In this talk, I will introduce Syd, a GPL-3 licensed, rock-solid application kernel designed for sandboxing applications on Linux systems (version 5.19 and above). Over the past 16 years, Syd has evolved from a tool used within Exherbo Linux to detect package build mishaps into a robust security boundary for applications. The recent rewrite in Rust leverages modern Linux APIs such as seccomp-unotify(2), openat2(2), and pidfd_getfd(2) to eliminate time-of-check to time-of-use (TOCTTOU) vulnerabilities, which is essential for building a secure sandbox.
Better go for the latest version, syd-3.32.0, which I released shortly after FOSDEM. This release (hopefully) finishes the sandbox categorization work; check out https://man.exherbolinux.org/syd.7.html#SANDBOXING. If you know about OpenBSD pledge(2), you'll feel mostly at home ;)
Here is a snapshot from the first ever server in the observable universe running Hardened Exherbo, https://0x0.st/8Z3h.png, which displays a very interesting and AFAIK novel use case of the notify action. If you read seccomp-unotify(2) and the Linux kernel docs, they'll tell you about how to run with "higher privileges" in the handler process (such as mount, finit_module, fancy for containers); however, here we do _exactly_ the opposite (because why not). As you may easily observe, the "syd_emu" threads running the syscalls are running as the nginx user; however, the "nginx master process", which is sandboxed by syd, is still running as root (it spawns new workers which change uid, don't ask me why). So e.g. if you compromise the nginx master and run a syscall, it'll run as the nginx user in a syd_emu thread anyhow. This we call SafeSetID (like that of the Linux kernel). I plan to do more in the future: imagine syd_emu threads are processes that are fork+exec'ed with different address spaces, with the sandbox policy shared behind a memfd that's sealed for write on the sandbox getting locked.
Finally, this nginx serves https://hexsys.org atm, from which you'll hopefully and eventually download ISOs one day ;) So far I have sydboxed dhcp, rsyslog and ntpd; stay tuned!
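The notify-handler arrangement the comment above describes, as an added example that is not part of Syd or of the original post: one thread installs a seccomp filter that hands getppid() to a supervisor thread, and the supervisor validates the request (the id re-check that seccomp-unotify(2) prescribes against TOCTTOU) and answers it without the kernel ever running the syscall. Where a syd_emu thread would switch to the nginx user before acting, this demo simply returns a constructed value; the function names and the value 4242 are assumptions of the example, and it needs Linux 5.0 or later.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define EMULATED_PPID 4242          /* constructed value the supervisor hands back */
static int listener_fd = -1;        /* threads share one fd table: no SCM_RIGHTS needed */
static pthread_barrier_t filter_ready;

/* Sandboxed thread: route getppid() to the supervisor, call it, record what came back. */
static void *sandboxed(void *out)
{
    struct sock_filter filt[] = {   /* demo filter: a real one also checks data.arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 0),  /* load seccomp_data.nr (offset 0) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = filt };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
        listener_fd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    pthread_barrier_wait(&filter_ready);
    *(long *)out = listener_fd < 0 ? -1 : syscall(SYS_getppid);
    return NULL;
}

/* Supervisor (the "syd_emu" role): take one request, validate it, answer it. */
static int supervise(int fd)
{
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0}; /* kernel wants req zeroed */
    if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) return -1;
    /* TOCTTOU guard from seccomp-unotify(2): after inspecting the request (syd also reads the
     * target's memory and fds at this point), confirm the id is still live before acting. */
    if (req.data.nr != __NR_getppid || ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) < 0) return -1;
    resp.id = req.id; resp.val = EMULATED_PPID; /* answer from here instead of running the syscall */
    return ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
}

/* Returns what the sandboxed thread observed from getppid(), or -1 on failure. */
long run_demo(void)
{
    pthread_t t; long seen = -1; listener_fd = -1;
    pthread_barrier_init(&filter_ready, NULL, 2);
    if (pthread_create(&t, NULL, sandboxed, &seen)) return -1;
    pthread_barrier_wait(&filter_ready);
    int ok = listener_fd >= 0 && supervise(listener_fd) == 0;
    close(listener_fd);             /* also releases a stranded request with ENOSYS */
    pthread_join(t, NULL); pthread_barrier_destroy(&filter_ready);
    return ok ? seen : -1;
}
```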