Hello, my name is Orca: Unprivileged Keylogging on Wayland via D-Bus Accessibility
KDE KWin and GNOME Mutter trust a claimable Orca D-Bus name for raw Wayland accessibility keyboard events, including password input.
Building systems, breaking systems, observing systems, securing systems, auditing systems... improving systems.
Ubuntu’s userns restriction patch checks a pointer, not a property. After one profile hop, the label is still functionally unconfined but it’s not the sentinel the patch is looking for. Two aa-exec calls, chained into host root via dirtyfrag. Exploring SiCk’s two-hop AppArmor bypass.
Porting the CVE-2026-43284 exploit to aarch64. The rxrpc path kernel-oopses on arm64. Ubuntu 24.04’s AppArmor blocked exploitation over SSH; transitioning into an existing complain-mode profile leads to success. Analysis of chmod o-r as a mitigation for SUID targets, FIM limitations, and page-cache persistence.
Creating Tetragon policies to catch malware - AF_INET raw sockets, AF_PACKET with manual Ethernet construction, and the combination-detection patterns that emerge. Working Tetragon policy additions, a custom event parser, and purple-team test binaries to verify detection coverage.
Building a C2 channel indistinguishable from package manager traffic, encoding tasking in Apache ETag microseconds, and surveying the surprising state of repository security on Fedora.
Building an offensive tool and the detection rules to catch it. The architecture behind Glimmer’s dual-layer encryption, binary hardening from 1.4MB to 388K, and real-time YARA detection through Wazuh.
Reviewing my infrastructure’s security posture against recent high-profile supply chain security compromises involving GitHub workflows using pull_request_target.
From YubiKey CA root to trust bundles to signed artifacts - the architecture, trust decisions, and security implications behind running a self-hosted Sigstore stack.
A view into the architecture of a 118-node self-hosted observability platform built on Mimir, Loki, Tempo, Pyroscope, and Grafana. All deployed and configured from official documentation with no Helm charts or managed services.
How I built Vigil - a Go service that receives Alertmanager webhooks, investigates alerts using Claude’s tool-calling API against Mimir and Loki, persists full conversation histories to PostgreSQL, and traces the entire triage lifecycle through Tempo.