201 stable releases

3.29.4 Dec 1, 2024
3.29.1 Nov 30, 2024
3.27.0 Oct 11, 2024
3.23.17 Jul 25, 2024
3.6.2 Nov 30, 2023

#45 in Unix APIs

Download history 128130/week @ 2024-08-23 127461/week @ 2024-08-30 111151/week @ 2024-09-06 117427/week @ 2024-09-13 123794/week @ 2024-09-20 122935/week @ 2024-09-27 124256/week @ 2024-10-04 124825/week @ 2024-10-11 124544/week @ 2024-10-18 124630/week @ 2024-10-25 119639/week @ 2024-11-01 125658/week @ 2024-11-08 124204/week @ 2024-11-15 93717/week @ 2024-11-22 23296/week @ 2024-11-29 29426/week @ 2024-12-06

288,660 downloads per month

GPL-3.0 license

3.5MB
86K SLoC

Change returns success. Going and coming without error. Action brings good fortune.

lev(syd,bsd)<e Shine On You Crazy Diamond! Try to Avoid Chance!

syd:discord #sydbox:mailstation.de #sydbox:irc.libera.chat

msrv repology build status pipeline status

license maintenance-status dependency status OpenSSF best practices

Syd is a rock-solid application kernel to sandbox applications on Linux>=5.19. Syd is similar to Bubblewrap, Firejail, GVisor, and minijail. As an application kernel it implements a subset of the Linux kernel interface in user space, intercepting system calls to provide strong isolation without the overhead of full virtualization. Syd is secure by default, and intends to provide a simple interface over various intricate Linux sandboxing mechanisms such as LandLock, Namespaces, Ptrace, and Seccomp-{BPF,Notify}, most of which have a reputation of being brittle and difficult to use. You may run Syd as a regular user, with no extra privileges, and you can even set Syd as your login shell. Syd adheres to the UNIX philosophy and intends to do one thing and do it well with least privilege: Neither SETUID is required like Firejail, nor privileged kernel context is required like EBPF-based alternatives such as Falco or this. Syd is based mostly on and shares its Threat Model with Seccomp. Syd does not suffer from TOCTTOU issues like GSWTK and Systrace: As an application kernel, it executes system calls on behalf of the sandboxed process rather than continuing them in the sandbox process. LandLock, up to ABI version 6, is supported for additional hardening. Use of Ptrace is minimal and optional with a negligible overhead. Use of unprivileged user namespaces is optional and off by default. A brief overview of Syd's capabilities are as follows:

Read the fine manuals of syd, libsyd, gosyd, plsyd, pysyd, rbsyd, syd.el and watch the asciicasts Memory Sandboxing, PID Sandboxing, Network Sandboxing, and Sandboxing Emacs with syd. Join the CTF event at https://ctftime.org/event/2178 and try to read the file /etc/CTF¹ on syd.chesswob.org with ssh user/pass: syd.²

Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Follow toots with the #sydbox hashtag and discuss in #sydbox on Libera Chat.

¹: SHA256(/etc/CTF)=f1af8d3946546f9d3b1af4fe15f0209b2298166208d51a481cf51ac8c5f4b294

²: Start by reading the CTF sandbox profile.

³: That cat's something I can't explain!

Dependencies

~12–26MB
~395K SLoC