top | item 43030681

hayali | 1 year ago

Better go for the latest version, syd-3.32.0, which I released shortly after FOSDEM. This release (hopefully) finishes the sandbox categorization work; check out https://man.exherbolinux.org/syd.7.html#SANDBOXING. If you know about OpenBSD pledge(2), you'll feel mostly at home ;)

hayali | 1 year ago

Here is a snapshot from the first ever server in the observable universe running Hardened Exherbo, https://0x0.st/8Z3h.png, which displays a very interesting and, as far as I know, novel use case of the notify action. If you read seccomp-unotify(2) and the Linux kernel docs, they'll go on telling you about how to run "higher privileges" in the handler process (such as mount, finit_module, fancy for containers); however, here we do _exactly_ the opposite (because why not). As you may easily observe, the "syd_emu" threads running the syscalls are running as the nginx user, whereas the "nginx master process", which is sandboxed by syd, is still running as root (it spawns new workers who change uid, don't ask me why). So, e.g., if you compromise the nginx master and run a syscall, it'll run as the nginx user in a syd_emu thread anyhow. This we call SafeSetID (like that of the Linux kernel). I plan to do more in the future: imagine syd_emu threads are processes that are fork+exec'ed with different address spaces, with the sandbox policy shared behind a memfd that's sealed for write once the sandbox gets locked.

Finally, this nginx serves https://hexsys.org at the moment, from which you'll hopefully and eventually download ISOs one day ;) So far I have sydboxed dhcp, rsyslog and ntpd, stay tuned!
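The last idea in the comment above, a sandbox policy shared through a memfd that is sealed once the sandbox locks, is easy to demonstrate in isolation. The following is an added example, not syd's own code and not its policy format: it assumes Linux with memfd_create(2) and file sealing (glibc 2.27 or newer), and the policy text it stores is a constructed placeholder. It creates the memfd, writes the policy, seals it with F_SEAL_SHRINK, F_SEAL_GROW, F_SEAL_WRITE and F_SEAL_SEAL, and then, playing the role of a compromised holder of the descriptor, tries every way of changing it (overwrite, truncate, extend, writable shared mapping, removing or adding seals) and checks that the kernel refuses each with EPERM while reads still succeed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Seal set applied when the sandbox locks: no shrink, no grow, no writes
 * (including writable shared mappings), and no further changes to seals. */
#define POLICY_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)

/* Create an anonymous memfd holding the (hypothetical) policy text. The fd is
 * left inheritable on purpose so a fork+exec'ed emulator process can receive
 * it; it stays writable until lock_policy() is called. Returns fd or -1. */
int create_policy_memfd(const char *policy, size_t len)
{
    int fd = memfd_create("sandbox-policy", MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, policy + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        done += (size_t)n;
    }
    return fd;
}

/* Lock the policy: afterwards no holder of this fd, or of any dup of it in
 * another process, can change its bytes, its size, or the seals. */
int lock_policy(int fd)
{
    return fcntl(fd, F_ADD_SEALS, POLICY_SEALS);
}

/* Try each modification a compromised holder might attempt; return 1 only if
 * the full seal set is present and the kernel rejects every attempt with EPERM. */
int policy_is_immutable(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || (seals & POLICY_SEALS) != POLICY_SEALS)
        return 0;
    off_t size = lseek(fd, 0, SEEK_END);
    if (size <= 0)
        return 0;
    if (pwrite(fd, "X", 1, 0) != -1 || errno != EPERM)        /* overwrite */
        return 0;
    if (ftruncate(fd, 0) != -1 || errno != EPERM)             /* shrink */
        return 0;
    if (ftruncate(fd, size + 1) != -1 || errno != EPERM)      /* grow */
        return 0;
    void *p = mmap(NULL, (size_t)size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p != MAP_FAILED) {                                    /* writable mapping */
        munmap(p, (size_t)size);
        return 0;
    }
    if (errno != EPERM)
        return 0;
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) != -1 || errno != EPERM) /* seal changes */
        return 0;
    return 1;
}

/* Readers are unaffected: the sandbox (any process with the fd) still reads it. */
ssize_t read_policy(int fd, char *buf, size_t cap)
{
    return pread(fd, buf, cap, 0);
}

/* Whole lifecycle: create, confirm it is not yet locked, lock, confirm it is
 * tamper-proof, read it back. Returns 0 on success or a negative step number. */
int run_policy_lifecycle(const char *policy, size_t len)
{
    char buf[4096];
    if (len == 0 || len > sizeof buf)
        return -1;
    int fd = create_policy_memfd(policy, len);
    if (fd < 0)
        return -2;
    int rc = 0;
    if (policy_is_immutable(fd))
        rc = -3;
    else if (lock_policy(fd) < 0)
        rc = -4;
    else if (!policy_is_immutable(fd))
        rc = -5;
    else if (read_policy(fd, buf, sizeof buf) != (ssize_t)len || memcmp(buf, policy, len) != 0)
        rc = -6;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed placeholder text, not syd's policy syntax. */
    static const char policy[] = "allow read /usr\ndeny write /\n";
    int rc = run_policy_lifecycle(policy, sizeof policy - 1);
    printf("sealed policy lifecycle: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc != 0;
}
```

The one sharp edge worth knowing: F_SEAL_WRITE is refused with EBUSY while any writable shared mapping of the memfd exists, so the locking side must seal before handing the descriptor out, or at least before anyone maps it PROT_WRITE; and the seals travel with the open file description, so a dup or an inherited copy in another process is equally read-only.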