Expand description
§syd: The ☮ther SⒶndbøx
syd is a seccomp(2) based sandboxing utility for modern Linux[>=5.6] machines to sandbox unwanted process access to filesystem and network resources. syd requires no root access and no ptrace rights. All you need is a recent Linux kernel and libsecc☮mp which is available on many different architectures, including x86, x86_64, x32, arm, aarch64, mips, mips64… This makes it very easy for a regular user to use. This is the motto of syd: bring easy, simple, flexible and powerful access restriction to the Linux user!
The basic idea of syd is to run a command under certain restrictions. These
restrictions define which system calls the command is permitted to run and which
argument values are permitted for the given system call. The restrictions may be
applied via two ways. seccomp-bpf can be used to apply simple Secure Computing
user filters to run sandboxing fully on kernel space, and seccomp-notify
functionality can be used to run sandboxing on kernel space and fallback to user
space to dereference pointer arguments of system calls (See
Security about TOCTOU et. al), which are one of
pathname, UNIX socket
address,
IPv4 or
IPv6 network address, and make dynamic
decisions using Unix shell style patterns such as
allow/write+/home/syd/***, or allow/write+/run/user/*/pulse for
pathnames, and using
CIDR notation such as
allow/net/connect+127.0.0.1/8!9050, or
allow/net/connect+::1/8!9050 for
IPv4 and
IPv6 addresses and perform an action
which is by default denying the system call with an appropriate error, which is
usually access denied, aka EACCES. For default disallowed system calls,
such as ptrace or process_vm_writev (See Security about
TOCTOU et. al) syd returns EACCES as well.
To be able to use syd, you need a recent Linux kernel with the system calls
pidfd_getfd, pidfd_send_signal. The Secure Computing facility of the
Linux kernel should support the SECCOMP_USER_NOTIF_FLAG_CONTINUE operation.
It is recommended to have the CONFIG_CROSS_MEMORY_ATTACH kernel option
enabled, if this option is not enabled, syd will fallback to reading/writing
from /proc/$pid/mem. Linux-5.11 or later is recommended.
Modules§
- api
- JSON serializers for syd(2) API
- asm
- Assembly instruction decoder
- cache
- Utilities for caching
- caps
- Interface to Linux capabilities A pure-Rust library to work with Linux capabilities.
- cgroup
- Cgroup v2 management for resource limits Cgroup v2 management for resource limits
- compat
- Compatibility code for different libcs
- config
- Static configuration, edit & recompile!
- confine
- Sandboxing utilities
- cookie
- System call argument cookies
- dns
- DNS utilities
- elf
- ELF parser Set of functions to manage parsing ELF files
- err
- Error types and error handling code.
- fs
- Filesystem utilities Set of functions to manage files and symlinks
- hash
- Utilities for hashing
- hook
- Secure computing hooks
- io
- I/O utilities
- ioctl
- ioctl(2) request decoder
- landlock
- Interface to LandLock LSM Landlock is a security feature available since Linux 5.13. The goal is to enable to restrict ambient rights (e.g., global filesystem access) for a set of processes by creating safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs, unexpected or malicious behaviors in applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. More information about Landlock can be found in the official website.
- landlock_
policy - Landlock policy helper library for Syd
- log
- Simple logging on standard error using JSON lines
- lookup
- Path lookup and canonicalization utilities
- magic
- magic symlink utilities
- mount
- Safe mount interface Safe mount interface
- ofd
- Interface to Open File Description locks Interface to Open File Description locks
- parsers
- /proc and syd(2) nom parsers
- path
- Path handling for UNIX
- proc
- /proc utilities
- ptrace
- ptrace(2) utilities
- req
- seccomp(2) notify request handling
- retry
- Utilities to handle restarting syscalls Utilities to handle restarting syscalls
- rng
- OS Random Number Generator (RNG) interface Set of functions to manage the OS Random Number Generator (RNG)
- sandbox
- Sandbox configuration
- seal
- Execute program as sealed anonymous file
- sealbox
- SealBox
for type-safe sealing/protecting - sigset
- Portable sigset that can handle reserved signals
- spec
- Interface to Linux prctl(2) speculation misfeature interface Set of functions to manage speculation misfeature
- sysinfo
- sysinfo(2) interface
- syslog
- syslog(2) interface
- timer
- Per-thread SIGALRM timer
- unshare
- The low-level interface for linux namespaces (containers)
The
Commandhas mostly same API asstd::process::Commandexcept where is absolutely needed. - uts
- Interface to uname(2)
- wildmatch
- Shell-style wildcard matching
- wordexp
- Interface to wordexp(3)
- xattr
- Extended attribute utilities
Macros§
- T
- Write a formatted message to an invalid fd.
- alert
- alert! logging macro
- crit
- crit! logging macro
- debug
- debug! logging macro
- emerg
- emerg! logging macro
- error
- error! logging macro
- info
- info! logging macro
- lasterrno
- A macro to create a SydError from the last errno.
- log_
enabled - Returns whether given log level is enabled.
- main
- Convenience macro to define a main function with correct errno return.
- make_
bitflags - notice
- notice! logging macro
- printf
- Formatted print which returns Result as Errno rather than panicking.
- printfln
- Formatted println which returns Result as Errno rather than panicking.
- rwrite
- write! which retries on EINTR and EAGAIN.
- rwriteln
- writeln! which retries on EINTR and EAGAIN.
- t
- Write a formatted message to an invalid fd.
- warn
- warn! logging macro
- xpath
- Generate a formatted
XPathBuf.
Structs§
- Ignore
Signal Opts - Represents valid
ignore_signalsoptions.
Functions§
- get_
user_ home - Given a username, return the home directory of the user. On any error conditions, return “/proc/self/fdinfo”.
- get_
user_ name - Given a
Uid, return the user name of the user. On any error conditions, return “nobody”. - human_
size - Simple human size formatter.
- ignore_
signal - Sets the specified signal to be ignored.
- ignore_
signals - Ignores all signals except SIG{ALRM,CHLD,KILL,STOP}.
- loopback_
set_ bigtcp - Functionally equivalent to “ip link set dev $ifindex g{r,s}o_max_size $max_size”, which sets BIGTCP if available, see: https://lwn.net/Articles/884104/
- loopback_
set_ up - Functionally equivalent to “ifconfig lo up”.
- reset_
signal - Sets the specified signal to be set to its default action.
- reset_
signals - Reset all signals to their default dispositions.
- set_
sigpipe_ dfl - Set SIGPIPE handler to default.
- syd_
code_ name - Print Syd code name.
- syd_
info - Print Syd version information, and information about the system to standard output.
- t
- Write the message to the invalid fd -31415. The idea is to look for it in strace logs.