Crate syd

§libsyd - syd API Rust Library

libsyd is a C library written in Rust that implements the syd stat API, providing an interface to syd's /dev/syd. It allows for runtime configuration of, and interaction with, the syd sandboxing environment.

§Overview

The library is designed to interact with the syd sandboxing environment. It offers functions to check and modify the state of the sandbox lock and to perform system calls on /dev/syd.

For more detailed information and usage instructions, refer to the syd manual.

§Author

Ali Polatel alip@chesswob.org

Constants§

ACTION_ABORT
Deny system call, warn and abort the offending process.
ACTION_ALLOW
Allow system call.
ACTION_DENY
Deny system call and warn.
ACTION_EXIT
Warn, and exit Syd immediately with deny errno as exit value.
ACTION_FILTER
Deny system call silently.
ACTION_KILL
Deny system call, warn and kill the offending process.
ACTION_PANIC
Deny system call, warn and panic the current Syd thread.
ACTION_STOP
Deny system call, warn and stop the offending process.
ACTION_WARN
Allow system call and warn.
LOCK_EXEC
The sandbox lock is set to on for all processes except the initial process (syd exec child).
LOCK_OFF
The sandbox lock is off, allowing all sandbox commands.
LOCK_ON
The sandbox lock is on, disallowing all sandbox commands.

Functions§

syd_api
Performs a syd API check.
syd_chattr_add
Adds to the given actionlist of chattr sandboxing.
syd_chattr_del
Removes the first instance from the end of the given actionlist of chattr sandboxing.
syd_chattr_rem
Removes all matching patterns from the given actionlist of chattr sandboxing.
syd_chdir_add
Adds to the given actionlist of chdir sandboxing.
syd_chdir_del
Removes the first instance from the end of the given actionlist of chdir sandboxing.
syd_chdir_rem
Removes all matching patterns from the given actionlist of chdir sandboxing.
syd_check
Performs an lstat system call on the file “/dev/syd”.
syd_chgrp_add
Adds to the given actionlist of chgrp sandboxing.
syd_chgrp_del
Removes the first instance from the end of the given actionlist of chgrp sandboxing.
syd_chgrp_rem
Removes all matching patterns from the given actionlist of chgrp sandboxing.
syd_chmod_add
Adds to the given actionlist of chmod sandboxing.
syd_chmod_del
Removes the first instance from the end of the given actionlist of chmod sandboxing.
syd_chmod_rem
Removes all matching patterns from the given actionlist of chmod sandboxing.
syd_chown_add
Adds to the given actionlist of chown sandboxing.
syd_chown_del
Removes the first instance from the end of the given actionlist of chown sandboxing.
syd_chown_rem
Removes all matching patterns from the given actionlist of chown sandboxing.
syd_chroot_add
Adds to the given actionlist of chroot sandboxing.
syd_chroot_del
Removes the first instance from the end of the given actionlist of chroot sandboxing.
syd_chroot_rem
Removes all matching patterns from the given actionlist of chroot sandboxing.
syd_create_add
Adds to the given actionlist of create sandboxing.
syd_create_del
Removes the first instance from the end of the given actionlist of create sandboxing.
syd_create_rem
Removes all matching patterns from the given actionlist of create sandboxing.
syd_default_block
Set the default action for IP blocklist violations.
syd_default_chattr
Set the default action for Chattr Sandboxing.
syd_default_chdir
Set the default action for Chdir Sandboxing.
syd_default_chgrp
Set the default action for Chgrp Sandboxing.
syd_default_chmod
Set the default action for Chmod Sandboxing.
syd_default_chown
Set the default action for Chown Sandboxing.
syd_default_chroot
Set the default action for Chroot Sandboxing.
syd_default_create
Set the default action for Create Sandboxing.
syd_default_delete
Set the default action for Delete Sandboxing.
syd_default_exec
Set the default action for Exec Sandboxing.
syd_default_force
Set the default action for Force Sandboxing.
syd_default_ioctl
Set the default action for Ioctl Sandboxing.
syd_default_mem
Set the default action for Memory Sandboxing.
syd_default_mkdev
Set the default action for Mkdev Sandboxing.
syd_default_mkdir
Set the default action for Mkdir Sandboxing.
syd_default_mkfifo
Set the default action for Mkfifo Sandboxing.
syd_default_mktemp
Set the default action for Mktemp Sandboxing.
syd_default_net
Set the default action for Network Sandboxing.
syd_default_pid
Set the default action for PID Sandboxing.
syd_default_read
Set the default action for Read Sandboxing.
syd_default_readdir
Set the default action for Readdir Sandboxing.
syd_default_rename
Set the default action for Rename Sandboxing.
syd_default_rmdir
Set the default action for Rmdir Sandboxing.
syd_default_segvguard
Set the default action for SegvGuard.
syd_default_stat
Set the default action for Stat Sandboxing.
syd_default_symlink
Set the default action for Symlink Sandboxing.
syd_default_tpe
Set the default action for TPE Sandboxing.
syd_default_truncate
Set the default action for Truncate Sandboxing.
syd_default_utime
Set the default action for Utime Sandboxing.
syd_default_write
Set the default action for Write Sandboxing.
syd_delete_add
Adds to the given actionlist of delete sandboxing.
syd_delete_del
Removes the first instance from the end of the given actionlist of delete sandboxing.
syd_delete_rem
Removes all matching patterns from the given actionlist of delete sandboxing.
syd_disable_chattr
Disable chattr sandboxing.
syd_disable_chdir
Disable chdir sandboxing.
syd_disable_chgrp
Disable chgrp sandboxing.
syd_disable_chmod
Disable chmod sandboxing.
syd_disable_chown
Disable chown sandboxing.
syd_disable_chroot
Disable chroot sandboxing.
syd_disable_create
Disable create sandboxing.
syd_disable_delete
Disable delete sandboxing.
syd_disable_exec
Disable exec sandboxing.
syd_disable_force
Disable force sandboxing.
syd_disable_ioctl
Disable ioctl sandboxing.
syd_disable_mem
Disable memory sandboxing.
syd_disable_mkdev
Disable mkdev sandboxing.
syd_disable_mkdir
Disable mkdir sandboxing.
syd_disable_mkfifo
Disable mkfifo sandboxing.
syd_disable_mktemp
Disable mktemp sandboxing.
syd_disable_net
Disable net sandboxing.
syd_disable_pid
Disable PID sandboxing.
syd_disable_read
Disable read sandboxing.
syd_disable_readdir
Disable readdir sandboxing.
syd_disable_rename
Disable rename sandboxing.
syd_disable_rmdir
Disable rmdir sandboxing.
syd_disable_stat
Disable stat sandboxing.
syd_disable_symlink
Disable symlink sandboxing.
syd_disable_tpe
Disable TPE sandboxing.
syd_disable_truncate
Disable truncate sandboxing.
syd_disable_utime
Disable utime sandboxing.
syd_disable_write
Disable write sandboxing.
syd_enable_chattr
Enable chattr sandboxing.
syd_enable_chdir
Enable chdir sandboxing.
syd_enable_chgrp
Enable chgrp sandboxing.
syd_enable_chmod
Enable chmod sandboxing.
syd_enable_chown
Enable chown sandboxing.
syd_enable_chroot
Enable chroot sandboxing.
syd_enable_create
Enable create sandboxing.
syd_enable_delete
Enable delete sandboxing.
syd_enable_exec
Enable exec sandboxing.
syd_enable_force
Enable force sandboxing.
syd_enable_ioctl
Enable ioctl sandboxing.
syd_enable_mem
Enable memory sandboxing.
syd_enable_mkdev
Enable mkdev sandboxing.
syd_enable_mkdir
Enable mkdir sandboxing.
syd_enable_mkfifo
Enable mkfifo sandboxing.
syd_enable_mktemp
Enable mktemp sandboxing.
syd_enable_net
Enable net sandboxing.
syd_enable_pid
Enable PID sandboxing.
syd_enable_read
Enable read sandboxing.
syd_enable_readdir
Enable readdir sandboxing.
syd_enable_rename
Enable rename sandboxing.
syd_enable_rmdir
Enable rmdir sandboxing.
syd_enable_stat
Enable stat sandboxing.
syd_enable_symlink
Enable symlink sandboxing.
syd_enable_tpe
Enable TPE sandboxing.
syd_enable_truncate
Enable truncate sandboxing.
syd_enable_utime
Enable utime sandboxing.
syd_enable_write
Enable write sandboxing.
syd_enabled_chattr
Checks if chattr sandboxing is enabled.
syd_enabled_chdir
Checks if chdir sandboxing is enabled.
syd_enabled_chgrp
Checks if chgrp sandboxing is enabled.
syd_enabled_chmod
Checks if chmod sandboxing is enabled.
syd_enabled_chown
Checks if chown sandboxing is enabled.
syd_enabled_chroot
Checks if chroot sandboxing is enabled.
syd_enabled_create
Checks if create sandboxing is enabled.
syd_enabled_crypt
Checks if crypt sandboxing is enabled.
syd_enabled_delete
Checks if delete sandboxing is enabled.
syd_enabled_exec
Checks if exec sandboxing is enabled.
syd_enabled_force
Checks if force sandboxing is enabled.
syd_enabled_ioctl
Checks if ioctl sandboxing is enabled.
syd_enabled_lock
Checks if lock sandboxing is enabled.
syd_enabled_mem
Checks if memory sandboxing is enabled.
syd_enabled_mkdev
Checks if mkdev sandboxing is enabled.
syd_enabled_mkdir
Checks if mkdir sandboxing is enabled.
syd_enabled_mkfifo
Checks if mkfifo sandboxing is enabled.
syd_enabled_mktemp
Checks if mktemp sandboxing is enabled.
syd_enabled_net
Checks if net sandboxing is enabled.
syd_enabled_pid
Checks if PID sandboxing is enabled.
syd_enabled_proxy
Checks if proxy sandboxing is enabled.
syd_enabled_read
Checks if read sandboxing is enabled.
syd_enabled_readdir
Checks if readdir sandboxing is enabled.
syd_enabled_rename
Checks if rename sandboxing is enabled.
syd_enabled_rmdir
Checks if rmdir sandboxing is enabled.
syd_enabled_stat
Checks if stat sandboxing is enabled.
syd_enabled_symlink
Checks if symlink sandboxing is enabled.
syd_enabled_tpe
Checks if TPE sandboxing is enabled.
syd_enabled_truncate
Checks if truncate sandboxing is enabled.
syd_enabled_utime
Checks if utime sandboxing is enabled.
syd_enabled_write
Checks if write sandboxing is enabled.
syd_exec
Execute a command outside the sandbox without sandboxing.
syd_exec_add
Adds to the given actionlist of exec sandboxing.
syd_exec_del
Removes the first instance from the end of the given actionlist of exec sandboxing.
syd_exec_rem
Removes all matching patterns from the given actionlist of exec sandboxing.
syd_force_add
Adds an entry to the Integrity Force map for Force Sandboxing.
syd_force_clr
Clears the Integrity Force map for Force Sandboxing.
syd_force_del
Removes an entry from the Integrity Force map for Force Sandboxing.
syd_ioctl_add
Adds to the given actionlist of ioctl sandboxing.
syd_ioctl_del
Removes the first instance from the end of the given actionlist of ioctl sandboxing.
syd_ioctl_deny
Adds a request to the ioctl(2) denylist.
syd_ioctl_rem
Removes all matching patterns from the given actionlist of ioctl sandboxing.
syd_load
Causes syd to read configuration from the given file descriptor.
syd_lock
Sets the state of the sandbox lock.
syd_mem_max
Set syd maximum per-process memory usage limit for memory sandboxing.
syd_mem_vm_max
Set syd maximum per-process virtual memory usage limit for memory sandboxing.
syd_mkdev_add
Adds to the given actionlist of mkdev sandboxing.
syd_mkdev_del
Removes the first instance from the end of the given actionlist of mkdev sandboxing.
syd_mkdev_rem
Removes all matching patterns from the given actionlist of mkdev sandboxing.
syd_mkdir_add
Adds to the given actionlist of mkdir sandboxing.
syd_mkdir_del
Removes the first instance from the end of the given actionlist of mkdir sandboxing.
syd_mkdir_rem
Removes all matching patterns from the given actionlist of mkdir sandboxing.
syd_mkfifo_add
Adds to the given actionlist of mkfifo sandboxing.
syd_mkfifo_del
Removes the first instance from the end of the given actionlist of mkfifo sandboxing.
syd_mkfifo_rem
Removes all matching patterns from the given actionlist of mkfifo sandboxing.
syd_mktemp_add
Adds to the given actionlist of mktemp sandboxing.
syd_mktemp_del
Removes the first instance from the end of the given actionlist of mktemp sandboxing.
syd_mktemp_rem
Removes all matching patterns from the given actionlist of mktemp sandboxing.
syd_net_bind_add
Adds to the given actionlist of net/bind sandboxing.
syd_net_bind_del
Removes the first instance from the end of the given actionlist of net/bind sandboxing.
syd_net_bind_rem
Removes all matching patterns from the given actionlist of net/bind sandboxing.
syd_net_connect_add
Adds to the given actionlist of net/connect sandboxing.
syd_net_connect_del
Removes the first instance from the end of the given actionlist of net/connect sandboxing.
syd_net_connect_rem
Removes all matching patterns from the given actionlist of net/connect sandboxing.
syd_net_link_add
Adds to the given actionlist of net/link sandboxing.
syd_net_link_del
Removes the first instance from the end of the given actionlist of net/link sandboxing.
syd_net_link_rem
Removes all matching patterns from the given actionlist of net/link sandboxing.
syd_net_sendfd_add
Adds to the given actionlist of net/sendfd sandboxing.
syd_net_sendfd_del
Removes the first instance from the end of the given actionlist of net/sendfd sandboxing.
syd_net_sendfd_rem
Removes all matching patterns from the given actionlist of net/sendfd sandboxing.
syd_panic
Causes syd to exit immediately with code 127.
syd_pid_max
Set syd maximum process id limit for PID sandboxing.
syd_read_add
Adds to the given actionlist of read sandboxing.
syd_read_del
Removes the first instance from the end of the given actionlist of read sandboxing.
syd_read_rem
Removes all matching patterns from the given actionlist of read sandboxing.
syd_readdir_add
Adds to the given actionlist of readdir sandboxing.
syd_readdir_del
Removes the first instance from the end of the given actionlist of readdir sandboxing.
syd_readdir_rem
Removes all matching patterns from the given actionlist of readdir sandboxing.
syd_rename_add
Adds to the given actionlist of rename sandboxing.
syd_rename_del
Removes the first instance from the end of the given actionlist of rename sandboxing.
syd_rename_rem
Removes all matching patterns from the given actionlist of rename sandboxing.
syd_reset
Causes syd to reset sandboxing to the default state. Allowlists, denylists and filters are going to be cleared.
syd_rmdir_add
Adds to the given actionlist of rmdir sandboxing.
syd_rmdir_del
Removes the first instance from the end of the given actionlist of rmdir sandboxing.
syd_rmdir_rem
Removes all matching patterns from the given actionlist of rmdir sandboxing.
syd_segvguard_expiry
Specify SegvGuard entry expiry timeout in seconds. Setting this timeout to 0 effectively disables SegvGuard.
syd_segvguard_maxcrashes
Specify SegvGuard max number of crashes before suspension.
syd_segvguard_suspension
Specify SegvGuard entry suspension timeout in seconds.
syd_stat_add
Adds to the given actionlist of stat sandboxing.
syd_stat_del
Removes the first instance from the end of the given actionlist of stat sandboxing.
syd_stat_rem
Removes all matching patterns from the given actionlist of stat sandboxing.
syd_symlink_add
Adds to the given actionlist of symlink sandboxing.
syd_symlink_del
Removes the first instance from the end of the given actionlist of symlink sandboxing.
syd_symlink_rem
Removes all matching patterns from the given actionlist of symlink sandboxing.
syd_truncate_add
Adds to the given actionlist of truncate sandboxing.
syd_truncate_del
Removes the first instance from the end of the given actionlist of truncate sandboxing.
syd_truncate_rem
Removes all matching patterns from the given actionlist of truncate sandboxing.
syd_utime_add
Adds to the given actionlist of utime sandboxing.
syd_utime_del
Removes the first instance from the end of the given actionlist of utime sandboxing.
syd_utime_rem
Removes all matching patterns from the given actionlist of utime sandboxing.
syd_write_add
Adds to the given actionlist of write sandboxing.
syd_write_del
Removes the first instance from the end of the given actionlist of write sandboxing.
syd_write_rem
Removes all matching patterns from the given actionlist of write sandboxing.

Type Aliases§

action_t
action_t type represents possible sandboxing action values.
lock_state_t
lock_state_t type represents possible states for the sandbox lock.