SYD-SEC(1)                  General Commands Manual                  SYD-SEC(1)

NAME
       syd-sec - Print secure bits or run command with secure bits set

SYNOPSIS
       syd-sec [-ahikprsxAIKPRSX] {command [args...]}

DESCRIPTION
       Given no arguments, print information on process secure bits in
       compact JSON.

       Given no command, one or more of the secure bit options [-aikprsx]
       may be given to test for secure bits. Use the capital letter options,
       [-AIKPRSX], to test for the locked versions of the respective secure
       bits.

       Given a command and arguments together with at least one of the
       secure bit options [-aikprsxAIKRSX], set the specified secure bits,
       execute the command and exit with the same status.

OPTIONS
       -h     Display help and exit.

       -p, -P Set/test process no_new_privs attribute.

       -r, -R Set/test secure bit SECBIT_NOROOT.

       -s, -S Set/test secure bit SECBIT_NO_SETUID_FIXUP.

       -k, -K Set/test secure bit SECBIT_KEEP_CAPS.

       -a, -A Set/test secure bit SECBIT_NO_CAP_AMBIENT_RAISE.

       -x, -X Set/test secure bit SECBIT_EXEC_RESTRICT_FILE.

       -i, -I Set/test secure bit SECBIT_EXEC_DENY_INTERACTIVE.

SECURE BITS
       +------------------------+----------------------------------------+--------------+
       | Securebit              | Description                            | CAP_SETPCAP  |
       |                        |                                        | required?    |
       +------------------------+----------------------------------------+--------------+
       | NO_NEW_PRIVS           | When set, execve(2) will not grant     | No           |
       |                        | new privileges (e.g., set-user-ID/     |              |
       |                        | set-group-ID mode bits and file        |              |
       |                        | capabilities are ignored). Inherited   |              |
       |                        | across fork(2), clone(2), and          |              |
       |                        | execve(2); once set, cannot be unset.  |              |
       +------------------------+----------------------------------------+--------------+
       | NOROOT                 | Disable special handling of UID 0 for  | Yes          |
       |                        | gaining capabilities on exec/setuid.   |              |
       |                        | NOROOT_LOCKED is the lock for NOROOT   |              |
       |                        | (prevents further changes;             |              |
       |                        | irreversible).                         |              |
       +------------------------+----------------------------------------+--------------+
       | NO_SETUID_FIXUP        | Stop kernel adjustments to             | Yes          |
       |                        | permitted/effective/ambient            |              |
       |                        | capability sets when effective/        |              |
       |                        | filesystem UIDs toggle between 0 and   |              |
       |                        | nonzero. NO_SETUID_FIXUP_LOCKED is the |              |
       |                        | lock for NO_SETUID_FIXUP (prevents     |              |
       |                        | further changes; irreversible).        |              |
       +------------------------+----------------------------------------+--------------+
       | KEEP_CAPS              | Allow retaining permitted capabilities | Yes          |
       |                        | when switching all UIDs from 0 to      |              |
       |                        | nonzero; always cleared on execve(2).  |              |
       |                        | KEEP_CAPS_LOCKED is the lock for       |              |
       |                        | KEEP_CAPS (prevents further changes;   |              |
       |                        | irreversible).                         |              |
       +------------------------+----------------------------------------+--------------+
       | NO_CAP_AMBIENT_RAISE   | Disallow raising ambient capabilities  | Yes          |
       |                        | via prctl(PR_CAP_AMBIENT_RAISE).       |              |
       |                        | NO_CAP_AMBIENT_RAISE_LOCKED is the     |              |
       |                        | lock for NO_CAP_AMBIENT_RAISE          |              |
       |                        | (prevents further changes;             |              |
       |                        | irreversible).                         |              |
       +------------------------+----------------------------------------+--------------+
       | EXEC_RESTRICT_FILE     | Interpreter/dynamic linker should      | No           |
       |                        | execute a file only if execveat(2)     |              |
       |                        | with AT_EXECVE_CHECK on the related    |              |
       |                        | file descriptor succeeds.              |              |
       |                        | EXEC_RESTRICT_FILE_LOCKED is the lock  |              |
       |                        | for EXEC_RESTRICT_FILE (prevents       |              |
       |                        | further changes; irreversible).        |              |
       +------------------------+----------------------------------------+--------------+
       | EXEC_DENY_INTERACTIVE  | Interpreter should not accept          | No           |
       |                        | interactive user commands; content     |              |
       |                        | via a file descriptor is allowed only  |              |
       |                        | if execveat(2) with AT_EXECVE_CHECK    |              |
       |                        | succeeds. EXEC_DENY_INTERACTIVE_LOCKED |              |
       |                        | is the lock for EXEC_DENY_INTERACTIVE  |              |
       |                        | (prevents further changes;             |              |
       |                        | irreversible).                         |              |
       +------------------------+----------------------------------------+--------------+

EXIT STATUS
       When querying secure bits, syd-sec exits with success if all the
       specified secure bits are set in the process secure bits.

       When running a command, syd-sec exits with the same code as the child
       process. If the PR_SET_SECUREBITS(2const) prctl(2) operation fails
       prior to command execution, syd-sec exits with errno(3).

SEE ALSO
       syd(1), syd(2), syd(5), syd-lock(1), syd-mdwe(1), syd-ofd(1),
       syd-pds(1), PR_GET_SECUREBITS(2const), PR_SET_SECUREBITS(2const)

       syd homepage: https://sydbox.exherbo.org/

AUTHORS
       Maintained by Ali Polatel. Up-to-date sources can be found at
       https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be
       submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues.
       Discuss in #sydbox on Libera Chat or in #sydbox:mailstation.de on
       Matrix.

                                  2025-12-02                         SYD-SEC(1)
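The checks this page describes, as an added C example that is not part of the syd-sec sources: it decodes a securebits word into compact JSON (the key names are this example's assumption, not syd-sec's exact output), applies the query rule from EXIT STATUS (all requested bits must be set), and reports which requested bits a lock bit or the CAP_SETPCAP requirement from the table would block; main() queries the live process with prctl(2). The SB_* bit positions are taken from the kernel's uapi securebits header, defined locally so the block also builds where the headers predate the EXEC_* bits.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Bit positions as in include/uapi/linux/securebits.h. */
#define SB_NOROOT                (1u << 0)
#define SB_NO_SETUID_FIXUP       (1u << 2)
#define SB_KEEP_CAPS             (1u << 4)
#define SB_NO_CAP_AMBIENT_RAISE  (1u << 6)
#define SB_EXEC_RESTRICT_FILE    (1u << 8)
#define SB_EXEC_DENY_INTERACTIVE (1u << 10)
#define SB_LOCK(b)               ((b) << 1)  /* each lock bit follows its base bit */

struct secbit { const char *name; unsigned bit; int needs_setpcap; };
static const struct secbit SECBITS[] = {  /* needs_setpcap column from the table above */
    {"noroot", SB_NOROOT, 1}, {"no_setuid_fixup", SB_NO_SETUID_FIXUP, 1},
    {"keep_caps", SB_KEEP_CAPS, 1}, {"no_cap_ambient_raise", SB_NO_CAP_AMBIENT_RAISE, 1},
    {"exec_restrict_file", SB_EXEC_RESTRICT_FILE, 0},
    {"exec_deny_interactive", SB_EXEC_DENY_INTERACTIVE, 0},
};
#define NSECBITS (sizeof SECBITS / sizeof SECBITS[0])

/* Query rule from EXIT STATUS: success only if every requested bit is set. */
int secbits_all_set(unsigned bits, unsigned want) { return (bits & want) == want; }
/* A base bit can still be changed only while its lock bit is clear. */
int secbit_changeable(unsigned bits, unsigned bit) { return !(bits & SB_LOCK(bit)); }

/* Mask of requested-but-unset bits that cannot be set from this state:
 * either locked, or needing CAP_SETPCAP the caller does not hold. */
unsigned secbits_blocked(unsigned bits, unsigned want, int have_setpcap) {
    unsigned blocked = 0;
    for (size_t i = 0; i < NSECBITS; i++) {
        unsigned b = SECBITS[i].bit;
        if (!(want & b) || (bits & b)) continue;  /* not requested, or already set */
        if (!secbit_changeable(bits, b) || (SECBITS[i].needs_setpcap && !have_setpcap))
            blocked |= b;
    }
    return blocked;
}

/* Compact JSON; the key names are this example's assumption, not syd-sec's format. */
int secbits_to_json(unsigned bits, int no_new_privs, char *out, size_t n) {
    int len = snprintf(out, n, "{\"no_new_privs\":%d", no_new_privs);
    for (size_t i = 0; i < NSECBITS && (size_t)len < n; i++)
        len += snprintf(out + len, n - len, ",\"%s\":%d,\"%s_locked\":%d", SECBITS[i].name,
                        !!(bits & SECBITS[i].bit), SECBITS[i].name,
                        !!(bits & SB_LOCK(SECBITS[i].bit)));
    return (size_t)len < n ? len + snprintf(out + len, n - len, "}") : len;
}

int main(void) {  /* query the live process, as syd-sec with no arguments does */
    char buf[512];
    int bits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0), nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (bits < 0 || nnp < 0) { perror("prctl"); return 1; }
    secbits_to_json((unsigned)bits, nnp, buf, sizeof buf);
    puts(buf);
    return 0;
}
```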