129 stable releases
| new 3.16.7 | Apr 24, 2024 |
|---|---|
| 3.16.5 | Apr 22, 2024 |
| 3.15.7 | Mar 27, 2024 |
| 3.14.2 | Feb 29, 2024 |
| 3.2.1 | Oct 30, 2023 |
#65 in Unix APIs
35,368 downloads per month
2.5MB
53K
SLoC
Syd is a rock-solid user-space kernel to sandbox applications on Linux>=5.19. Syd is similar to GVisor, Firejail, and Bubblewrap. A brief overview of Syd's capabilities are as follows:
- Read sandboxing
- Write sandboxing (and Path Masking)
- Stat sandboxing (aka Path Hiding)
- Exec sandboxing (and SegvGuard)
- Force sandboxing (aka Binary verification)
- Network sandboxing (feat. UNIX, IPv4, IPv6, and KCAPI sockets)
- Lock sandboxing (uses Landlock LSM)
- Memory sandboxing
- PID sandboxing (simpler alternatives to Control Groups)
- Namespaces and Containerization
Read the fine manuals of syd,
libsyd,
gosyd,
plsyd,
pysyd,
rbsyd,
syd.el and watch the asciicasts Memory
Sandboxing, PID
Sandboxing, Network
Sandboxing, and Sandboxing Emacs with
syd. Join the CTF event at
https://ctftime.org/event/2178 and try to read the file /etc/CTF¹ on
syd.chesswob.org with ssh user/pass: syd.
- Use cargo to install from source, requires libseccomp.
- Packaged on Exherbo as
sys-apps/sydbox. - Packaged on Gentoo as
sys-apps/syd. - Binary releases located at https://distfiles.exherbolinux.org/#sydbox/
- Releases are signed with this key: https://keybase.io/alip/pgp_keys.asc
- Change Log is here: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md
- Tested on arm64, armv7, x86, and x86-64 with GitLab Pipelines, and SourceHut Builds.
Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Follow toots with the #sydbox hashtag and discuss in #sydbox on Libera Chat.
¹: The SHA256
checksum is f1af8d3946546f9d3b1af4fe15f0209b2298166208d51a481cf51ac8c5f4b294.
Dependencies
~17–32MB
~476K SLoC