In this talk, I will introduce Syd, a GPL-3 licensed, rock-solid application kernel designed for sandboxing applications on Linux systems (kernel version 5.19 and above). Over the past 16 years, Syd has evolved from a tool used within Exherbo Linux to detect package build mishaps into a robust security boundary for applications. The recent rewrite in Rust leverages modern Linux APIs such as seccomp-unotify(2), openat2(2), and pidfd_getfd(2) to eliminate time-of-check to time-of-use (TOCTTOU) vulnerabilities, which is essential for building a secure sandbox.
Better go for the latest version, syd-3.32.0, which I released shortly after FOSDEM. This release (hopefully) finishes the sandbox categorization work; check out https://man.exherbolinux.org/syd.7.html#SANDBOXING. If you know about OpenBSD pledge(2), you'll feel mostly at home ;)