syd: The ☮ther SⒶndbøx
syd is a seccomp(2) based sandboxing utility for modern Linux[>=5.6] machines to sandbox unwanted process access to filesystem and network resources. syd requires no root access and no ptrace rights. All you need is a recent Linux kernel and libsecc☮mp which is available on many different architectures, including x86, x86_64, x32, arm, aarch64, mips, mips64… This makes it very easy for a regular user to use. This is the motto of syd: bring easy, simple, flexible and powerful access restriction to the Linux user!
The basic idea of syd is to run a command under certain restrictions. These restrictions define which system calls the command is permitted to run and which argument values are permitted for the given system call. The restrictions may be applied in two ways. seccomp-bpf can be used to apply simple Secure Computing user filters to run sandboxing fully in kernel space, and seccomp-notify functionality can be used to run sandboxing in kernel space and fall back to user space to dereference pointer arguments of system calls (see Security about TOCTOU et al.), which are one of pathname, UNIX socket address, IPv4 or IPv6 network address. In user space syd makes dynamic decisions using Unix shell style patterns such as allow/write+/home/syd/*** or allow/write+/run/user/*/pulse for pathnames, and using CIDR notation such as allow/net/connect+127.0.0.1/8!9050 or allow/net/connect+::1/8!9050 for IPv4 and IPv6 addresses, and then performs an action. The default action is denying the system call with an appropriate error, which is usually access denied, aka EACCES. For default disallowed system calls, such as ptrace or process_vm_writev (see Security about TOCTOU et al.), syd returns EACCES as well.
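The network rule syntax quoted above (an address in CIDR notation followed by a port) can be checked with a small matcher. The code below is an added example and not code from the syd crate: it assumes that the token after '!' is the port number, that the number after '/' is a standard CIDR prefix length, that a target matching no allow rule is denied, and that a later matching rule overrides an earlier one. The names parse_net_rule, decide, NetRule and Action are invented for this illustration.

```rust
use std::net::{IpAddr, SocketAddr};

/// Action a rule carries. Only the "allow" form appears on the page; a
/// target that matches no allow rule is denied (the EACCES default).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action {
    Allow,
    Deny,
}

/// A parsed network rule: action, capability (e.g. "connect"),
/// network prefix and a single port.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct NetRule {
    pub action: Action,
    pub cap: String,
    pub addr: IpAddr,
    pub prefix: u8,
    pub port: u16,
}

/// Parse rules shaped like "allow/net/connect+127.0.0.1/8!9050".
/// Assumption (not stated on the page): the token after '!' is the port.
pub fn parse_net_rule(rule: &str) -> Result<NetRule, String> {
    let (head, spec) = rule.split_once('+').ok_or("missing '+'")?;
    let mut parts = head.split('/');
    let action = match parts.next() {
        Some("allow") => Action::Allow,
        Some("deny") => Action::Deny,
        other => return Err(format!("unknown action {:?}", other)),
    };
    if parts.next() != Some("net") {
        return Err("not a net rule".into());
    }
    let cap = parts.next().ok_or("missing capability")?.to_string();
    if parts.next().is_some() {
        return Err("trailing rule component".into());
    }

    let (cidr, port) = spec.split_once('!').ok_or("missing '!port'")?;
    let port: u16 = port.parse().map_err(|e| format!("bad port: {e}"))?;
    // A missing "/len" means a single host (assumption for this example).
    let (addr, prefix) = match cidr.split_once('/') {
        Some((a, p)) => (a, Some(p)),
        None => (cidr, None),
    };
    let addr: IpAddr = addr.parse().map_err(|e| format!("bad address: {e}"))?;
    let max = if addr.is_ipv4() { 32 } else { 128 };
    let prefix: u8 = match prefix {
        Some(p) => p.parse().map_err(|e| format!("bad prefix: {e}"))?,
        None => max,
    };
    if prefix > max {
        return Err(format!("prefix /{prefix} exceeds /{max}"));
    }
    Ok(NetRule { action, cap, addr, prefix, port })
}

/// True if `target` lies inside the rule's network prefix. Address
/// families never match each other.
fn in_prefix(rule: &NetRule, target: IpAddr) -> bool {
    match (rule.addr, target) {
        (IpAddr::V4(net), IpAddr::V4(ip)) => {
            let mask = if rule.prefix == 0 { 0 } else { u32::MAX << (32 - rule.prefix) };
            (u32::from(net) & mask) == (u32::from(ip) & mask)
        }
        (IpAddr::V6(net), IpAddr::V6(ip)) => {
            let mask = if rule.prefix == 0 { 0 } else { u128::MAX << (128 - rule.prefix) };
            (u128::from(net) & mask) == (u128::from(ip) & mask)
        }
        _ => false,
    }
}

/// Evaluate a socket target against an ordered rule list for one
/// capability. Default is deny; the last matching rule wins (assumption).
pub fn decide(rules: &[NetRule], cap: &str, target: SocketAddr) -> Action {
    rules
        .iter()
        .filter(|r| r.cap == cap && r.port == target.port() && in_prefix(r, target.ip()))
        .map(|r| r.action)
        .last()
        .unwrap_or(Action::Deny)
}

fn main() {
    // Constructed rule set built from the two rules quoted on the page.
    let rules: Vec<NetRule> = ["allow/net/connect+127.0.0.1/8!9050", "allow/net/connect+::1/8!9050"]
        .iter()
        .map(|r| parse_net_rule(r).expect("valid rule"))
        .collect();
    // Constructed connect(2) targets.
    for t in ["127.0.0.1:9050", "127.5.5.5:9050", "127.0.0.1:443", "[::1]:9050", "[2001:db8::1]:9050"] {
        let sa: SocketAddr = t.parse().unwrap();
        println!("{t:>20} -> {:?}", decide(&rules, "connect", sa));
    }
}
```

Two things worth noticing when writing such rules: a /8 on 127.0.0.1 permits the whole loopback block, not just one address, and ::1/8 is the prefix ::/8, which also covers IPv4-mapped addresses of the form ::ffff:a.b.c.d. Both are ordinary CIDR semantics, so a rule should carry the narrowest prefix that still does the job.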
To be able to use syd, you need a recent Linux kernel with the system calls pidfd_getfd and pidfd_send_signal. The Secure Computing facility of the Linux kernel should support the SECCOMP_USER_NOTIF_FLAG_CONTINUE operation. It is recommended to have the CONFIG_CROSS_MEMORY_ATTACH kernel option enabled; if this option is not enabled, syd will fall back to reading/writing from /proc/$pid/mem. Linux-5.11 or later is recommended.
Modules
- cache - Utilities for caching
- caps - Interface to Linux capabilities. A pure-Rust library to work with Linux capabilities.
- compat - Compatibility code for different libcs
- config - Static configuration, edit & recompile!
- dns - DNS utilities
- elf - ELF parser. Set of functions to manage parsing ELF files
- err - Error types and error handling code.
- fs - Filesystem utilities. Set of functions to manage files and symlinks
- hash - Utilities for hashing
- hook - Secure computing hooks
- landlock - Interface to LandLock LSM. Landlock is a security feature available since Linux 5.13. The goal is to enable restricting ambient rights (e.g., global filesystem access) for a set of processes by creating safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs, unexpected or malicious behaviors in applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. More information about Landlock can be found on the official website.
- landlock_policy - Landlock policy helper library for Syd
- log - Simple logging on standard error using JSON lines
- path - Path handling for UNIX
- proc - /proc utilities
- ptrace - ptrace(2) utilities
- sandbox - Sandbox configuration
- seal - Execute program as sealed anonymous file
- sealbox - SealBox for type-safe sealing/protecting
- spec - Interface to Linux prctl(2) speculation misfeature interface. Set of functions to manage speculation misfeature
- sysinfo - sysinfo(2) interface
- syslog - syslog(2) interface
- unshare - The low-level interface for linux namespaces (containers). The Command has mostly the same API as std::process::Command except where it is absolutely needed.
- wildmatch - Shell-style wildcard matching
- wordexp - Interface to wordexp(3)
Macros
- T - Write a formatted message to an invalid fd.
- alert - alert! logging macro
- crit - crit! logging macro
- debug - debug! logging macro
- emerg - emerg! logging macro
- error - error! logging macro
- info - info! logging macro
- lasterrno - A macro to create a SydError from the last errno.
- log_enabled - Returns whether the given log level is enabled.
- make_bitflags
- notice - notice! logging macro
- t - Write a formatted message to an invalid fd.
- warn - warn! logging macro
- xpath - Generate a formatted XPathBuf.
Structs
- ScmpNotifReq - Represents a seccomp notify request. We redefine this because the libseccomp struct is non-exhaustive.
- SydMemoryMap - A wrapper type that wraps MemoryMap and provides Serialize.
- SydSigSet - A sigset that can handle reserved signals.
- Sydcall - Simple wrapper over ScmpSyscall and ScmpArch to provide Display.
Enums
- ExportMode - Seccomp sandbox profile export modes.
Constants
- CLONE_NEWTIME - CLONE_NEWTIME constant to create time namespaces.
- MS_NOSYMFOLLOW - MS_NOSYMFOLLOW is Linux>=5.10 and not defined by libc yet.
Functions
- bring_up_loopback - Functionally equivalent to “ifconfig lo up”.
- check_fd_leaks - Check for file descriptor leaks above the standard input, output, and error.
- extend_ioctl - Extends the ioctl value if necessary.
- fork_fast ⚠ - Fork fast.
- get_user_home - Given a username, return the home directory of the user. On any error conditions, return “/proc/self/fdinfo”.
- get_user_name - Given a Uid, return the user name of the user. On any error conditions, return “nobody”.
- human_size - Simple human size formatter.
- ignore_signal - Sets the specified signal to be ignored.
- ignore_signals - Ignores all signals except SIG{KILL,STOP,PIPE,CHLD}, and all signals with default action Core.
- lock_enabled - Checks if the given LandLock ABI is supported. Returns:
- ns_enabled - Checks if the given namespaces are enabled.
- nsflag_name - Convert a CLONE namespace flag to its String representation.
- nsflags_name - Convert CLONE namespace flags to a Vector of Strings.
- print_seccomp_architectures - Print list of libseccomp’s supported architectures. Used by syd --arch list
- reset_signal - Sets the specified signal to its default action.
- reset_signals - Reset all signals to their default dispositions.
- safe_drop_cap - Drop a Capability from the Effective, Ambient, Inheritable and Permitted capsets.
- scmp_arch - Helper function to convert raw arch value to ScmpArch.
- scmp_arch_bits - Check if arch is 64-bit or 32-bit.
- scmp_arch_raw - Helper function to convert ScmpArch to raw arch values.
- scmp_big_endian - Helper function to determine if the architecture is big-endian.
- seccomp_add_architectures - Add all supported architectures to the given filter.
- seccomp_native_has_socketcall - Return true if the native architecture has the multiplexed socketcall system call. Panics if it cannot determine the native architecture.
- set_sigpipe_dfl - Set SIGPIPE handler to default.
- syd_enabled - Returns true if we are running under syd.
- syd_info - Print Syd version information, and information about the system, to standard output.
- t - Write the message to the invalid fd -31415. The idea is to look for it in strace logs.