;;; syd.el --- Emacs Lisp binding for the syd(2) API -*- lexical-binding: t; -*-
;; Syd: rock-solid application kernel
;;
;; Copyright (c) 2023, 2024, 2025, 2026 Ali Polatel <alip@chesswob.org>
;;
;; Author: Ali Polatel <alip@chesswob.org>
;; SPDX-License-Identifier: GPL-3.0
;;; Commentary:
;; This is the Emacs Lisp implementation of the virtual syd(2) stat
;; interface. A sandboxed process configures and queries the Syd
;; application kernel by issuing stat(2) calls on magic paths under
;; /dev/syd. Syd answers each with a character-special device. Every
;; public function here builds such a magic path and validates the
;; response with `syd--stat'.
;;; Code:
; Define lock states as keywords
(defconst syd-lock-off :lock-off
"The sandbox lock is off, allowing all sandbox commands.")
(defconst syd-lock-exec :lock-exec
"Sandbox commands are allowed only from the syd exec child (the default).")
(defconst syd-lock-drop :lock-drop
"Sandbox commands are allowed only to drop privileges.")
(defconst syd-lock-read :lock-read
"Sandbox commands are allowed only to read sandbox state.")
(defconst syd-lock-on :lock-on
"The sandbox lock is on, disallowing all sandbox commands.")
; Define sandbox actions as keywords
(defconst syd-action-allow :action-allow
"Allow system call.")
(defconst syd-action-warn :action-warn
"Allow system call and warn.")
(defconst syd-action-filter :action-filter
"Deny system call silently.")
(defconst syd-action-deny :action-deny
"Deny system call and warn.")
(defconst syd-action-panic :action-panic
"Deny system call, warn and panic the current Syd thread.")
(defconst syd-action-stop :action-stop
"Deny system call, warn and stop offending process.")
(defconst syd-action-abort :action-abort
"Deny system call, warn and abort offending process.")
(defconst syd-action-kill :action-kill
"Deny system call, warn and kill offending process.")
(defconst syd-action-exit :action-exit
"Warn, and exit Syd immediately with deny errno as exit value.")
(defun syd-info ()
"Read the state of the syd sandbox from /dev/syd and return it as an alist.
If the `json' module is not available, returns nil."
(if (require 'json nil t)
(condition-case nil
(with-temp-buffer
(insert-file-contents "/dev/syd" nil nil (* 16 1024 1024))
(with-no-warnings
(let ((json-object-type 'alist)
(json-array-type 'list)
(json-key-type 'symbol)
(json-false nil)
(json-null nil))
(json-read))))
(file-error
(message "Error reading /dev/syd.")
nil)
(json-error
(message "JSON decoding error.")
nil))
(progn
(message "JSON module not available.")
nil)))
(defun syd-api ()
"Perform a syd API check."
(if (syd--stat "/dev/syd/3")
3 ; API number on success
nil)) ; On error, return nil
(defun syd-check ()
"Check if '/dev/syd' is a character device."
(syd--stat "/dev/syd"))
(defun syd-panic ()
"Cause syd to exit immediately with code 127."
(syd--stat "/dev/syd/panic"))
(defun syd-ghost ()
"Initiate Ghost mode."
(syd--stat "/dev/syd/ghost"))
(defun syd-load (fd)
"Cause syd to read configuration from the given file descriptor FD."
(let ((path (concat "/dev/syd/load/" (number-to-string fd))))
(syd--stat path)))
(defun syd-lock (state)
"Set the sandbox lock to STATE.
STATE is one of the keywords `:lock-off', `:lock-exec', `:lock-drop',
`:lock-read' or `:lock-on'.
Return t on success, nil on failure."
(cond
((eq state syd-lock-off) (syd--stat "/dev/syd/lock:off"))
((eq state syd-lock-exec) (syd--stat "/dev/syd/lock:exec"))
((eq state syd-lock-drop) (syd--stat "/dev/syd/lock:drop"))
((eq state syd-lock-read) (syd--stat "/dev/syd/lock:read"))
((eq state syd-lock-on) (syd--stat "/dev/syd/lock:on"))
(t nil))) ; Invalid state
(defun syd-enabled-fs ()
"Check whether Filesystem sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/fs?"))
(defun syd-enable-fs ()
"Enable Filesystem sandboxing."
(syd--stat "/dev/syd/sandbox/fs:on"))
(defun syd-disable-fs ()
"Disable Filesystem sandboxing."
(syd--stat "/dev/syd/sandbox/fs:off"))
(defun syd-enabled-walk ()
"Check whether Walk sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/walk?"))
(defun syd-enable-walk ()
"Enable Walk sandboxing."
(syd--stat "/dev/syd/sandbox/walk:on"))
(defun syd-disable-walk ()
"Disable Walk sandboxing."
(syd--stat "/dev/syd/sandbox/walk:off"))
(defun syd-enabled-list ()
"Check whether List sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/list?"))
(defun syd-enable-list ()
"Enable List sandboxing."
(syd--stat "/dev/syd/sandbox/list:on"))
(defun syd-disable-list ()
"Disable List sandboxing."
(syd--stat "/dev/syd/sandbox/list:off"))
(defun syd-enabled-stat ()
"Check whether Stat sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/stat?"))
(defun syd-enable-stat ()
"Enable Stat sandboxing."
(syd--stat "/dev/syd/sandbox/stat:on"))
(defun syd-disable-stat ()
"Disable Stat sandboxing."
(syd--stat "/dev/syd/sandbox/stat:off"))
(defun syd-enabled-read ()
"Check whether Read sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/read?"))
(defun syd-enable-read ()
"Enable Read sandboxing."
(syd--stat "/dev/syd/sandbox/read:on"))
(defun syd-disable-read ()
"Disable Read sandboxing."
(syd--stat "/dev/syd/sandbox/read:off"))
(defun syd-enabled-write ()
"Check whether Write sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/write?"))
(defun syd-enable-write ()
"Enable Write sandboxing."
(syd--stat "/dev/syd/sandbox/write:on"))
(defun syd-disable-write ()
"Disable Write sandboxing."
(syd--stat "/dev/syd/sandbox/write:off"))
(defun syd-enabled-exec ()
"Check whether Exec sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/exec?"))
(defun syd-enable-exec ()
"Enable Exec sandboxing."
(syd--stat "/dev/syd/sandbox/exec:on"))
(defun syd-disable-exec ()
"Disable Exec sandboxing."
(syd--stat "/dev/syd/sandbox/exec:off"))
(defun syd-enabled-ioctl ()
"Check whether Ioctl sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/ioctl?"))
(defun syd-enable-ioctl ()
"Enable Ioctl sandboxing."
(syd--stat "/dev/syd/sandbox/ioctl:on"))
(defun syd-disable-ioctl ()
"Disable Ioctl sandboxing."
(syd--stat "/dev/syd/sandbox/ioctl:off"))
(defun syd-enabled-create ()
"Check whether create sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/create?"))
(defun syd-enable-create ()
"Enable create sandboxing."
(syd--stat "/dev/syd/sandbox/create:on"))
(defun syd-disable-create ()
"Disable create sandboxing."
(syd--stat "/dev/syd/sandbox/create:off"))
(defun syd-enabled-delete ()
"Check whether delete sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/delete?"))
(defun syd-enable-delete ()
"Enable delete sandboxing."
(syd--stat "/dev/syd/sandbox/delete:on"))
(defun syd-disable-delete ()
"Disable delete sandboxing."
(syd--stat "/dev/syd/sandbox/delete:off"))
(defun syd-enabled-rename ()
"Check whether rename sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/rename?"))
(defun syd-enable-rename ()
"Enable rename sandboxing."
(syd--stat "/dev/syd/sandbox/rename:on"))
(defun syd-disable-rename ()
"Disable rename sandboxing."
(syd--stat "/dev/syd/sandbox/rename:off"))
(defun syd-enabled-readlink ()
"Check whether readlink sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/readlink?"))
(defun syd-enable-readlink ()
"Enable readlink sandboxing."
(syd--stat "/dev/syd/sandbox/readlink:on"))
(defun syd-disable-readlink ()
"Disable readlink sandboxing."
(syd--stat "/dev/syd/sandbox/readlink:off"))
(defun syd-enabled-symlink ()
"Check whether symlink sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/symlink?"))
(defun syd-enable-symlink ()
"Enable symlink sandboxing."
(syd--stat "/dev/syd/sandbox/symlink:on"))
(defun syd-disable-symlink ()
"Disable symlink sandboxing."
(syd--stat "/dev/syd/sandbox/symlink:off"))
(defun syd-enabled-truncate ()
"Check whether Truncate sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/truncate?"))
(defun syd-enable-truncate ()
"Enable Truncate sandboxing."
(syd--stat "/dev/syd/sandbox/truncate:on"))
(defun syd-disable-truncate ()
"Disable Truncate sandboxing."
(syd--stat "/dev/syd/sandbox/truncate:off"))
(defun syd-enabled-chdir ()
"Check whether chdir sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/chdir?"))
(defun syd-enable-chdir ()
"Enable chdir sandboxing."
(syd--stat "/dev/syd/sandbox/chdir:on"))
(defun syd-disable-chdir ()
"Disable chdir sandboxing."
(syd--stat "/dev/syd/sandbox/chdir:off"))
(defun syd-enabled-readdir ()
"Check whether readdir sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/readdir?"))
(defun syd-enable-readdir ()
"Enable readdir sandboxing."
(syd--stat "/dev/syd/sandbox/readdir:on"))
(defun syd-disable-readdir ()
"Disable readdir sandboxing."
(syd--stat "/dev/syd/sandbox/readdir:off"))
(defun syd-enabled-mkdir ()
"Check whether mkdir sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/mkdir?"))
(defun syd-enable-mkdir ()
"Enable mkdir sandboxing."
(syd--stat "/dev/syd/sandbox/mkdir:on"))
(defun syd-disable-mkdir ()
"Disable mkdir sandboxing."
(syd--stat "/dev/syd/sandbox/mkdir:off"))
(defun syd-enabled-rmdir ()
"Check whether rmdir sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/rmdir?"))
(defun syd-enable-rmdir ()
"Enable rmdir sandboxing."
(syd--stat "/dev/syd/sandbox/rmdir:on"))
(defun syd-disable-rmdir ()
"Disable rmdir sandboxing."
(syd--stat "/dev/syd/sandbox/rmdir:off"))
(defun syd-enabled-chown ()
"Check whether chown sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/chown?"))
(defun syd-enable-chown ()
"Enable chown sandboxing."
(syd--stat "/dev/syd/sandbox/chown:on"))
(defun syd-disable-chown ()
"Disable chown sandboxing."
(syd--stat "/dev/syd/sandbox/chown:off"))
(defun syd-enabled-chgrp ()
"Check whether chgrp sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/chgrp?"))
(defun syd-enable-chgrp ()
"Enable chgrp sandboxing."
(syd--stat "/dev/syd/sandbox/chgrp:on"))
(defun syd-disable-chgrp ()
"Disable chgrp sandboxing."
(syd--stat "/dev/syd/sandbox/chgrp:off"))
(defun syd-enabled-chmod ()
"Check whether chmod sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/chmod?"))
(defun syd-enable-chmod ()
"Enable chmod sandboxing."
(syd--stat "/dev/syd/sandbox/chmod:on"))
(defun syd-disable-chmod ()
"Disable chmod sandboxing."
(syd--stat "/dev/syd/sandbox/chmod:off"))
(defun syd-enabled-chattr ()
"Check whether chattr sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/chattr?"))
(defun syd-enable-chattr ()
"Enable chattr sandboxing."
(syd--stat "/dev/syd/sandbox/chattr:on"))
(defun syd-disable-chattr ()
"Disable chattr sandboxing."
(syd--stat "/dev/syd/sandbox/chattr:off"))
(defun syd-enabled-chroot ()
"Check whether chroot sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/chroot?"))
(defun syd-enable-chroot ()
"Enable chroot sandboxing."
(syd--stat "/dev/syd/sandbox/chroot:on"))
(defun syd-disable-chroot ()
"Disable chroot sandboxing."
(syd--stat "/dev/syd/sandbox/chroot:off"))
(defun syd-enabled-notify ()
"Check whether notify sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/notify?"))
(defun syd-enable-notify ()
"Enable notify sandboxing."
(syd--stat "/dev/syd/sandbox/notify:on"))
(defun syd-disable-notify ()
"Disable notify sandboxing."
(syd--stat "/dev/syd/sandbox/notify:off"))
(defun syd-enabled-utime ()
"Check whether utime sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/utime?"))
(defun syd-enable-utime ()
"Enable utime sandboxing."
(syd--stat "/dev/syd/sandbox/utime:on"))
(defun syd-disable-utime ()
"Disable utime sandboxing."
(syd--stat "/dev/syd/sandbox/utime:off"))
(defun syd-enabled-mkbdev ()
"Check whether mkbdev sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/mkbdev?"))
(defun syd-enable-mkbdev ()
"Enable mkbdev sandboxing."
(syd--stat "/dev/syd/sandbox/mkbdev:on"))
(defun syd-disable-mkbdev ()
"Disable mkbdev sandboxing."
(syd--stat "/dev/syd/sandbox/mkbdev:off"))
(defun syd-enabled-mkcdev ()
"Check whether mkcdev sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/mkcdev?"))
(defun syd-enable-mkcdev ()
"Enable mkcdev sandboxing."
(syd--stat "/dev/syd/sandbox/mkcdev:on"))
(defun syd-disable-mkcdev ()
"Disable mkcdev sandboxing."
(syd--stat "/dev/syd/sandbox/mkcdev:off"))
(defun syd-enabled-mkfifo ()
"Check whether mkfifo sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/mkfifo?"))
(defun syd-enable-mkfifo ()
"Enable mkfifo sandboxing."
(syd--stat "/dev/syd/sandbox/mkfifo:on"))
(defun syd-disable-mkfifo ()
"Disable mkfifo sandboxing."
(syd--stat "/dev/syd/sandbox/mkfifo:off"))
(defun syd-enabled-mktemp ()
"Check whether mktemp sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/mktemp?"))
(defun syd-enable-mktemp ()
"Enable mktemp sandboxing."
(syd--stat "/dev/syd/sandbox/mktemp:on"))
(defun syd-disable-mktemp ()
"Disable mktemp sandboxing."
(syd--stat "/dev/syd/sandbox/mktemp:off"))
(defun syd-enabled-net ()
"Check whether Network sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/net?"))
(defun syd-enable-net ()
"Enable Network sandboxing."
(syd--stat "/dev/syd/sandbox/net:on"))
(defun syd-disable-net ()
"Disable Network sandboxing."
(syd--stat "/dev/syd/sandbox/net:off"))
(defun syd-enabled-lock ()
"Check whether lock sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/lock?"))
(defun syd-enabled-crypt ()
"Check whether crypt sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/crypt?"))
(defun syd-enabled-proxy ()
"Check whether proxy sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/proxy?"))
(defun syd-enabled-mem ()
"Check whether memory sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/mem?"))
(defun syd-disable-mem ()
"Disable memory sandboxing."
(syd--stat "/dev/syd/sandbox/mem:off"))
(defun syd-enabled-pid ()
"Check whether PID sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/pid?"))
(defun syd-enable-pid ()
"Enable PID sandboxing."
(syd--stat "/dev/syd/sandbox/pid:on"))
(defun syd-disable-pid ()
"Disable PID sandboxing."
(syd--stat "/dev/syd/sandbox/pid:off"))
(defun syd-enabled-force ()
"Check whether force sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/force?"))
(defun syd-disable-force ()
"Disable force sandboxing."
(syd--stat "/dev/syd/sandbox/force:off"))
(defun syd-enabled-tpe ()
"Check whether TPE sandboxing is enabled."
(syd--stat "/dev/syd/sandbox/tpe?"))
(defun syd-enable-tpe ()
"Enable TPE sandboxing."
(syd--stat "/dev/syd/sandbox/tpe:on"))
(defun syd-disable-tpe ()
"Disable TPE sandboxing."
(syd--stat "/dev/syd/sandbox/tpe:off"))
(defun syd-default-fs (action)
"Set default action for Filesystem sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/fs:%s" action)))
(syd--stat cmd)))))
(defun syd-default-walk (action)
"Set default action for Walk sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/walk:%s" action)))
(syd--stat cmd)))))
(defun syd-default-list (action)
"Set default action for List sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/list:%s" action)))
(syd--stat cmd)))))
(defun syd-default-stat (action)
"Set default action for Stat sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/stat:%s" action)))
(syd--stat cmd)))))
(defun syd-default-read (action)
"Set default action for Read sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/read:%s" action)))
(syd--stat cmd)))))
(defun syd-default-write (action)
"Set default action for Write sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/write:%s" action)))
(syd--stat cmd)))))
(defun syd-default-exec (action)
"Set default action for Exec sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/exec:%s" action)))
(syd--stat cmd)))))
(defun syd-default-ioctl (action)
"Set default action for Ioctl sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/ioctl:%s" action)))
(syd--stat cmd)))))
(defun syd-default-create (action)
"Set default action for Create sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/create:%s" action)))
(syd--stat cmd)))))
(defun syd-default-delete (action)
"Set default action for Delete sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/delete:%s" action)))
(syd--stat cmd)))))
(defun syd-default-rename (action)
"Set default action for rename sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/rename:%s" action)))
(syd--stat cmd)))))
(defun syd-default-readlink (action)
"Set default action for readlink sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/readlink:%s" action)))
(syd--stat cmd)))))
(defun syd-default-symlink (action)
"Set default action for symlink sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/symlink:%s" action)))
(syd--stat cmd)))))
(defun syd-default-truncate (action)
"Set default action for Truncate sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/truncate:%s" action)))
(syd--stat cmd)))))
(defun syd-default-chdir (action)
"Set default action for chdir sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/chdir:%s" action)))
(syd--stat cmd)))))
(defun syd-default-readdir (action)
"Set default action for readdir sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/readdir:%s" action)))
(syd--stat cmd)))))
(defun syd-default-mkdir (action)
"Set default action for mkdir sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/mkdir:%s" action)))
(syd--stat cmd)))))
(defun syd-default-rmdir (action)
"Set default action for rmdir sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/rmdir:%s" action)))
(syd--stat cmd)))))
(defun syd-default-chown (action)
"Set default action for Chown sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/chown:%s" action)))
(syd--stat cmd)))))
(defun syd-default-chgrp (action)
"Set default action for Chgrp sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/chgrp:%s" action)))
(syd--stat cmd)))))
(defun syd-default-chmod (action)
"Set default action for chmod sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/chmod:%s" action)))
(syd--stat cmd)))))
(defun syd-default-chattr (action)
"Set default action for chattr sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/chattr:%s" action)))
(syd--stat cmd)))))
(defun syd-default-chroot (action)
"Set default action for chroot sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/chroot:%s" action)))
(syd--stat cmd)))))
(defun syd-default-notify (action)
"Set default action for notify sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/notify:%s" action)))
(syd--stat cmd)))))
(defun syd-default-utime (action)
"Set default action for utime sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/utime:%s" action)))
(syd--stat cmd)))))
(defun syd-default-mkbdev (action)
"Set default action for mkbdev sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/mkbdev:%s" action)))
(syd--stat cmd)))))
(defun syd-default-mkcdev (action)
"Set default action for mkcdev sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/mkcdev:%s" action)))
(syd--stat cmd)))))
(defun syd-default-mkfifo (action)
"Set default action for mkfifo sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/mkfifo:%s" action)))
(syd--stat cmd)))))
(defun syd-default-mktemp (action)
"Set default action for mktemp sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/mktemp:%s" action)))
(syd--stat cmd)))))
(defun syd-default-net (action)
"Set default action for Network sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/net:%s" action)))
(syd--stat cmd)))))
;; TODO: syd-default-block!
(defun syd-default-mem (action)
"Set default action for Memory sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/mem:%s" action)))
(syd--stat cmd)))))
(defun syd-default-pid (action)
"Set default action for PID sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/pid:%s" action)))
(syd--stat cmd)))))
(defun syd-default-force (action)
"Set default action for Force sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/force:%s" action)))
(syd--stat cmd)))))
(defun syd-default-segvguard (action)
"Set default action for SegvGuard.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/segvguard:%s" action)))
(syd--stat cmd)))))
(defun syd-default-tpe (action)
"Set default action for TPE sandboxing.
ACTION is a constant representing the sandboxing action."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/default/tpe:%s" action)))
(syd--stat cmd)))))
(defun syd-ioctl-deny (request)
"Add a request to the _ioctl_(2) denylist.
REQUEST is the _ioctl_(2) request number to add to the denylist."
(unless (numberp request)
(error "Request must be a number"))
(let ((path (format "/dev/syd/deny/ioctl+%d" request)))
(syd--stat path)))
(defun syd-fs-add (action glob)
"Add to the given actionlist of Filesystem sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/fs" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-fs-del (action glob)
"Remove the first matching Filesystem sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/fs" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-fs-rem (action glob)
"Remove all matching Filesystem sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/fs" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-walk-add (action glob)
"Add to the given actionlist of walk sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/walk" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-walk-del (action glob)
"Remove the first matching walk sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/walk" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-walk-rem (action glob)
"Remove all matching walk sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/walk" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-list-add (action glob)
"Add to the given actionlist of list sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/list" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-list-del (action glob)
"Remove the first matching list sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/list" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-list-rem (action glob)
"Remove all matching list sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/list" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-stat-add (action glob)
"Add to the given actionlist of stat sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/stat" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-stat-del (action glob)
"Remove the first matching stat sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/stat" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-stat-rem (action glob)
"Remove all matching stat sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/stat" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-read-add (action glob)
"Add to the given actionlist of read sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/read" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-read-del (action glob)
"Remove the first matching read sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/read" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-read-rem (action glob)
"Remove all matching read sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/read" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-write-add (action glob)
"Add to the given actionlist of write sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/write" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-write-del (action glob)
"Remove the first matching write sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/write" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-write-rem (action glob)
"Remove all matching write sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/write" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-exec-add (action glob)
"Add to the given actionlist of exec sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/exec" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-exec-del (action glob)
"Remove the first matching exec sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/exec" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-exec-rem (action glob)
"Remove all matching exec sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/exec" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-ioctl-add (action glob)
"Add to the given actionlist of ioctl sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/ioctl" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-ioctl-del (action glob)
"Remove the first matching ioctl sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/ioctl" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-ioctl-rem (action glob)
"Remove all matching ioctl sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/ioctl" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-create-add (action glob)
"Add to the given actionlist of create sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/create" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-create-del (action glob)
"Remove the first matching create sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/create" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-create-rem (action glob)
"Remove all matching create sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/create" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-delete-add (action glob)
"Add to the given actionlist of delete sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/delete" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-delete-del (action glob)
"Remove the first matching delete sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/delete" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-delete-rem (action glob)
"Remove all matching delete sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/delete" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-rename-add (action glob)
"Add to the given actionlist of rename sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/rename" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-rename-del (action glob)
"Remove the first matching rename sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/rename" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-rename-rem (action glob)
"Remove all matching rename sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/rename" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-readlink-add (action glob)
"Add to the given actionlist of readlink sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/readlink" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-readlink-del (action glob)
"Remove the first matching readlink sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/readlink" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-readlink-rem (action glob)
"Remove all matching readlink sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/readlink" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-symlink-add (action glob)
"Add to the given actionlist of symlink sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/symlink" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-symlink-del (action glob)
"Remove the first matching symlink sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/symlink" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-symlink-rem (action glob)
"Remove all matching symlink sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/symlink" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-truncate-add (action glob)
"Add to the given actionlist of truncate sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/truncate" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-truncate-del (action glob)
"Remove the first matching truncate sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/truncate" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-truncate-rem (action glob)
"Remove all matching truncate sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/truncate" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-chdir-add (action glob)
"Add to the given actionlist of chdir sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chdir" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-chdir-del (action glob)
"Remove the first matching chdir sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chdir" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-chdir-rem (action glob)
"Remove all matching chdir sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chdir" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-readdir-add (action glob)
"Add to the given actionlist of readdir sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/readdir" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-readdir-del (action glob)
"Remove the first matching readdir sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/readdir" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-readdir-rem (action glob)
"Remove all matching readdir sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/readdir" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-mkdir-add (action glob)
"Add to the given actionlist of mkdir sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkdir" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-mkdir-del (action glob)
"Remove the first matching mkdir sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkdir" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-mkdir-rem (action glob)
"Remove all matching mkdir sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkdir" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-rmdir-add (action glob)
"Add to the given actionlist of rmdir sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/rmdir" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-rmdir-del (action glob)
"Remove the first matching rmdir sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/rmdir" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-rmdir-rem (action glob)
"Remove all matching rmdir sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/rmdir" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-chown-add (action glob)
"Add to the given actionlist of chown sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chown" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-chown-del (action glob)
"Remove the first matching chown sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chown" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-chown-rem (action glob)
"Remove all matching chown sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chown" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-chgrp-add (action glob)
"Add to the given actionlist of chgrp sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chgrp" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-chgrp-del (action glob)
"Remove the first matching chgrp sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chgrp" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-chgrp-rem (action glob)
"Remove all matching chgrp sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chgrp" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-chmod-add (action glob)
"Add to the given actionlist of chmod sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chmod" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-chmod-del (action glob)
"Remove the first matching chmod sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chmod" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-chmod-rem (action glob)
"Remove all matching chmod sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chmod" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-chattr-add (action glob)
"Add to the given actionlist of chattr sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chattr" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-chattr-del (action glob)
"Remove the first matching chattr sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chattr" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-chattr-rem (action glob)
"Remove all matching chattr sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chattr" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-chroot-add (action glob)
"Add to the given actionlist of chroot sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chroot" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-chroot-del (action glob)
"Remove the first matching chroot sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chroot" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-chroot-rem (action glob)
"Remove all matching chroot sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/chroot" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-notify-add (action glob)
"Add to the given actionlist of notify sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/notify" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-notify-del (action glob)
"Remove the first matching notify sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/notify" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-notify-rem (action glob)
"Remove all matching notify sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/notify" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-utime-add (action glob)
"Add to the given actionlist of utime sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/utime" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-utime-del (action glob)
"Remove the first matching utime sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/utime" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-utime-rem (action glob)
"Remove all matching utime sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/utime" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-mkbdev-add (action glob)
"Add to the given actionlist of mkbdev sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkbdev" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-mkbdev-del (action glob)
"Remove the first matching mkbdev sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkbdev" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-mkbdev-rem (action glob)
"Remove all matching mkbdev sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkbdev" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-mkcdev-add (action glob)
"Add to the given actionlist of mkcdev sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkcdev" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-mkcdev-del (action glob)
"Remove the first matching mkcdev sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkcdev" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-mkcdev-rem (action glob)
"Remove all matching mkcdev sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkcdev" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-mkfifo-add (action glob)
"Add to the given actionlist of mkfifo sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkfifo" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-mkfifo-del (action glob)
"Remove the first matching mkfifo sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkfifo" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-mkfifo-rem (action glob)
"Remove all matching mkfifo sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mkfifo" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-mktemp-add (action glob)
"Add to the given actionlist of mktemp sandboxing.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mktemp" action)))
(syd--stat (syd--rule cmd glob ?+))))))
(defun syd-mktemp-del (action glob)
"Remove the first matching mktemp sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mktemp" action)))
(syd--stat (syd--rule cmd glob ?-))))))
(defun syd-mktemp-rem (action glob)
"Remove all matching mktemp sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
GLOB is a string representing the glob pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/mktemp" action)))
(syd--stat (syd--rule cmd glob ?^))))))
(defun syd-net-bind-add (action addr)
"Add to the given actionlist of net/bind sandboxing.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/bind" action)))
(syd--stat (syd--rule cmd addr ?+))))))
(defun syd-net-bind-del (action addr)
"Remove the first matching net/bind sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/bind" action)))
(syd--stat (syd--rule cmd addr ?-))))))
(defun syd-net-bind-rem (action addr)
"Remove all matching net/bind sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/bind" action)))
(syd--stat (syd--rule cmd addr ?^))))))
(defun syd-net-connect-add (action addr)
"Add to the given actionlist of net/connect sandboxing.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/connect" action)))
(syd--stat (syd--rule cmd addr ?+))))))
(defun syd-net-connect-del (action addr)
"Remove the first matching net/connect sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/connect" action)))
(syd--stat (syd--rule cmd addr ?-))))))
(defun syd-net-connect-rem (action addr)
"Remove all matching net/connect sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/connect" action)))
(syd--stat (syd--rule cmd addr ?^))))))
(defun syd-net-sendfd-add (action addr)
"Add to the given actionlist of net/sendfd sandboxing.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/sendfd" action)))
(syd--stat (syd--rule cmd addr ?+))))))
(defun syd-net-sendfd-del (action addr)
"Remove the first matching net/sendfd sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/sendfd" action)))
(syd--stat (syd--rule cmd addr ?-))))))
(defun syd-net-sendfd-rem (action addr)
"Remove all matching net/sendfd sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/sendfd" action)))
(syd--stat (syd--rule cmd addr ?^))))))
(defun syd-net-link-add (action addr)
"Add to the given actionlist of net/link sandboxing.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/link" action)))
(syd--stat (syd--rule cmd addr ?+))))))
(defun syd-net-link-del (action addr)
"Remove the first matching net/link sandboxing actionlist entry.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/link" action)))
(syd--stat (syd--rule cmd addr ?-))))))
(defun syd-net-link-rem (action addr)
"Remove all matching net/link sandboxing actionlist entries.
ACTION is a constant representing the sandboxing action.
ADDR is a string representing the address pattern."
(let ((action (cond
((eq action :action-allow) "allow")
((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "%s/net/link" action)))
(syd--stat (syd--rule cmd addr ?^))))))
(defun syd-force-add (path alg hash action)
"Add an entry to the Integrity Force map for Force Sandboxing.
PATH is a fully-qualified file name.
ALG is the hash algorithm (e.g. \"sha256\").
HASH is a hexadecimal encoded checksum.
ACTION is one of `:action-warn', `:action-filter', `:action-deny',
`:action-panic', `:action-stop', `:action-abort', `:action-kill' or
`:action-exit'."
(let ((action (cond ((eq action :action-warn) "warn")
((eq action :action-filter) "filter")
((eq action :action-deny) "deny")
((eq action :action-panic) "panic")
((eq action :action-stop) "stop")
((eq action :action-abort) "abort")
((eq action :action-kill) "kill")
((eq action :action-exit) "exit"))))
(when action
(let ((cmd (format "/dev/syd/force+%s:%s:%s:%s" path alg hash action)))
(syd--stat cmd)))))
(defun syd-force-del (path)
"Remove an entry from the Integrity Force map for Force Sandboxing.
PATH is a fully-qualified file name."
(let ((cmd (format "/dev/syd/force-%s" path)))
(syd--stat cmd)))
(defun syd-force-clr ()
"Clear the Integrity Force map for Force Sandboxing."
(syd--stat "/dev/syd/force^"))
(defun syd-mem-max (size)
"Set syd maximum per-process memory usage limit.
SIZE can be an integer or a string representing the memory limit."
(let ((size-str (cond ((integerp size) (number-to-string size))
((stringp size) size)
(t (error "Size must be an integer or a string")))))
(syd--stat (syd--rule "mem/max" size-str ?:))))
(defun syd-mem-vm-max (size)
"Set syd maximum per-process virtual memory usage limit.
SIZE can be an integer or a string representing the memory limit."
(let ((size-str (cond ((integerp size) (number-to-string size))
((stringp size) size)
(t (error "Size must be an integer or a string")))))
(syd--stat (syd--rule "mem/vm_max" size-str ?:))))
(defun syd-pid-max (size)
"Set syd maximum process ID limit for PID sandboxing.
SIZE is a number representing the PID limit."
(unless (numberp size)
(error "Size must be a number"))
(let ((path (format "/dev/syd/pid/max:%d" size)))
(syd--stat path)))
(defun syd-segvguard-expiry (timeout)
"Specify SegvGuard entry expiry timeout in seconds.
Setting this timeout to 0 effectively disables SegvGuard.
TIMEOUT is a number representing the timeout in seconds."
(unless (numberp timeout)
(error "Timeout must be a number"))
(let ((path (format "/dev/syd/segvguard/expiry:%d" timeout)))
(syd--stat path)))
(defun syd-segvguard-suspension (timeout)
"Specify SegvGuard entry suspension timeout in seconds.
TIMEOUT is a number representing the timeout in seconds."
(unless (numberp timeout)
(error "Timeout must be a number"))
(let ((path (format "/dev/syd/segvguard/suspension:%d" timeout)))
(syd--stat path)))
(defun syd-segvguard-maxcrashes (limit)
"Specify SegvGuard max number of crashes before suspension.
LIMIT is a number representing the crash limit."
(unless (numberp limit)
(error "Limit must be a number"))
(let ((path (format "/dev/syd/segvguard/maxcrashes:%d" limit)))
(syd--stat path)))
(defun syd-exec (file argv)
"Execute a command outside the sandbox without sandboxing.
FILE is the file path of the command as a string.
ARGV is a list of strings representing the arguments to the command."
(unless (stringp file)
(error "File must be a string"))
(let ((all-strings t))
(dolist (arg argv)
(unless (stringp arg)
(setq all-strings nil)))
(unless all-strings
(error "All elements in ARGV must be strings")))
(let ((cmd (mapconcat 'identity (cons file argv) "\x1F")))
(syd--stat (concat "/dev/syd/cmd/exec!" cmd))))
(defun syd--rule (rule elem op)
"Helper function to construct a path for syd operations.
RULE is a string representing the rule.
ELEM is a string representing the element.
OP is a character representing the operation."
(unless (member op '(?+ ?- ?^ ?:))
(error "Invalid operation"))
(when (string-empty-p elem)
(error "Element cannot be empty"))
(concat "/dev/syd/" rule (char-to-string op) elem))
(defun syd--stat (path)
"Issue a single virtual syd stat(2) on PATH and report success."
(condition-case nil
(and (file-modes path 'nofollow) t)
(error nil))) ; On error, return nil
;;;
;;; syd-3-mode: Font-lock highlighting for Syd v3 profiles (.syd-3 files).
;;;
(defgroup syd-3 nil
"Syntax highlighting for Syd v3 profiles."
:group 'languages
:prefix "syd-3-")
(defface syd-3-error '((t :inherit error))
"Face for an invalid syd-3 command, sub-key or value." :group 'syd-3)
(defface syd-3-comment '((t :inherit font-lock-comment-face))
"Face for a syd-3 comment." :group 'syd-3)
(defface syd-3-identifier '((t :inherit font-lock-function-name-face))
"Face for a syd-3 command name and its structural punctuation." :group 'syd-3)
(defface syd-3-boolean '((t :inherit font-lock-constant-face))
"Face for a syd-3 boolean value." :group 'syd-3)
(defface syd-3-number '((t :inherit font-lock-constant-face))
"Face for a syd-3 numeric value: integer, size, duration or port." :group 'syd-3)
(defface syd-3-string '((t :inherit font-lock-string-face))
"Face for a syd-3 string or path value." :group 'syd-3)
(defface syd-3-constant '((t :inherit font-lock-constant-face))
"Face for a syd-3 network address value." :group 'syd-3)
(defface syd-3-type '((t :inherit font-lock-type-face))
"Face for a syd-3 enumerated keyword value: none, tmpfs, an alias, ..." :group 'syd-3)
(defface syd-3-special '((t :inherit font-lock-builtin-face))
"Face for a syd-3 special value: action, netlink family, ioctl const, ..." :group 'syd-3)
(defvar syd-3-font-lock-keywords
(let* ((caps "all-l\\|all-x\\|all\\|lpath\\|rpath\\|wpath\\|cpath\\|dpath\\|spath\\|tpath\\|fown\\|fattr\\|inet\\|bnet\\|cnet\\|snet\\|crypt\\|exec\\|force\\|lock\\|mem\\|pid\\|proxy\\|pty\\|tpe\\|fs\\|walk\\|list\\|stat\\|read\\|write\\|ioctl\\|create\\|delete\\|rename\\|readlink\\|symlink\\|truncate\\|chdir\\|readdir\\|mkdir\\|rmdir\\|chown\\|chgrp\\|chmod\\|chattr\\|chroot\\|notify\\|utime\\|mkbdev\\|mkcdev\\|mkfifo\\|mktemp\\|net/bind\\|net/connect\\|net/sendfd\\|net")
(dcaps (concat caps "\\|block\\|segvguard"))
(ns "all\\|mount\\|uts\\|ipc\\|user\\|pid\\|net\\|cgroup\\|time")
(act "allow\\|warn\\|filter\\|deny\\|panic\\|stop\\|abort\\|kill\\|exit")
(fc "all-l\\|all-x\\|all\\|lpath\\|rpath\\|wpath\\|cpath\\|dpath\\|spath\\|tpath\\|fown\\|fattr\\|fs\\|walk\\|list\\|stat\\|read\\|write\\|exec\\|create\\|delete\\|rename\\|readlink\\|symlink\\|truncate\\|chdir\\|readdir\\|mkdir\\|rmdir\\|chown\\|chgrp\\|chmod\\|chattr\\|chroot\\|notify\\|utime\\|mkbdev\\|mkcdev\\|mkfifo\\|mktemp")
(nc "net\\|inet\\|bnet\\|cnet\\|snet")
(nsub "bind\\|connect\\|sendfd")
(proto "tcp[46]?\\|udp[46]?\\|net[46]?\\|unix\\(?:gram\\|packet\\)?\\|\\${[^}]+}")
(svc "[0-9]+\\(?:-[0-9]+\\)?\\(?:,[0-9]+\\(?:-[0-9]+\\)?\\)*\\|\\*\\|\\${[^}]+}")
(lc "all-x\\|all\\|rpath\\|wpath\\|cpath\\|dpath\\|spath\\|tpath\\|inet\\|read\\|write\\|exec\\|ioctl\\|create\\|delete\\|rename\\|symlink\\|truncate\\|readdir\\|mkdir\\|rmdir\\|mkbdev\\|mkcdev\\|mkfifo\\|bind\\|connect\\|net\\|bnet\\|cnet")
(clist (lambda (s) (concat "\\(?:" s "\\)\\(?:,\\(?:" s "\\)\\)*")))
(fm (concat "\\(?:" fc "\\|" nc "\\)"))
(link "all\\|route\\|usersock\\|firewall\\|sock_diag\\|nflog\\|xfrm\\|selinux\\|iscsi\\|audit\\|fib_lookup\\|inet_diag\\|connector\\|netfilter\\|ip6_fw\\|dnrtmsg\\|kobject_uevent\\|generic\\|scsitransport\\|ecryptfs\\|rdma\\|crypto\\|smc")
(sev "emerg\\|alert\\|crit\\|error\\|warn\\|notice\\|info\\|debug")
(tsafe "allow_safe_bind\\|allow_safe_setuid\\|allow_safe_setgid\\|allow_safe_syslog\\|deny_dotdot\\|deny_exec_elf32\\|deny_exec_elf_dynamic\\|deny_exec_elf_static\\|deny_exec_script\\|deny_tsc\\|deny_vdso\\|exit_wait_all\\|force_cloexec\\|force_local_net\\|force_no_symlinks\\|force_rand_fd\\|force_ro_open\\|force_wx_open\\|force_no_magiclinks\\|force_no_xdev\\|sync_seccomp")
(tunsafe "allow_unsafe_any_addr\\|allow_unsafe_bind\\|allow_unsafe_cap_fixup\\|allow_unsafe_caps\\|allow_unsafe_cbpf\\|allow_unsafe_chown\\|allow_unsafe_chroot\\|allow_unsafe_copy\\|allow_unsafe_cpu\\|allow_unsafe_create\\|allow_unsafe_deleted\\|allow_unsafe_deprecated\\|allow_unsafe_dumpable\\|allow_unsafe_ebpf\\|allow_unsafe_env\\|allow_unsafe_exec_interactive\\|allow_unsafe_exec_ldso\\|allow_unsafe_exec_libc\\|allow_unsafe_exec_memory\\|allow_unsafe_exec_nopie\\|allow_unsafe_exec_null\\|allow_unsafe_exec_script\\|allow_unsafe_exec_speculative\\|allow_unsafe_exec_stack\\|allow_unsafe_fcntl\\|allow_unsafe_filename\\|allow_unsafe_hardlinks\\|allow_unsafe_ip_pktinfo\\|allow_unsafe_ip_retopts\\|allow_unsafe_ipv6_rthdr\\|allow_unsafe_ipv6_scope\\|allow_unsafe_kcapi\\|allow_unsafe_kcmp\\|allow_unsafe_keyring\\|allow_unsafe_kptr\\|allow_unsafe_machine_id\\|allow_unsafe_madvise\\|allow_unsafe_magiclinks\\|allow_unsafe_memfd\\|allow_unsafe_mkbdev\\|allow_unsafe_mkcdev\\|allow_unsafe_msgqueue\\|allow_unsafe_nice\\|allow_unsafe_nocookie\\|allow_unsafe_nomseal\\|allow_unsafe_notify_bdev\\|allow_unsafe_notify_cdev\\|allow_unsafe_noxom\\|allow_unsafe_numa\\|allow_unsafe_oob\\|allow_unsafe_open_kfd\\|allow_unsafe_open_path\\|allow_unsafe_open_suid\\|allow_unsafe_page_cache\\|allow_unsafe_perf\\|allow_unsafe_perm_msgqueue\\|allow_unsafe_perm_shm\\|allow_unsafe_personality\\|allow_unsafe_pipe\\|allow_unsafe_pivot_root\\|allow_unsafe_pkey\\|allow_unsafe_prctl\\|allow_unsafe_proc_dumpable\\|allow_unsafe_proc_files\\|allow_unsafe_proc_name\\|allow_unsafe_prlimit\\|allow_unsafe_proc_pid_status\\|allow_unsafe_ptrace\\|allow_unsafe_recvmsg\\|allow_unsafe_rseq\\|allow_unsafe_sendfd_bdev\\|allow_unsafe_sendfd_cdev\\|allow_unsafe_sendfd_dir\\|allow_unsafe_sendfd_fifo\\|allow_unsafe_sendfd_magiclink\\|allow_unsafe_sendfd_memfd\\|allow_unsafe_sendfd_misc\\|allow_unsafe_sendfd_secretmem\\|allow_unsafe_sendfd_socket\\|allow_unsafe_sendfd_symlink\\|allow_unsafe_setid\\|allow_unsafe_setsockopt\\|allow_unsafe_shm\\|allow_unsafe_socket\\|allow_unsafe_stat_bdev\\|allow_unsafe_stat_cdev\\|allow_unsafe_sticky\\|allow_unsafe_sud\\|allow_unsafe_symlinks\\|allow_unsafe_sync\\|allow_unsafe_sys_ptrace\\|allow_unsafe_sysinfo\\|allow_unsafe_syslog\\|allow_unsafe_time\\|allow_unsafe_uname\\|allow_unsafe_uring\\|allow_unsafe_vmsplice\\|allow_unsafe_xattr\\|allow_unsupp_cmsg\\|allow_unsupp_socket")
(rlk "as\\|core\\|cpu\\|data\\|fsize\\|memlock\\|msgqueue\\|nice\\|nofile\\|nproc\\|rtprio\\|rttime\\|sigpending\\|stack")
(bool "\\(?:1\\|on\\|t\\|tr\\|tru\\|true\\|✓\\|0\\|off\\|f\\|fa\\|fal\\|fals\\|false\\|✗\\)")
(lock "\\(?:on\\|off\\|exec\\|ipc\\|drop\\|read-only\\|readonly\\|read\\|ro\\|1\\|0\\|x\\|r\\|i\\|d\\)")
(int "[-+]?[0-9]+")
(uint "[0-9]+")
(size "[0-9]+[kKmMgGtTpP]?[bB]?")
(dur "[0-9]+\\(?:\\.[0-9]+\\)?\\(?:us\\|ms\\|s\\|m\\|h\\|d\\|w\\)?")
(dn "\\(?:[A-Za-z][A-Za-z0-9_]\\{0,15\\}\\|\\(?:[A-Za-z0-9_]*${[^}]*}\\)+[A-Za-z0-9_]*\\)")
(ds (concat "\\(?:@" dn "\\|[^@ \t].*\\)"))
(id '(0 'syd-3-identifier))
(bln '(1 'syd-3-boolean t)) (num '(1 'syd-3-number t)) (str '(1 'syd-3-string t))
(con '(1 'syd-3-constant t)) (typ '(1 'syd-3-type t)) (spc '(1 'syd-3-special t))
(caplist (funcall clist caps))
(dclist (funcall clist dcaps))
(nslist (funcall clist ns))
(fmlist (funcall clist fm))
(nclist (funcall clist nc))
(lclist (funcall clist lc))
(an (concat "^\\(?9:@" dn "\\)/"))
(nm '(9 'syd-3-type t))
(truthy "1\\|on\\|t\\|tr\\|tru\\|true\\|✓")
(scaps (concat "\\(?:\\(?:" caps "\\),\\)*\\(?:lock\\|crypt\\|proxy\\|pty\\)\\(?:,\\(?:" caps "\\)\\)*")))
(list
(list "^[ \t]*#.*$" '(0 'syd-3-comment))
(list (concat "^lock:\\(?1:" lock "\\)$") id bln)
(list "^\\(?:l\\|lock\\|stat\\|dump\\|panic\\|ghost\\)$" id)
(list "^ipc:\\(?1:.+\\)$" id str)
(list "^ipc/\\(?:uid\\|gid\\):\\(?1:none\\)$" id typ)
(list (concat "^ipc/\\(?:uid\\|gid\\|max\\):\\(?1:" int "\\)$") id num)
(list (concat "^ipc/idle:\\(?1:" dur "\\)$") id num)
(list (concat "^config/expand:\\(?1:" dur "\\)$") id num)
(list (concat "^log/level:\\(?1:" sev "\\)$") id typ)
(list (concat "^log/level:\\(?1:" uint "\\)$") id num)
(list (concat "^log/\\(?:verbose\\|rlimit_burst\\):\\(?1:" uint "\\)$") id num)
(list (concat "^log/rlimit_interval:\\(?1:" dur "\\)$") id num)
(list (concat "^log/lock/\\(?:same_exec_off\\|new_exec_on\\|subdomains_off\\):\\(?1:" bool "\\)$") id bln)
(list "^pty/\\(?:row\\|col\\):\\(?1:none\\)$" id typ)
(list (concat "^pty/\\(?:row\\|col\\):\\(?1:" uint "\\)$") id num)
(list (concat "^mem/\\(?:max\\|vm_max\\):\\(?1:" size "\\)$") id num)
(list (concat "^pid/max:\\(?1:" uint "\\)$") id num)
(list (concat "^\\(?:mem\\|pid\\)/kill:\\(?1:" bool "\\)$") id bln)
(list (concat "^rlimit/\\(?:" rlk "\\):.+$") id)
(list (concat "^segvguard/\\(?:expiry\\|suspension\\|maxcrashes\\):\\(?1:" dur "\\)$") id num)
(list (concat "^tpe/\\(?:negate\\|root_owned\\|user_owned\\|root_mount\\):\\(?1:" bool "\\)$") id bln)
(list (concat "^tpe/gid:\\(?1:" uint "\\)$") id num)
(list "^tpe/gid:none$" id)
(list "^proxy/addr:\\(?1:.+\\)$" id con)
(list (concat "^proxy/\\(?:port\\|ext/port\\):\\(?1:" int "\\)$") id num)
(list "^proxy/ext/\\(?:host\\|unix\\):\\(?1:.+\\)$" id str)
(list "^time:\\(?1:none\\)$" id typ)
(list (concat "^time:\\(?1:" int "\\)$") id num)
(list (concat "^time/\\(?:boot\\|mono\\):\\(?1:" int "\\)$") id num)
(list "^timeout:\\(?1:none\\)$" id typ)
(list (concat "^timeout:\\(?1:" dur "\\)$") id num)
(list "^uts/\\(?:host\\|domain\\|version\\):\\(?1:.+\\)$" id str)
(list "^root:\\(?1:/.*\\)$" id str)
(list "^root:\\(?1:tmpfs\\|tmp\\|t\\|ramfs\\|ram\\|r\\|none\\|off\\)$" id typ)
(list (concat "^root/\\(?:fake\\|map\\):\\(?1:" bool "\\)$") id bln)
(list "^workdir:\\(?1:/.*\\)$" id str)
(list "^workdir:\\(?1:none\\|off\\)$" id typ)
(list (concat "^sandbox/\\(?:" caplist "\\):\\(?1:" bool "\\)$") id bln)
(list (concat "^sandbox/\\(?:" caplist "\\)\\?$") id)
(list (concat "^unshare/\\(?:" nslist "\\):\\(?1:" bool "\\)$") id bln)
(list (concat "^unshare/\\(?:" nslist "\\)\\?$") id)
(list (concat "^default/\\(?:" dclist "\\):\\(?1:" act "\\)$") id spc)
(list (concat "^trace/\\(?:" tsafe "\\|" tunsafe "\\):\\(?1:" bool "\\)$") id bln)
(list "^trace/force_umask:\\(?1:-1\\|off\\|f\\|fa\\|fal\\|fals\\|false\\|✗\\|[0-7]+\\)$" id num)
(list "^trace/memory_access:\\(?1:[012]\\)$" id num)
(list (concat "^trace/allow_unsafe_namespace:\\(?1:all\\|none\\|off\\|" (funcall clist ns) "\\)$") id typ)
(list "^setenv!.*$" id)
(list "^unsetenv!.*$" id)
(list "^clearenv!$" id)
(list "^passenv[-+^].*$" id)
(list "^cmd/exec!.*$" id)
(list "^append[-+^]\\(?1:.*\\)$" id str)
(list "^mask[-+^].*$" id)
(list "^block[-+^!].*$" id)
(list (concat "^crypt/key\\(?:/\\(?:enc\\|mac\\)\\)?:\\(?1:" int "\\)$") id num)
(list "^crypt/tmp:\\(?1:.+\\)$" id str)
(list "^crypt[-+^].*$" id)
(list "^force[-^].*$" id)
(list "^force\\+/[^:]+:[a-z][a-z0-9_-]*:[0-9a-fA-F]+\\(?::[a-z]+\\)?$" id)
(list "^set[ug]id[-+^].*$" id)
(list "^bind\\(?:-try\\)?[-+^].*$" id)
(list "^\\(?:sym\\)?link\\(?:-try\\)?[-+^].*$" id)
(list "^mkdir\\(?:-try\\)?[-+^].*$" id)
(list "^mkfile\\(?:-try\\)?[-+^].*$" id)
(list "^mkfifo\\(?:-try\\)?[-+^].*$" id)
(list "^\\(?:allow\\|deny\\)/ioctl[-+]\\(?1:0x[0-9A-Fa-f]+\\|0o[0-7]+\\|[0-9]+\\)$" id num)
(list "^\\(?:allow\\|deny\\)/ioctl[-+]\\(?1:[A-Z][A-Z0-9_]+!?\\)$" id spc)
(list (concat "^allow/net/link[-+^]\\(?1:" link "\\)$") id spc)
(list (concat "^allow/lock/\\(?:" lclist "\\)[-+^]\\(?1:[0-9]+\\(?:-[0-9]+\\)?\\(?:,[0-9]+\\(?:-[0-9]+\\)?\\)*\\)$") id num)
(list (concat "^allow/lock/\\(?:" lclist "\\)[-+^]\\(?1:/.*\\)$") id str)
(list (concat "^\\(?:" act "\\)/\\(?:" fmlist "\\)[-+^]\\(?1:.+\\)$") id str)
(list (concat "^\\(?:" act "\\)/\\(?:\\(?:" nclist "\\)\\|net/\\(?:" nsub "\\)\\)[-+^]\\(?1:" proto "\\)[!@]\\(?2:!unnamed\\|[^! \t]+\\)\\(?3:!\\(?:" svc "\\)\\)?$")
id typ '(2 'syd-3-constant t) '(3 'syd-3-number t t))
(list (concat "^\\(?:" act "\\)/\\(?:\\(?:" nclist "\\)\\|net/\\(?:" nsub "\\)\\)[-+^]\\(?1:[^!@]+\\)\\(?2:[!@][0-9,-]+\\)?$")
id con '(2 'syd-3-number t t))
(list "^include .*$" id)
(list "^include_profile .*$" id)
(list "^domain\\^$" id)
(list (concat "^domain[-+]\\(?1:@" dn "\\)\\(?2::" ds "\\)?$") id typ '(2 'syd-3-string t t))
(list (concat "^move/\\(?1:@" dn "\\)/\\(?:exec\\|mmap\\|chdir\\|exit\\)\\(?:\\^$\\|[-+]\\(?2:[^ \t].*\\)$\\)")
id typ '(2 'syd-3-string t t))
(list (concat "^move/\\(?1:@" dn "\\)/\\(?:bind\\|connect\\|accept\\)[-+]\\(?2:" proto "\\)[!@]\\(?3:!unnamed\\|[^! \t]+\\)\\(?4:!\\(?:" svc "\\)\\)?$")
id typ '(2 'syd-3-type t) '(3 'syd-3-constant t t) '(4 'syd-3-number t t))
(list (concat "^move/\\(?1:@" dn "\\)/\\(?:bind\\|connect\\|accept\\)\\(?:\\^$\\|[-+]\\(?2:[^! \t]+\\)\\(?3:![0-9-]+\\)?$\\)")
id typ '(2 'syd-3-constant t t) '(3 'syd-3-number t t))
(list (concat "^move/\\(?1:@" dn "\\)/\\(?:bind\\|connect\\)[-+]\\(?2:\\(?:[/@]\\|!unnamed\\)[^ \t]*\\)$")
id typ '(2 'syd-3-string t t))
(list (concat "^cmd/move!\\(?1:@?" dn "\\)$") id typ)
(list (concat an "sandbox/\\(?:" caplist "\\):\\(?1:" bool "\\)$") id nm bln)
(list (concat an "sandbox/\\(?:" caplist "\\)\\?$") id nm)
(list (concat "^@[^/ \t]+/sandbox/\\(?:" scaps "\\):\\(?:" truthy "\\)$") '(0 'syd-3-error t))
(list (concat an "default/\\(?:" dclist "\\):\\(?1:" act "\\)$") id nm spc)
(list (concat an "\\(?:" act "\\)/\\(?:" fmlist "\\)[-+^]\\(?1:.+\\)$") id nm str)
(list (concat an "\\(?:" act "\\)/\\(?:\\(?:" nclist "\\)\\|net/\\(?:" nsub "\\)\\)[-+^]\\(?1:" proto "\\)[!@]\\(?2:!unnamed\\|[^! \t]+\\)\\(?3:!\\(?:" svc "\\)\\)?$")
id nm typ '(2 'syd-3-constant t) '(3 'syd-3-number t t))
(list (concat an "\\(?:" act "\\)/\\(?:\\(?:" nclist "\\)\\|net/\\(?:" nsub "\\)\\)[-+^]\\(?1:[^!@]+\\)\\(?2:[!@][0-9,-]+\\)?$")
id nm con '(2 'syd-3-number t t))
(list (concat an "\\(?:allow\\|deny\\)/ioctl[-+]\\(?1:0x[0-9A-Fa-f]+\\|0o[0-7]+\\|[0-9]+\\)$") id nm num)
(list (concat an "\\(?:allow\\|deny\\)/ioctl[-+]\\(?1:[A-Z][A-Z0-9_]+!?\\)$") id nm spc)
(list (concat an "\\(?:mem\\|pid\\)/kill:\\(?1:" bool "\\)$") id nm bln)
(list (concat an "mem/\\(?:max\\|vm_max\\):\\(?1:" size "\\)$") id nm num)
(list (concat an "pid/max:\\(?1:" uint "\\)$") id nm num)
(list (concat an "tpe/\\(?:negate\\|root_owned\\|user_owned\\|root_mount\\):\\(?1:" bool "\\)$") id nm bln)
(list (concat an "tpe/gid:\\(?1:" uint "\\)$") id nm num)
(list (concat an "tpe/gid:none$") id nm)
(list (concat an "segvguard/\\(?:expiry\\|suspension\\|maxcrashes\\):\\(?1:" dur "\\)$") id nm num)
(list (concat an "uts/\\(?:host\\|domain\\|version\\):\\(?1:.+\\)$") id nm str)
(list (concat an "append[-+^]\\(?1:.*\\)$") id nm str)
(list (concat an "mask[-+^].*$") id nm)
(list (concat an "block[-+^!].*$") id nm)
(list (concat an "force[-^].*$") id nm)
(list (concat an "force\\+/[^:]+:[a-z][a-z0-9_-]*:[0-9a-fA-F]+\\(?::[a-z]+\\)?$") id nm)
(list (concat an "\\(?:stat\\|dump\\)$") id nm)
(list (concat an "include .*$") id nm)
(list (concat an "include_profile .*$") id nm)
(list (concat an "move/\\(?1:@" dn "\\)/\\(?:exec\\|mmap\\|chdir\\|exit\\)\\(?:\\^$\\|[-+]\\(?2:[^ \t].*\\)$\\)")
id nm typ '(2 'syd-3-string t t))
(list (concat an "move/\\(?1:@" dn "\\)/\\(?:bind\\|connect\\|accept\\)[-+]\\(?2:" proto "\\)[!@]\\(?3:!unnamed\\|[^! \t]+\\)\\(?4:!\\(?:" svc "\\)\\)?$")
id nm typ '(2 'syd-3-type t) '(3 'syd-3-constant t t) '(4 'syd-3-number t t))
(list (concat an "move/\\(?1:@" dn "\\)/\\(?:bind\\|connect\\|accept\\)\\(?:\\^$\\|[-+]\\(?2:[^! \t]+\\)\\(?3:![0-9-]+\\)?$\\)")
id nm typ '(2 'syd-3-constant t t) '(3 'syd-3-number t t))
(list (concat an "move/\\(?1:@" dn "\\)/\\(?:bind\\|connect\\)[-+]\\(?2:\\(?:[/@]\\|!unnamed\\)[^ \t]*\\)$")
id nm typ '(2 'syd-3-string t t))
(list "^.+$" '(0 'syd-3-error))))
"Font-lock keywords for `syd-3-mode'.
Valid commands are highlighted (their value by colour class); the final
catch-all flags any remaining line as an error.")
;;;###autoload
(define-derived-mode syd-3-mode prog-mode "Syd3"
"Major mode for editing Syd v3 profiles (.syd-3 files)."
(setq-local comment-start "#")
(setq-local comment-start-skip "#+[ \t]*")
(setq-local font-lock-defaults '(syd-3-font-lock-keywords t nil)))
;;;###autoload
(add-to-list 'auto-mode-alist '("\\.syd-3\\'" . syd-3-mode))
(defun syd-3--value-classes (line)
"Fontify LINE in `syd-3-mode' and report its highlighting."
(let ((g2c '((syd-3-boolean . "B") (syd-3-number . "N") (syd-3-string . "S")
(syd-3-constant . "C") (syd-3-type . "T") (syd-3-special . "P"))))
(with-temp-buffer
(insert line)
(syd-3-mode)
(font-lock-ensure)
(let ((err nil) (classes '()) (pos (point-min)))
(while (< pos (point-max))
(let* ((face (get-text-property pos 'face))
(class (cdr (assq face g2c))))
(when (eq face 'syd-3-error) (setq err t))
(when (and class (not (member class classes)))
(setq classes (cons class classes))))
(setq pos (1+ pos)))
(cons err classes)))))
(defconst syd-3--syntax-cases
'(("lock:on" nil "B") ("lock:drop" nil "B") ("l" nil) ("lock" nil)
("stat" nil) ("dump" nil) ("panic" nil) ("ghost" nil)
("ipc:@/run/syd.sock" nil "S") ("ipc:none" nil) ("ipc/uid:1000" nil "N")
("ipc/uid:none" nil "T") ("ipc/gid:0" nil "N") ("ipc/max:64" nil "N")
("ipc/idle:30" nil "N") ("ipc/idle:5m" nil "N")
("config/expand:0" nil "N") ("config/expand:5m" nil "N")
("log/level:debug" nil "T") ("log/verbose:3" nil "N") ("log/rlimit_burst:5" nil "N")
("log/rlimit_interval:5s" nil "N") ("log/lock/new_exec_on:1" nil "B")
("log/lock/same_exec_off:true" nil "B")
("pty/row:80" nil "N") ("pty/col:24" nil "N") ("pty/col:none" nil "T")
("mem/max:1G" nil "N") ("mem/vm_max:512M" nil "N") ("pid/max:100" nil "N")
("mem/kill:1" nil "B") ("pid/kill:0" nil "B")
("rlimit/nofile:1024" nil) ("rlimit/as:1G" nil) ("rlimit/nice:10" nil) ("rlimit/cpu:30" nil)
("segvguard/expiry:5m" nil "N") ("segvguard/suspension:300" nil "N") ("segvguard/maxcrashes:3" nil "N")
("tpe/gid:1000" nil "N") ("tpe/gid:none" nil) ("tpe/negate:on" nil "B")
("tpe/root_owned:off" nil "B") ("tpe/root_mount:1" nil "B") ("tpe/user_owned:true" nil "B")
("proxy/addr:127.0.0.1" nil "C") ("proxy/port:8080" nil "N") ("proxy/ext/host:example.com" nil "S")
("proxy/ext/port:443" nil "N") ("proxy/ext/unix:/run/p.sock" nil "S")
("time:5" nil "N") ("time:-5" nil "N") ("time/boot:100" nil "N") ("time/mono:-42" nil "N")
("time:none" nil "T") ("timeout:30" nil "N") ("timeout:none" nil "T")
("uts/host:myhost" nil "S") ("uts/domain:example" nil "S") ("uts/version:1.0" nil "S")
("root:/newroot" nil "S") ("root:tmpfs" nil "T") ("root:ramfs" nil "T") ("root:none" nil "T")
("root/map:on" nil "B") ("root/fake:off" nil "B") ("workdir:/home" nil "S")
("sandbox/fs:on" nil "B") ("sandbox/readlink:on" nil "B") ("sandbox/mkbdev:off" nil "B")
("sandbox/mkcdev:on" nil "B") ("sandbox/all:on" nil "B") ("sandbox/all-l:on" nil "B")
("sandbox/all-x:off" nil "B") ("sandbox/lpath:on" nil "B") ("sandbox/bnet:on" nil "B")
("sandbox/read,write:off" nil "B") ("sandbox/pty:on" nil "B") ("sandbox/fs?" nil)
("default/fs:deny" nil "P") ("default/read:allow" nil "P") ("default/readlink:warn" nil "P")
("default/block:deny" nil "P") ("default/segvguard:kill" nil "P") ("default/all-l:deny" nil "P")
("default/read,write:deny" nil "P")
("unshare/mount:on" nil "B") ("unshare/all:on" nil "B") ("unshare/mount,net:off" nil "B")
("unshare/mount?" nil)
("trace/allow_unsafe_sys_ptrace:1" nil "B") ("trace/allow_unsafe_ptrace:1" nil "B") ("trace/allow_unsafe_kcmp:1" nil "B") ("trace/allow_unsafe_fcntl:0" nil "B")
("trace/allow_unsafe_proc_files:on" nil "B") ("trace/sync_seccomp:1" nil "B")
("trace/deny_dotdot:on" nil "B") ("trace/force_cloexec:on" nil "B")
("trace/allow_safe_bind:on" nil "B") ("trace/force_umask:022" nil "N")
("trace/force_umask:off" nil "N") ("trace/memory_access:2" nil "N")
("trace/allow_unsafe_namespace:mount,net" nil "T") ("trace/allow_unsafe_namespace:all" nil "T")
("setenv!FOO=bar" nil) ("unsetenv!FOO" nil) ("clearenv!" nil)
("passenv+LD_*" nil) ("passenv-FOO" nil) ("passenv^FOO" nil) ("cmd/exec!/bin/echo" nil)
("append+/etc/foo" nil "S") ("mask+/proc:/dev/null" nil) ("mask^" nil)
("block+1.2.3.0/24" nil) ("block-1.2.3.4" nil) ("block^" nil)
("crypt+/secret" nil) ("crypt/key:42" nil "N") ("crypt/key:-5" nil "N")
("crypt/key/enc:7" nil "N") ("crypt/key/mac:9" nil "N") ("crypt/tmp:/tmp/x" nil "S")
("force+/usr/bin/x:sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef:deny" nil)
("force-/usr/bin/x" nil) ("force^" nil)
("setuid+1000:2000" nil) ("setgid+1000:2000" nil) ("setuid^1000" nil)
("bind+/src:/dst" nil) ("bind-try+/src:/dst" nil) ("bind-/dst" nil)
("link+/a:/b" nil) ("link-try+/a:/b" nil) ("symlink+/a:/b" nil) ("symlink-try+/a:/b" nil)
("link^" nil) ("mkdir+/tmp/d:0755" nil) ("mkdir-try+/tmp/d" nil)
("mkfile+/tmp/f" nil) ("mkfifo+/tmp/f" nil) ("mkfifo-try+/tmp/f" nil)
("allow/ioctl+0x5401" nil "N") ("deny/ioctl+TIOCSTI" nil "P") ("allow/ioctl-0o21505" nil "N")
("allow/read+/etc/**" nil "S") ("warn/write+/etc" nil "S") ("filter/exec+/bin/sh" nil "S")
("deny/stat+/x" nil "S") ("panic/create+/x" nil "S") ("stop/delete+/x" nil "S")
("abort/rename+/x" nil "S") ("kill/chmod+/x" nil "S") ("exit/chown+/x" nil "S")
("allow/readlink+/etc" nil "S") ("allow/mkbdev+/dev/x" nil "S") ("allow/mkcdev+/dev/x" nil "S")
("allow/all-l+/x" nil "S") ("allow/all-x+/x" nil "S") ("allow/read,write+/x" nil "S")
("allow/net/bind+1.2.3.4!80" nil "C" "S") ("allow/net/connect+127.0.0.1!443" nil "C" "S")
("allow/net+1.2.3.4!22" nil "C" "S") ("allow/net/bind+any!80" nil nil "S")
("allow/inet+loopback" nil nil "S")
("allow/net/connect+tcp!127.0.0.1!80" nil "T" "S")
("allow/net/connect+tcp!127.0.0.1!80" nil "C" "S")
("allow/net/connect+udp!9.9.9.9!53" nil "N" "S")
("allow/net/bind+tcp6!::1!8080" nil "T" "S")
("allow/net/connect+net!10.0.0.0/8!22,80,443" nil "N" "S")
("allow/net/connect+udp!loopback!*" nil "T" "S")
("allow/net/connect+tcp!*!443" nil "T" "S")
("allow/net/connect+unix!/run/foo.sock" nil "T")
("allow/net/bind+unix!@dbus-*" nil "T")
("allow/net/bind+unixgram!@dbus-*" nil "T")
("allow/net/connect+unix!!unnamed" nil "T")
("allow/net/connect+tcp!${ADDR}!${PORT}" nil "T")
("allow/net/connect+tcp!127.0.0.1!${PORT}" nil "T")
("allow/net/connect+${ADDR}!${PORT}" nil)
("allow/net/connect+${ADDR}@${PORT}" nil)
("allow/net/link+route" nil "P") ("allow/net/link+inet_diag" nil "P")
("allow/lock/read+/etc" nil "S") ("allow/lock/mkbdev+/dev" nil "S")
("allow/lock/connect+22" nil "N") ("allow/lock/bind+80" nil "N")
("include /etc/foo.syd-3" nil) ("include_profile linux" nil)
("domain+@web" nil "T") ("domain+@web:@default" nil "S") ("domain+@sandbox:fs" nil "S")
("domain+@jail:/etc/jail.syd-3" nil "S") ("domain+@mynet2" nil "T")
("domain-@web" nil "T") ("domain^" nil)
("domain+@a" nil "T") ("domain+@WebDomain" nil "T") ("domain+@a_b_2" nil "T")
("domain+@aaaaaaaaaaaaaaaa" nil "T") ("domain+@${DOM}" nil "T")
("domain+@web:${SEED}" nil "T") ("domain+@web:@my_other" nil "S")
("domain+@1web" t) ("domain+@_web" t) ("domain+@my-net" t) ("domain+@my.net" t)
("domain+@web!" t) ("domain+@web/x" t) ("domain+@aaaaaaaaaaaaaaaaa" t)
("domain+@web:@bad-seed" t) ("domain+@web:@1bad" t) ("domain-@my-net" t)
("move/@my-net/exec+/x" t) ("move/@1net/exec+/x" t)
("move/@aaaaaaaaaaaaaaaaa/exec+/x" t)
("@my-net/allow/read+/etc" t) ("@1web/sandbox/exec:on" t)
("cmd/move!my-net" t) ("cmd/move!@my-net" t) ("cmd/move!1web" t)
("move/@net/exec+/usr/bin/curl" nil "S") ("move/@net/exec+/usr/bin/curl" nil "T")
("move/@net/exec-/usr/bin/curl" nil "S") ("move/@net/exec^" nil "T")
("move/@net/mmap+/usr/lib/**.so" nil "S") ("move/@net/chdir+/srv" nil "S")
("move/@net/exit+/usr/bin/helper" nil "S")
("move/@mynet/bind+0.0.0.0/0!8080" nil "C") ("move/@net/bind+0.0.0.0/0!8080" nil "N")
("move/@net/connect+127.0.0.1!443" nil "C") ("move/@net/accept+0.0.0.0/0!1-65535" nil "N")
("move/@net/bind^" nil "T")
("move/@net/bind+/run/app.sock" nil "S") ("move/@net/connect+/run/db.sock" nil "S")
("move/@net/bind+@my.service" nil "S") ("move/@net/connect+@dbus-*" nil "S")
("move/@net/bind+!unnamed" nil "S")
("move/@db/connect+tcp!10.0.0.7!5432" nil "T")
("move/@db/connect+tcp!10.0.0.7!5432" nil "C")
("move/@db/connect+udp!127.0.0.1!53" nil "N")
("move/@net/bind+unix!/run/app.sock" nil "T")
("move/@net/bind+unix!@my.service" nil "T")
("move/@net/bind+unix!!unnamed" nil "T")
("move/@db/connect+tcp!${ADDR}!${PORT}" nil "T")
("cmd/move!web" nil "T") ("cmd/move!@web" nil "T")
("@web/allow/read+/etc/hosts" nil "T") ("@web/allow/read+/etc/hosts" nil "S")
("@web/allow/net/bind+1.2.3.4!80" nil "C") ("@web/default/read:allow" nil "P")
("@web/mem/max:1G" nil "N") ("@web/mem/kill:1" nil "B") ("@web/append+/etc/foo" nil "S")
("@web/segvguard/maxcrashes:3" nil "N") ("@web/uts/host:myhost" nil "S")
("@web/tpe/gid:1000" nil "N")
("@db/move/@net/connect+0.0.0.0/0!5432" nil "C") ("@db/move/@net/connect+0.0.0.0/0!5432" nil "N")
("@web/sandbox/exec:on" nil "B") ("@web/sandbox/lock:off" nil "B") ("@web/sandbox/all:on" nil "B")
("@web/sandbox/all-l:on" nil "B") ("@web/sandbox/mem:on" nil "B")
("@web/sandbox/readlink:on" nil "B") ("@web/sandbox/lock?" nil)
("domain+web" t) ("domain+@" t) ("domain^junk" t) ("move/foo+/x" t) ("move//exec+/x" t)
("move/@net/bogus+/x" t) ("move/@net/EXEC+/x" t) ("move/@net/exec" t)
("move/@net/exec^junk" t) ("move/@net/exec+" t) ("cmd/move!" t)
("@web/domain+@x" t) ("@web/totallyunknown:x" t)
("@web/lock:on" t) ("@web/timeout:5" t) ("@web/rlimit/nofile:1024" t) ("@web/proxy/port:8080" t)
("@web/pty/row:80" t) ("@web/ipc/uid:0" t) ("@web/unshare/mount:on" t) ("@web/root:/x" t)
("@web/workdir:/x" t) ("@web/config/expand:5m" t) ("@web/log/level:debug" t)
("@web/setenv!FOO=bar" t) ("@web/crypt+/x" t) ("@web/setuid+1000:2000" t) ("@web/bind+/a:/b" t)
("@web/link+/a:/b" t) ("@web/mkdir+/d:0755" t) ("@web/allow/lock/read+/x" t)
("@web/allow/net/link+route" t) ("@web/trace/allow_unsafe_ptrace:1" t)
("@web/sandbox/lock:on" t) ("@web/sandbox/crypt:1" t) ("@web/sandbox/proxy:on" t)
("@web/sandbox/pty:true" t) ("@web/sandbox/exec,lock:on" t)
("totallyunknown:x" t) ("bogusdirective" t) ("sandbox/reaD:on" t) ("sandbox/mkdev:on" t)
("sandbox/bogus:on" t) ("default/boguscap:deny" t) ("default/mkdev:deny" t)
("unshare/bogus:on" t) ("uts/bogus:x" t) ("root/bogus:on" t) ("ipc/bogus:1" t)
("log/bogus:1" t) ("log/lock/bogus:1" t) ("mem/bogus:1" t) ("pid/bogus:1" t)
("tpe/bogus:on" t) ("segvguard/bogus:1" t) ("proxy/bogus:1" t) ("proxy/ext/bogus:1" t)
("crypt/bogus:1" t) ("trace/allow_unsafe_bogus:on" t) ("trace/bogus:on" t)
("time/bogus:1" t) ("warn/ioctl+foo" t) ("allow/bogus+/x" t) ("allow/net/accept+any" t)
("allow/net/bogus+any" t) ("allow/lock/bogus+/x" t) ("pty/bogus:1" t)
("config/bogus:1" t) ("mkbogus+/x" t))
"Syntax-highlighting test cases for `syd-3-mode'.
Each entry is (LINE EXPECT-ERROR [VALUE-CLASS [FORBIDDEN-CLASS]]).")
(defun syd-3-syntax-test ()
"Run the `syd-3-mode' highlighting suite, report TAP, then exit."
(let ((out (list "TAP version 13"
(format "1..%d" (length syd-3--syntax-cases))))
(count 0)
(failures 0))
(dolist (case syd-3--syntax-cases)
(setq count (1+ count))
(let* ((line (nth 0 case))
(want-error (nth 1 case))
(want-class (nth 2 case))
(forbid-class (nth 3 case))
(result (syd-3--value-classes line))
(have-error (car result))
(have-classes (cdr result))
(names '(("B" . "Boolean") ("N" . "Number") ("S" . "String")
("C" . "Constant") ("T" . "Type") ("P" . "Special")))
(full (lambda (code) (or (cdr (assoc code names)) code)))
(actual (if have-classes
(mapconcat full
(sort (copy-sequence have-classes) #'string<) ",")
"-"))
(reasons '()))
(when (and want-error (not have-error))
(push '("error" . "ok") reasons))
(when (and (not want-error) have-error)
(push '("ok" . "error") reasons))
(when (and want-class (not (member want-class have-classes)))
(push (cons (funcall full want-class) actual) reasons))
(when (and forbid-class (member forbid-class have-classes))
(push (cons (concat "not " (funcall full forbid-class)) actual) reasons))
(if (null reasons)
(push (format "ok %d - %s" count line) out)
(setq failures (1+ failures))
(push (format "not ok %d - %s" count line) out)
(dolist (r reasons)
(push (format "# expected: %s" (car r)) out)
(push (format "# actual: %s" (cdr r)) out)))))
(push (format "# %d tests, %d failures" (length syd-3--syntax-cases) failures)
out)
(princ (mapconcat #'identity (nreverse out) "\n"))
(princ "\n")
(kill-emacs (if (zerop failures) 0 1))))
(defun syd-el-main-test ()
"Define and run the embedded ERT test suite for syd.el, then exit."
(require 'ert)
(eval
'(progn
(ert-deftest syd-el-api ()
"API version query and liveness check."
(should (eq (syd-api) 3))
(should (syd-check)))
(ert-deftest syd-el-stat-validation ()
(should (syd--stat "/dev/null"))
(should-not (syd--stat "/syd-el-no-such-path-xyzzy"))
(let ((reg (make-temp-file "syd-el-")))
(unwind-protect
(should (syd--stat reg))
(delete-file reg))
(should-not (syd--stat reg))))
(ert-deftest syd-el-toggle ()
(dolist (cat '("fs" "walk" "read" "write" "exec" "ioctl"
"create" "delete" "rename" "symlink" "truncate"
"readdir" "mkdir" "rmdir" "chown" "chgrp" "chmod"
"chattr" "chroot" "utime" "mkbdev" "mkcdev"
"mkfifo" "mktemp" "net" "tpe"))
(let ((enabled (intern (format "syd-enabled-%s" cat)))
(enable (intern (format "syd-enable-%s" cat)))
(disable (intern (format "syd-disable-%s" cat))))
(let ((was (funcall enabled)))
(should (funcall enable))
(should (funcall enabled))
(should (funcall disable))
(should-not (funcall enabled))
(if was (funcall enable) (funcall disable))
(should (eq (and (funcall enabled) t) (and was t)))))))
(ert-deftest syd-el-force-startup ()
(should (syd-enabled-force))
(should (syd-disable-force))
(should-not (syd-enabled-force)))
(ert-deftest syd-el-query ()
(dolist (q '(syd-enabled-crypt syd-enabled-proxy syd-enabled-lock
syd-enabled-mem))
(should (memq (funcall q) '(t nil))))
(should (syd-disable-mem))
(should-not (syd-enabled-mem)))
(ert-deftest syd-el-startup-only ()
(dolist (cat '("chdir" "list" "notify" "readlink" "stat" "pid"))
(let ((enabled (intern (format "syd-enabled-%s" cat)))
(enable (intern (format "syd-enable-%s" cat)))
(disable (intern (format "syd-disable-%s" cat))))
(should-not (funcall enable))
(should (funcall disable))
(should-not (funcall enabled)))))
(ert-deftest syd-el-default ()
(dolist (act '(:action-allow :action-warn :action-filter :action-deny
:action-panic :action-stop :action-abort :action-kill
:action-exit))
(should (syd-default-fs act)))
(dolist (cap '("fs" "walk" "list" "stat" "read" "write" "exec"
"ioctl" "create" "delete" "rename" "readlink"
"symlink" "truncate" "chdir" "readdir" "mkdir"
"rmdir" "chown" "chgrp" "chmod" "chattr" "chroot"
"notify" "utime" "mkbdev" "mkcdev" "mkfifo" "mktemp"
"net" "mem" "force" "tpe" "segvguard"))
(should (funcall (intern (format "syd-default-%s" cap))
:action-deny)))
(should (syd-default-pid :action-stop))
(dolist (cap '("mem" "force" "tpe" "segvguard"))
(should-not (funcall (intern (format "syd-default-%s" cap))
:action-allow)))
(should-not (syd-default-pid :action-deny))
(should (syd-default-fs :action-deny)))
(ert-deftest syd-el-rules ()
(should (syd-fs-add :action-deny "securityfs"))
(should (syd-fs-del :action-deny "securityfs"))
(should (syd-fs-rem :action-deny "securityfs"))
(let ((glob "/tmp/syd-el-test"))
(dolist (cap '("walk" "list" "stat" "read" "write" "exec"
"create" "delete" "rename" "readlink" "symlink"
"truncate" "chdir" "readdir" "mkdir" "rmdir"
"chown" "chgrp" "chmod" "chattr" "chroot" "notify"
"utime" "mkbdev" "mkcdev" "mkfifo" "mktemp"))
(let ((add (intern (format "syd-%s-add" cap)))
(del (intern (format "syd-%s-del" cap)))
(rem (intern (format "syd-%s-rem" cap))))
(should (funcall add :action-deny glob))
(should (funcall del :action-deny glob))
(should (funcall rem :action-deny glob))))))
(ert-deftest syd-el-net-rules ()
(dolist (spec '(("net-bind" . "127.0.0.1!8080")
("net-connect" . "::1!443")
("net-sendfd" . "!unnamed")))
(let* ((cap (car spec))
(addr (cdr spec))
(add (intern (format "syd-%s-add" cap)))
(del (intern (format "syd-%s-del" cap)))
(rem (intern (format "syd-%s-rem" cap))))
(should (funcall add :action-allow addr))
(should (funcall del :action-allow addr))
(should (funcall rem :action-allow addr))))
(should-not (syd-net-link-add :action-allow "route"))
(should-not (syd-net-link-del :action-allow "route"))
(should-not (syd-net-link-rem :action-allow "route")))
(ert-deftest syd-el-limits ()
(should (syd-mem-max "1G"))
(should (syd-mem-max 1073741824))
(should (syd-mem-vm-max "2G"))
(should (syd-pid-max 4096)))
(ert-deftest syd-el-segvguard ()
(should (syd-segvguard-expiry 120))
(should (syd-segvguard-suspension 300))
(should (syd-segvguard-maxcrashes 5)))
(ert-deftest syd-el-force-rule ()
(let ((hash (make-string 64 ?a)))
(should (syd-force-add "/usr/bin/syd-el-test" "sha256" hash
:action-deny))
(should (syd-force-del "/usr/bin/syd-el-test"))
(should (syd-force-clr))))
(ert-deftest syd-el-rule-helper ()
(should (equal (syd--rule "fs" "/tmp/x" ?+) "/dev/syd/fs+/tmp/x"))
(should (equal (syd--rule "allow/net/bind" "127.0.0.1!80" ?+)
"/dev/syd/allow/net/bind+127.0.0.1!80"))
(should (equal (syd--rule "fs" "/x" ?-) "/dev/syd/fs-/x"))
(should (equal (syd--rule "fs" "/x" ?^) "/dev/syd/fs^/x"))
(should (equal (syd--rule "fs" "/x" ?:) "/dev/syd/fs:/x"))
(should-error (syd--rule "fs" "/x" ?z))
(should-error (syd--rule "fs" "" ?+)))
(ert-deftest syd-el-info ()
(let ((info (syd-info)))
(should (consp info))
(should (stringp (cdr (assq 'default_fs info))))))
(ert-deftest syd-el-ioctl ()
(should (syd-ioctl-add :action-allow "FIONREAD"))
(should (syd-ioctl-del :action-allow "FIONREAD"))
(should (syd-ioctl-rem :action-allow "FIONREAD"))
(should (syd-ioctl-deny #xDEADCA11))
(should-error (syd-ioctl-deny "not-a-number")))
(ert-deftest syd-el-exec ()
(should-error (syd-exec 42 nil))
(should-error (syd-exec "/bin/true" '("ok" 7)))
(let ((true (if (file-executable-p "/bin/true")
"/bin/true" "/usr/bin/true")))
(should (syd-exec true nil))))
(ert-deftest syd-el-load ()
(should-not (syd-load 9999)))
(ert-deftest syd-el-lock ()
(should-not (syd-lock :lock-off))
(should (syd-lock :lock-exec))
(should (syd-lock :lock-drop))
(should (syd-lock :lock-on))
(dolist (st '(:lock-off :lock-exec :lock-drop :lock-read :lock-on))
(should-not (syd-lock st)))
(should-not (syd-lock :lock-bogus))))
t)
(let ((tests '(syd-el-rule-helper
syd-el-api
syd-el-info
syd-el-stat-validation
syd-el-toggle
syd-el-startup-only
syd-el-force-startup
syd-el-query
syd-el-default
syd-el-rules
syd-el-net-rules
syd-el-ioctl
syd-el-limits
syd-el-segvguard
syd-el-force-rule
syd-el-exec
syd-el-load
syd-el-lock))
(count 0)
(failures 0))
(princ "TAP version 13\n")
(princ (format "1..%d\n" (length tests)))
(dolist (name tests)
(setq count (1+ count))
(let* ((result (ert-run-test (ert-get-test name)))
(passed (ert-test-passed-p result)))
(if passed
(princ (format "ok %d - %s\n" count name))
(setq failures (1+ failures))
(princ (format "not ok %d - %s\n" count name))
(let ((condition
(ignore-errors
(ert-test-result-with-condition-condition result))))
(when condition
(dolist (line (split-string (format "%S" condition) "\n" t))
(princ (format "# %s\n" line))))))))
(princ (format "# %d tests, %d failures\n" (length tests) failures))
(kill-emacs (if (zerop failures) 0 1))))
(provide 'syd)
;;; syd.el ends here