§libsyd - syd API Rust Library
libsyd is a C library written in Rust that implements the syd stat API, providing an interface to the /dev/syd of syd. It allows for runtime configuration and interaction with the syd sandboxing environment.
§Overview
The library is designed to interact with the syd sandboxing environment, offering functionalities to check and modify the state of the sandbox lock, and perform system calls to /dev/syd.
For more detailed information and usage instructions, refer to the syd manual.
§Author
Ali Polatel alip@chesswob.org
Enums§
- An enumeration of the possible actions for force sandboxing.
- An enumeration of the possible states for the sandbox lock.
Functions§
- Adds to the allowlist of exec sandboxing.
- Removes the first instance from the end of the allowlist of exec sandboxing.
- Removes all matching patterns from the allowlist of exec sandboxing.
- Adds to the allowlist of net/bind sandboxing.
- Removes the first instance from the end of the allowlist of net/bind sandboxing.
- Removes all matching patterns from the allowlist of net/bind sandboxing.
- Adds to the allowlist of net/connect sandboxing.
- Removes the first instance from the end of the allowlist of net/connect sandboxing.
- Removes all matching patterns from the allowlist of net/connect sandboxing.
- Adds to the allowlist of read sandboxing.
- Removes the first instance from the end of the allowlist of read sandboxing.
- Removes all matching patterns from the allowlist of read sandboxing.
- Adds to the allowlist of stat sandboxing.
- Removes the first instance from the end of the allowlist of stat sandboxing.
- Removes all matching patterns from the allowlist of stat sandboxing.
- Adds to the allowlist of write sandboxing.
- Removes the first instance from the end of the allowlist of write sandboxing.
- Removes all matching patterns from the allowlist of write sandboxing.
- Performs a syd API check.
- Performs an lstat system call on the file “/dev/syd”.
- Adds to the denylist of exec sandboxing.
- Removes the first instance from the end of the denylist of exec sandboxing.
- Removes all matching patterns from the denylist of exec sandboxing.
- Adds to the denylist of net/bind sandboxing.
- Removes the first instance from the end of the denylist of net/bind sandboxing.
- Removes all matching patterns from the denylist of net/bind sandboxing.
- Adds to the denylist of net/connect sandboxing.
- Removes the first instance from the end of the denylist of net/connect sandboxing.
- Removes all matching patterns from the denylist of net/connect sandboxing.
- Adds to the denylist of read sandboxing.
- Removes the first instance from the end of the denylist of read sandboxing.
- Removes all matching patterns from the denylist of read sandboxing.
- Adds to the denylist of stat sandboxing.
- Removes the first instance from the end of the denylist of stat sandboxing.
- Removes all matching patterns from the denylist of stat sandboxing.
- Adds to the denylist of write sandboxing.
- Removes the first instance from the end of the denylist of write sandboxing.
- Removes all matching patterns from the denylist of write sandboxing.
- Disable exec sandboxing.
- Disable force sandboxing.
- Disable memory sandboxing.
- Disable net sandboxing.
- Disable PID sandboxing.
- Disable read sandboxing.
- Disable stat sandboxing.
- Disable write sandboxing.
- Enable exec sandboxing.
- Enable force sandboxing.
- Enable memory sandboxing.
- Enable net sandboxing.
- Enable PID sandboxing.
- Enable read sandboxing.
- Enable stat sandboxing.
- Enable write sandboxing.
- Checks if exec sandboxing is enabled.
- Checks if force sandboxing is enabled.
- Checks if memory sandboxing is enabled.
- Checks if net sandboxing is enabled.
- Checks if PID sandboxing is enabled.
- Checks if read sandboxing is enabled.
- Checks if stat sandboxing is enabled.
- Checks if write sandboxing is enabled.
- Execute a command outside the sandbox without sandboxing.
- Adds to the filter of exec sandboxing.
- Removes the first instance from the end of the filter of exec sandboxing.
- Removes all matching patterns from the filter of exec sandboxing.
- Toggle the reporting of access violations for memory sandboxing.
- Adds to the filter of net/bind sandboxing.
- Removes the first instance from the end of the filter of net/bind sandboxing.
- Removes all matching patterns from the filter of net/bind sandboxing.
- Adds to the filter of net/connect sandboxing.
- Removes the first instance from the end of the filter of net/connect sandboxing.
- Removes all matching patterns from the filter of net/connect sandboxing.
- Toggle the reporting of access violations for PID sandboxing.
- Adds to the filter of read sandboxing.
- Removes the first instance from the end of the filter of read sandboxing.
- Removes all matching patterns from the filter of read sandboxing.
- Adds to the filter of stat sandboxing.
- Removes the first instance from the end of the filter of stat sandboxing.
- Removes all matching patterns from the filter of stat sandboxing.
- Adds to the filter of write sandboxing.
- Removes the first instance from the end of the filter of write sandboxing.
- Removes all matching patterns from the filter of write sandboxing.
- Adds an entry to the Integrity Force map for Force Sandboxing.
- Clears the Integrity Force map for Force Sandboxing.
- Set the default action for Force Sandboxing.
- Removes an entry from the Integrity Force map for Force Sandboxing.
- Adds to the list of glob patterns used to determine which paths should be killed (prevented from executing) in the sandbox.
- Deletes the first matching item from the end of the list of glob patterns used to determine which paths should be killed (prevented from executing) in the sandbox.
- Toggle kill of the offending process for memory sandboxing.
- Toggle kill of the offending process for PID sandboxing.
- Removes all matching items from the list of glob patterns used to determine which paths should be killed (prevented from executing) in the sandbox.
- Causes syd to read configuration from the given file descriptor.
- Sets the state of the sandbox lock.
- Set syd maximum per-process memory usage limit for memory sandboxing.
- Set syd maximum per-process virtual memory usage limit for memory sandboxing.
- Causes syd to exit immediately with code 127.
- Set syd maximum process id limit for PID sandboxing.
- Causes syd to reset sandboxing to the default state. Allowlists, denylists and filters are going to be cleared.
- Specify SegvGuard entry expiry timeout in seconds. Setting this timeout to 0 effectively disables SegvGuard.
- Specify SegvGuard max number of crashes before suspension.
- Specify SegvGuard entry suspension timeout in seconds.