your phone becomes unresponsive, you are affected by the grab_super() VFS deadlock bug.

Strangely, this issue does not occur on 4.9 kernels and only manifests on 4.14.113, a version that ships on most devices, particularly Samsung devices released between 2019 and 2020.

Previously, to fix this, all clone() and unshare() syscalls had to be blocked to prevent systemd from creating sandboxes, which resolved the deadlock and allowed systemd to boot. However, this came at the cost of losing the ability to run Docker, Podman, or LXC inside a Droidspaces container on any kernel below 5.x.

In this release, that hard-coded block has been completely removed. Users can now enable the "Deadlock Shield" only if needed, directly from the container configuration menu.

As a result, users already running an upstream kernel such as 4.14.356 can now run Docker inside Droidspaces, while affected users can still enable the Deadlock Shield manually.
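The Deadlock Shield described above, written out as an added example that is not Droidspaces' own code: a raw seccomp-BPF program that kills the process on an architecture mismatch or an x32-ABI syscall number, refuses clone3 outright (its flags live in a struct the filter cannot inspect), and refuses clone()/unshare() only when a CLONE_NEW* flag is present, so ordinary fork-style clone keeps working and systemd boots without creating sandboxes. The deny codes (ENOSYS for clone3, EPERM for namespace creation), the arm64 default architecture and the small shield_eval interpreter used to check the program offline are this example's own choices, not the project's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifdef __x86_64__
#define SHIELD_ARCH AUDIT_ARCH_X86_64
#else
#define SHIELD_ARCH AUDIT_ARCH_AARCH64   /* assumed: arm64 Android device */
#endif
#define NS_FLAGS (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP)
static struct sock_filter deadlock_shield[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SHIELD_ARCH, 1, 0),         /* wrong ABI: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x40000000u, 0, 1),        /* x32 syscall bit set: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 435, 0, 1),                 /* __NR_clone3: flags not inspectable */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 0, 3),        /* anything else: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),   /* low 32 bits of flags */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, NS_FLAGS, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),           /* namespace creation refused */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define SHIELD_LEN (sizeof deadlock_shield / sizeof deadlock_shield[0])
int install_deadlock_shield(void) {              /* 0 on success, -1 with errno set */
    struct sock_fprog prog = { .len = SHIELD_LEN, .filter = deadlock_shield };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Interpreter for the four opcodes used above, to check the program offline without installing it. */
uint32_t shield_eval(uint32_t arch, uint32_t nr, uint64_t arg0) {
    struct seccomp_data d = { .nr = (int)nr, .arch = arch, .args = { arg0 } }; uint32_t acc = 0;
    for (const struct sock_filter *in = deadlock_shield; in < deadlock_shield + SHIELD_LEN; in++)
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: acc = *(const uint32_t *)((const char *)&d + in->k); break;
        case BPF_JMP | BPF_JEQ | BPF_K: in += acc == in->k ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: in += (acc & in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        }
    return SECCOMP_RET_KILL_PROCESS;             /* fell off the end: fail closed */
}
```

Call install_deadlock_shield() in the child right before exec'ing the container's init; the filter is inherited by every descendant, which is what stops systemd's sandboxing units from reaching the deadlock.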
