Syd is a rock-solid unikernel to sandbox applications on Linux>=5.19.
Syd is similar to Bubblewrap, Firejail, GVisor, and minijail. Syd is
secure by default, and intends to provide a simple interface over
various intricate Linux sandboxing mechanisms such as LandLock,
Namespaces, Ptrace, and Seccomp-{BPF,Notify}, most of which have a
reputation of being brittle and difficult to use. You may run Syd as a
regular user, with no extra privileges, and you can even set Syd as your
login shell. Syd adheres to the UNIX philosophy and intends to do one
thing and do it well with least privilege: it requires neither SETUID,
like Firejail, nor a privileged kernel context, like eBPF-based
alternatives such as Falco or this. Syd is based mostly on and shares
its Threat Model with Seccomp. Syd does not suffer from TOCTTOU issues
like GSWTK and Systrace: As a unikernel, it executes system calls on
behalf of the sandboxed process rather than continuing them in the
sandbox process. LandLock ABI version 3 is supported for additional
hardening. Use of Ptrace is minimal and optional with a negligible
overhead. Use of unprivileged user namespaces is optional and off by
default. A brief overview of Syd's capabilities is as follows:

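The TOCTTOU point above is easiest to see in code. The following model is an added illustration, not Syd's own code: it contrasts a supervisor that validates a syscall argument and then lets the kernel resume the original syscall (the Systrace/GSWTK pattern) with one that validates a private copy and performs the operation itself, as described for Syd. The sandbox memory, the kernel and the racing sibling thread are stand-in Python objects; the policy prefix, the paths and the `swap_path` racer are constructed for the example.

```python
"""
Model of the TOCTTOU race in syscall interposition (added illustration, not
Syd's code). A sandboxed process calls open(path); two supervisor designs
decide whether it may proceed:

  check_then_continue - validate the path, then let the kernel finish the
                        original syscall, which re-reads the path from the
                        sandboxed process's memory;
  execute_on_behalf   - validate a private copy of the path and perform the
                        open in the supervisor, handing back a descriptor.

SandboxMemory stands in for /proc/PID/mem, FakeKernel for the real kernel,
and the racer callback for a sibling thread that runs between check and use.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed policy: the sandbox may only open files below this prefix.
ALLOWED_PREFIX = b"/home/user/public/"


@dataclass
class SandboxMemory:
    """Address space of the sandboxed process, holding the path buffer it
    passed to open(). Any thread of that process may rewrite it at any time."""
    path: bytearray


@dataclass
class FakeKernel:
    """Records which path each open() actually acted on (no real files)."""
    opened: List[bytes] = field(default_factory=list)

    def do_open(self, path: bytes) -> int:
        self.opened.append(path)
        return len(self.opened) + 2  # stand-in descriptor number (3, 4, ...)


def read_path(mem: SandboxMemory) -> bytes:
    """Copy the NUL-terminated path out of sandbox memory, as a supervisor
    would with process_vm_readv() or /proc/PID/mem."""
    return bytes(mem.path).split(b"\0", 1)[0]


def policy_allows(path: bytes) -> bool:
    """Allow only paths under ALLOWED_PREFIX that contain no '..' component."""
    return path.startswith(ALLOWED_PREFIX) and b".." not in path.split(b"/")


Racer = Optional[Callable[[SandboxMemory], None]]


def check_then_continue(mem: SandboxMemory, kernel: FakeKernel,
                        racer: Racer = None) -> int:
    """Vulnerable design: the check and the use read the argument separately."""
    path = read_path(mem)
    if not policy_allows(path):
        return -1  # refused (EACCES)
    if racer:
        racer(mem)  # the interleaving: a sibling thread runs right here
    # The kernel resumes the *original* syscall and reads the argument again.
    return kernel.do_open(read_path(mem))


def execute_on_behalf(mem: SandboxMemory, kernel: FakeKernel,
                      racer: Racer = None) -> int:
    """Syd-style design: one copy is taken, validated and used."""
    path = read_path(mem)  # the only copy that is ever acted on
    if not policy_allows(path):
        return -1
    if racer:
        racer(mem)  # sandbox memory changes, but the supervisor keeps its copy
    return kernel.do_open(path)


def swap_path(mem: SandboxMemory) -> None:
    """Constructed racing thread: rewrite the buffer after the check passed."""
    mem.path[:] = b"/home/user/private/secret.txt\0"


def run_race(design: Callable[..., int]) -> bytes:
    """Run one design against the racing thread and return the path the kernel
    actually opened, or b'' if the open was refused."""
    mem = SandboxMemory(bytearray(b"/home/user/public/notes.txt\0"))
    kernel = FakeKernel()
    fd = design(mem, kernel, swap_path)
    return kernel.opened[-1] if fd >= 0 else b""


if __name__ == "__main__":
    print("check-then-continue opened:", run_race(check_then_continue))
    print("execute-on-behalf opened:  ", run_race(execute_on_behalf))
```

In seccomp user-notification terms, the first design corresponds to answering a notification with `SECCOMP_USER_NOTIF_FLAG_CONTINUE`, which the seccomp_unotify(2) manual page warns is unsafe for exactly this reason; the second is what `SECCOMP_IOCTL_NOTIF_ADDFD` exists for: the supervisor opens the file itself and installs the resulting descriptor into the target process, so nothing the sandboxed process writes afterwards can change which file was opened.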
Syd is an open-source sandboxing tool developed as part of the Exherbo Linux
project, serving as its default sandbox. With over 15 years of development, Syd
provides robust, privilege-free application sandboxing for Linux systems.
In the same space as Bubblewrap, Firejail, GVisor, and minijail, Syd is
distinguished by operating without elevated privileges and by being secure by
default.

This talk introduces Syd's approach to application sandboxing, leveraging Linux
kernel features while maintaining simplicity. Key highlights include:

- No Elevated Privileges Required: Runs as a regular user without the need for
  root access, SETUID binaries, or privileged kernel contexts.
- Secure by Default: Adheres to the UNIX philosophy of doing one thing well
  with the least privilege necessary.
- Comprehensive Sandboxing Mechanisms: Offers fourteen types of sandboxing,
  including Read/Write/Exec controls, Network sandboxing, Memory and PID
  limits, and more.
- Learning Mode with Pandora: Features a learning mode powered by our tool
  Pandora, enabling dynamic policy generation based on application behavior.
- Namespace and Containerization Support: Provides support for Linux
  namespaces, facilitating process and device isolation without added
  complexity.
- Ease of Integration: Can be used as a login shell to create restricted user
  environments and integrates seamlessly into various workflows.

Attendees will learn how Syd enhances application security with minimal
overhead, making advanced sandboxing accessible and practical. We'll explore
its unique features, demonstrate real-world use cases, and show how Syd
leverages kernel capabilities to provide robust security. Join us to discover
how Syd, the default sandbox of Exherbo Linux, strengthens your Linux
environment's security in a straightforward and effective way.
