§libsyd - syd API Rust Library
libsyd is a C library written in Rust that implements the syd stat API, providing an interface to the /dev/syd of syd. It allows for runtime configuration and interaction with the syd sandboxing environment.
§Overview
The library is designed to interact with the syd sandboxing environment, offering functionalities to check and modify the state of the sandbox lock, and perform system calls to /dev/syd.
For more detailed information and usage instructions, refer to the syd manual, available at syd Manual.
§Author
Ali Polatel alip@chesswob.org
Constants§
- ACTION_ABORT - Deny system call, warn and abort the offending process.
- ACTION_ALLOW - Allow system call.
- ACTION_DENY - Deny system call and warn.
- ACTION_EXIT - Warn, and exit Syd immediately with deny errno as exit value.
- ACTION_FILTER - Deny system call silently.
- ACTION_KILL - Deny system call, warn and kill the offending process.
- ACTION_PANIC - Deny system call, warn and panic the current Syd thread.
- ACTION_STOP - Deny system call, warn and stop the offending process.
- ACTION_WARN - Allow system call and warn.
- LOCK_EXEC - The sandbox lock is set to on for all processes except the initial process (syd exec child).
- LOCK_OFF - The sandbox lock is off, allowing all sandbox commands.
- LOCK_ON - The sandbox lock is on, disallowing all sandbox commands.
Functions§
- syd_api - Performs a syd API check
- syd_chattr_add - Adds to the given actionlist of chattr sandboxing.
- syd_chattr_del - Removes the first instance from the end of the given actionlist of chattr sandboxing.
- syd_chattr_rem - Removes all matching patterns from the given actionlist of chattr sandboxing.
- syd_chdir_add - Adds to the given actionlist of chdir sandboxing.
- syd_chdir_del - Removes the first instance from the end of the given actionlist of chdir sandboxing.
- syd_chdir_rem - Removes all matching patterns from the given actionlist of chdir sandboxing.
- syd_check - Performs an lstat system call on the file “/dev/syd”.
- syd_chgrp_add - Adds to the given actionlist of chgrp sandboxing.
- syd_chgrp_del - Removes the first instance from the end of the given actionlist of chgrp sandboxing.
- syd_chgrp_rem - Removes all matching patterns from the given actionlist of chgrp sandboxing.
- syd_chmod_add - Adds to the given actionlist of chmod sandboxing.
- syd_chmod_del - Removes the first instance from the end of the given actionlist of chmod sandboxing.
- syd_chmod_rem - Removes all matching patterns from the given actionlist of chmod sandboxing.
- syd_chown_add - Adds to the given actionlist of chown sandboxing.
- syd_chown_del - Removes the first instance from the end of the given actionlist of chown sandboxing.
- syd_chown_rem - Removes all matching patterns from the given actionlist of chown sandboxing.
- syd_chroot_add - Adds to the given actionlist of chroot sandboxing.
- syd_chroot_del - Removes the first instance from the end of the given actionlist of chroot sandboxing.
- syd_chroot_rem - Removes all matching patterns from the given actionlist of chroot sandboxing.
- syd_create_add - Adds to the given actionlist of create sandboxing.
- syd_create_del - Removes the first instance from the end of the given actionlist of create sandboxing.
- syd_create_rem - Removes all matching patterns from the given actionlist of create sandboxing.
- syd_default_block - Set the default action for IP blocklist violations.
- syd_default_chattr - Set the default action for Chattr Sandboxing.
- syd_default_chdir - Set the default action for Chdir Sandboxing.
- syd_default_chgrp - Set the default action for Chgrp Sandboxing.
- syd_default_chmod - Set the default action for Chmod Sandboxing.
- syd_default_chown - Set the default action for Chown Sandboxing.
- syd_default_chroot - Set the default action for Chroot Sandboxing.
- syd_default_create - Set the default action for Create Sandboxing.
- syd_default_delete - Set the default action for Delete Sandboxing.
- syd_default_exec - Set the default action for Exec Sandboxing.
- syd_default_force - Set the default action for Force Sandboxing.
- syd_default_ioctl - Set the default action for Ioctl Sandboxing.
- syd_default_mem - Set the default action for Memory Sandboxing.
- syd_default_mkdev - Set the default action for Mkdev Sandboxing.
- syd_default_mkdir - Set the default action for Mkdir Sandboxing.
- syd_default_mkfifo - Set the default action for Mkfifo Sandboxing.
- syd_default_mktemp - Set the default action for Mktemp Sandboxing.
- syd_default_net - Set the default action for Network Sandboxing.
- syd_default_pid - Set the default action for PID Sandboxing.
- syd_default_read - Set the default action for Read Sandboxing.
- syd_default_readdir - Set the default action for Readdir Sandboxing.
- syd_default_rename - Set the default action for Rename Sandboxing.
- syd_default_rmdir - Set the default action for Rmdir Sandboxing.
- syd_default_segvguard - Set the default action for SegvGuard
- syd_default_stat - Set the default action for Stat Sandboxing.
- syd_default_symlink - Set the default action for Symlink Sandboxing.
- syd_default_tpe - Set the default action for TPE Sandboxing.
- syd_default_truncate - Set the default action for Truncate Sandboxing.
- syd_default_utime - Set the default action for Utime Sandboxing.
- syd_default_write - Set the default action for Write Sandboxing.
- syd_delete_add - Adds to the given actionlist of delete sandboxing.
- syd_delete_del - Removes the first instance from the end of the given actionlist of delete sandboxing.
- syd_delete_rem - Removes all matching patterns from the given actionlist of delete sandboxing.
- syd_disable_chattr - Disable chattr sandboxing.
- syd_disable_chdir - Disable chdir sandboxing.
- syd_disable_chgrp - Disable chgrp sandboxing.
- syd_disable_chmod - Disable chmod sandboxing.
- syd_disable_chown - Disable chown sandboxing.
- syd_disable_chroot - Disable chroot sandboxing.
- syd_disable_create - Disable create sandboxing.
- syd_disable_delete - Disable delete sandboxing.
- syd_disable_exec - Disable exec sandboxing.
- syd_disable_force - Disable force sandboxing.
- syd_disable_ioctl - Disable ioctl sandboxing.
- syd_disable_mem - Disable memory sandboxing.
- syd_disable_mkdev - Disable mkdev sandboxing.
- syd_disable_mkdir - Disable mkdir sandboxing.
- syd_disable_mkfifo - Disable mkfifo sandboxing.
- syd_disable_mktemp - Disable mktemp sandboxing.
- syd_disable_net - Disable net sandboxing.
- syd_disable_pid - Disable PID sandboxing.
- syd_disable_read - Disable read sandboxing.
- syd_disable_readdir - Disable readdir sandboxing.
- syd_disable_rename - Disable rename sandboxing.
- syd_disable_rmdir - Disable rmdir sandboxing.
- syd_disable_stat - Disable stat sandboxing.
- syd_disable_symlink - Disable symlink sandboxing.
- syd_disable_tpe - Disable TPE sandboxing.
- syd_disable_truncate - Disable truncate sandboxing.
- syd_disable_utime - Disable utime sandboxing.
- syd_disable_write - Disable write sandboxing.
- syd_enable_chattr - Enable chattr sandboxing.
- syd_enable_chdir - Enable chdir sandboxing.
- syd_enable_chgrp - Enable chgrp sandboxing.
- syd_enable_chmod - Enable chmod sandboxing.
- syd_enable_chown - Enable chown sandboxing.
- syd_enable_chroot - Enable chroot sandboxing.
- syd_enable_create - Enable create sandboxing.
- syd_enable_delete - Enable delete sandboxing.
- syd_enable_exec - Enable exec sandboxing.
- syd_enable_force - Enable force sandboxing.
- syd_enable_ioctl - Enable ioctl sandboxing.
- syd_enable_mem - Enable memory sandboxing.
- syd_enable_mkdev - Enable mkdev sandboxing.
- syd_enable_mkdir - Enable mkdir sandboxing.
- syd_enable_mkfifo - Enable mkfifo sandboxing.
- syd_enable_mktemp - Enable mktemp sandboxing.
- syd_enable_net - Enable net sandboxing.
- syd_enable_pid - Enable PID sandboxing.
- syd_enable_read - Enable read sandboxing.
- syd_enable_readdir - Enable readdir sandboxing.
- syd_enable_rename - Enable rename sandboxing.
- syd_enable_rmdir - Enable rmdir sandboxing.
- syd_enable_stat - Enable stat sandboxing.
- syd_enable_symlink - Enable symlink sandboxing.
- syd_enable_tpe - Enable TPE sandboxing.
- syd_enable_truncate - Enable truncate sandboxing.
- syd_enable_utime - Enable utime sandboxing.
- syd_enable_write - Enable write sandboxing.
- syd_enabled_chattr - Checks if chattr sandboxing is enabled.
- syd_enabled_chdir - Checks if chdir sandboxing is enabled.
- syd_enabled_chgrp - Checks if chgrp sandboxing is enabled.
- syd_enabled_chmod - Checks if chmod sandboxing is enabled.
- syd_enabled_chown - Checks if chown sandboxing is enabled.
- syd_enabled_chroot - Checks if chroot sandboxing is enabled.
- syd_enabled_create - Checks if create sandboxing is enabled.
- syd_enabled_crypt - Checks if crypt sandboxing is enabled.
- syd_enabled_delete - Checks if delete sandboxing is enabled.
- syd_enabled_exec - Checks if exec sandboxing is enabled.
- syd_enabled_force - Checks if force sandboxing is enabled.
- syd_enabled_ioctl - Checks if ioctl sandboxing is enabled.
- syd_enabled_lock - Checks if lock sandboxing is enabled.
- syd_enabled_mem - Checks if memory sandboxing is enabled.
- syd_enabled_mkdev - Checks if mkdev sandboxing is enabled.
- syd_enabled_mkdir - Checks if mkdir sandboxing is enabled.
- syd_enabled_mkfifo - Checks if mkfifo sandboxing is enabled.
- syd_enabled_mktemp - Checks if mktemp sandboxing is enabled.
- syd_enabled_net - Checks if net sandboxing is enabled.
- syd_enabled_pid - Checks if PID sandboxing is enabled.
- syd_enabled_proxy - Checks if proxy sandboxing is enabled.
- syd_enabled_read - Checks if read sandboxing is enabled.
- syd_enabled_readdir - Checks if readdir sandboxing is enabled.
- syd_enabled_rename - Checks if rename sandboxing is enabled.
- syd_enabled_rmdir - Checks if rmdir sandboxing is enabled.
- syd_enabled_stat - Checks if stat sandboxing is enabled.
- syd_enabled_symlink - Checks if symlink sandboxing is enabled.
- syd_enabled_tpe - Checks if TPE sandboxing is enabled.
- syd_enabled_truncate - Checks if truncate sandboxing is enabled.
- syd_enabled_utime - Checks if utime sandboxing is enabled.
- syd_enabled_write - Checks if write sandboxing is enabled.
- syd_exec ⚠ - Execute a command outside the sandbox without sandboxing
- syd_exec_add - Adds to the given actionlist of exec sandboxing.
- syd_exec_del - Removes the first instance from the end of the given actionlist of exec sandboxing.
- syd_exec_rem - Removes all matching patterns from the given actionlist of exec sandboxing.
- syd_force_add ⚠ - Adds an entry to the Integrity Force map for Force Sandboxing.
- syd_force_clr - Clears the Integrity Force map for Force Sandboxing.
- syd_force_del ⚠ - Removes an entry from the Integrity Force map for Force Sandboxing.
- syd_ioctl_add - Adds to the given actionlist of ioctl sandboxing.
- syd_ioctl_del - Removes the first instance from the end of the given actionlist of ioctl sandboxing.
- syd_ioctl_deny - Adds a request to the ioctl(2) denylist.
- syd_ioctl_rem - Removes all matching patterns from the given actionlist of ioctl sandboxing.
- syd_load - Causes syd to read configuration from the given file descriptor.
- syd_lock - Sets the state of the sandbox lock.
- syd_mem_max - Set syd maximum per-process memory usage limit for memory sandboxing.
- syd_mem_vm_max - Set syd maximum per-process virtual memory usage limit for memory sandboxing.
- syd_mkdev_add - Adds to the given actionlist of mkdev sandboxing.
- syd_mkdev_del - Removes the first instance from the end of the given actionlist of mkdev sandboxing.
- syd_mkdev_rem - Removes all matching patterns from the given actionlist of mkdev sandboxing.
- syd_mkdir_add - Adds to the given actionlist of mkdir sandboxing.
- syd_mkdir_del - Removes the first instance from the end of the given actionlist of mkdir sandboxing.
- syd_mkdir_rem - Removes all matching patterns from the given actionlist of mkdir sandboxing.
- syd_mkfifo_add - Adds to the given actionlist of mkfifo sandboxing.
- syd_mkfifo_del - Removes the first instance from the end of the given actionlist of mkfifo sandboxing.
- syd_mkfifo_rem - Removes all matching patterns from the given actionlist of mkfifo sandboxing.
- syd_mktemp_add - Adds to the given actionlist of mktemp sandboxing.
- syd_mktemp_del - Removes the first instance from the end of the given actionlist of mktemp sandboxing.
- syd_mktemp_rem - Removes all matching patterns from the given actionlist of mktemp sandboxing.
- syd_net_bind_add - Adds to the given actionlist of net/bind sandboxing.
- syd_net_bind_del - Removes the first instance from the end of the given actionlist of net/bind sandboxing.
- syd_net_bind_rem - Removes all matching patterns from the given actionlist of net/bind sandboxing.
- syd_net_connect_add - Adds to the given actionlist of net/connect sandboxing.
- syd_net_connect_del - Removes the first instance from the end of the given actionlist of net/connect sandboxing.
- syd_net_connect_rem - Removes all matching patterns from the given actionlist of net/connect sandboxing.
- syd_net_link_add - Adds to the given actionlist of net/link sandboxing.
- syd_net_link_del - Removes the first instance from the end of the given actionlist of net/link sandboxing.
- syd_net_link_rem - Removes all matching patterns from the given actionlist of net/link sandboxing.
- syd_net_sendfd_add - Adds to the given actionlist of net/sendfd sandboxing.
- syd_net_sendfd_del - Removes the first instance from the end of the given actionlist of net/sendfd sandboxing.
- syd_net_sendfd_rem - Removes all matching patterns from the given actionlist of net/sendfd sandboxing.
- syd_panic - Causes syd to exit immediately with code 127
- syd_pid_max - Set syd maximum process id limit for PID sandboxing
- syd_read_add - Adds to the given actionlist of read sandboxing.
- syd_read_del - Removes the first instance from the end of the given actionlist of read sandboxing.
- syd_read_rem - Removes all matching patterns from the given actionlist of read sandboxing.
- syd_readdir_add - Adds to the given actionlist of readdir sandboxing.
- syd_readdir_del - Removes the first instance from the end of the given actionlist of readdir sandboxing.
- syd_readdir_rem - Removes all matching patterns from the given actionlist of readdir sandboxing.
- syd_rename_add - Adds to the given actionlist of rename sandboxing.
- syd_rename_del - Removes the first instance from the end of the given actionlist of rename sandboxing.
- syd_rename_rem - Removes all matching patterns from the given actionlist of rename sandboxing.
- syd_reset - Causes syd to reset sandboxing to the default state. Allowlists, denylists and filters are going to be cleared.
- syd_rmdir_add - Adds to the given actionlist of rmdir sandboxing.
- syd_rmdir_del - Removes the first instance from the end of the given actionlist of rmdir sandboxing.
- syd_rmdir_rem - Removes all matching patterns from the given actionlist of rmdir sandboxing.
- syd_segvguard_expiry - Specify SegvGuard entry expiry timeout in seconds. Setting this timeout to 0 effectively disables SegvGuard.
- syd_segvguard_maxcrashes - Specify SegvGuard max number of crashes before suspension.
- syd_segvguard_suspension - Specify SegvGuard entry suspension timeout in seconds.
- syd_stat_add - Adds to the given actionlist of stat sandboxing.
- syd_stat_del - Removes the first instance from the end of the given actionlist of stat sandboxing.
- syd_stat_rem - Removes all matching patterns from the given actionlist of stat sandboxing.
- syd_symlink_add - Adds to the given actionlist of symlink sandboxing.
- syd_symlink_del - Removes the first instance from the end of the given actionlist of symlink sandboxing.
- syd_symlink_rem - Removes all matching patterns from the given actionlist of symlink sandboxing.
- syd_truncate_add - Adds to the given actionlist of truncate sandboxing.
- syd_truncate_del - Removes the first instance from the end of the given actionlist of truncate sandboxing.
- syd_truncate_rem - Removes all matching patterns from the given actionlist of truncate sandboxing.
- syd_utime_add - Adds to the given actionlist of utime sandboxing.
- syd_utime_del - Removes the first instance from the end of the given actionlist of utime sandboxing.
- syd_utime_rem - Removes all matching patterns from the given actionlist of utime sandboxing.
- syd_write_add - Adds to the given actionlist of write sandboxing.
- syd_write_del - Removes the first instance from the end of the given actionlist of write sandboxing.
- syd_write_rem - Removes all matching patterns from the given actionlist of write sandboxing.
Type Aliases§
- action_t - The action_t type represents possible sandboxing action values.
- lock_state_t - The lock_state_t type represents possible states for the sandbox lock.