SYD(7)                 Miscellaneous Information Manual                 SYD(7)
NAME
       Overview of sandboxing with Syd
SANDBOXING
       The available sandboxing categories are listed below:
       walk
              Confine path traversals. This category is used during path
              canonicalization to confine path traversals; as such, its
              arguments are not necessarily fully canonicalized paths, but
              they are guaranteed to be absolute paths without any . (dot)
              or .. (dotdot) components. It has been split from the stat
              category as of version 3.39.0. Together with the stat
              category, path hiding provides a full implementation that is
              resilient against attempts to unhide otherwise hidden paths
              by passing through them during path canonicalization. For
              reference, OpenBSD's unveil(2) pioneered similar capabilities
              and remains a mature reference implementation.

       list
              Confine directory listings. This category is used during
              directory listings with the getdents(2) and getdents64(2)
              system calls to filter out disallowed path patterns. It has
              been split from the stat category as of version 3.53.0.

       stat
              Confine file metadata accesses. The filtered system calls are
              access(2), faccessat(2), faccessat2(2), stat(2), fstat(2),
              lstat(2), statx(2), newfstatat(2), statfs(2), statfs64(2),
              fstatfs(2), and fstatfs64(2). In addition, paths may be
              masked using the mask command, in which case all filtered
              system calls on the path are executed on the character
              device /dev/null instead. Refer to the description of the
              mask command in the syd(2) manual page for more information.
       read
              Confine file reads and extended attribute reads. The filtered
              system calls are open(2), openat(2) and openat2(2) with the
              O_RDONLY or O_RDWR flags, getxattr(2), getxattrat(2),
              lgetxattr(2), fgetxattr(2), listxattr(2), listxattrat(2),
              flistxattr(2), and llistxattr(2).

       write
              Confine file writes. The filtered system calls are open(2),
              openat(2) and openat2(2) with the O_WRONLY or O_RDWR flags.

       exec
              Confine binary execution and dynamic library loading. The
              filtered system calls are execve(2), execveat(2), mmap(2),
              mmap2(2), and memfd_create(2). For scripts, the access check
              is done for both the script and the interpreter binary. As of
              version 3.16.3, Syd also checks the paths of the dynamic
              libraries an executable is linked against for exec access.
              This only works for ELF binaries. As of version 3.21.2, Syd
              seals memory file descriptors as non-executable by default;
              therefore memory file descriptors are not checked for exec
              access unless the option trace/allow_unsafe_memfd:1 is set to
              lift this restriction. As of version 3.21.3, Syd hooks into
              the mmap(2) and mmap2(2) system calls and checks the file
              descriptor for exec access when the memory protection mode
              includes PROT_EXEC and the flags do not include
              MAP_ANONYMOUS, which typically indicates a dlopen(3).
              Therefore, libraries dynamically loaded at runtime are
              checked for exec access as well. In addition, SegvGuard is
              used to deny execution of a binary that is crashing
              repeatedly, similar to the implementation in Grsecurity and
              HardenedBSD. Refer to the SegvGuard section for more
              information.
       ioctl
              Confine ioctl(2) requests. Use lock/ioctl to confine the
              ioctl(2) system call for filesystem access. This feature may
              be used to safely expose devices such as GPU, PTY, DRM, and
              KVM. ioctl(2) requests may be allowed or denied by adding
              them to the respective list using the allow/ioctl+ and
              deny/ioctl+ options. As of version 3.38.0,
              architecture-agnostic ioctl(2) decoding was introduced,
              allowing ioctls to be specified by name in addition to
              numeric values. Refer to the syd(2) manual page for more
              information.

       create
              Confine creation of regular files and memory file
              descriptors. The filtered system calls are creat(2),
              mknod(2), mknodat(2), memfd_create(2), and memfd_secret(2).
              In addition, the open system calls open(2), openat(2), and
              openat2(2) are filtered if the flag O_CREAT is set and the
              flag O_TMPFILE is not set in the arguments. The
              memfd_create(2) name argument is prepended with !memfd:
              before the access check. Use e.g. deny/create+!memfd:** to
              deny access to memory file descriptors regardless of name.
              As of version 3.37.0, the memfd_create(2) name argument is
              prepended with !memfd-hugetlb: before the access check in
              case the flags include MFD_HUGETLB. As of version 3.50.0,
              memfd_secret(2) is confined with the !secretmem keyword. Use
              e.g. allow/create,truncate+!secretmem.

       delete
              Confine file deletions. The filtered system calls are
              unlink(2) and unlinkat(2). As of version 3.33.0, unlinkat(2)
              is confined by this category if and only if AT_REMOVEDIR is
              not set in the flags; otherwise it is confined by the rmdir
              category.
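       The flag rules stated above for open(2) (read/write/create),
       memfd_create(2) (!memfd: and !memfd-hugetlb: prefixes), unlinkat(2)
       (delete versus rmdir) and mmap(2) (when the mapped descriptor gets an
       exec check) are easy to misjudge when auditing a profile. The
       following Python script is an added illustration that models those
       rules as this page states them; it is not Syd's own code, the
       helper names are assumptions, and the constants are the generic
       Linux ABI values.

```python
# Added illustration of the syd(7) flag rules; not Syd's own code.
# Constants are generic Linux ABI values (x86_64/aarch64).
O_ACCMODE = 0o3
O_RDONLY, O_WRONLY, O_RDWR = 0o0, 0o1, 0o2
O_CREAT = 0o100
O_TMPFILE = 0o20200000      # __O_TMPFILE | O_DIRECTORY
MFD_HUGETLB = 0x4
AT_REMOVEDIR = 0x200
PROT_EXEC = 0x4
MAP_ANONYMOUS = 0x20


def open_categories(flags):
    """Categories an open(2)/openat(2)/openat2(2) call is checked against:
    read for O_RDONLY/O_RDWR, write for O_WRONLY/O_RDWR, and create when
    O_CREAT is set and O_TMPFILE is not."""
    mode = flags & O_ACCMODE
    cats = set()
    if mode in (O_RDONLY, O_RDWR):
        cats.add("read")
    if mode in (O_WRONLY, O_RDWR):
        cats.add("write")
    if flags & O_CREAT and (flags & O_TMPFILE) != O_TMPFILE:
        cats.add("create")
    return cats


def memfd_check_path(name, flags):
    """Pseudo-path the create category matches for memfd_create(2): the
    name prefixed with !memfd:, or !memfd-hugetlb: when MFD_HUGETLB is
    given, so deny/create+!memfd:** covers every plain memfd name."""
    prefix = "!memfd-hugetlb:" if flags & MFD_HUGETLB else "!memfd:"
    return prefix + name


def unlinkat_category(flags):
    """unlinkat(2) belongs to delete unless AT_REMOVEDIR selects rmdir."""
    return "rmdir" if flags & AT_REMOVEDIR else "delete"


def mmap_needs_exec_check(prot, flags):
    """The mapped descriptor gets an exec access check only for a
    PROT_EXEC, file-backed (non-anonymous) mapping, as dlopen(3) does."""
    return bool(prot & PROT_EXEC) and not (flags & MAP_ANONYMOUS)


if __name__ == "__main__":
    print(sorted(open_categories(O_RDWR | O_CREAT)))   # ['create', 'read', 'write']
    print(memfd_check_path("jit-cache", MFD_HUGETLB))  # !memfd-hugetlb:jit-cache
    print(unlinkat_category(AT_REMOVEDIR))             # rmdir
    print(mmap_needs_exec_check(PROT_EXEC, 0x2))       # True (MAP_PRIVATE)
```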
       rename
              Confine file renames and hard links. The filtered system
              calls are rename(2), renameat(2), renameat2(2), link(2), and
              linkat(2).

       readlink
              Confine symbolic link reads. The filtered system calls are
              readlink(2) and readlinkat(2). This category has been split
              from the stat category as of version 3.53.0.

       symlink
              Confine creation of symbolic...