Crate syd

syd: The ☮ther SⒶndbøx

Shine On You Crazy Diamond!

syd is a seccomp(2) based sandboxing utility for modern Linux [>=5.6] machines that sandboxes unwanted process access to filesystem and network resources. syd requires no root access and no ptrace rights. All you need is a recent Linux kernel and libsecc☮mp, which is available on many different architectures, including x86, x86_64, x32, arm, aarch64, mips, mips64… This makes it very easy for a regular user to use. This is the motto of syd: bring easy, simple, flexible and powerful access restriction to the Linux user!

The basic idea of syd is to run a command under certain restrictions. These restrictions define which system calls the command is permitted to make and which argument values are permitted for a given system call. The restrictions may be applied in two ways. seccomp-bpf can be used to apply simple Secure Computing user filters, so that sandboxing runs fully in kernel space. Alternatively, the seccomp-notify functionality can be used to run sandboxing in kernel space and fall back to user space to dereference the pointer arguments of system calls (see Security about TOCTOU et al.), which are one of a pathname, a UNIX socket address, or an IPv4 or IPv6 network address. syd then makes dynamic decisions using Unix shell style patterns such as allow/write+/home/syd/*** or allow/write+/run/user/*/pulse for pathnames, and CIDR notation such as allow/net/connect+127.0.0.1/8!9050 or allow/net/connect+::1/8!9050 for IPv4 and IPv6 addresses, and performs an action, which by default is denying the system call with an appropriate error, usually access denied, aka EACCES. For system calls that are disallowed by default, such as ptrace or process_vm_writev (see Security about TOCTOU et al.), syd returns EACCES as well.
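As an added illustration of the CIDR-style network rules described above (example code written for this page, not code from the syd crate), this parses allow/net/connect rules and evaluates a connect(2) destination against them, denying with EACCES by default. It assumes that /N is a CIDR prefix length and !P an exact destination port; the type and function names are my own.

```rust
use std::net::IpAddr;

pub const EACCES: i32 = 13; // Linux errno for "access denied", syd's default answer

/// One parsed rule of the form `allow/net/connect+ADDR/PREFIX!PORT`.
/// Assumption (not from the page): `/PREFIX` is a CIDR length, `!PORT` an exact port.
#[derive(Debug, PartialEq)]
pub struct NetRule { pub ip: IpAddr, pub prefix: u8, pub port: u16 }

/// Parse a rule string; None for anything that is not a well-formed connect rule.
pub fn parse_rule(rule: &str) -> Option<NetRule> {
    let spec = rule.strip_prefix("allow/net/connect+")?;
    let (addr, port) = spec.rsplit_once('!')?;
    let (ip, prefix) = addr.rsplit_once('/')?;
    let ip: IpAddr = ip.parse().ok()?;
    let prefix: u8 = prefix.parse().ok()?;
    let max_prefix = if ip.is_ipv4() { 32 } else { 128 };
    if prefix > max_prefix {
        return None; // reject e.g. 10.0.0.0/33 instead of silently widening the rule
    }
    Some(NetRule { ip, prefix, port: port.parse().ok()? })
}

/// True when `addr` lies inside `net/prefix`; a v4 rule never matches a v6 peer or vice versa.
fn in_prefix(net: IpAddr, prefix: u8, addr: IpAddr) -> bool {
    match (net, addr) {
        (IpAddr::V4(n), IpAddr::V4(a)) => {
            let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - u32::from(prefix)) };
            (u32::from(n) & mask) == (u32::from(a) & mask)
        }
        (IpAddr::V6(n), IpAddr::V6(a)) => {
            let mask = if prefix == 0 { 0 } else { u128::MAX << (128 - u32::from(prefix)) };
            (u128::from(n) & mask) == (u128::from(a) & mask)
        }
        _ => false,
    }
}

/// Decide a connect(2) to `addr:port`: any matching allow rule permits it,
/// otherwise deny with EACCES, mirroring syd's default action.
pub fn check_connect(rules: &[NetRule], addr: IpAddr, port: u16) -> Result<(), i32> {
    if rules.iter().any(|r| r.port == port && in_prefix(r.ip, r.prefix, addr)) {
        Ok(())
    } else {
        Err(EACCES)
    }
}
```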

To be able to use syd, you need a recent Linux kernel with the system calls pidfd_getfd and pidfd_send_signal. The Secure Computing facility of the Linux kernel should support the SECCOMP_USER_NOTIF_FLAG_CONTINUE operation. It is recommended to have the CONFIG_CROSS_MEMORY_ATTACH kernel option enabled; if it is not, syd falls back to reading from and writing to /proc/$pid/mem. Linux 5.11 or later is recommended.

Modules

api
JSON serializers for syd(2) API
asm
Assembly instruction decoder
cache
Utilities for caching
caps
Interface to Linux capabilities. A pure-Rust library to work with Linux capabilities.
compat
Compatibility code for different libcs
config
Static configuration, edit & recompile!
confine
Sandboxing utilities
dns
DNS utilities
elf
ELF parser. Set of functions to manage parsing ELF files.
err
Error types and error handling code.
fs
Filesystem utilities. Set of functions to manage files and symlinks.
hash
Utilities for hashing
hook
Secure computing hooks
ioctl
ioctl(2) request decoder
landlock
Interface to the Landlock LSM. Landlock is a security feature available since Linux 5.13. Its goal is to make it possible to restrict ambient rights (e.g., global filesystem access) for a set of processes by creating safe security sandboxes as new security layers in addition to the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs and of unexpected or malicious behaviors in applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself. More information about Landlock can be found on the official website.
landlock_policy
Landlock policy helper library for Syd
log
Simple logging on standard error using JSON lines
magic
magic symlink utilities
parsers
/proc and syd(2) nom parsers
path
Path handling for UNIX
proc
/proc utilities
ptrace
ptrace(2) utilities
sandbox
Sandbox configuration
seal
Execute program as sealed anonymous file
sealbox
SealBox for type-safe sealing/protecting
sigset
Portable sigset that can handle reserved signals
spec
Interface to the Linux prctl(2) speculation misfeature interface. Set of functions to manage speculation misfeatures.
sysinfo
sysinfo(2) interface
syslog
syslog(2) interface
timer
Per-thread SIGALRM timer
unshare
The low-level interface for Linux namespaces (containers). The Command type has mostly the same API as std::process::Command, except where a difference is absolutely needed.
wildmatch
Shell-style wildcard matching
wordexp
Interface to wordexp(3)

Macros

T
Write a formatted message to an invalid fd.
alert
alert! logging macro
crit
crit! logging macro
debug
debug! logging macro
emerg
emerg! logging macro
error
error! logging macro
info
info! logging macro
lasterrno
A macro to create a SydError from the last errno.
log_enabled
Returns whether given log level is enabled.
main
Convenience macro to define a main function with correct errno return.
make_bitflags
notice
notice! logging macro
rwrite
write! which retries on EINTR and EAGAIN.
rwriteln
writeln! which retries on EINTR and EAGAIN.
t
Write a formatted message to an invalid fd.
warn
warn! logging macro
xpath
Generate a formatted XPathBuf.

Functions

check_cross_memory_attach
Check for CONFIG_CROSS_MEMORY_ATTACH support.
get_user_home
Given a username, return the home directory of the user. On any error conditions, return “/proc/self/fdinfo”.
get_user_name
Given a Uid, return the user name of the user. On any error conditions, return “nobody”.
human_size
Simple human size formatter.
ignore_signal
Sets the specified signal to be ignored.
ignore_signals
Ignores all signals except SIG{KILL,STOP,PIPE,CHLD}, and all signals with default action Core.
loopback_set_bigtcp
Functionally equivalent to “ip link set dev $ifindex g{r,s}o_max_size $max_size”, which sets BIGTCP if available, see: https://lwn.net/Articles/884104/
loopback_set_up
Functionally equivalent to “ifconfig lo up”.
reset_signal
Sets the specified signal to be set to its default action.
reset_signals
Reset all signals to their default dispositions.
set_sigpipe_dfl
Set SIGPIPE handler to default.
syd_info
Print Syd version information, and information about the system to standard output.
t
Write the message to the invalid fd -31415. The idea is to look for it in strace logs.