Releases: nmicic/compartment

v1.3.0

20 May 11:24

This release adds compartment-bpf, a new optional advanced module for
kernel-level inode sealing via BPF LSM.

compartment-user and compartment-root are unchanged and remain the
zero-dependency core toolkit.

v1.2.0 — Deep Security Hardening

03 Apr 09:24

What's New

20 security issues fixed since v1.1.0, found via targeted deep-dive review passes (BPF instruction tracing, control flow analysis, Landlock construction audit, namespace sequence verification, profile parser fuzzing, sandbox.sh race analysis) plus independent reviews by Gemini and Codex.

Seccomp

  • #34 x32 ABI bypass (High): BPF filter now kills x32 syscalls (BPF_JSET 0x40000000) — prevents deny-list bypass on x86_64
  • #36 Unknown syscall warning: Now explicitly warns "block NOT applied" when a syscall name is unrecognized
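
The x32 bypass from #34 and its guard, modeled in userspace as an added example (not compartment's own filter): x32 calls report the same AUDIT_ARCH_X86_64 as native calls, so a deny-list that matches only the native number lets 0x40000000|nr through. The deny-list entry (mount, 165), the `verdict` helper and the small interpreter are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define X32_SYSCALL_BIT 0x40000000u
#define DENIED_NR 165u /* assumption: deny mount(2), nr 165 on x86_64, same nr under x32 */

/* Jump offsets are relative to the next instruction; index 7 is the kill. */
static const struct sock_filter deny_list[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 5), /* foreign arch: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_SYSCALL_BIT, 3, 0),  /* x32 bit set: kill */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DENIED_NR, 0, 1),         /* deny-list entry */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | 1),             /* EPERM */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

/* Interpreter for the four cBPF opcodes used above (a model, not the kernel). */
static uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)d + f[pc].k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (acc & f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET | BPF_K: return f[pc].k;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict for syscall nr on x86_64; guarded=0 turns the JSET at index 3 into a no-op. */
uint32_t verdict(int guarded, uint32_t nr) {
    struct sock_filter prog[sizeof deny_list / sizeof deny_list[0]];
    struct seccomp_data d = { .nr = (int)nr, .arch = AUDIT_ARCH_X86_64 };
    memcpy(prog, deny_list, sizeof prog);
    if (!guarded) prog[3].jt = 0;
    return run_filter(prog, sizeof prog / sizeof prog[0], &d);
}

int main(void) {
    printf("x32 mount unguarded: %#x\n", verdict(0, X32_SYSCALL_BIT | DENIED_NR));
    printf("x32 mount guarded:   %#x\n", verdict(1, X32_SYSCALL_BIT | DENIED_NR));
    return 0;
}
```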

Landlock

  • #43 W^X enforcement (Medium): PATH_RW no longer includes EXECUTE. Writable /tmp is no longer executable. New rwx directive and PATH_RWX mode for directories that need both (e.g., $HOME). Write+Execute now requires explicit opt-in.
  • #42 Empty ruleset detection: Landlock with 0 paths now fails with a clear error instead of silently denying all filesystem access
  • #44 Symlink protection: landlock_add_path() uses O_NOFOLLOW + realpath() fallback to prevent symlink-based sandbox expansion

Capability & Privilege Drop

  • #39 cap_last_cap (Medium): Now read from /proc/sys/kernel/cap_last_cap BEFORE masking /proc/sys. Previously a stale fallback of 37 was used, leaving CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE in the bounding set
  • #40 FD close ordering: set_rlimits() moved after FD cleanup so fallback loop sees original RLIMIT_NOFILE

Profile Parser

  • #37 CLI precedence: --no-landlock/--no-seccomp flags now always override profile settings
  • #41 $HOME validation: expand_var() fails when $HOME/$USER is unset or empty instead of silently producing broken paths

Pre-flight Check (New)

  • compartment-user validates Landlock availability, filesystem type (detects 9p/NFS/CIFS), and seccomp before executing
  • --unsecure flag allows degraded execution with warnings
  • Shell-replacement mode never blocks login — logs to syslog on degradation

sandbox.sh

  • #38 MS_PRIVATE (Medium): Mount propagation changed from MS_SLAVE to MS_PRIVATE
  • #45 rprivate in namespace: mount --make-rprivate / added inside both HARD and SOFT namespaces
  • #46 Shell intercept expanded: Now covers bash, sh, dash, zsh in /bin and /usr/bin
  • #47 Process cleanup: SOFT mode uses unshare --pid --fork to kill background processes on exit

Other

  • Man pages for compartment-user(1) and compartment-root(8) with make install support
  • tools/syscall.py profile generator included in repo
  • scripts/timestamp.sh for release archival with SHA256 + OpenTimestamps

Archive

Release integrity proof on branch archive/v1.2.0 (59 files checksummed, OpenTimestamps anchored):

git checkout archive/v1.2.0
sha256sum -c archive/SHA256SUMS
ots verify archive/SHA256SUMS.root.ots

Full Changelog: v1.1.0...v1.2.0

v1.1.0 — Security Hardening, SSH Profiles, Syscall Profiler

02 Apr 11:11

What's New

Security Hardening (14 issues fixed, bugs #20-33)

Multi-pass adversarial security review with 6 independent review passes:

  • Profile parser hardened: uid/gid overflow→UID 0 fixed, line wrapping misparse caught, boolean values accept on/off/yes/no/true/false, unknown directives warned, limit truncation now fail-closed
  • Seccomp coverage expanded: 10 new blocked syscalls — open_by_handle_at, name_to_handle_at, new mount API (open_tree, move_mount, fsopen, fsmount, fsconfig, fspick, mount_setattr), pidfd_getfd
  • Environment deny-list expanded: cloud credentials (AWS, GCP, Azure), VCS tokens (GitHub, GitLab, NPM), SSH agent socket, database passwords, interpreter startup injection (BASH_ENV, NODE_OPTIONS, PYTHONSTARTUP, PERL5OPT, RUBYOPT)
  • Landlock fail-closed: landlock_add_path() return value now checked
  • Shell injection fixed: UPSTREAM_PROXY in sandbox.sh --verify mode
  • FD safety: O_CLOEXEC/SOCK_CLOEXEC on all short-lived fds, fopen("re") throughout
  • Input validation: proxy host:port, port range 1-65535, rootdir/mount-mask path traversal
  • MAX_ENV_VARS: increased 32→64
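
One way a uid/gid value can wrap to 0, next to a strict parser that rejects it (an added example, not the project's parser code). The function names are hypothetical, and the truncation mechanism shown is an assumption, since the notes above do not say how the overflow occurred.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Naive form: the 64-bit result is silently truncated to 32-bit uid_t,
 * so "4294967296" (2^32) becomes UID 0. */
uid_t parse_uid_naive(const char *s) {
    return (uid_t)strtoull(s, NULL, 10);
}

/* Strict form: returns 0 and stores the uid, or -1 without touching *out. */
int parse_uid_strict(const char *s, uid_t *out) {
    char *end;
    unsigned long long v;

    if (s[0] < '0' || s[0] > '9')        /* rejects "", "-1", "+5", leading blanks */
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0') /* overflow, or trailing junk such as "1000x" */
        return -1;
    if (v >= UINT32_MAX)                 /* (uid_t)-1 means "unchanged" to setresuid() */
        return -1;
    *out = (uid_t)v;
    return 0;
}

int main(void) {
    uid_t u = 65534; /* constructed sample value */
    printf("naive(2^32) -> %u\n", (unsigned)parse_uid_naive("4294967296"));
    printf("strict(2^32) -> %d\n", parse_uid_strict("4294967296", &u));
    return 0;
}
```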

New: Hardened SSH Profiles

Privilege separation for network clients — split a process so no single component can both access secrets AND exfiltrate them:

  • examples/ssh.conf — read-only SSH client (can read keys, cannot write to disk)
  • examples/socat-proxy.conf — network-only socat bridge (cannot read user files)
  • examples/paranoid-ssh.sh — combines both: SSH reads keys but can't write, socat has network but can't read secrets

New: Syscall Profiler (tools/syscall.py)

Generate compartment profiles for any program automatically:

python3 tools/syscall.py profile -o curl.conf -- curl https://example.com
python3 tools/syscall.py check --profile ai-agent -- ./my-program

Supports deny-list (safe default), allow-list (strict), static ELF analysis, and profile compatibility checking. Requires strace.

Test Suite Improvements

  • 58 tests (up from 52), 0 failures
  • Seccomp false-green eliminated (expect_blocked verifies probe output)
  • FD inheritance test added
  • Profile hardening negative tests (invalid boolean, unknown directive, path traversal)
  • Credential stripping tests (AWS_SECRET_ACCESS_KEY, SSH_AUTH_SOCK)

Documentation

  • Profile selection guide with threat model table
  • Hardened SSH worked example with architecture diagram
  • Advanced deployment: compartmented login shell for non-admin users
  • Syscall profiling guide (tools/HOWTO-syscall-profiling.md)

Archive

Release integrity proof on branch archive/v1.1.0:

  • SHA256 checksums of all source files
  • OpenTimestamps blockchain anchor

git checkout archive/v1.1.0
sha256sum -c archive/SHA256SUMS
ots verify archive/SHA256SUMS.root.ots

Full Changelog: v1.0.0...v1.1.0