stat

This command causes Syd to output sandbox state on standard error.

reset

This command causes Syd to reset sandboxing to the default state. Allowlists, denylists and filters are going to be cleared. The state of the sandbox lock is not affected by reset. This ensures an unintended reset cannot open window for a sandbox bypass. In addition, the state of Crypt sandboxing is not affected by reset too. This ensures concurrent or near-concurrent encryption operations continue uninterrupted.

panic

This command causes Syd to exit immediately with code 127.

Due to security reasons, this command is only available via the virtual stat call, it may not be used with the -m command line switch or in a configuration file.

Due to safety reasons, panic may not be called when Crypt sandboxing is on. In this case the virtual stat(2) returns -1 and sets errno to "EBUSY". This ensures concurrent or near-concurrent encryption operations continue uninterrupted.

ghost

This command initiates Ghost mode. Ghost mode is irreversible so you can call this command only once during Syd runtime. See Ghost mode section in syd(7) manual page for more information. In case of successful initiation, the virtual stat(2) call returns -1 and sets the errno to "EOWNERDEAD".

Due to security reasons, this command implies "reset", ie. the sandbox state is reset before Ghost mode initiation to ensure there're no run-away exec processes after the invocation of the "ghost" command.

Due to security reasons, this command is only available via the virtual stat call, it may not be used with the -m command line switch or in a configuration file.

config/expand

Given zero as timeout in seconds, which is the default, enables environment variable and tilde expansion using the shellexpand crate. This runs much faster as it does not require confinement, however it does not support command substitution and recursive environment variable expansion like wordexp(3) does. Notably, unset environment variables are not expanded to empty strings. On environment variable lookup errors and UTF-8 decoding errors Syd stops parsing and exits with error. This is done for safety as an unintended empty-string expansion can potentially cause the resulting sandboxing rule to allowlist unintended paths without the user easily noticing it. The user is recommended to set default values for environment variables using the familiar ${HOME:-/var/empty} notation. If you really want empty-string expansion on unset environment variables, you can get this effect using the notation ${HOME:-} but this is not recommended and should be used with care.

Given a positive integer as timeout in seconds, enables environment variable expansion and command substitutiton for configuration using wordexp(3). The fork process which calls /bin/sh for expansion is executed in a confined environment and it is terminated if its runtime exceeds the given timeout. Confinement is done using Landlock, namespaces and seccomp.

Note, this is a static, ie startup-only, setting: For safety reasons, no expansion is performed for runtime configuration.

ipc

Configure sandbox during runtime using the given UNIX socket address with kernel-validated peer authentication. Authentication leverages "SCM_CREDENTIALS" and "SO_PASSCRED" mechanisms to verify that connecting processes share identical UID and GID with the IPC worker process. Authentication UID and GID may be overriden by "ipc/uid" and "ipc/gid" options at startup. This kernel-enforced authentication prevents privilege escalation and unauthorized access by validating credentials on every message, ensuring only the specified user and group or the system administrator can execute IPC commands.

If the argument starts with the character @, the address is taken to be an abstract UNIX socket. Use the keywords none or off to unset a previously set IPC address. The IPC implementation is inspired by HAProxy's stats socket implementation. All responses except the "stats" command are in compact JSON. User is recommended to use the "version" command to check the API version prior to use. As a safety measure, the IPC service is provided as long as the sandbox is unlocked. When the sandbox is locked, the syd_ipc thread exits. This thread makes no attempt to unlink(2) the UNIX domain socket path at startup or exit. The user should perform the cleanup or use abstract sockets which is recommended. To access the socket, an external utility such as socat(1) is required. Socat is a swiss-army knife to connect anything to anything. We use it to connect terminals to the socket, or a couple of stdin/stdout pipes to it for scripts. The two main syntaxes we'll use are the following:

# socat ~/.syd/sandbox.sock stdio
# socat ~/.syd/sandbox.sock readline

The first one is used with scripts. It is possible to send the output of a script to Syd, and pass Syd's output to another script. That's useful for retrieving sandbox configuration as JSON for example. The second one is only useful for issuing commands by hand. It has the benefit that the terminal is handled by the readline library which supports line editing and history, which is very convenient when issuing repeated commands (eg: watch a counter).

The socket supports three operation modes:

• non-interactive, silent
• interactive, silent
• interactive with prompt

The non-interactive mode is the default when socat(1) connects to the socket. In this mode, a single line may be sent. It is processed as a whole, responses are sent back, and the connection closes after the end of the response. This is the mode that scripts and monitoring tools use. A single command may be sent at a time only. The interactive mode allows new commands to be sent after the ones from the previous lines finish. It exists in two variants, one silent, which works like the non-interactive mode except that the socket waits for a new command instead of closing, and one where a prompt is displayed (';') at the beginning of the line. The interactive mode is preferred for advanced tools while the prompt mode is preferred for humans.

The mode can be changed using the "prompt" command. By default, it toggles the interactive+prompt modes. Entering "prompt" in interactive mode will switch to prompt mode. The command optionally takes a specific mode among the following:

• "n": non-interactive mode (single command and quits)
• "i": interactive mode (multiple commands, no prompt)
• "p": prompt mode (multiple commands with a prompt)

Since the default mode is non-interactive, "prompt" must be used as the first command in order to switch it, otherwise the previous command will cause the connection to be closed. Switching to non-interactive mode will result in the connection to be closed after all the commands of the same line complete.

For this reason, when debugging by hand, it's quite common to start with the "prompt" command:

# socat ~/.syd/sandbox.sock readline
prompt
; stats
...
; 

Interactive tools might prefer starting with "prompt i" to switch to interactive mode without the prompt.

The following commands are supported in addition to the syd(2) API:

• stat: Prints sandbox state in compact JSON.
• stats: Prints sandbox state in human-readable format.
• version: Prints IPC api version in compact JSON.

The commands "quit" and "exit" may be used to close a socket connection. The command "ping" is supported for aliveness checks.

ipc/uid

User ID override for IPC authentication. Specifies the UID that connecting processes must possess to authenticate with the IPC worker. Accepts either numeric user IDs or user names. When specified as a user name, the system resolves it to the corresponding UID using getpwnam(3). Defaults to the current process UID obtained via getuid(2). When set, the IPC worker validates that all connecting clients have this exact UID via "SCM_CREDENTIALS" authentication. This setting allows privilege delegation scenarios where the IPC worker runs as one user but accepts connections from processes running as a different specific UID. Set the option to none or off to disable UID authentication for IPC.

ipc/gid

Group ID override for IPC authentication. Specifies the GID that connecting processes must possess to authenticate with the IPC worker. Accepts either numeric group IDs or group names. When specified as a group name, the system resolves it to the corresponding GID using getgrnam(3). Defaults to the current process GID obtained via getgid(2). When set, the IPC worker validates that all connecting clients have this exact GID via "SCM_CREDENTIALS" authentication. This setting enables group-based access control where multiple users belonging to the same group can access the IPC interface. Set the option to none or off to disable GID authentication for IPC.

lock

Set the state of the sandbox lock. Possible values are on, off, exec, and ipc. If the sandbox lock is on no sandbox commands are allowed. If exec is specified, the sandbox lock is set to on for all processes except the initial process, aka Syd exec child. If the sandbox lock is ipc, sandbox commands may only be specified using the IPC socket. Note, the sandbox lock used to default to exec but as a hardening measure and to ensure security by default, as of version 3.17.0, this has been changed such that the default is unset and if no lock clause has been specified by the time Syd executes the initial sandbox process, then the sandbox lock is automatically set to on. This means if no "lock" clause is specified in any of the profiles, configuration files or "-m" CLI arguments, the lock will be on by default. As of version 3.35.2, this default is set to ipc if the "ipc" command was specified but lock was not set explicitly. Setting lock to on at any point during configuration parsing prevents further commands from being emitted by the sandbox. This feature may be used to lock site-wide defaults for a Syd login shell by adding a "lock:on" clause at the end of the site-wide configuration file which prevents Syd from subsequently parsing the user configuration file, practically enforcing the site-wide defaults.

Note, setting lock to off, exec, or ipc at startup makes Syd skip preventing execve(2) and execveat(2) system calls as part of the "Execution Control (EEC)" feature. This is done to allow "cmd/exec" command to execute commands outside the sandbox. This filter to prevent exec(3) is only applied when the sandbox is locked.

log/level

Set the log level. Available log levels are "emerg", "alert", "crit", "error", "warn", "notice", "info", and "debug". Defaults to "warn" unless "SYD_LOG" environment variable is set at startup. Notably, Syd logs access violations with the "warn" log level. You may also use an integer in the closed range [0,7] as an argument to set the level where "0" corresponds to "emerg" and "7" corresponds to "debug".

log/lock/same_exec_off

Disables logging of denied accesses originating from the thread creating the landlock(7) domain, as well as its children, as long as they continue running the same executable code (i.e., without an intervening execve(2) call). This is intended for programs that execute unknown code without invoking execve(2), such as script interpreters. Programs that only sandbox themselves should not set this flag, so users can be notified of unauthorized access attempts via system logs.

This option requires landlock(7) ABI 7 support which is new in Linux-6.15. Setting this option is a NO-OP otherwise. Setting this option is also a NO-OP when sandbox/lock is off. Multiple options may be set or unset at once by passing them as a comma-delimited list. Environment variables in the value are expanded.

log/lock/new_exec_on

Enables logging of denied accesses after an execve(2) call, providing visibility into unauthorized access attempts by newly executed programs within the created landlock(7) domain. This flag is recommended only when all potential executables in the domain are expected to comply with the access restrictions, as excessive audit log entries could make it more difficult to identify critical events.

This option requires landlock(7) ABI 7 support which is new in Linux-6.15. Setting this option is a NO-OP otherwise. Setting this option is also a NO-OP when sandbox/lock is off. Multiple options may be set or unset at once by passing them as a comma-delimited list. Environment variables in the value are expanded. A sandboxer should not log denied access requests to avoid spamming logs, therefore this option is off by default. Use this option to test audit logging.

log/lock/subdomains_off

Disables logging of denied accesses originating from nested landlock(7) domains created by the caller or its descendants. This flag should be set according to runtime configuration, not hardcoded, to avoid suppressing important security events. It is useful for container runtimes or sandboxing tools that may launch programs which themselves create landlock(7) domains and could otherwise generate excessive logs. Unlike log/lock/same_exec_off, this flag only affects future nested domains, not the one being created.

This option requires landlock(7) ABI 7 support which is new in Linux-6.15. Setting this option is a NO-OP otherwise. Setting this option is also a NO-OP when sandbox/lock is off. Multiple options may be set or unset at once by passing them as a comma-delimited list. Environment variables in the value are expanded.

log/verbose

Set verbose logging. In verbose mode, Syd acquires various details about the current seccomp(2) request and adds this information to the access violation JSON payload under the req key. This is primarily intended for malware analysis. When verbose logging is off, which is the default, Syd only logs the process ID of the current seccomp(2) request in addition to the access violation information.

As of version 3.38.0, process name changes using the PR_SET_NAME prctl(2) are logged when verbose mode is on.

pty/row

Set row size for PTY sandboxing. Default is to inherit the window-size. Use the keyword none to unset a previously set value. You may shortly refer to this option as "pty/x".

pty/col

Set column size for PTY sandboxing. Default is to inherit the window-size. Use the keyword none to unset a previously set value. You may shortly refer to this option as "pty/y".

sandbox/stat

Turn Stat sandboxing on or off.

sandbox/read

Turn Read sandboxing on or off.

sandbox/write

Turn Write sandboxing on or off.

sandbox/exec

Turn Exec sandboxing on or off.

sandbox/ioctl

Turn Ioctl sandboxing on or off.

As of version 3.36.0, ioctl(2) requests to block devices are always denied, and ioctl(2) requests to magic links are denied unless "trace/allow_unsafe_magiclinks:1" is set.

sandbox/create

Turn Create sandboxing on or off.

sandbox/delete

Turn Delete sandboxing on or off.

sandbox/rename

Turn Rename sandboxing on or off.

sandbox/symlink

Turn Symlink sandboxing on or off.

sandbox/truncate

Turn Truncate sandboxing on or off.

sandbox/chdir

Turn Chdir sandboxing on or off.

sandbox/readdir

Turn Readdir sandboxing on or off.

sandbox/mkdir

Turn Mkdir sandboxing on or off.

sandbox/rmdir

Turn Rmdir sandboxing on or off.

sandbox/chown

Turn Chown sandboxing on or off.

sandbox/chgrp

Turn Chgrp sandboxing on or off.

sandbox/chmod

Turn Chmod sandboxing on or off.

sandbox/chattr

Turn Chattr sandboxing on or off.

sandbox/chroot

Turn Chroot sandboxing on or off.

sandbox/utime

Turn Utime sandboxing on or off.

sandbox/mkdev

Turn Mkdev sandboxing on or off.

sandbox/mkfifo

Turn Mkfifo sandboxing on or off.

sandbox/mktemp

Turn Mktemp sandboxing on or off.

sandbox/net

Turn Network sandboxing on or off.

sandbox/lock

Turn Landlock sandboxing on or off.

sandbox/force

Turn Force sandboxing on or off.

sandbox/tpe

Turn Trusted Path Execution (TPE) sandboxing on or off.

sandbox/crypt

Turn Crypt sandboxing on or off.

To set this option on, a key must have already been specified with "crypt/key".

Note, setting this sandboxing type to on implies "trace/allow_safe_kcapi:1" to allow cryptographic operations using the Kernel Cryptography API (KCAPI).

Note, setting this sandboxing type to on implies "trace/exit_wait_all:1" so as not to leave any ongoing encryption processes behind on sandbox process exit.

sandbox/proxy

Turn Proxy sandboxing on or off.

Defaults to proxying through TOR. See the options "proxy/addr", "proxy/port", "proxy/ext/host", and "proxy/ext/port" to configure a different proxy.

Implies unshare/net:1.

Requires syd-tor(1) helper utility to be under PATH. syd-tor(1) is executed once at startup, it runs as a single process and this process runs at most as long as the owner Syd process. See the syd-tor(1) manual page for more information.

sandbox/pty

Turn PTY sandboxing on or off.

Requires syd-pty(1) helper utility to be under PATH. syd-pty(1) is executed once at startup, it runs as a single process and this process runs at most as long as the owner Syd process. See the syd-pty(1) manual page for more information. Note, this option has no effect unless both standard input and standard output are attached to a TTY at startup.

sandbox/mem

Turn Memory sandboxing on or off.

For performance reasons, this only works at startup. If not given at startup, Syd will just allow brk(2), mmap(2), mmap2(2), and mremap(2) system calls at seccomp-bpf level. Turning this sandboxing off during runtime is still possible, in this case the respective system calls handlers will do nothing and just continue the calls.

sandbox/pid

Turn PID sandboxing on or off.

default/stat

Specify the default action for Stat sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/read

Specify the default action for Read sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/write

Specify the default action for Write sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/exec

Specify the default action for Exec sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/ioctl

Specify the default action for Ioctl sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/create

Specify the default action for Create sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/delete

Specify the default action for Delete sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "stop", "abort", "kill", "panic", or "exit", where the default is "deny".

default/rename

Specify the default action for Rename sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "stop", "abort", "kill", "panic", or "exit", where the default is "deny".

default/symlink

Specify the default action for Symlink sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "stop", "abort", "kill", "panic", or "exit", where the default is "deny".

default/truncate

Specify the default action for Truncate sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/chdir

Specify the default action for Chdir sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/readdir

Specify the default action for Readdir sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/mkdir

Specify the default action for Mkdir sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/rmdir

Specify the default action for Rmdir sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/chown

Specify the default action for Chown sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/chgrp

Specify the default action for Chgrp sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/chmod

Specify the default action for Chmod sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/chattr

Specify the default action for Chattr sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/chroot

Specify the default action for Chattr sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/utime

Specify the default action for Utime sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/mkdev

Specify the default action for Mkdev sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/mkfifo

Specify the default action for Mkfifo sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/mktemp

Specify the default action for Mktemp sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/net

Specify the default action for Network sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/block

Specify the action for IP blocklist violations.

The value must be exactly one of "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/force

For force sandboxing, define the default action to take when the path of a binary is not in the Integrity Force map.

The value must be either one of "warn", "filter", "deny", "panic", "stop", "abort", "kill", "exit", where the default is "deny".

default/segvguard

Specify the action for SegvGuard access violations.

The value must be exactly one of "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/tpe

Specify the action for TPE sandboxing access violations.

The value must be exactly one of "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "deny".

default/mem

Specify the action for Memory sandboxing access violations.

The value must be exactly one of "allow", "warn", "filter", "deny", "panic", "stop", "abort", "kill", or "exit", where the default is "kill".

default/pid

Specify the action for PID sandboxing access violations.

The value must be either one of "warn", "filter", "stop", "abort", "kill", "exit", where the default is "kill".

default/lock

Specify the compatibility level for Lock sandboxing.

The value must be either one of "kill", "deny", "warn". "kill" stands for the Landlock compatibility level "hard-requirement", whereas "deny" stands for "soft-requirement" and "warn" stands for "best-effort".

As of version 3.35.0, the default level has been promoted from "warn" to "kill" to adhere to the principle of secure defaults. Again, as of this version "ENOENT", aka "No such file or directory" errors are fatal unless compatibility level is set to "best-effort" at startup using "default/lock:warn".

For more information on Landlock compatibility levels, see: https://landlock.io/rust-landlock/landlock/trait.Compatible.html

unshare/mount

Create Mount namespace on startup, implies "unshare/pid:1".

unshare/uts

Create UTS namespace on startup.

unshare/ipc

Create IPC namespace on startup.

unshare/user

Create User namespace on startup.

unshare/pid

Create Pid namespace on startup, implies "unshare/mount:1".

unshare/net

Create Net namespace on startup.

unshare/cgroup

Create CGroup namespace on startup.

unshare/time

Create Time namespace on startup. Syd resets the boot-time clock such that uptime(1) will report container uptime rather than host uptime. Use time command to override default and set alternative time.

root

Change the root mount to the given new root directory at startup using pivot_root(2). Destination path arguments of "bind" commands are interpreted relative to this directory. The directories "$root/dev", and "$root/proc" must exist to mount private filesystems. In addition, target paths of the "bind" commands must also be manually created by the user.

This option does nothing without "unshare/mount:1".

As of version 3.23.14, symbolic links are not followed in any part of the root directory and path traversal using ".." is not permitted. In addition, root directory must be an absolute path, relative paths are not permitted.

As of version 3.35.0, the special keyword tmpfs is supported to make Syd create a temporary, private new root directory with the path "/tmp/syd.XXXXXX" where the last 6 characters are replaced by random characters. See mkdtemp(3) for more information. Syd uses this directory to mount a tmpfs(5) filesystem over the new root filesystem. In this mode, Syd is going to attempt to create target paths inside the private temporary filesystem.

As of version 3.35.2, the special keywords none and off may be used to unset a previously set root directory.

root/map

Map current user to root in the sandbox on startup.

This option does nothing without "unshare/user:1".

root/fake

In fakeroot mode, the system will return a user/group id of 0, mimicking the root user. This allows users to execute commands with apparent root privileges, without actual superuser rights. It's useful for tasks like package building where root-like environment is needed, but not actual root permissions.

name/host

Set host name in the sandbox. Only useful when combined with unshare/uts:1.

name/domain

Set NIS/YP domain name in the sandbox. Only useful when combined with unshare/uts:1.

time

Set clock monotonic and boottime offset (seconds) in Time Namespace.

ioctl/allow

Add to or remove a request from the ioctl(2) request allowlist. Accepts an unsigned 64-bit integer as argument. Prefix with 0x for hexadecimal and 0o for octal input. Use ioctl/allow+<request> to add to, and ioctl/allow-<request> to remove from the allowlist. As of version 3.38.0, ioctl(2) requests may also be specified by case-insensitive name and multiple requests may be added or removed by separating them as a comma-delimited list. Specifying ioctl(2) requests by name is strongly recommended because request numbers may vary by architecture which is handled transparently when the request is specified as a name.

By default the list contains the ioctl(2) requests FIOCLEX, FIONCLEX, FIONBIO, FIONREAD, FIOASYNC, FIOQSIZE, FIFREEZE, FITHAW, FS_IOC_FIEMAP, FIGETBSZ, FICLONE, FICLONERANGE, FIDEDUPERANGE, FS_IOC_GETFSUUID, and FS_IOC_GETFSSYSFSPATH.

Note, for rules added at startup deny rules have precedence over allow rules because the denylist is checked at kernel-space, whereas the allowlist is checked at user-space. For rules added after startup, the last matching rule wins.

ioctl/deny

Add to or remove a request from the ioctl(2) request denylist. Accepts an unsigned 64-bit integer as argument. Prefix with 0x for hexadecimal and 0o for octal input. Use ioctl/deny+<request> to add to, and ioctl/deny-<request> to remove from the allowlist. As of version 3.38.0, ioctl(2) requests may also be specified by case-insensitive name and multiple requests may be added or removed by separating them as a comma-delimited list. Specifying ioctl(2) requests by name is strongly recommended because request numbers may vary by architecture which is handled transparently when the request is specified as a name.

By default the list of denylisted ioctl(2) requests are FIBMAP, FS_IOC_FSGETXATTR, FS_IOC_FSSETXATTR, FS_IOC_SETFLAGS, KDSETKEYCODE, KDSIGACCEPT, TIOCCONS, TIOCLINUX, TIOCSETD, and TIOCSTI.

Note, for security reasons, the ioctl(2) denylist is applied at the parent seccomp-bpf filter at startup. This means the Syd process is included in this restriction as well. This also means, removing elements from this list after startup has no effect. However, if Ioctl sandboxing was enabled at startup, adding new elements to the ioctl(2) denylist will further restrict the ioctl(2) request space.

Note, for rules added at startup, deny rules have precedence over allow rules because the denylist is checked at kernel-space, whereas the allowlist is checked at user-space. For rules added after startup, the last matching rule wins.

Further reading about denylisted ioctl(2) requests:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523
• https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
• http://phrack.org/issues/52/6.html#article
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83efeeeb3d04b22aaed1df99bc70a48fe9d22c4d
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8d1b43f6a6df7bcea20982ad376a000d90906b42
• https://seclists.org/oss-sec/2024/q1/13
• https://seclists.org/oss-sec/2024/q1/14
• https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
• http://lkml.indiana.edu/hypermail/linux/kernel/9907.0/0132.html
• http://linux.derkeiler.com/Mailing-Lists/Kernel/2007-11/msg07723.html

mem/max

This setting specifies the limit on per-process memory usage. Setting this value to 0 disables testing for this type of memory usage. Note, the value is parsed using the parse-size crate. Refer to their documentation for information on formatting.

mem/vm_max

This setting specifies the limit on per-process virtual memory usage. Setting this value to 0 disables testing for this type of memory usage. Note, the value is parsed using the parse-size crate. Refer to their documentation for information on formatting.

pid/max

This setting specifies the limit on the number of running tasks for pid sandboxing. Setting this value to 0 is functionally equivalent to setting sandbox/pid to off.

bind

This command causes Syd to bind mount a directory on startup. The format is source-dir:target-dir:mount-options,... where the source and target directories may be equal. Mount options are a comma-separated list of a combination of the following options:

• ro to mount the filesystem read-only.
• nodev to not interpret character or block special devices on the filesystem.
• noexec to not permit direct execution of any binaries on the mounted filesystem.
• nosuid to not honour set-user-ID and set-group-ID bits or file capabilities when executing programs from this filesystem. In addition, SELinux domain transitions require permission nosuid_transition, which in turn needs also policy capability nnp_nosuid_transition.
• nosymfollow to not follow symbolic links when resolving paths. Symbolic links can still be created, and readlink(1), readlink(2), realpath(1), and realpath(3) all still work properly.
• noatime to not update inode access times on this filesystem (e.g. for faster access on the news spool to speed up news servers). This works for all inode types (directories too), so it implies nodiratime.
• nodiratime to not update directory inode access times on this filesystem. (This option is implied when noatime is set.)
• relatime to update inode access times relative to modify or change time.

Mount options may be omitted. If the source directory is not an absolute path, it is interpreted as the filesystem type rather than the source directory. This may be used to mount special filesystems such as cgroupfs, overlayfs or tmpfs(5) into the mount namespace. In this case, any mount options supported by this filesystem type may be submitted in options argument not just the ones listed above. You may find some examples below:

• bind+/:/:ro
• bind+tmpfs:/tmp:noexec,size=16M
• bind+cgroup2:/sys/fs/cgroup:nodev,noexec,nosuid
• bind+overlay:/tmp/target:lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/work,nosuid

This option does nothing without unshare/mount:1.

This command may be used to create immutable containers. For example, the command bind+/:/:ro is functionally equivalent to deny/write+/*** except the restriction happens at kernel VFS layer rather than at user level using seccomp(2) notify. Alternatively this can also be achieved at the kernel level using landlock(7).

As of version 3.23.14, symbolic links are not followed in any part of the source or target directory paths and path traversal using .. is not permitted. In addition, target directory must be an absolute path, relative paths are not permitted.

As of version 3.23.14, mounting the special proc(5) filesystem under a custom path is not permitted. Syd handles this mount itself specially after all bind mounts are processed.

crypt

Specifies a list of glob(3p) patterns to encrypt for Crypt sandboxing.

crypt/kdf/salt

Specify salt used in key derivation function for Crypt sandboxing.

There are two usage options for the salt:

• Empty or static for domain separation in a private setting
• Guaranteed to be uniformly-distributed and unique in a public setting

crypt/kdf/info/enc

Specify informational context string for encryption key used in key derivation function for Crypt sandboxing.

This information acts as a label and is not private.

crypt/kdf/info/mac

Specify informational context string for authentication key used in key derivation function for Crypt sandboxing.

This information acts as a label and is not private.

crypt/key

Specify 256-bit AES-CTR key for Crypt sandboxing. The key must be encoded in hexadecimal and be exactly 64 characters.

crypt/tmp

Specify temporary backing directory for transparent file decryption. The argument must be an absolute path or the special value "mem". The user must ensure this directory is secure as decrypted contents will be written to temporary files under this directory. Specify the special value "mem" to use anonymous files which live in RAM with a volatile backing storage created with memfd_create(2). This is the default. The user is encouraged to specify this option for efficient handling of large files for Crypt sandboxing.

force

Add or remove an integrity force rule for Force Sandboxing. The format is force+/path:hashhex:action for addition and force-/path for removal. Use force^ to clear the Integrity Force map. Available actions are "warn", "filter", "deny", "panic", "stop", "abort", "kill" and "exit" where the default is "deny". hashhex is either a 8-character CRC32 checksum, 16-character CRC64 checksum, 32-character MD5 checksum, a 40-character SHA1 checksum, a 64-character SHA3-256 checksum, a 96-character SHA3-384 checksum or a 128-character SHA3-512 checksum.

• syd-sha(1) is a helper tool to calculate checksums of files.
• syd-path(1) is a helper tool to write integrity force rules for binaries under PATH.

proxy/addr

Set internal address for Proxy sandboxing. This must be an IPv4 or an IPv6 address. Defaults to 127.0.0.1.

proxy/port

Set internal port for Proxy sandboxing. Defaults to 9050.

proxy/ext/host

Set external address for Proxy sandboxing. This must either be an IPv4 address or an IPv6 address or a hostname. If the argument does not parse as an IP address, Syd resolves the name using the system DNS resolver and selects a response IP randomly.

Defaults to "127.0.0.1", which may be be overriden with the environment variable SYD_PROXY_HOST at startup.

proxy/ext/port

Set external port for Proxy sandboxing.

Defaults to 9050, which may be overriden with the environment variable SYD_PROXY_PORT at startup.

proxy/ext/unix

Set external UNIX domain socket for Proxy sandboxing.

The argument may also be set using the environment variable SYD_PROXY_UNIX at startup.

This option has precedence over the option "proxy/ext/host", ie. when both are given Syd will connect to the UNIX domain socket.

segvguard/expiry

Specify SegvGuard expiry timeout in seconds. Set to 0 to disable SegvGuard.

segvguard/suspension

Specify SegvGuard suspension timeout in seconds.

segvguard/maxcrashes

Specify SegvGuard max crashes.

tpe/gid

Specify untrusted GID for Trusted Path Execution (TPE). By default, TPE is applied to users of all groups including root and this setting can be used to limit it to a certain group. To unset a previously set GID and return to the default state set "none" as the value.

tpe/negate

Negate GID logic for Trusted Path Execution (TPE). This turns "tpe/gid" from untrusted into trusted such that users belonging to this group will be exempt from TPE.

tpe/root_owned

Ensure file and parent directory are root-owned for Trusted Path Execution (TPE).

Note, this option will misbehave with "unshare/user:1" if the real root user is not mapped inside the container.

tpe/user_owned

Ensure file and parent directory are user-owned or root-owned for Trusted Path Execution (TPE).

Note, this option may misbehave with "unshare/user:1" if the real root user is not mapped inside the container.

tpe/root_mount

Ensure file and parent directory are on root filesystem for Trusted Path Execution (TPE).

This option may be used to pin all executions to a single safe mountpoint.

allow/stat

Specifies a list of glob(3p) patterns to allow for Stat sandboxing.

allow/read

Specifies a list of glob(3p) patterns to allow for Read sandboxing.

allow/write

Specifies a list of glob(3p) patterns to allow for Write sandboxing.

allow/exec

Specifies a list of glob(3p) patterns to allow for Exec sandboxing.

allow/ioctl

Specifies a list of glob(3p) patterns to allow for Ioctl sandboxing.

allow/create

Specifies a list of glob(3p) patterns to allow for Create sandboxing.

allow/delete

Specifies a list of glob(3p) patterns to allow for Delete sandboxing.

allow/rename

Specifies a list of glob(3p) patterns to allow for Rename sandboxing.

allow/symlink

Specifies a list of glob(3p) patterns to allow for Symlink sandboxing.

allow/truncate

Specifies a list of glob(3p) patterns to allow for Truncate sandboxing.

allow/chdir

Specifies a list of glob(3p) patterns to allow for Chdir sandboxing.

allow/readdir

Specifies a list of glob(3p) patterns to allow for Readdir sandboxing.

allow/mkdir

Specifies a list of glob(3p) patterns to allow for Mkdir sandboxing.

allow/rmdir

Specifies a list of glob(3p) patterns to allow for Rmdir sandboxing.

allow/chown

Specifies a list of glob(3p) patterns to allow for Chown sandboxing.

allow/chgrp

Specifies a list of glob(3p) patterns to allow for Chgrp sandboxing.

allow/chmod

Specifies a list of glob(3p) patterns to allow for Chmod sandboxing.

allow/chattr

Specifies a list of glob(3p) patterns to allow for Chattr sandboxing.

allow/chroot

Specifies a list of glob(3p) patterns to allow for Chroot sandboxing.

allow/utime

Specifies a list of glob(3p) patterns to allow for Utime sandboxing.

allow/mkdev

Specifies a list of glob(3p) patterns to allow for Mkdev sandboxing.

allow/mkfifo

Specifies a list of glob(3p) patterns to allow for Mkfifo sandboxing.

allow/mktemp

Specifies a list of glob(3p) patterns to allow for Mktemp sandboxing.

allow/net/bind

Specifies a list of network address patterns to allow for Bind network sandboxing.

allow/net/connect

Specifies a list of network address patterns to allow for Connect network sandboxing.

allow/net/sendfd

Specifies a list of network address patterns to allow for SendFd network sandboxing.

allow/net/link

Specifies a list of netlink families to allow for Link network sandboxing.

Accepts a comma-delimited list of the following items: route, usersock, firewall, sock_diag, nflog, xfrm, selinux, iscsi, audit, fib_lookup, connector, netfilter, ip6_fw, dnrtmsg, kobject_uevent, generic, scsitransport, ecryptfs, rdma, crypto, and smc. Use all to specifiy all families.

allow/lock/read

Specifies a set of beneath paths to grant file read access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_READ_FILE" and only applies to the content of the directory not the directory itself. As of version 3.21.0, this set includes the paths "/dev/null" and "/proc" by default as Syd is included in the Landlock sandbox and Syd requires read access to these paths to function correctly.

allow/lock/write

Specifies a set of beneath paths to grant file write access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_WRITE_FILE" and only applies to the content of the directory not the directory itself. As of version 3.21.0, this set includes the path "/dev/null" by default as Syd is included in the Landlock sandbox and Syd requires write access to this file to function correctly.

allow/lock/exec

Specifies a set of beneath paths to grant file execute access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_EXECUTE" and only applies to the content of the directory not the directory itself.

allow/lock/ioctl

Specifies a set of beneath paths to grant ioctl(2) access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_IOCTL_DEV" and only applies to the content of the directory not the directory itself. Landlock ioctl(2) support requires ABI 5 or later. Fifth Landlock ABI was introduced with Linux 6.10. On older kernels, this command is a no-op and is not going to confine ioctl(2) operations.

allow/lock/create

Specifies a set of beneath paths to grant file creation, rename and link access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_MAKE_REG" and only applies to the content of the directory not the directory itself.

allow/lock/delete

Specifies a set of beneath paths to grant file unlink, rename and link access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_REMOVE_FILE" and only applies to the content of the directory not the directory itself.

allow/lock/rename

Specifies a set of beneath paths to grant access to link or rename a file from or to a different directory (i.e. reparent a file hierarchy) for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_REFER" and only applies to the content of the directory not the directory itself. Landlock rename support requires ABI 2 or later. Second Landlock ABI was introduced with Linux 5.19. On older kernels, this type of access is always denied with Landlock.

allow/lock/symlink

Specifies a set of beneath paths to grant symbolic link creation, rename and link access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_MAKE_SYM" and only applies to the content of the directory not the directory itself.

allow/lock/truncate

Specifies a set of beneath paths to grant file truncation access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_TRUNCATE" and only applies to the content of the directory not the directory itself. Landlock file truncation support requires ABI 3 or later. Third Landlock ABI was introduced with Linux 6.2. On older kernels, this command is a no-op and is not going to confine file truncation operations. As of version 3.21.0, this set includes the path "/dev/null" by default as Syd is included in the Landlock sandbox and Syd requires truncation access to this file to function correctly.

allow/lock/readdir

Specifies a set of beneath paths to grant directory list access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_READ_DIR" and applies to the directory and the directories beneath it. As of version 3.21.0, this set includes the directory "/proc" by default as Syd is included in the Landlock sandbox and Syd requires readdir access to this directory to function correctly.

allow/lock/mkdir

Specifies a set of beneath paths to grant directory creation and rename access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_MAKE_DIR" and only applies to the content of the directory not the directory itself.

allow/lock/rmdir

Specifies a set of beneath paths to grant directory deletion and rename access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_REMOVE_DIR" and only applies to the content of the directory not the directory itself.

allow/lock/mkdev

Specifies a set of beneath paths to grant character device creation access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_MAKE_CHAR" and only applies to the content of the directory not the directory itself.

allow/lock/mkfifo

Specifies a set of beneath paths to grant named pipe (FIFO) creation access for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_FS_MAKE_FIFO" and only applies to the content of the directory not the directory itself.

allow/lock/bind

Specifies a list of allowed bind(2) ports and UNIX domain socket paths for Lock sandboxing. This category corresponds to the Landlock access rights "LANDLOCK_ACCESS_NET_BIND_TCP" and "LANDLOCK_ACCESS_FS_MAKE_SOCK" and only applies to the content of the directory not the directory itself. Argument is either a single port or a closed range in format port1-port2, or an absolute UNIX domain socket path. Landlock network support requires ABI 4 or later. Fourth Landlock ABI was introduced with Linux 6.7. On older kernels, this command is a no-op when specified with port arguments and does not do any network confinement.

allow/lock/connect

Specifies a list of allowed connect(2) ports for Lock sandboxing. This category corresponds to the Landlock access right "LANDLOCK_ACCESS_NET_BIND_CONNECT". Argument is either a single port or a closed range in format port1-port2. Landlock network support requires ABI 4 or later. Fourth Landlock ABI was introduced with Linux 6.7. On older kernels, this command is a no-op and does not do any network confinement.

warn/stat

Specifies a list of glob(3p) patterns to warn for Stat sandboxing.

warn/read

Specifies a list of glob(3p) patterns to warn for Read sandboxing.

warn/write

Specifies a list of glob(3p) patterns to warn for Write sandboxing.

warn/exec

Specifies a list of glob(3p) patterns to warn for Exec sandboxing.

warn/ioctl

Specifies a list of glob(3p) patterns to warn for Ioctl sandboxing.

warn/create

Specifies a list of glob(3p) patterns to warn for Create sandboxing.

warn/delete

Specifies a list of glob(3p) patterns to warn for Delete sandboxing.

warn/rename

Specifies a list of glob(3p) patterns to warn for Rename sandboxing.

warn/symlink

Specifies a list of glob(3p) patterns to warn for Symlink sandboxing.

warn/truncate

Specifies a list of glob(3p) patterns to warn for Truncate sandboxing.

warn/chdir

Specifies a list of glob(3p) patterns to warn for Chdir sandboxing.

warn/readdir

Specifies a list of glob(3p) patterns to warn for Readdir sandboxing.

warn/mkdir

Specifies a list of glob(3p) patterns to warn for Mkdir sandboxing.

warn/rmdir

Specifies a list of glob(3p) patterns to warn for Rmdir sandboxing.

warn/chown

Specifies a list of glob(3p) patterns to warn for Chown sandboxing.

warn/chgrp

Specifies a list of glob(3p) patterns to warn for Chgrp sandboxing.

warn/chmod

Specifies a list of glob(3p) patterns to warn for Chmod sandboxing.

warn/chattr

Specifies a list of glob(3p) patterns to warn for Chattr sandboxing.

warn/chroot

Specifies a list of glob(3p) patterns to warn for Chroot sandboxing.

warn/utime

Specifies a list of glob(3p) patterns to warn for Utime sandboxing.

warn/mkdev

Specifies a list of glob(3p) patterns to warn for Mkdev sandboxing.

warn/mkfifo

Specifies a list of glob(3p) patterns to warn for Mkfifo sandboxing.

warn/mktemp

Specifies a list of glob(3p) patterns to warn for Mktemp sandboxing.

warn/net/bind

Specifies a list of network address patterns to warn for Bind network sandboxing.

warn/net/connect

Specifies a list of network address patterns to warn for Connect network sandboxing.

warn/net/sendfd

Specifies a list of network address patterns to warn for SendFd network sandboxing.

deny/stat

Specifies a list of glob(3p) patterns to deny for Stat sandboxing.

deny/read

Specifies a list of glob(3p) patterns to deny for Read sandboxing.

deny/write

Specifies a list of glob(3p) patterns to deny for Write sandboxing.

deny/exec

Specifies a list of glob(3p) patterns to deny for Exec sandboxing.

deny/ioctl

Specifies a list of glob(3p) patterns to deny for Ioctl sandboxing.

deny/create

Specifies a list of glob(3p) patterns to deny for Create sandboxing.

deny/delete

Specifies a list of glob(3p) patterns to deny for Delete sandboxing.

deny/rename

Specifies a list of glob(3p) patterns to deny for Rename sandboxing.

deny/symlink

Specifies a list of glob(3p) patterns to deny for Symlink sandboxing.

deny/truncate

Specifies a list of glob(3p) patterns to deny for Truncate sandboxing.

deny/chdir

Specifies a list of glob(3p) patterns to deny for Chdir sandboxing.

deny/readdir

Specifies a list of glob(3p) patterns to deny for Readdir sandboxing.

deny/mkdir

Specifies a list of glob(3p) patterns to deny for Mkdir sandboxing.

deny/rmdir

Specifies a list of glob(3p) patterns to deny for Rmdir sandboxing.

deny/chown

Specifies a list of glob(3p) patterns to deny for Chown sandboxing.

deny/chgrp

Specifies a list of glob(3p) patterns to deny for Chgrp sandboxing.

deny/chmod

Specifies a list of glob(3p) patterns to deny for Chmod sandboxing.

deny/chattr

Specifies a list of glob(3p) patterns to deny for Chattr sandboxing.

deny/chroot

Specifies a list of glob(3p) patterns to deny for Chroot sandboxing.

deny/utime

Specifies a list of glob(3p) patterns to deny for Utime sandboxing.

deny/mkdev

Specifies a list of glob(3p) patterns to deny for Mkdev sandboxing.

deny/mkfifo

Specifies a list of glob(3p) patterns to deny for Mkfifo sandboxing.

deny/mktemp

Specifies a list of glob(3p) patterns to deny for Mktemp sandboxing.

deny/net/bind

Specifies a list of network address patterns to deny for Bind network sandboxing.

deny/net/connect

Specifies a list of network address patterns to deny for Connect network sandboxing.

deny/net/sendfd

Specifies a list of network address patterns to deny for SendFd network sandboxing.

panic/stat

Specifies a list of glob(3p) patterns to panic for Stat sandboxing.

panic/read

Specifies a list of glob(3p) patterns to panic for Read sandboxing.

panic/write

Specifies a list of glob(3p) patterns to panic for Write sandboxing.

panic/exec

Specifies a list of glob(3p) patterns to panic for Exec sandboxing.

panic/ioctl

Specifies a list of glob(3p) patterns to panic for Ioctl sandboxing.

panic/create

Specifies a list of glob(3p) patterns to panic for Create sandboxing.

panic/delete

Specifies a list of glob(3p) patterns to panic for Delete sandboxing.

panic/rename

Specifies a list of glob(3p) patterns to panic for Rename sandboxing.

panic/symlink

Specifies a list of glob(3p) patterns to panic for Symlink sandboxing.

panic/truncate

Specifies a list of glob(3p) patterns to panic for Truncate sandboxing.

panic/chdir

Specifies a list of glob(3p) patterns to panic for Chdir sandboxing.

panic/readdir

Specifies a list of glob(3p) patterns to panic for Readdir sandboxing.

panic/mkdir

Specifies a list of glob(3p) patterns to panic for Mkdir sandboxing.

panic/rmdir

Specifies a list of glob(3p) patterns to panic for Rmdir sandboxing.

panic/chown

Specifies a list of glob(3p) patterns to panic for Chown sandboxing.

panic/chgrp

Specifies a list of glob(3p) patterns to panic for Chgrp sandboxing.

panic/chmod

Specifies a list of glob(3p) patterns to panic for Chmod sandboxing.

panic/chattr

Specifies a list of glob(3p) patterns to panic for Chattr sandboxing.

panic/chroot

Specifies a list of glob(3p) patterns to panic for Chroot sandboxing.

panic/utime

Specifies a list of glob(3p) patterns to panic for Utime sandboxing.

panic/mkdev

Specifies a list of glob(3p) patterns to panic for Mkdev sandboxing.

panic/mkfifo

Specifies a list of glob(3p) patterns to panic for Mkfifo sandboxing.

panic/mktemp

Specifies a list of glob(3p) patterns to panic for Mktemp sandboxing.

panic/net/bind

Specifies a list of network address patterns to panic for Bind network sandboxing.

panic/net/connect

Specifies a list of network address patterns to panic for Connect network sandboxing.

panic/net/sendfd

Specifies a list of network address patterns to panic for SendFd network sandboxing.

stop/stat

Specifies a list of glob(3p) patterns to stop for Stat sandboxing.

stop/read

Specifies a list of glob(3p) patterns to stop for Read sandboxing.

stop/write

Specifies a list of glob(3p) patterns to stop for Write sandboxing.

stop/exec

Specifies a list of glob(3p) patterns to stop for Exec sandboxing.

stop/ioctl

Specifies a list of glob(3p) patterns to stop for Ioctl sandboxing.

stop/create

Specifies a list of glob(3p) patterns to stop for Create sandboxing.

stop/delete

Specifies a list of glob(3p) patterns to stop for Delete sandboxing.

stop/rename

Specifies a list of glob(3p) patterns to stop for Rename sandboxing.

stop/symlink

Specifies a list of glob(3p) patterns to stop for Symlink sandboxing.

stop/truncate

Specifies a list of glob(3p) patterns to stop for Truncate sandboxing.

stop/chdir

Specifies a list of glob(3p) patterns to stop for Chdir sandboxing.

stop/readdir

Specifies a list of glob(3p) patterns to stop for Readdir sandboxing.

stop/mkdir

Specifies a list of glob(3p) patterns to stop for Mkdir sandboxing.

stop/rmdir

Specifies a list of glob(3p) patterns to stop for Rmdir sandboxing.

stop/chown

Specifies a list of glob(3p) patterns to stop for Chown sandboxing.

stop/chgrp

Specifies a list of glob(3p) patterns to stop for Chgrp sandboxing.

stop/chmod

Specifies a list of glob(3p) patterns to stop for Chmod sandboxing.

stop/chattr

Specifies a list of glob(3p) patterns to stop for Chattr sandboxing.

stop/chroot

Specifies a list of glob(3p) patterns to stop for Chroot sandboxing.

stop/utime

Specifies a list of glob(3p) patterns to stop for Utime sandboxing.

stop/mkdev

Specifies a list of glob(3p) patterns to stop for Mkdev sandboxing.

stop/mkfifo

Specifies a list of glob(3p) patterns to stop for Mkfifo sandboxing.

stop/mktemp

Specifies a list of glob(3p) patterns to stop for Mktemp sandboxing.

stop/net/bind

Specifies a list of network address patterns to stop for Bind network sandboxing.

stop/net/connect

Specifies a list of network address patterns to stop for Connect network sandboxing.

stop/net/sendfd

Specifies a list of network address patterns to stop for SendFd network sandboxing.

abort/stat

Specifies a list of glob(3p) patterns to abort for Stat sandboxing.

abort/read

Specifies a list of glob(3p) patterns to abort for Read sandboxing.

abort/write

Specifies a list of glob(3p) patterns to abort for Write sandboxing.

abort/exec

Specifies a list of glob(3p) patterns to abort for Exec sandboxing.

abort/ioctl

Specifies a list of glob(3p) patterns to abort for Ioctl sandboxing.

abort/create

Specifies a list of glob(3p) patterns to abort for Create sandboxing.

abort/delete

Specifies a list of glob(3p) patterns to abort for Delete sandboxing.

abort/rename

Specifies a list of glob(3p) patterns to abort for Rename sandboxing.

abort/symlink

Specifies a list of glob(3p) patterns to abort for Symlink sandboxing.

abort/truncate

Specifies a list of glob(3p) patterns to abort for Truncate sandboxing.

abort/chdir

Specifies a list of glob(3p) patterns to abort for Chdir sandboxing.

abort/readdir

Specifies a list of glob(3p) patterns to abort for Readdir sandboxing.

abort/mkdir

Specifies a list of glob(3p) patterns to abort for Mkdir sandboxing.

abort/rmdir

Specifies a list of glob(3p) patterns to abort for Rmdir sandboxing.

abort/chown

Specifies a list of glob(3p) patterns to abort for Chown sandboxing.

abort/chgrp

Specifies a list of glob(3p) patterns to abort for Chgrp sandboxing.

abort/chmod

Specifies a list of glob(3p) patterns to abort for Chmod sandboxing.

abort/chattr

Specifies a list of glob(3p) patterns to abort for Chattr sandboxing.

abort/chroot

Specifies a list of glob(3p) patterns to abort for Chroot sandboxing.

abort/utime

Specifies a list of glob(3p) patterns to abort for Utime sandboxing.

abort/mkdev

Specifies a list of glob(3p) patterns to abort for Mkdev sandboxing.

abort/mkfifo

Specifies a list of glob(3p) patterns to abort for Mkfifo sandboxing.

abort/mktemp

Specifies a list of glob(3p) patterns to abort for Mktemp sandboxing.

abort/net/bind

Specifies a list of network address patterns to abort for Bind network sandboxing.

abort/net/connect

Specifies a list of network address patterns to abort for Connect network sandboxing.

abort/net/sendfd

Specifies a list of network address patterns to abort for SendFd network sandboxing.

kill/stat

Specifies a list of glob(3p) patterns to kill for Stat sandboxing.

kill/read

Specifies a list of glob(3p) patterns to kill for Read sandboxing.

kill/write

Specifies a list of glob(3p) patterns to kill for Write sandboxing.

kill/exec

Specifies a list of glob(3p) patterns to kill for Exec sandboxing.

kill/ioctl

Specifies a list of glob(3p) patterns to kill for Ioctl sandboxing.

kill/create

Specifies a list of glob(3p) patterns to kill for Create sandboxing.

kill/delete

Specifies a list of glob(3p) patterns to kill for Delete sandboxing.

kill/rename

Specifies a list of glob(3p) patterns to kill for Rename sandboxing.

kill/symlink

Specifies a list of glob(3p) patterns to kill for Symlink sandboxing.

kill/truncate

Specifies a list of glob(3p) patterns to kill for Truncate sandboxing.

kill/chdir

Specifies a list of glob(3p) patterns to kill for Chdir sandboxing.

kill/readdir

Specifies a list of glob(3p) patterns to kill for Readdir sandboxing.

kill/mkdir

Specifies a list of glob(3p) patterns to kill for Mkdir sandboxing.

kill/rmdir

Specifies a list of glob(3p) patterns to kill for Rmdir sandboxing.

kill/chown

Specifies a list of glob(3p) patterns to kill for Chown sandboxing.

kill/chgrp

Specifies a list of glob(3p) patterns to kill for Chgrp sandboxing.

kill/chmod

Specifies a list of glob(3p) patterns to kill for Chmod sandboxing.

kill/chattr

Specifies a list of glob(3p) patterns to kill for Chattr sandboxing.

kill/chroot

Specifies a list of glob(3p) patterns to kill for Chroot sandboxing.

kill/utime

Specifies a list of glob(3p) patterns to kill for Utime sandboxing.

kill/mkdev

Specifies a list of glob(3p) patterns to kill for Mkdev sandboxing.

kill/mkfifo

Specifies a list of glob(3p) patterns to kill for Mkfifo sandboxing.

kill/mktemp

Specifies a list of glob(3p) patterns to kill for Mktemp sandboxing.

kill/net/bind

Specifies a list of network address patterns to kill for Bind network sandboxing.

kill/net/connect

Specifies a list of network address patterns to kill for Connect network sandboxing.

kill/net/sendfd

Specifies a list of network address patterns to kill for SendFd network sandboxing.

exit/stat

Specifies a list of glob(3p) patterns to exit for Stat sandboxing.

exit/read

Specifies a list of glob(3p) patterns to exit for Read sandboxing.

exit/write

Specifies a list of glob(3p) patterns to exit for Write sandboxing.

exit/exec

Specifies a list of glob(3p) patterns to exit for Exec sandboxing.

exit/ioctl

Specifies a list of glob(3p) patterns to exit for Ioctl sandboxing.

exit/create

Specifies a list of glob(3p) patterns to exit for Create sandboxing.

exit/delete

Specifies a list of glob(3p) patterns to exit for Delete sandboxing.

exit/rename

Specifies a list of glob(3p) patterns to exit for Rename sandboxing.

exit/symlink

Specifies a list of glob(3p) patterns to exit for Symlink sandboxing.

exit/truncate

Specifies a list of glob(3p) patterns to exit for Truncate sandboxing.

exit/chdir

Specifies a list of glob(3p) patterns to exit for Chdir sandboxing.

exit/readdir

Specifies a list of glob(3p) patterns to exit for Readdir sandboxing.

exit/mkdir

Specifies a list of glob(3p) patterns to exit for Mkdir sandboxing.

exit/rmdir

Specifies a list of glob(3p) patterns to exit for Rmdir sandboxing.

exit/chown

Specifies a list of glob(3p) patterns to exit for Chown sandboxing.

exit/chgrp

Specifies a list of glob(3p) patterns to exit for Chgrp sandboxing.

exit/chmod

Specifies a list of glob(3p) patterns to exit for Chmod sandboxing.

exit/chattr

Specifies a list of glob(3p) patterns to exit for Chattr sandboxing.

exit/chroot

Specifies a list of glob(3p) patterns to exit for Chroot sandboxing.

exit/utime

Specifies a list of glob(3p) patterns to exit for Utime sandboxing.

exit/mkdev

Specifies a list of glob(3p) patterns to exit for Mkdev sandboxing.

exit/mkfifo

Specifies a list of glob(3p) patterns to exit for Mkfifo sandboxing.

exit/mktemp

Specifies a list of glob(3p) patterns to exit for Mktemp sandboxing.

exit/net/bind

Specifies a list of network address patterns to exit for Bind network sandboxing.

exit/net/connect

Specifies a list of network address patterns to exit for Connect network sandboxing.

exit/net/sendfd

Specifies a list of network address patterns to exit for SendFd network sandboxing.

append

Specifies a list of glob(3p) patterns to files that should be made append-only for Write sandboxing.

If a path is append-only, Syd adds O_APPEND and removes O_TRUNC from flags on any sandbox granted attempt to open(2) this path. Unsetting the O_APPEND flag using fcntl(2) F_SETFL command is prevented. Similarly, any attempt to rename(2), truncate(2) and unlink(2) the file is prevented. This is typically useful for history and log files.

mask

Specifies a list of glob(3p) patterns to mask for Read & Write sandboxing.

If a path is masked, Syd returns a file descriptor to "/dev/null" on any sandbox granted attempt to open(2) this path. Masking can effectively be used to hide the contents of a file in a more relaxed and compatible way than denying read/write access to it. stat(2) calls on a masked file returns the original file metadata and a masked file may be executed. After a successful mask operation, the mask path is not checked for sandbox access.

As of version 3.35.1, the default mask path "/dev/null" may be changed by specifying a colon-separated extra path to the mask-add command, e.g. "mask+/dev/[fn]ull:/dev/zero" when both of the paths "/dev/full" and "/dev/null" will be masked with the path "/dev/zero". The mask path must be a fully canonicalized path without symbolic links.

As of version 3.36.0, the default mask path may be overriden for directories by specifying an additional colon-separated extra path to the mask-add command, e.g. "mask+/proc/acpi/***:/dev/null:/var/empty" when the path "/proc/acpi/wakeup" which is a regular file will return "/dev/null" at open(2) boundary but the directory "/proc/acpi" and any subdirectory within will return "/var/empty" at open(2) boundary. The mask path must be a fully canonicalized path without symbolic links.

This feature provides a non-privileged alternative to the bind command because it does not require the creation of a mount namespace. Moreover, mask commands may be specified dynamically after startup using the syd(2) API allowing for fine-tuned and/or incremental confinement.

block

Specifies a range of IP networks to be blocked when specified as the target address of "connect" group system calls which are connect(2), sendto(2), sendmsg(2), sendmmsg(2) and when received as the source address in return from accept(2) and accept4(2) system calls for IPv4 and IPv6 family sockets. Use "block+<net>" and "block-<net>" to add and remove ip networks from the range. Alternatively the range can also be populated by including "ipset" and "netset" files from within Syd configuration. Use "block^" to clear the list and "block!" to simplify the ip range by aggregating networks together. "block!" is useful to call after importing big IP blocklists, it helps reduce memory consumption and improve matching performance. Below is a configuration snippet that imports Feodo and DShield blocklists:

# Enable IP blocklists
# Source: https://github.com/firehol/blocklist-ipsets.git
include /usr/src/blocklist-ipsets/feodo.ipset
include /usr/src/blocklist-ipsets/feodo_badips.ipset
include /usr/src/blocklist-ipsets/dshield.netset
include /usr/src/blocklist-ipsets/dshield_1d.netset
include /usr/src/blocklist-ipsets/dshield_30d.netset
include /usr/src/blocklist-ipsets/dshield_7d.netset
include /usr/src/blocklist-ipsets/dshield_top_1000.ipset
block!

cmd/exec

Makes Syd execute an external command without sandboxing. The process is executed in a new process group with its standard input attached to "/dev/null". Standard output and standard error file descriptors are inherited. Syd also ensures no non-standard file descriptors leak into the new process utilizing the close_range(2) system call. Current working directory is changed to the root directory, aka "/". The umask(2) is set to 077. The program name and arguments must be separated with the US (unit separator, hex: 0x1f, octal: 037) character. To ease usage, the syd-exec(1) helper utility is provided to construct a sandbox command of this type:

; syd -puser -mlock:exec -- sh -c 'test -c $(syd-exec echo hello world)'
hello world
;

load

Read configuration from the given file descriptor, the file must be open for reading. Syd uses pidfd_getfd(2) to acquire the file descriptor and reads sandbox configuration from it. This command is useful to load a set of sandbox commands into Syd in a single step and is typically used with reset, e.g:

int fd = open("/tmp", O_RDWR | O_TMPFILE | O_CLOEXEC, 0);
if (fd == -1) errx(1, "Failed to open temporary file");
const char *syd = "sandbox:stat/on\nallow/stat+/***\ndeny/stat+/\nlock:on\n";
errx(write(fd, syd, strlen(syd)) == -1, "Failed to write config");
errx(lseek(fd, 0, SEEK_SET) == -1, "Failed to seek in file");
char load[64];
sprintf(load, "/dev/syd/load/%d", fd);
errx(stat("/dev/syd/reset", NULL) == -1, "Failed to reset syd");
errx(stat(load, NULL) == -1, "Failed to load syd profile");
errx(execvp("/bin/sh", (char *[]){"/bin/sh", "-l", NULL}) == -1, "execvp failed");

Due to security reasons, this command is only available via the virtual stat(2) call, it may not be used with the -m command line switch or in a configuration file.

As of version 3.30.0, this command may be used to load builtin profiles, when Syd falls back to parsing the "load" argument as a profile name if parsing the argument as a file descriptor fails.

trace/allow_safe_setuid

Specify whether the Linux capability "CAP_SETUID" should be retained. This option in combination with SafeSetID allows the sandbox process to change UID. Note, Syd will change its UID with the sandbox process.

Note, because NPTL uses reserved signals to ensure all threads share the same UID/GID, setting this option disables the SROP mitigator. See the "Enhanced Execution Control (EEC)" section of the syd(7) manual page for more information.

trace/allow_safe_setgid

Specify whether the Linux capability "CAP_SETGID" should be retained. This option in combination with SafeSetID allows the sandbox process to change GID. Note, Syd will change its GID with the sandbox process.

Note, because NPTL uses reserved signals to ensure all threads share the same UID/GID, setting this option disables the SROP mitigator. See the "Enhanced Execution Control (EEC)" section of the syd(7) manual page for more information.

setuid

Add, remove a UID transition or reset UID transitions. Only a single transition from a source UID can be defined. Transitions to root are not allowed.

Usage:

setuid+0:65534      # Define a UID transition from root to nobody.
setuid+root:nobody  # Same as above but using user names.
setuid-0:65534      # Remove a previously defined UID transition.
setuid^0            # Remove all UID transitions matching source UID.
setuid^             # Remove all UID transitions.

setgid

Add, remove a GID transition or reset GID transitions. Only a single transition from a source GID can be defined. Transitions to root are not allowed.

Usage:

setgid+0:65534      # Define a GID transition from root to nogroup.
setgid+root:nogroup # Same as above but using group names.
setgid-0:65534      # Remove a previously defined GID transition.
setgid^0            # Remove all GID transitions matching source GID.
setgid^             # Remove all GID transitions.

trace/allow_unsafe_cbpf

A boolean specifying whether Syd should allow additional seccomp(2) cbpf filters to be installed by sandbox processes. By default, this is denied to mitigate confused deputy problems and errno(3) is set to "EINVAL", aka "Invalid argument" for compatibility reasons. On the one hand, stacked seccomp(2) cbpf filters allow for incremental confinement and therefore added hardening, on the other hand they may be abused to install system call filters with more precedent actions than user-notify thereby bypassing Syd's own seccomp(2) cbpf filters. To quote the seccomp_unotify(2): "... a user-space notifier can be bypassed if the existing filters allow the use of seccomp(2) or prctl(2) to install a filter that returns an action value with a higher precedence than "SECCOMP_RET_USER_NOTIF" (see seccomp(2))." Setting the option "trace/allow_unsafe_prctl:1" overrides this option and allows the "PR_SET_SECCOMP" prctl(2) operation inside the sandbox. This may be changed in the future for clearer separation of mitigations.

trace/allow_unsafe_ebpf

Allows direct eBPF use inside the Syd sandbox using the bpf(2) system call, whose unprivileged use is permitted since Linux-4.4. On the one hand, eBPF programs can be used for additional hardening, on the other hand eBPF is a frequent source of vulnerabilities due to churn, complexity, improper validation and complexity of validation. eBPF may also be abused to implement efficient and portable rootkits.

Note, as of version 3.32.8, Syd includes the uretprobe(2) system call into this mitigation. uretprobe(2) system call is implemented in Linux-6.11 or newer and is used by the kernel to execute pending return uprobes.

Note, as of version 3.37.0, Syd drops the capability "CAP_BPF" and denies the privileged bpf(2) commands "BPF_MAP_CREATE" and "BPF_PROG_LOAD" with the errno(3) "EPERM", aka "Operation not permitted" regardless of the value of this option. This is in consistence with the Linux kernel checks for the "kernel.unprivileged_bpf_disabled" sysctl(8). Consult the bpf(2) and capabilities(7) manual pages for more information about the "CAP_BPF" Linux capability which is implemented in Linux-5.8 or newer.

trace/allow_unsafe_dumpable

A boolean specifying whether Syd should skip from setting its process dumpable attribute to false. This allows core dumps for the Syd process, and allows debugging/profiling/tracing the Syd process. You should not set this option unless you're developing Syd.

trace/allow_unsafe_exec

A boolean specifying whether exec calls with NULL argument and environment pointers should be allowed. As of version 3.37.0, this option also specifies whether ld.so(8) exec indirection should be allowed.

trace/allow_unsafe_ptrace

A boolean specifying whether ptrace(2) should be used to secure the exec handler. Setting this option to true effectively removes the ptrace(2) dependency from the sandbox. This is necessary to trace syd together with its children, e.g. with "strace -f". Warning, this option makes syd(1) keep the "CAP_SYS_PTRACE" capability and disables Force Sandboxing, SegvGuard and the exec-TOCTOU mitigator. It allows the sandbox process to trivially break out of the sandbox by e.g. attaching to the syd(1) main thread with ptrace(2) and getting a handle to the seccomp(2) notify file descriptor. Therefore, this option should only be used in trusted environments.

trace/allow_unsafe_perf

A boolean specifying whether perf calls should be allowed within the sandbox.

trace/allow_unsafe_create

A boolean specifying whether to allow unsafe file creation. Refer to the "Trusted File Creation" section of the syd(7) manual page for more information.

trace/allow_unsafe_filename

A boolean specifying whether the restrictions on file names should be lifted. By default, file names with control characters, forbidden characters or invalid UTF-8 are denied with EINVAL as necessary. Read Enhanced Path Integrity Measures of the syd(7) manual page for more information.

trace/allow_unsafe_hardlinks

A boolean specifying whether to allow unsafe hardlink targets. Refer to the Trusted Hardlinks section of the syd(7) manual page for more information.

trace/allow_unsafe_libc

A boolean specifying whether turning on secure-execution mode for libc should be skipped. Refer to the Enforcing AT_SECURE and UID/GID Verification section of the syd(7) manual page for more information.

trace/allow_unsafe_proc_status

A boolean specifying whether masking security-sensitive fields in proc_pid_status(5) files should be disabled. Refer to the Hardening proc_pid_status(5) section of the syd(7) manual page for more information.

trace/allow_unsafe_magiclinks

A boolean specifying whether /proc magic links should be followed even when per-process directory id differs from the caller process id. Magic links are symbolic link-like objects that are most notably found in proc(5); examples include "/proc/pid/exe" and "/proc/pid/fd/*". See symlink(7) for more details. Unknowingly opening magic links can be risky for some applications. Examples of such risks include the following:

• If the process opening a pathname is a controlling process that currently has no controlling terminal (see credentials(7)), then opening a magic link inside "/proc/pid/fd" that happens to refer to a terminal would cause the process to acquire a controlling terminal.
• In a containerized environment, a magic link inside "/proc" may refer to an object outside the container, and thus may provide a means to escape from the container.

Because of such risks, Syd denies access to magic links which do not belong to the current process by default.

As of version 3.36.0, ioctl(2) requests to magic links are denied unless this option is set.

trace/allow_unsafe_symlinks

A boolean specifying whether to allow following symlinks in untrusted directories. Untrusted directories are either group-writable, world-writable, or have the sticky-bit set. Refer to the "Trusted Symbolic Links" section of the syd(7) manual page for more information.

trace/allow_unsafe_namespace

A list of namespaces to allow creation under the sandbox. Must be a comma-separated list of "mount", "uts", "ipc", "user, "pid", "net", "cgroup" and "time". The special value "all" is supported as a placeholder to specify all namespaces. An invocation of this command overrides all previous invocations, ie only the list of subnamespaces in the last invocation of this command will be allowed. By default, subnamespace creation is not allowed. As of version 3.35.2, the system calls sethostname(2) and setdomainname(2) are only allowed in the sandbox if "uts" subnamespace is allowed. This is similar to the mount family system calls which are only allowed if "mount" subnamespace is allowed.

trace/allow_unsafe_nice

A boolean specifying whether process and I/O priority changes are allowed for the sandbox. See the "Process Priority and Resource Management" section of the syd(7) manual page for more information.

trace/allow_unsafe_nocookie

A boolean specifying whether enforcement of syscall argument cookies should be disabled. See the "Syscall Argument Cookies" section of the syd(7) manual page for more information.

trace/allow_unsafe_nomseal

A boolean specifying whether read-only sealing critical regions of the Syd sandbox policy using mseal(2) when sandbox is locked should be disabled. See the "Memory Sealing of Sandbox Policy Regions on Lock" section of the syd(7) manual page for more information.

trace/allow_unsafe_nopie

A boolean specifying whether execution of non-PIE binaries should be allowed. This is generally not recommended but may be necessary on some systems.

trace/allow_unsafe_chown

Makes Syd keep the capability "CAP_CHOWN" and sandbox process will inherit the capability from Syd.

trace/allow_unsafe_chroot

Disable Chroot sandboxing and turn chroot(2) system call into a no-op like the pivot_root(2) system call. See the explanation in "chroot" category in "SANDBOXING" section of the syd(7) manual page for more information.

trace/allow_unsafe_oob

Allow the "MSG_OOB" flag for send(2), sendto(2), sendmsg(2), and sendmmsg(2) system calls to send out-of-band data. Refer to the "Denying MSG_OOB Flag in send System Calls" subsection of the syd(7) manual page for more information.

trace/allow_unsafe_open_path

A boolean specifying whether the mitigation to turn "O_PATH" file descriptors into "O_RDONLY" file descriptors for safe emulation should be disabled. With this option, syd continues the open(2) system calls with the "O_PATH" in the sandbox process which opens a TOCTOU vector.

trace/allow_unsafe_mkbdev

Specify whether unsafe block device access should be allowed. When set, Syd does not drop the capability CAP_MKNOD on startup. This allows:

• block device creation with mknod(2).
• ioctl(2) calls on block devices.
• open block devices with open(2).
• list block devices with getdents64(2).

trace/allow_unsafe_mkcdev

Specify whether unsafe character device creation should be allowed. When set, Syd does not drop the capability CAP_MKNOD on startup. This allows creation of character devices with mknod(2).

trace/allow_unsafe_cpu

Specify whether CPU emulation system calls should be allowed. By default, as of version 3.22.1, Syd denies the modify_ldt(2), subpage_prot(2), switch_endian(2), vm86(2), and vm86old(2) system calls, which are associated with CPU emulation functionalities. Enabling this option (trace/allow_unsafe_cpu:1) permits these calls, thus relaxing the restriction. This option should be used with caution, as allowing these system calls can introduce potential vulnerabilities by enabling processes to modify CPU state or memory protections. Use this setting only in trusted environments where the execution of these system calls is necessary.

trace/allow_unsafe_keyring

Specify whether the add_key(2), keyctl(2), and request_key(2) system calls should be allowed. Enabling this setting permits key management within the sandbox, which can introduce security risks by allowing keyring manipulations. Use only in trusted environments.

trace/allow_unsafe_kfd

A boolean specifying whether open(2) calls to AMD KFD character devices should be continued in the sandbox process rather than opening them in the Syd emulator thread and sending the file descriptor. The /dev/kfd character device requires per-application access to the GPU device, therefore opening the device in the Syd emulator thread and then continuing the subsequent ioctl(2) system calls in the sandbox process is going to return EBADF ("Bad file number"). Until Syd has a way to fully emulate the ioctl(2) request space and is able to call the ioctl(2) system call directly from Syd emulator threads, this option may be used to access such character devices. Setting this option opens a TOCTOU attack vector, whereby the sandbox process can open an arbitrary file instead of the character device in question! Syd applies the following mitigations to limit the scope of the attack vector:

• Syd continues the system call if and only if "O_RDWR" is set in the flags argument.
• Syd does not continue the system call if at least one of the flags "O_CREAT", "O_TRUNC" or "O_TMPFILE" is set in the flags argument.
• Syd returns "ENOSYS", aka "Function not implemented", for the openat2(2) system call rather than continuing it in the sandbox process to prevent the "struct open_how" pointer indirection to bypass the restrictions applied to the flags argument. Refer to the openat2(2) manual page for more information.
• This option may be changed at runtime, and it is highly recommended to unset this option using the syd(2) virtual system call API right after the character device is opened.

trace/allow_unsafe_pipe

Allow creating notification pipes using the "O_NOTIFICATION_PIPE" flag to the pipe2(2) system call. See the "Denying O_NOTIFICATION_PIPE Flag in pipe2" subsection of the syd(7) manual page for more information.

trace/allow_unsafe_pkey

Specifies whether the pkey_alloc(2), pkey_free(2), and pkey_mprotect(2) system calls should be allowed. By default, these calls are denied to enhance security. Setting this option to true enables these system calls, allowing the use of memory protection keys. This option should be used with caution and only in trusted environments where the use of these system calls is necessary.

trace/allow_unsafe_msgsnd

Specifies whether the msgsnd(2) system call should be allowed. By default, this call is denied to enhance security as the ability of this system call to allocate large, contiguous blocks of memory in the kernel heap is often used to orchestrate kernel heap spraying attacks. See the "Mitigation Against Heap Spraying" section of the syd(7) manual page for more information.

trace/allow_unsafe_page_cache

Specifies whether the system calls cachestat(2) and mincore(2) should be allowed. By default, these calls are denied to enhance security as it has been documented that they can be misused to perform page-cache attacks. See the "Mitigation against Page Cache Attacks" section of the syd(7) manual page for more information.

trace/allow_unsafe_time

A boolean specifying whether system calls which adjust the system time are allowed. Note, this also causes Syd to keep the CAP_SYS_TIME capability. Use syd-ls time to see the list of system calls allowed by this setting.

trace/allow_unsafe_uring

A boolean specifying whether system calls of the io_uring(7) interface are allowed. Normally, these are denied because they may be used to bypass path sandboxing. Use syd-ls uring to see the list of system calls allowed by this setting.

trace/allow_unsafe_xattr

A boolean specifying whether the extended attributes restrictions on "user.syd.*" and "security.*" should be lifted. If this option is not set only sandbox processes with access to the sandbox lock can view or change these extended attributes.

trace/allow_unsafe_caps

A boolean specifying whether Syd should skip dropping Linux capabilities at startup. This setting can be used to construct privileged containers and should be used with extreme care.

Note, syd-oci(1) sets this option to honour the list of capabilities specified by the container engine. You may unset it using the container configuration file. See CONFIGURATION section in syd-oci(1) manual page for more information.

trace/allow_unsafe_env

Specify whether unsafe environment variables should be allowed into the environment of the sandbox process. See syd-ls env for the list of unsafe environment variables.

trace/allow_safe_kcapi

Specify whether access to the Linux kernel cryptography API (aka: "KCAPI") should be allowed when network sandboxing is on. This option has no effect when network sandboxing is off.

As most things in life, cryptography has good and evil uses: KCAPI is convenient as it may be used to implement cryptography without depending on user-space libraries such as OpenSSL but it may also enable malicious code to efficiently turn itself into ransomware. Adhering to the goal to be secure by default Syd disallows this access by default.

Note, Syd does not hook into setsockopt(2) and the "ALG_SET_KEY" operation to set the encryption key is directly handled by the host kernel therefore the encryption key is not copied into Syd's address space.

Note again, Syd hooks into bind(2), sendto(2), sendmsg(2), and sendmmsg(2) but not read(2), write(2), recv(2), or splice(2). To reduce syscall overhead, user is recommended to use the unhooked system calls when they can to interact with KCAPI.

trace/allow_safe_syslog

Specify whether unprivileged sandbox processes can access Syd's syslog(2) emulation using dmesg(8). Unprivileged processes include the set of all sandbox processes with the sandbox lock "off", and all but the initial sandbox process with the sandbox lock set to "exec". Note, this option has nothing to do with access to the host syslog which is never allowed.

trace/allow_safe_bind

Specify whether the socket address arguments of successful bind(2) calls should be allowed for connect(2), sendto(2), sendmsg(2), and sendmmsg(2) system calls.

Note, these addresses are allowed globally and not per-process for usability reasons. Thus, for example, a process which forks to call bind(2) will have its address allowed for their parent as well.

trace/allow_unsafe_bind

Specify whether the Linux capability "CAP_NET_BIND_SERVICE", which allows a process to bind(2) to ports lower than 1024, should be retained.

trace/allow_unsafe_socket

Specify whether unsafe socket families should be allowed. When set, Syd does not drop the capability CAP_NET_RAW on startup. This allows:

• use of RAW and PACKET sockets;
• bind to any address for transparent proxying.

trace/allow_unsupp_socket

Specify whether unsupported socket families such as netlink sockets should be allowed access when network sandboxing is on. By default Syd allows sandboxed access to unix, ipv4 and ipv6 sockets. This option has no effect when network sandboxing is off.

As of version 3.16.6 Syd allows access to alg sockets with the "trace/allow_safe_kcapi" option rather than with this option. Alg sockets are used to interact with the Linux kernel cryptography API.

Note, on architectures with a multiplexed socketcall(2) system call, enabling this option is insecure because it is vulnerable to TOCTOU. You may use syd-sys(1) utility to check if this system call is available on your architecture using e.g: "syd-sys socketcall && echo vulnerable".

trace/allow_unsafe_personality

Specify whether personality(2) restrictions should be lifted. See syd-ls personality for the list of allowlisted personality(2) personas. See the "Personality Syscall Restrictions" of the syd(7) manual page for more information.

trace/allow_unsafe_prctl

Specify whether prctl(2) restrictions should be lifted. See syd-ls prctl for the list of allowed prctl requests.

trace/allow_unsafe_prlimit

Specify whether prlimit(2) restrictions should be lifted.

trace/allow_unsafe_mqueue

Specify whether unsafe permissions in mode argument of mq_open(2) system call should be permitted. See the "Shared Memory Permissions Hardening" section of the syd(7) manual page for more information.

trace/allow_unsafe_rseq

Specify whether unsafe Restartable Sequences with the rseq(2) system call should be permitted. See the "Denying Restartable Sequences" section of the syd(7) manual page for more information.

trace/allow_unsafe_shm

Specify whether unsafe permissions in mode arguments of shmget(2), msgget(2), and semget(2) system calls and the "IPC_SET" operation of shmctl(2), msgctl(2), and semctl(2) system calls should be permitted. See the "Shared Memory Permissions Hardening" section of the syd(7) manual page for more information.

trace/allow_unsafe_sysinfo

Specify whether the sysinfo(2) randomizer should be disabled at startup. If this option is set at startup the sysinfo(2) system call becomes allowed and provides identical info to the files "/proc/loadavg" and "/proc/meminfo" which are disabled by default by common profiles such as the "linux" and "user" profiles. Notably this mitigation is unset for the "paludis" profile because leaking this side-channel is irrelevant for package builds.

trace/allow_unsafe_syslog

Specify whether the Linux capability "CAP_SYSLOG" should be retained. This allows the process to perform privileged syslog(2) operations. This is useful when sandboxing a service such as syslogd.

trace/allow_unsafe_sync

Specify whether the sync(2) and syncfs(2) system calls should be allowed inside the sandbox. By default these system calls are turned into no-ops to prevent potential local DoS, however it may be useful to disable this restriction in scenarios where sync is actually expected to work such as when sandboxing databases.

trace/allow_unsafe_memfd

A boolean specifying whether secret memory file descriptors and executable memory file descriptors should be enabled. By default Syd strips the "MFD_EXEC" and adds the "MFD_NOEXEC_SEAL" flag to memfd_create(2) flags argument. This ensures the memory file descriptor can never be made executable. The "MFD_NOEXEC_SEAL" flag requires Linux-6.3 or newer therefore on older kernels this option must be enabled to make memory file descriptors work. However, the user should be aware that allowing encrypted memory file descriptors does allow an attacker to bypass Exec, Force and TPE sandboxing and execute denylisted code.

trace/allow_unsafe_memory

Specify whether the Memory-Deny-Write-Execute (MDWE) protections should be bypassed. See Memory-Deny-Write-Execute Protections section of the syd(7) manual page for more information.

trace/deny_dotdot

Specify whether ".." components should be denied during path resolution for chdir(2) and open(2) family system calls. This is useful in mitigating path traversal attacks. See "Path Resolution Restriction For Chdir and Open Calls" of the syd(7) manual page for more information.

trace/deny_elf32

Deny the execution of 32-bit ELF binaries.

trace/deny_elf_dynamic

Deny the execution of dynamically linked ELF binaries.

trace/deny_elf_static

Deny the execution of statically linked ELF binaries.

trace/deny_script

Deny the execution of scripts (files with #!<interpreter> on first line).

Note, the execve(2) TOCTOU mitigations do not cover this option which means the functionality is vulnerable to TOCTOU. This allows an attacker to execute a script whose path is denylisted. This TOCTOU is limited to scripts and requires the interpreter binary to be allowlisted for exec. Hence this vulnerability does not allow an attacker to execute denylisted binaries. This is why the user is recommended to deny the respective interpreter binaries for execution instead for a safe and secure approach.

trace/deny_tsc

Specify whether reading the timestamp counter should be denied. Without an accurate timer, many timing attacks are going to be harder to perform.

• This works on x86 only.
• This breaks time related calls in the vDSO, which can be trivially worked around by writing a LD_PRELOAD library to call the respective system calls directly. See libsydtime, https://lib.rs/libsydtime, for a reference implementation.
• This has a negative performance impact on programs that rely on gettimeofday(2) being a vDSO call.

trace/exit_wait_all

Specify whether Syd should wait for all processes to exit before exiting. By default, Syd exits with the eldest process and any leftover processes in the background are automatically killed.

trace/force_cloexec

Specify whether the "O_CLOEXEC" flag should be enforced for all creat(2), open(2), openat(2), openat2(2), memfd_create(2), socket(2), accept(2), and accept4(2) system calls made by the sandbox process. When this feature is enabled, Syd ensures that every file descriptor opened by the sandbox process is automatically set with the "O_CLOEXEC" flag, which prevents these file descriptors from being inherited by newly executed programs. This measure enhances security by closing file descriptors during exec(3) calls, thereby mitigating the risk of file descriptor leakage which could lead to unauthorized access to sensitive files or resources. The feature can be toggled at runtime using Syd's virtual stat API, providing flexible control over the confinement level of sandboxed processes.

trace/force_rand_fd

Specify whether file descriptors returned by all creat(2), open(2), openat(2), openat2(2), memfd_create(2), socket(2), accept(2), and accept4(2) system calls made by the sandbox process should be randomized. When this feature is enabled, Syd specifies a random available slot (rather than the lowest-numbered one) to the SECCOMP_IOCTL_NOTIF_ADDFD operation which is used to install a file descriptor to the sandbox process. Randomizing file descriptor numbers makes it significantly harder for an attacker to predict or deliberately reuse critical descriptors, thereby raising the bar against file-descriptor reuse and collision attacks. Note that enabling this may break programs which rely on the POSIX guarantee that open(2) returns the lowest available descriptor. This behavior can be toggled at runtime via Syd's virtual stat API, allowing operators to enable or disable descriptor randomization without restarting or recompiling the sandboxed process. We're also cooperating with the HardenedBSD project to implement a similar feature in the BSD kernel. Refer to the following link for more information: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/117

This feature uses the kcmp(2) system call and requires a Linux kernel configured with the CONFIG_KCMP option. On a kernel without this option, all system calls that are part of this feature will return ENOSYS (Function not implemented).

As of version 3.38.0, this option is enabled for the user profile.

trace/force_ro_open

Specify whether creating and writing open(2) family system calls should be denied regardless of the path argument. This option is restricted to creat(2), open(2), openat(2), and openat2(2) system calls and provided for convenience. To stop all write-like access completely, including e.g. mkdir(2), truncate(2) etc., use the readonly profile instead which uses the rule "deny/wrset/***" to prevent all write-like access. See "PROFILES" section of the syd(5) manual page for more information.

trace/force_umask

Specify an umask mode to force. To unset a previously configured force umask use -1 as the value. As of version 3.15.6, chmod(2) family system calls also honour force umask for added hardening. As of version 3.22.1, this setting does not apply to directory creation for mkdir(2) and mkdirat(2) system calls. As of version 3.26.2, this setting does not apply to UNIX domain socket creation for bind(2) system calls, and non-regular file creation for mknod(2) and mknodat(2) system calls.

trace/memory_access

Set mode on cross memory attach and proc_pid_mem(5) usage. Cross memory attach is done using the system calls process_vm_readv(2) and process_vm_writev(2) which requires a Linux kernel configured with the CONFIG_CROSS_MEMORY_ATTACH option enabled. Supported modes are:

• 0: Use cross memory attach if available, use proc_pid_mem(5) otherwise.
• 1: Use /proc/pid/mem(5) unconditionally.
• 2: Use cross memory attach unconditionally.

From a security point of view, these two modes of access have an important distinction where cross memory attach honours page protections of the target process, however using /proc/pid/mem(5) does not. This makes direct proc_pid_mem(5) access dangerous in that a Syd deputy process may be confused into corrupting or even controlling memory regions the sandbox process otherwise does not have direct access to. This is the main reason why mode 2 has been added as of version 3.32.6 as a secure default alternative to the previous default mode 0 whose fallback behaviour can be unpredictable and is against the idea of secure defaults. Therefore as of version 3.32.6, the user is asked to change the memory access mode explicitly if their Linux kernel is not configured with the CONFIG_CROSS_MEMORY_ATTACH option. You may also use the environment variables SYD_NO_CROSS_MEMORY_ATTACH and SYD_PROC_PID_MEM_FALLBACK, see the "ENVIRONMENT" section of the syd(1) manual page for more information. For further information about the security impact of proc_pid_mem(5) writes refer to the following links:

• https://lore.kernel.org/lkml/202403011451.C236A38@keescook/T/
• https://lwn.net/Articles/476947/
• https://issues.chromium.org/issues/40089045

; strace -q -eprocess_vm_readv -fc -- syd -poff -pD -mtrace/memory_access:0 true
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- -----------------
100.00    0.000031          10         3           process_vm_readv
------ ----------- ----------- --------- --------- -----------------
100.00    0.000031          10         3           total
; strace -q -eprocess_vm_readv -fc -- syd -poff -pD -mtrace/memory_access:1 true
; strace -q -eprocess_vm_readv -fc -- syd -poff -pD -mtrace/memory_access:2 true
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- -----------------
100.00    0.000008           2         3           process_vm_readv
------ ----------- ----------- --------- --------- -----------------
100.00    0.000008           2         3           total

trace/sync_seccomp

Use synchronous mode for seccomp-notify so each Syd syscall handler thread wakes up on the same CPU as the respective sandbox thread that executed the system call. This option makes no functional difference and typically helps with performance. Use perf(1) to benchmark seccomp synchronous mode on your system:

; perf bench sched seccomp-notify
# Running 'sched/seccomp-notify' benchmark:
# Executed 1000000 system calls
Total time: 6.736 [sec]
6.736395 usecs/op
148447 ops/sec
; perf bench sched seccomp-notify --sync-mode
# Running 'sched/seccomp-notify' benchmark:
# Executed 1000000 system calls
Total time: 4.188 [sec]
4.188846 usecs/op
238729 ops/sec

SETS

As of v3.38.0, multiple categories may be specified split by commas and the following sets are defined to streamline sandbox profile composition. Names are intentionally chosen to be consistent with OpenBSD's pledge(2).

Some examples are given below:

default/all:kill
sandbox/inet:off
deny/cpath,rpath,wpath+${HOME}/.ssh/***
kill/spath+/tmp/***
allow/inet+loopback!1024-65535
kill/unix+/dev/log