.\" Generated by scdoc 1.11.3
.\" Complete documentation for this program is not available as a GNU info page
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.nh
.ad l
.\" Begin generated content:
.TH "SYD" "2" "2025-02-14"
.PP
.SH NAME
.PP
\fB/dev/syd\fR virtual system call interface
.PP
.SH SYNOPSIS
.PP
.nf
.RS 4
#include <sys/types\&.h>
#include <sys/stat\&.h>
#include <fcntl\&.h>

/* Execute sandbox commands */
int stat("/dev/syd/[command]", NULL);         // "syd -m command"
int stat("/dev/syd/[config]?", NULL);
int stat("/dev/syd/[config]:[value]", NULL);  // "syd -m config:value"
int stat("/dev/syd/[list]+[value]", NULL);    // "syd -m list+value"
int stat("/dev/syd/[list]-[value]", NULL);    // "syd -m list-value"
int stat("/dev/syd/[list]^[value]", NULL);    // "syd -m list^value"
int stat("/dev/syd/[command]![value]", NULL);

/* Read sandbox state as JSON */
int open("/dev/syd", O_RDONLY);

/* Read syd\&.el which is the Emacs Lisp implementation of the API */
int open("/dev/syd\&.el", O_RDONLY);

/* Read syd\&.sh which exports esyd shell function */
int open("/dev/syd\&.sh", O_RDONLY);
.fi
.RE
.PP
.SH DESCRIPTION
.PP
The \fB/dev/syd\fR virtual system call interface is a unique mechanism designed for
runtime configuration of the Syd sandbox environment.\& It enables sandboxed
processes to interact with the Syd process to dynamically adjust sandbox
settings or query its state.\& This interaction is facilitated through the use of
virtual system calls, specifically via the \fIstat\fR(2) system call, applied to
specially constructed paths under \fB/dev/syd\fR.\&
.PP
This interface allows for a range of operations, including enabling or disabling
sandbox features, appending or removing elements from lists, querying the
sandbox state, and executing special Syd commands.\& Operations are specified
through paths constructed with \fB/dev/syd\fR as the prefix, followed by a sandbox
command and an operation character that denotes the desired action:
.PP
.PD 0
.IP \(bu 4
\fB:\fR for setting a value (boolean, integer, string),
.IP \(bu 4
\fB?\&\fR for querying a value,
.IP \(bu 4
\fB+\fR for appending to a string array,
.IP \(bu 4
\fB-\fR for removing an element from a string array,
.IP \(bu 4
\fB^\fR for removing all matching elements from a string array, and
.IP \(bu 4
\fB!\&\fR for executing a special Syd command.\&
.PD
.PP
This interface supports a flexible and powerful method for managing sandbox
policies dynamically, allowing for real-time adjustments to the security and
operational behavior of sandboxed processes.\& \fBlibsyd\fR is a comprehensive C
library designed for interfacing with the Syd stat interface.\& It offers
functionalities for managing sandbox states, and facilitating runtime
configuration and interaction with the Syd sandboxing environment.\& \fBgosyd\fR is
a Go module that uses \fIcgo\fR to use \fBlibsyd\fR.\& \fBplsyd\fR is a Perl module that uses
\fIFFI::Platypus\fR to use \fBlibsyd\fR.\& \fBpysyd\fR is a Python module that uses \fIctypes\fR
to use \fBlibsyd\fR.\& \fBrbsyd\fR is a Ruby module that uses \fIffi\fR gem to use \fBlibsyd\fR.\&
\fBsyd.\&el\fR is an \fIEmacs Lisp\fR implementation of the Syd stat interface.\&
.PP
.SH COMMANDS
.PP
The \fB/dev/syd\fR interface supports the following commands for runtime
configuration of the sandbox.\& Each command can be invoked through the \fIstat\fR(2)
system call on special paths under \fB/dev/syd\fR.\& Note, Syd provides similar
interfaces for the \fIstat\fR(2) interface, \fB-m\fR command-line option and the
configuration file.\& Some sandbox commands only take affect when they'\&re
submitted on startup, such as \fBunshare/user\fR, and \fBsandbox/lock\fR.\& Such commands
are noted as \fBstatic\fR in the descriptions below.\&
.PP
.SS stat
.PP
This command causes Syd to output sandbox state on standard error.\&
.PP
.SS reset
.PP
This command causes Syd to reset sandboxing to the default state.\&
Allowlists, denylists and filters are going to be cleared.\& The state of
the sandbox lock is not affected by reset.\& This ensures an unintended
reset cannot open window for a sandbox bypass.\& In addition, the state of
Crypt sandboxing is not affected by reset too.\& This ensures concurrent
or near-concurrent encryption operations continue uninterrupted.\&
.PP
.SS panic
.PP
This command causes Syd to exit immediately with code 127.\&
.PP
Due to security reasons, this command is only available via the virtual stat
call, it may not be used with the \fB-m\fR command line switch or in a configuration
file.\&
.PP
Due to safety reasons, panic may not be called when Crypt sandboxing is
on.\& In this case the virtual \fIstat\fR(2) returns -1 and sets errno to
"EBUSY".\& This ensures concurrent or near-concurrent encryption
operations continue uninterrupted.\&
.PP
.SS ghost
.PP
This command initiates Ghost mode.\& Ghost mode is irreversible so you can
call this command only once during Syd runtime.\& See Ghost mode section
in \fIsyd\fR(7) manual page for more information.\& In case of successful initiation,
the virtual \fIstat\fR(2) call returns -1 and sets the errno to "EOWNERDEAD".\&
.PP
Due to security reasons, this command implies "reset", ie.\& the sandbox
state is reset before Ghost mode initiation to ensure there'\&re no
run-away exec processes after the invocation of the "ghost" command.\&
.PP
Due to security reasons, this command is only available via the virtual stat
call, it may not be used with the \fB-m\fR command line switch or in a configuration
file.\&
.PP
.SS config/expand
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBinteger (u64)\fR
T}
T{
default
T}	T{
\fB0\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Given zero as timeout in seconds, which is the default, enables
environment variable and tilde expansion using the "shellexpand" crate.\&
This runs much faster as it does not require confinement, however it
does not support command substitution and recursive environment variable
expansion like \fIwordexp\fR(3) does.\& Notably, unset environment variables
are not expanded to empty strings.\& On environment variable lookup errors
and UTF-8 decoding errors Syd stops parsing and exits with error.\& This
is done for safety as an unintended empty-string expansion can
potentially cause the resulting sandboxing rule to allowlist unintended
paths without the user easily noticing it.\& The user is recommended to
set default values for environment variables using the familiar
"${HOME:-/var/empty}" notation.\&  If you really want empty-string
expansion on unset environment variables, you can get this effect using
the notation "${HOME:-}" but this is not recommended and should be used
with care.\&
.PP
Given a positive integer as timeout in seconds, enables environment
variable expansion and command substitutiton for configuration using
\fIwordexp\fR(3).\& The fork process which calls "/bin/sh" for expansion is
executed in a confined environment and it is terminated if its runtime
exceeds the given timeout.\& Confinement is done using Landlock,
namespaces and seccomp.\&
.PP
Note, this is a static, ie startup-only, setting: For safety reasons, no
expansion is performed for runtime configuration.\&
.PP
.SS lock
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring\fR
T}
.TE
.sp 1
Set the state of the sandbox lock.\& Possible values are \fBon\fR, \fBoff\fR and \fBexec\fR.\&
If the sandbox lock is \fBon\fR no sandbox commands are allowed.\& If \fBexec\fR is
specified, the sandbox lock is set to \fBon\fR for all processes except the initial
process, aka Syd exec child.\& Note, the sandbox lock used to default to \fBexec\fR
but as a hardening measure and to ensure security by default, as of version
3.\&17.\&0, this has been changed such that the default is \fIunset\fR and if no lock
clause has been specified by the time Syd executes the initial sandbox process,
then the sandbox lock is automatically set to \fBon\fR.\& This means if no "lock"
clause is specified in any of the profiles, configuration files or "-m" CLI
arguments, the lock will be \fBon\fR by default.\& Setting lock to \fBon\fR at any point
during configuration parsing prevents further commands from being emitted by the
sandbox.\& This feature may be used to lock site-wide defaults for a Syd login
shell by adding a "lock:on" clause at the end of the site-wide configuration
file which prevents Syd from subsequently parsing the user configuration file,
practically enforcing the site-wide defaults.\&
.PP
Note, setting lock to \fBoff\fR or \fBexec\fR at startup makes Syd skip preventing
\fIexecve\fR(2) and \fIexecveat\fR(2) system calls as part of the "Execution Control
(EEC)" feature.\& This is done to allow "cmd/exec" command to execute commands
outside the sandbox.\&
.PP
.SS log/level
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBwarn\fR
T}
.TE
.sp 1
Set the log level.\& Available log levels are "emerg", "alert", "crit",
"error", "warn", "notice", "info", and "debug".\& Defaults to "warn"
unless "SYD_LOG" environment variable is set at startup.\&  Notably, Syd
logs access violations with the "warn" log level.\& You may also use an
integer in the closed range \fI[0,7]\fR as an argument to set the level
where "0" corresponds to "emerg" and "7" corresponds to "debug".\&
.PP
.SS log/syslog
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
.TE
.sp 1
Set host syslogging.\& If this variable is set to on, Syd sends log
messages with log level "warn" and higher to \fIsyslog\fR(3).\& Defaults to on
unless "SYD_NO_SYSLOG" environment variable is set at startup.\&
.PP
.SS log/verbose
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
.TE
.sp 1
Set verbose logging.\& In verbose mode, Syd
acquires various details about the current \fIseccomp\fR(2) request and adds
this information to the JSON payload under the "req" key.\& When disabled,
Syd only logs the process ID of the current \fIseccomp\fR(2) request.\& This
option is on by default, turning it off can help reduce log size.\&
.PP
.SS sandbox/stat
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Stat sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/read
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Read sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/write
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Write sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/exec
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Exec sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/ioctl
.PP
.TS
allbox;l l
l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBoff\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Ioctl sandboxing \fBon\fR or \fBoff\fR.\&
.PP
For performance reasons, this only works at startup.\& If not given at
startup, Syd will just allow \fIioctl\fR(2) system calls at seccomp-bpf
level, and all \fIioctl\fR(2) requests \fIexcept those in the denylist\fR will be
allowed regardless of path.\& Turning this sandboxing off during runtime
is still possible, in this case the \fIioctl\fR(2) system call handler will
only check the \fIioctl\fR(2) request against the allowlist and the denylist
but will not check the path to the \fIioctl\fR(2) file descriptor for
access.\&
.PP
.SS sandbox/create
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Create sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/delete
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Delete sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/rename
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Rename sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/symlink
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Symlink sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/truncate
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Truncate sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/chdir
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Chdir sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/readdir
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Readdir sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/mkdir
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Readdir sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/chown
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Chown sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/chgrp
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Chgrp sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/chmod
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Chmod sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/chattr
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Chattr sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/chroot
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Chroot sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/utime
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Utime sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/mkdev
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Mkdev sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/mkfifo
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Mkfifo sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/mktemp
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Mktemp sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/net
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Network sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/lock
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Landlock sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/force
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Force sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/tpe
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
default
T}	T{
\fBon\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Trusted Path Execution (TPE) sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS sandbox/crypt
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Crypt sandboxing \fBon\fR or \fBoff\fR.\&
.PP
To set this option \fBon\fR, a key must have already been specified with
"crypt/key".\&
.PP
Note, setting this sandboxing type to \fBon\fR implies
"trace/allow_safe_kcapi:1" to allow cryptographic operations using the
Kernel Cryptography API (KCAPI).\&
.PP
Note, setting this sandboxing type to \fBon\fR implies
"trace/exit_wait_all:1" so as not to leave any ongoing encryption
processes behind on sandbox process exit.\&
.PP
.SS sandbox/proxy
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Proxy sandboxing \fBon\fR or \fBoff\fR.\&
.PP
Defaults to proxying through TOR.\& See the options "proxy/addr",
"proxy/port", "proxy/ext/host", and "proxy/ext/port" to configure a
different proxy.\&
.PP
Implies \fBunshare/net:1\fR.\&
.PP
.SS sandbox/mem
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn Memory sandboxing \fBon\fR or \fBoff\fR.\&
.PP
For performance reasons, this only works at startup.\& If not given at startup,
Syd will just allow \fIbrk\fR(2), \fImmap\fR(2), \fImmap2\fR(2), and \fImremap\fR(2) system
calls at seccomp-bpf level.\& Turning this sandboxing off during runtime is still
possible, in this case the respective system calls handlers will do nothing and
just continue the calls.\&
.PP
.SS sandbox/pid
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Turn PID sandboxing \fBon\fR or \fBoff\fR.\&
.PP
.SS default/stat
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Stat sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/read
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Read sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/write
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Write sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/exec
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Exec sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/ioctl
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Ioctl sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/create
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Create sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/delete
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Delete sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"stop", "kill", "panic", or "exit", where the default is "deny".\&
.PP
.SS default/rename
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Rename sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"stop", "kill", "panic", or "exit", where the default is "deny".\&
.PP
.SS default/symlink
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Symlink sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"stop", "kill", "panic", or "exit", where the default is "deny".\&
.PP
.SS default/truncate
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Truncate sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/chdir
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Chdir sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/readdir
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Readdir sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/mkdir
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Mkdir sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/chown
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Chown sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/chgrp
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Chgrp sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/chmod
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Chmod sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/chattr
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Chattr sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/chroot
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Chattr sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/utime
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Utime sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/mkdev
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Mkdev sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/mkfifo
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Mkfifo sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/mktemp
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Mktemp sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/net
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the default action for Network sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/block
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the action for IP blocklist violations.\&
.PP
The value must be exactly one of "warn", "filter", "deny", "panic",
"stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/force
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
For force sandboxing, define the default action to take when the path of
a binary is not in the Integrity Force map.\&
.PP
The value must be either one of "warn", "filter", "stop", "deny",
"panic", "stop", "kill", "exit", where the default is "deny".\&
.PP
.SS default/segvguard
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the action for SegvGuard access violations.\&
.PP
The value must be exactly one of "warn", "filter", "deny", "panic",
"stop", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/tpe
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the action for TPE sandboxing access violations.\&
.PP
The value must be exactly one of "warn", "filter", "deny", "panic",
"stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/mem
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBdeny\fR
T}
.TE
.sp 1
Specify the action for Memory sandboxing access violations.\&
.PP
The value must be exactly one of "allow", "warn", "filter", "deny",
"panic", "stop", "kill", or "exit", where the default is "deny".\&
.PP
.SS default/pid
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBkill\fR
T}
.TE
.sp 1
Specify the action for PID sandboxing access violations.\&
.PP
The value must be either one of "warn", "filter", "stop", "kill",
"exit", where the default is "kill".\&
.PP
.SS unshare/mount
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create Mount namespace on startup.\&
.PP
.SS unshare/uts
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create UTS namespace on startup.\&
.PP
.SS unshare/ipc
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create IPC namespace on startup.\&
.PP
.SS unshare/user
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create User namespace on startup.\&
.PP
.SS unshare/pid
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create Pid namespace on startup.\&
.PP
.SS unshare/net
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create Net namespace on startup.\&
.PP
.SS unshare/cgroup
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create CGroup namespace on startup.\&
.PP
.SS unshare/time
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
query
T}	T{
\fByes\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Create Time namespace on startup.\& Syd resets the boot-time clock
such that \fIuptime\fR(1) will report container uptime rather than
host uptime.\&
.PP
.SS root
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Change directory and chroot to root before starting the process.\& The
directory \fBroot/proc\fR \fImust\fR exist to mount private proc filesystem.\&
.PP
As of version 3.\&23.\&14, symbolic links are not followed in any part of
the root directory and path traversal using ".\&.\&" is not permitted.\& In
addition, root directory must be an absolute path, relative paths are
not permitted.\&
.PP
.SS root/map
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Map current user to root in the sandbox on startup.\&
.PP
This option does nothing without "unshare/user:1".\&
.PP
.SS root/fake
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
In \fBfakeroot\fR mode, the system will return a user/group id of \fB0\fR,
mimicking the \fBroot\fR user.\& This allows users to execute commands with
apparent root privileges, without actual superuser rights.\& It'\&s useful
for tasks like package building where root-like environment is needed,
but not actual root permissions.\&
.PP
.SS name/host
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fB<auto>\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set host name in the sandbox.\& Only useful when combined with \fBunshare/uts:1\fR.\&
.PP
.SS name/domain
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBsyd-3\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set NIS/YP domain name in the sandbox.\& Only useful when combined with \fBunshare/uts:1\fR.\&
.PP
.SS time
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBtime_t\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set clock monotonic and boottime offset (seconds) in Time Namespace.\&
.PP
.SS ioctl/allow
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBpositive integer-array (u64)\fR
T}
T{
default
T}	T{
\fB[.\&.\&.\&]\fR
T}
.TE
.sp 1
Add to or remove a request from the \fIioctl\fR(2) request allowlist.\&
Accepts an unsigned 64-bit integer as argument.\& Prefix with "0x" for
hexadecimal and "0o" for octal input.\& Use "ioctl/allow+<request>" to add
to, and "ioctl/allow-<request>" to remove from the allowlist.\& By default
the list contains the \fIioctl\fR(2) requests FIOCLEX, FIONCLEX, FIONBIO,
FIOASYNC, FIOQSIZE, FIFREEZE, FITHAW, FS_IOC_FIEMAP, FIGETBSZ, FICLONE,
FICLONERANGE, FIDEDUPERANGE, FS_IOC_GETFSUUID, and
FS_IOC_GETFSSYSFSPATH.\&
.PP
Note, for rules added at startup deny rules have precedence over allow
rules because the denylist is checked at kernel-space, whereas the
allowlist is checked at user-space.\& For rules added after startup, the
last matching rule wins.\&
.PP
.SS ioctl/deny
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBpositive integer-array (u64)\fR
T}
T{
default
T}	T{
\fB[.\&.\&.\&]\fR
T}
T{
static
T}	T{
\fBadd is dynamic, remove is partly static\fR
T}
.TE
.sp 1
Add to or remove a request from the \fIioctl\fR(2) request denylist.\& Accepts
an unsigned 64-bit integer as argument.\& Prefix with "0x" for hexadecimal
and "0o" for octal input.\& Use "ioctl/deny+<request>" to add to, and
"ioctl/deny-<request>" to remove from the allowlist.\& By default the list
of denylisted \fIioctl\fR(2) requests are FIBMAP, FS_IOC_FSGETXATTR,
FS_IOC_FSSETXATTR, FS_IOC_SETFLAGS, KDSETKEYCODE, KDSIGACCEPT, TIOCCONS,
TIOCLINUX, TIOCSETD, and TIOCSTI.\&
.PP
Note, for security reasons, the \fIioctl\fR(2) denylist is applied at the
parent seccomp-bpf filter at startup.\& This means the Syd process is
included in this restriction as well.\& This also means, removing elements
from this list after startup has no effect.\& However, if Ioctl sandboxing
was enabled at startup, adding new elements to the \fIioctl\fR(2) denylist
will further restrict the \fIioctl\fR(2) request space.\&
.PP
Note, for rules added at startup, deny rules have precedence over allow
rules because the denylist is checked at kernel-space, whereas the
allowlist is checked at user-space.\& For rules added after startup, the
last matching rule wins.\&
.PP
Further reading about denylisted \fIioctl\fR(2) requests:
.PP
.PD 0
.IP 1. 4
https://cve.\&mitre.\&org/cgi-bin/cvename.\&cgi?\&name=CVE-2023-1523
.IP 2. 4
https://a13xp0p0v.\&github.\&io/2017/03/24/CVE-2017-2636.\&html
.IP 3. 4
http://phrack.\&org/issues/52/6.\&html#article
.IP 4. 4
https://git.\&kernel.\&org/pub/scm/linux/kernel/git/torvalds/linux.\&git/commit/?\&id=83efeeeb3d04b22aaed1df99bc70a48fe9d22c4d
.IP 5. 4
https://git.\&kernel.\&org/pub/scm/linux/kernel/git/torvalds/linux.\&git/commit/?\&id=8d1b43f6a6df7bcea20982ad376a000d90906b42
.IP 6. 4
https://seclists.\&org/oss-sec/2024/q1/13
.IP 7. 4
https://seclists.\&org/oss-sec/2024/q1/14
.IP 8. 4
https://forums.\&grsecurity.\&net/viewtopic.\&php?\&f=7&t=2522
.IP 9. 4
http://lkml.\&indiana.\&edu/hypermail/linux/kernel/9907.\&0/0132.\&html
.IP 10. 4
http://linux.\&derkeiler.\&com/Mailing-Lists/Kernel/2007-11/msg07723.\&html
.PD
.PP
.SS mem/max
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBpositive integer (u64)\fR
T}
T{
default
T}	T{
\fB128MB\fR
T}
.TE
.sp 1
This setting specifies the limit on per-process memory usage.\& Setting this value
to \fB0\fR disables testing for this type of memory usage.\& Note, the value is parsed
using the \fBparse-size\fR crate.\& Refer to their documentation for information on
formatting.\&
.PP
.SS mem/vm_max
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBpositive integer (u64)\fR
T}
T{
default
T}	T{
\fB0\fR
T}
.TE
.sp 1
This setting specifies the limit on per-process virtual memory usage.\& Setting
this value to \fB0\fR disables testing for this type of memory usage.\& Note, the
value is parsed using the \fBparse-size\fR crate.\& Refer to their documentation for
information on formatting.\&
.PP
.SS pid/max
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBpositive integer (u64)\fR
T}
T{
default
T}	T{
\fB1\fR
T}
.TE
.sp 1
This setting specifies the limit on the number of running tasks for pid
sandboxing.\& Setting this value to \fB0\fR is functionally equivalent to setting
\fBsandbox/pid\fR to \fBoff\fR.\&
.PP
.SS bind
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring-array\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
This command causes Syd to bind mount a directory on startup.\& The
format is \fBsource-dir:target-dir:mount-options,.\&.\&.\&\fR where \fIthe source and
target directories may be equal\fR.\& Mount options are a comma-separated list
of a combination of the following options:
.PP
.PD 0
.IP \(bu 4
"ro" to mount the filesystem read-only.\&
.IP \(bu 4
"nodev" to not interpret character or block special devices on the filesystem.\&
.IP \(bu 4
"noexec" to not permit direct execution of any binaries on the mounted 
filesystem.\&
.IP \(bu 4
"nosuid" to not honour set-user-ID and set-group-ID bits or file capabilities 
when executing programs from this filesystem.\& In addition, SELinux domain 
transitions require permission "nosuid_transition", which in turn needs also 
policy capability "nnp_nosuid_transition".\&
.IP \(bu 4
"nosymfollow" to not follow symbolic links when resolving paths.\& 
Symbolic links can still be created, and \fIreadlink\fR(1), 
\fIreadlink\fR(2), \fIrealpath\fR(1), and \fIrealpath\fR(3) all still work 
properly.\&
.IP \(bu 4
"noatime" to not update inode access times on this filesystem (e.\&g.\& for 
faster access on the news spool to speed up news servers).\& This works for all 
inode types (directories too), so it implies "nodiratime".\&
.IP \(bu 4
"nodiratime" to not update directory inode access times on this filesystem.\& 
(This option is implied when "noatime" is set.\&)
.IP \(bu 4
"relatime" to update inode access times relative to modify or change time.\&
.PD
.PP
Mount options may be omitted.\& If the source directory does not start
with a slash, it is interpreted as the filesystem type rather than the
source directory.\& This may be used to mount special filesystems such as
cgroupfs, overlayfs or \fItmpfs\fR(5) into the mount namespace.\& In this
case, any mount options supported by this filesystem type may be
submitted in options argument not just the ones listed above.\& You may
find some examples below:
.PP
.PD 0
.IP \(bu 4
bind+/:/:ro
.IP \(bu 4
bind+tmpfs:/tmp:noexec,size=16M
.IP \(bu 4
bind+cgroup2:/sys/fs/cgroup:nodev,noexec,nosuid
.IP \(bu 4
bind+overlay:/tmp/target:lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/work,nosuid
.PD
.PP
This command may be used to create immutable containers.\& For example, the
command "bind+/:/:ro" is functionally equivalent to "deny/write+/***" except
the restriction happens at \fIkernel VFS layer\fR rather than at user level using
\fIseccomp-notify\fR.\& Alternatively this can also be achieved at the kernel level
using \fILandlock\fR.\&
.PP
Note, if the source or target directory does not exist, Syd logs an
"info" level entry and continues processing the rest of the mounts.\& Any
other error during bind mounting is fatal.\&
.PP
As of version 3.\&23.\&14, symbolic links are not followed in any part of
the source or target directory paths and path traversal using ".\&.\&" is
not permitted.\& In addition, target directory must be an absolute path,
relative paths are not permitted.\&
.PP
As of version 3.\&23.\&14, mounting the special "proc" filesystem under a
custom path is not permitted.\& Syd handles this mount itself specially
after all bind mounts are processed.\&
.PP
.SS crypt
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to encrypt for \fBCrypt sandboxing\fR.\&
.PP
.SS crypt/kdf/salt
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fB<empty>\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify salt used in key derivation function for \fBCrypt sandboxing\fR.\&
.PP
There are two usage options for the salt:
.PP
.PD 0
.IP \(bu 4
Empty or static for domain separation in a private setting
.IP \(bu 4
Guaranteed to be uniformly-distributed and unique in a public setting
.PD
.PP
.SS crypt/kdf/info/enc
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBSYD-ENC\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify informational context string for encryption key used in key
derivation function for \fBCrypt sandboxing\fR.\&
.PP
This information acts as a label and is not private.\&
.PP
.SS crypt/kdf/info/mac
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
\fBSYD-MAC\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify informational context string for authentication key used in key
derivation function for \fBCrypt sandboxing\fR.\&
.PP
This information acts as a label and is not private.\&
.PP
.SS crypt/key
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify 256-bit AES-CTR key for \fBCrypt sandboxing\fR.\& The key must be
encoded in hexadecimal and be exactly 64 characters.\&
.PP
.SS crypt/tmp
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring\fR
T}
T{
default
T}	T{
mem
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify temporary backing directory for transparent file decryption.\& The
argument must be an absolute path or the special value "mem".\& The user
must ensure this directory is secure as decrypted contents will be
written to temporary files under this directory.\& Specify the special
value "mem" to use anonymous files which live in RAM with a volatile
backing storage created with \fImemfd_create\fR(2).\& This is the default.\& The
user is encouraged to specify this option for efficient handling of
large files for \fBCrypt sandboxing\fR.\&
.PP
.SS force
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Add or remove an integrity force rule for Force Sandboxing.\& The format is
\fIforce+/path:hashhex:action\fR for addition and \fIforce-/path\fR for removal.\& Use
\fIforce^\fR to clear the Integrity Force map.\& Available actions are the following:
.PP
.PD 0
.IP \(bu 4
kill: Send the offending process SIGKILL signal, default if ":action" is omitted.\&
.IP \(bu 4
stop: Send the offending process SIGSTOP signal.\&
.IP \(bu 4
warn: Allow execution.\&
.PD
.PP
In all cases a warning to the syslog is written.\& hashhex is either a
8-character CRC32 checksum, 16-character CRC64 checksum, 32-character
MD5 checksum, a 40-character SHA1 checksum, a 64-character SHA3-256
checksum, a 96-character SHA3-384 checksum or a 128-character SHA3-512
checksum.\&
.PP
.PD 0
.IP \(bu 4
\fIsyd-sha\fR(1) is a helper tool to calculate checksums of files.\&
.IP \(bu 4
\fIsyd-path\fR(1) is a helper tool to write integrity force rules for binaries under PATH.\&
.PD
.PP
.SS proxy/addr
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBIP address\fR
T}
T{
default
T}	T{
\fB127.\&0.\&0.\&1\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set internal address for Proxy sandboxing.\& This must be an IPv4 or an
IPv6 address.\& Defaults to 127.\&0.\&0.\&1.\&
.PP
.SS proxy/port
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBinteger\fR
T}
T{
default
T}	T{
\fB9050\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set internal port for Proxy sandboxing.\& Defaults to 9050.\&
.PP
.SS proxy/ext/host
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBHostname or IP\fR
T}
T{
default
T}	T{
\fB127.\&0.\&0.\&1\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set external address for Proxy sandboxing.\& This must either be an IPv4
address or an IPv6 address or a hostname.\& If the argument does not parse
as an IP address, Syd resolves the name using the system DNS resolver
and selects a response IP randomly.\&
.PP
Defaults to "127.\&0.\&0.\&1", which may be be overriden with the environment variable
\fBSYD_PROXY_HOST\fR at startup.\&
.PP
.SS proxy/ext/port
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBinteger\fR
T}
T{
default
T}	T{
\fB9050\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set external port for Proxy sandboxing.\&
.PP
Defaults to 9050, which may be overriden with the environment variable
\fBSYD_PROXY_PORT\fR at startup.\&
.PP
.SS segvguard/expiry
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBinteger (u64)\fR
T}
T{
default
T}	T{
120
T}
.TE
.sp 1
Specify SegvGuard expiry timeout in seconds.\& Set to 0 to disable SegvGuard.\&
.PP
.SS segvguard/suspension
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBinteger (u64)\fR
T}
T{
default
T}	T{
600
T}
.TE
.sp 1
Specify SegvGuard suspension timeout in seconds.\&
.PP
.SS segvguard/maxcrashes
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBinteger (u8)\fR
T}
T{
default
T}	T{
5
T}
.TE
.sp 1
Specify SegvGuard max crashes.\&
.PP
.SS tpe/gid
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBinteger (uid_t)\fR
T}
.TE
.sp 1
Specify untrusted GID for Trusted Path Execution (TPE).\& By default, TPE
is applied to users of all groups including root and this setting can be
used to limit it to a certain group.\& To unset a previously set GID and
return to the default state set "none" as the value.\&
.PP
.SS tpe/negate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Negate GID logic for Trusted Path Execution (TPE).\& This turns "tpe/gid"
from untrusted into trusted such that users belonging to this group will
be exempt from TPE.\&
.PP
.SS tpe/root_owned
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Ensure directory is root-owned for Trusted Path Execution (TPE).\&
.PP
Note, this option will misbehave with "unshare/user:1" if the real root
user is not mapped inside the container.\&
.PP
.SS tpe/user_owned
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Ensure directory is user-owned or root for Trusted Path Execution (TPE).\&
.PP
Note, this option will misbehave with "unshare/user:1" if the real root
is not mapped inside the container.\&
.PP
.SS allow/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBStat sandboxing\fR.\&
.PP
.SS allow/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBRead sandboxing\fR.\&
.PP
.SS allow/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBWrite sandboxing\fR.\&
.PP
.SS allow/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBExec sandboxing\fR.\&
.PP
.SS allow/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBIoctl sandboxing\fR.\&
.PP
.SS allow/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBCreate sandboxing\fR.\&
.PP
.SS allow/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBDelete sandboxing\fR.\&
.PP
.SS allow/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBRename sandboxing\fR.\&
.PP
.SS allow/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBSymlink sandboxing\fR.\&
.PP
.SS allow/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBTruncate sandboxing\fR.\&
.PP
.SS allow/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBChdir sandboxing\fR.\&
.PP
.SS allow/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBReaddir sandboxing\fR.\&
.PP
.SS allow/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBMkdir sandboxing\fR.\&
.PP
.SS allow/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBChown sandboxing\fR.\&
.PP
.SS allow/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBChgrp sandboxing\fR.\&
.PP
.SS allow/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBChmod sandboxing\fR.\&
.PP
.SS allow/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBChattr sandboxing\fR.\&
.PP
.SS allow/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBChroot sandboxing\fR.\&
.PP
.SS allow/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBUtime sandboxing\fR.\&
.PP
.SS allow/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBMkdev sandboxing\fR.\&
.PP
.SS allow/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBMkfifo sandboxing\fR.\&
.PP
.SS allow/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to allow for \fBMktemp sandboxing\fR.\&
.PP
.SS allow/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to allow for \fBBind network sandboxing\fR.\&
.PP
.SS allow/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to allow for \fBConnect network sandboxing\fR.\&
.PP
.SS allow/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to allow for \fBSendFd network sandboxing\fR.\&
.PP
.SS allow/net/link
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBstring-array\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specifies a list of netlink families to allow for \fBLink network sandboxing\fR.\&
.PP
Accepts a comma-delimited list of the following items: "route",
"usersock", "firewall", "sock_diag", "nflog", "xfrm", "selinux",
"iscsi", "audit", "fib_lookup", "connector", "netfilter", "ip6_fw",
"dnrtmsg", "kobject_uevent", "generic", "scsitransport", "ecryptfs",
"rdma", "crypto", and "smc".\&
.PP
.SS allow/lock/read
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring-array\fR
T}
T{
static
T}	T{
\fByes\fR
T}
T{
default
T}	T{
\fI["/proc"]\fR
T}
.TE
.sp 1
Specifies a list of beneath paths to allow as read-only for \fBLandlock
sandboxing\fR.\& In this context, read-only includes execute operations.\&
.PP
As of version 3.\&21.\&0, this list includes the path "/proc" by default as
Syd is included in the Landlock sandbox and Syd requires access to this
directory to function correctly.\&
.PP
.SS allow/lock/write
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBstring-array\fR
T}
T{
static
T}	T{
\fByes\fR
T}
T{
default
T}	T{
\fI["/dev/null"]\fR
T}
.TE
.sp 1
Specifies a list of beneath paths to allow as read-write for \fBLandlock
sandboxing\fR.\& In this context, read-write includes execute and \fIioctl\fR(2)
operations.\&
.PP
Note, Landlock \fIioctl\fR(2) support requires ABI 5 or later.\& Fifth
Landlock ABI was introduced with Linux 6.\&10.\& On older kernels, this
command is not going to confine \fIioctl\fR(2) operations.\&
.PP
As of version 3.\&21.\&0, this list includes the path "/dev/null" by default
as Syd is included in the Landlock sandbox and Syd requires access to
this file to function correctly.\&
.PP
.SS allow/lock/bind
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBu16-array\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specifies a list of allowed \fIbind\fR(2) ports for \fBLandlock sandboxing\fR.\&
.PP
Argument is either a single port or a closed range in format \fBport1-port2\fR.\&
.PP
Note, Landlock network support requires ABI 4 or later.\& Fourth Landlock
ABI was introduced with Linux 6.\&7.\& On older kernels, this command is a
no-op.\&
.PP
.SS allow/lock/connect
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBu16-array\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specifies a list of allowed \fIconnect\fR(2) ports for \fBLandlock sandboxing\fR.\&
.PP
Argument is either a single port or a closed range in format \fBport1-port2\fR.\&
.PP
Note, Landlock network support requires ABI 4 or later.\& Fourth Landlock
ABI was introduced with Linux 6.\&7.\& On older kernels, this command is a
no-op.\&
.PP
.SS warn/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBStat sandboxing\fR.\&
.PP
.SS warn/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBRead sandboxing\fR.\&
.PP
.SS warn/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBWrite sandboxing\fR.\&
.PP
.SS warn/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBExec sandboxing\fR.\&
.PP
.SS warn/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBIoctl sandboxing\fR.\&
.PP
.SS warn/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBCreate sandboxing\fR.\&
.PP
.SS warn/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBDelete sandboxing\fR.\&
.PP
.SS warn/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBRename sandboxing\fR.\&
.PP
.SS warn/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBSymlink sandboxing\fR.\&
.PP
.SS warn/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBTruncate sandboxing\fR.\&
.PP
.SS warn/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBChdir sandboxing\fR.\&
.PP
.SS warn/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBReaddir sandboxing\fR.\&
.PP
.SS warn/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBMkdir sandboxing\fR.\&
.PP
.SS warn/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBChown sandboxing\fR.\&
.PP
.SS warn/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBChgrp sandboxing\fR.\&
.PP
.SS warn/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBChmod sandboxing\fR.\&
.PP
.SS warn/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBChattr sandboxing\fR.\&
.PP
.SS warn/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBChroot sandboxing\fR.\&
.PP
.SS warn/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBUtime sandboxing\fR.\&
.PP
.SS warn/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBMkdev sandboxing\fR.\&
.PP
.SS warn/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBMkfifo sandboxing\fR.\&
.PP
.SS warn/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to warn for \fBMktemp sandboxing\fR.\&
.PP
.SS warn/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to warn for \fBBind network sandboxing\fR.\&
.PP
.SS warn/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to warn for \fBConnect network sandboxing\fR.\&
.PP
.SS warn/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to warn for \fBSendFd network sandboxing\fR.\&
.PP
.SS deny/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBStat sandboxing\fR.\&
.PP
.SS deny/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBRead sandboxing\fR.\&
.PP
.SS deny/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBWrite sandboxing\fR.\&
.PP
.SS deny/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBExec sandboxing\fR.\&
.PP
.SS deny/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBIoctl sandboxing\fR.\&
.PP
.SS deny/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBCreate sandboxing\fR.\&
.PP
.SS deny/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBDelete sandboxing\fR.\&
.PP
.SS deny/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBRename sandboxing\fR.\&
.PP
.SS deny/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBSymlink sandboxing\fR.\&
.PP
.SS deny/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBTruncate sandboxing\fR.\&
.PP
.SS deny/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBChdir sandboxing\fR.\&
.PP
.SS deny/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBReaddir sandboxing\fR.\&
.PP
.SS deny/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBMkdir sandboxing\fR.\&
.PP
.SS deny/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBChown sandboxing\fR.\&
.PP
.SS deny/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBChgrp sandboxing\fR.\&
.PP
.SS deny/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBChmod sandboxing\fR.\&
.PP
.SS deny/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBChattr sandboxing\fR.\&
.PP
.SS deny/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBChroot sandboxing\fR.\&
.PP
.SS deny/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBUtime sandboxing\fR.\&
.PP
.SS deny/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBMkdev sandboxing\fR.\&
.PP
.SS deny/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBMkfifo sandboxing\fR.\&
.PP
.SS deny/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to deny for \fBMktemp sandboxing\fR.\&
.PP
.SS deny/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to deny for \fBBind network sandboxing\fR.\&
.PP
.SS deny/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to deny for \fBConnect network sandboxing\fR.\&
.PP
.SS deny/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to deny for \fBSendFd network sandboxing\fR.\&
.PP
.SS panic/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBStat sandboxing\fR.\&
.PP
.SS panic/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBRead sandboxing\fR.\&
.PP
.SS panic/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBWrite sandboxing\fR.\&
.PP
.SS panic/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBExec sandboxing\fR.\&
.PP
.SS panic/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBIoctl sandboxing\fR.\&
.PP
.SS panic/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBCreate sandboxing\fR.\&
.PP
.SS panic/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBDelete sandboxing\fR.\&
.PP
.SS panic/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBRename sandboxing\fR.\&
.PP
.SS panic/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBSymlink sandboxing\fR.\&
.PP
.SS panic/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBTruncate sandboxing\fR.\&
.PP
.SS panic/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBChdir sandboxing\fR.\&
.PP
.SS panic/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBReaddir sandboxing\fR.\&
.PP
.SS panic/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBMkdir sandboxing\fR.\&
.PP
.SS panic/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBChown sandboxing\fR.\&
.PP
.SS panic/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBChgrp sandboxing\fR.\&
.PP
.SS panic/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBChmod sandboxing\fR.\&
.PP
.SS panic/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBChattr sandboxing\fR.\&
.PP
.SS panic/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBChroot sandboxing\fR.\&
.PP
.SS panic/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBUtime sandboxing\fR.\&
.PP
.SS panic/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBMkdev sandboxing\fR.\&
.PP
.SS panic/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBMkfifo sandboxing\fR.\&
.PP
.SS panic/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to panic for \fBMktemp sandboxing\fR.\&
.PP
.SS panic/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to panic for \fBBind network sandboxing\fR.\&
.PP
.SS panic/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to panic for \fBConnect network sandboxing\fR.\&
.PP
.SS panic/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to panic for \fBSendFd network sandboxing\fR.\&
.PP
.SS stop/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBStat sandboxing\fR.\&
.PP
.SS stop/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBRead sandboxing\fR.\&
.PP
.SS stop/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBWrite sandboxing\fR.\&
.PP
.SS stop/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBExec sandboxing\fR.\&
.PP
.SS stop/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBIoctl sandboxing\fR.\&
.PP
.SS stop/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBCreate sandboxing\fR.\&
.PP
.SS stop/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBDelete sandboxing\fR.\&
.PP
.SS stop/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBRename sandboxing\fR.\&
.PP
.SS stop/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBSymlink sandboxing\fR.\&
.PP
.SS stop/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBTruncate sandboxing\fR.\&
.PP
.SS stop/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBChdir sandboxing\fR.\&
.PP
.SS stop/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBReaddir sandboxing\fR.\&
.PP
.SS stop/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBMkdir sandboxing\fR.\&
.PP
.SS stop/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBChown sandboxing\fR.\&
.PP
.SS stop/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBChgrp sandboxing\fR.\&
.PP
.SS stop/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBChmod sandboxing\fR.\&
.PP
.SS stop/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBChattr sandboxing\fR.\&
.PP
.SS stop/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBChroot sandboxing\fR.\&
.PP
.SS stop/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBUtime sandboxing\fR.\&
.PP
.SS stop/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBMkdev sandboxing\fR.\&
.PP
.SS stop/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBMkfifo sandboxing\fR.\&
.PP
.SS stop/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to stop for \fBMktemp sandboxing\fR.\&
.PP
.SS stop/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to stop for \fBBind network sandboxing\fR.\&
.PP
.SS stop/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to stop for \fBConnect network sandboxing\fR.\&
.PP
.SS stop/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to stop for \fBSendFd network sandboxing\fR.\&
.PP
.SS kill/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBStat sandboxing\fR.\&
.PP
.SS kill/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBRead sandboxing\fR.\&
.PP
.SS kill/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBWrite sandboxing\fR.\&
.PP
.SS kill/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBExec sandboxing\fR.\&
.PP
.SS kill/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBIoctl sandboxing\fR.\&
.PP
.SS kill/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBCreate sandboxing\fR.\&
.PP
.SS kill/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBDelete sandboxing\fR.\&
.PP
.SS kill/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBRename sandboxing\fR.\&
.PP
.SS kill/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBSymlink sandboxing\fR.\&
.PP
.SS kill/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBTruncate sandboxing\fR.\&
.PP
.SS kill/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBChdir sandboxing\fR.\&
.PP
.SS kill/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBReaddir sandboxing\fR.\&
.PP
.SS kill/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBMkdir sandboxing\fR.\&
.PP
.SS kill/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBChown sandboxing\fR.\&
.PP
.SS kill/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBChgrp sandboxing\fR.\&
.PP
.SS kill/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBChmod sandboxing\fR.\&
.PP
.SS kill/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBChattr sandboxing\fR.\&
.PP
.SS kill/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBChroot sandboxing\fR.\&
.PP
.SS kill/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBUtime sandboxing\fR.\&
.PP
.SS kill/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBMkdev sandboxing\fR.\&
.PP
.SS kill/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBMkfifo sandboxing\fR.\&
.PP
.SS kill/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to kill for \fBMktemp sandboxing\fR.\&
.PP
.SS kill/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to kill for \fBBind network sandboxing\fR.\&
.PP
.SS kill/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to kill for \fBConnect network sandboxing\fR.\&
.PP
.SS kill/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to kill for \fBSendFd network sandboxing\fR.\&
.PP
.SS exit/stat
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBStat sandboxing\fR.\&
.PP
.SS exit/read
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBRead sandboxing\fR.\&
.PP
.SS exit/write
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBWrite sandboxing\fR.\&
.PP
.SS exit/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBExec sandboxing\fR.\&
.PP
.SS exit/ioctl
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBIoctl sandboxing\fR.\&
.PP
.SS exit/create
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBCreate sandboxing\fR.\&
.PP
.SS exit/delete
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBDelete sandboxing\fR.\&
.PP
.SS exit/rename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBRename sandboxing\fR.\&
.PP
.SS exit/symlink
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBSymlink sandboxing\fR.\&
.PP
.SS exit/truncate
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBTruncate sandboxing\fR.\&
.PP
.SS exit/chdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBChdir sandboxing\fR.\&
.PP
.SS exit/readdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBReaddir sandboxing\fR.\&
.PP
.SS exit/mkdir
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBMkdir sandboxing\fR.\&
.PP
.SS exit/chown
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBChown sandboxing\fR.\&
.PP
.SS exit/chgrp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBChgrp sandboxing\fR.\&
.PP
.SS exit/chmod
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBChmod sandboxing\fR.\&
.PP
.SS exit/chattr
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBChattr sandboxing\fR.\&
.PP
.SS exit/chroot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBChroot sandboxing\fR.\&
.PP
.SS exit/utime
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBUtime sandboxing\fR.\&
.PP
.SS exit/mkdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBMkdev sandboxing\fR.\&
.PP
.SS exit/mkfifo
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBMkfifo sandboxing\fR.\&
.PP
.SS exit/mktemp
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to exit for \fBMktemp sandboxing\fR.\&
.PP
.SS exit/net/bind
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to exit for \fBBind network sandboxing\fR.\&
.PP
.SS exit/net/connect
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to exit for \fBConnect network sandboxing\fR.\&
.PP
.SS exit/net/sendfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of network address patterns to exit for \fBSendFd network sandboxing\fR.\&
.PP
.SS append
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to files that should be made
append-only for \fBWrite sandboxing\fR.\&
.PP
If a path is append-only, Syd adds "O_APPEND" and removes "O_TRUNC" from
flags on any sandbox granted attempt to \fIopen\fR(2) this path.\& Unsetting
the "O_APPEND" flag using \fIfcntl\fR(2) "F_SETFL" command is prevented.\&
Similarly, any attempt to \fIrename\fR(2), \fItruncate\fR(2) and \fIunlink\fR(2) the
file is prevented.\& This is typically useful for history and log files.\&
.PP
.SS mask
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBstring-array\fR
T}
.TE
.sp 1
Specifies a list of \fIglob\fR(3p) patterns to mask for \fBRead & Write sandboxing\fR.\&
.PP
If a path is masked, Syd returns a file descriptor to "/dev/null" on any
sandbox granted attempt to \fIopen\fR(2) this path.\& Masking can effectively
be used to hide the contents of a file in a more relaxed and compatible
way than denying read/write access to it.\& \fIstat\fR(2) calls on a masked
file returns the original file metadata and a masked file may be
executed.\&
.PP
.SS block
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBip-range\fR
T}
.TE
.sp 1
Specifies a range of IP networks to be blocked by \fBConnect network
sandboxing\fR.\& Use "block+<net>" and "block-<net>" to add and remove ip
networks from the range.\& Alternatively the range can also be populated
by including "ipset" and "netset" files from within Syd configuration.\&
Use "block^" to clear the list and "block!\&" to simplify the ip range by
aggregating networks together.\& "block!\&" is useful to call after
importing big IP blocklists, it helps reduce memory consumption and
improve matching performance.\&
.PP
.SS cmd/exec
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBcommand\fR
T}
.TE
.sp 1
Makes Syd execute an external command without sandboxing.\& The process is
executed in a new process group with its standard input closed.\& The
program name and arguments must be separated with the \fBUS\fR (unit
separator, octal: 037) character.\& To ease usage, the \fIsyd-exec\fR(1)
helper utility is provided to construct a sandbox command of this type:
.PP
.nf
.RS 4
;  syd -puser -- bash -c \&'test -c $(syd-exec echo hello world)\&'
hello world
{"cfg":"cmd/exec!echou001fhellou001fworld","cmd":"bash \&.\&.\&.}
;
.fi
.RE
.PP
.SS load
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBinteger (fd) or string (profile-name)\fR
T}
.TE
.sp 1
Read configuration from the given file descriptor, the file must be open for
reading.\& Syd uses \fIpidfd_getfd\fR(2) to acquire the file descriptor and reads
sandbox configuration from it.\& This command is useful to load a set of sandbox
commands into Syd in a single step and is typically used with \fBreset\fR, e.\&g:
.PP
.nf
.RS 4
int fd = open("/tmp", O_RDWR | O_TMPFILE | O_CLOEXEC, 0);
if (fd == -1) errx(1, "Failed to open temporary file");

const char *syd = "sandbox:stat/on\\nallow/stat+/***\\ndeny/stat+/\\nlock:on\\n";
errx(write(fd, syd, strlen(syd)) == -1, "Failed to write config");
errx(lseek(fd, 0, SEEK_SET) == -1, "Failed to seek in file");

char load[64];
sprintf(load, "/dev/syd/load/%d", fd);
errx(stat("/dev/syd/reset", NULL) == -1, "Failed to reset syd");
errx(stat(load, NULL) == -1, "Failed to load syd profile");

errx(execvp("/bin/sh", (char *[]){"/bin/sh", "-l", NULL}) == -1, "execvp failed");
.fi
.RE
.PP
Due to security reasons, this command is only available via the virtual
\fIstat\fR(2) call, it may not be used with the \fB-m\fR command line switch or
in a configuration file.\&
.PP
As of version 3.\&30.\&0, this command may be used to load builtin profiles,
when Syd falls back to parsing the "load" argument as a profile name if
parsing the argument as a file descriptor fails.\&
.PP
.SS trace/allow_safe_setuid
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the Linux capability "CAP_SETUID" should be retained.\&
This option in combination with \fBSafeSetID\fR allows the sandbox process
to change UID.\& Note, Syd will change its UID with the sandbox process.\&
.PP
Note, because NPTL uses real-time signals to ensure all threads share
the same UID/GID, setting this option disables the SROP mitigator.\& See
the "Enhanced Execution Control (EEC)" section of the \fIsyd\fR(7) manual
page for more information.\&
.PP
.SS trace/allow_safe_setgid
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the Linux capability "CAP_SETGID" should be retained.\&
This option in combination with \fBSafeSetID\fR allows the sandbox process
to change GID.\& Note, Syd will change its GID with the sandbox process.\&
.PP
Note, because NPTL uses real-time signals to ensure all threads share
the same UID/GID, setting this option disables the SROP mitigator.\& See
the "Enhanced Execution Control (EEC)" section of the \fIsyd\fR(7) manual
page for more information.\&
.PP
.SS setuid
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fB[(uid, uid)]\fR
T}
.TE
.sp 1
Add, remove a UID transition or reset UID transitions.\& Only a single transition
from a source UID can be defined.\& Transitions to root are not allowed.\&
.PP
Usage:
.PP
.nf
.RS 4
setuid+0:65534      # Define a UID transition from root to nobody\&.
setuid+root:nobody  # Same as above but using user names\&.
setuid-0:65534      # Remove a previously defined UID transition\&.
setuid^0            # Remove all UID transitions matching source UID\&.
setuid^             # Remove all UID transitions\&.
.fi
.RE
.PP
.SS setgid
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fB[(gid, gid)]\fR
T}
.TE
.sp 1
Add, remove a GID transition or reset GID transitions.\& Only a single transition
from a source GID can be defined.\& Transitions to root are not allowed.\&
.PP
Usage:
.PP
.nf
.RS 4
setgid+0:65534      # Define a GID transition from root to nogroup\&.
setgid+root:nogroup # Same as above but using group names\&.
setgid-0:65534      # Remove a previously defined GID transition\&.
setgid^0            # Remove all GID transitions matching source GID\&.
setgid^             # Remove all GID transitions\&.
.fi
.RE
.PP
.SS trace/allow_unsafe_cbpf
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether Syd should allow additional \fIseccomp\fR(2)
cbpf filters to be installed by sandbox processes.\& By default, this is
denied to mitigate confused deputy problems and \fIerrno\fR(3) is set
to "EINVAL", aka "Invalid argument" for compatibility reasons.\& On the one
hand, stacked \fIseccomp\fR(2) cbpf filters allow for incremental
confinement and therefore added hardening, on the other hand they may be
abused to install system call filters with more precedent actions than
user-notify thereby bypassing Syd'\&s own \fIseccomp\fR(2) cbpf filters.\& To
quote the \fIseccomp_unotify\fR(2): ".\&.\&.\& a user-space notifier can be
bypassed if the existing filters allow the use of \fIseccomp\fR(2) or
\fIprctl\fR(2) to install a filter that returns an action value with a
higher precedence than "SECCOMP_RET_USER_NOTIF" (see \fIseccomp\fR(2)).\&"
Setting the option "trace/allow_unsafe_prctl:1" overrides this option
and allows the "PR_SET_SECCOMP" \fIprctl\fR(2) operation inside the sandbox.\&
This may be changed in the future for clearer separation of mitigations.\&
.PP
.SS trace/allow_unsafe_ebpf
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Allows direct eBPF use inside the Syd sandbox using the \fIbpf\fR(2) system
call, whose unprivileged use is permitted since Linux-4.\&4.\& On the one
hand, eBPF programs can be used for additional hardening, on the other
hand eBPF is a frequent source of vulnerabilities due to churn,
complexity, improper validation and complexity of validation.\& eBPF may
also be abused to implement efficient and portable rootkits.\&
.PP
.SS trace/allow_unsafe_dumpable
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether Syd should skip from setting its process
dumpable attribute to false.\& This allows core dumps for the Syd process,
and allows debugging/profiling/tracing the Syd process.\& You should not
set this option unless you'\&re developing Syd.\&
.PP
.SS trace/allow_unsafe_exec
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether exec calls with NULL argument and environment
pointers should be allowed.\&
.PP
.SS trace/allow_unsafe_ptrace
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether \fIptrace\fR(2) should be used to secure the
exec handler.\& Setting this option to true effectively removes the
\fIptrace\fR(2) dependency from the sandbox.\& This is necessary to trace syd
together with its children, e.\&g.\& with "strace -f".\& \fBWarning\fR, this
option makes \fIsyd\fR(1) keep the "CAP_SYS_PTRACE" capability and disables
Force Sandboxing, SegvGuard and the exec-TOCTOU mitigator.\& It allows the
sandbox process to trivially break out of the sandbox by e.\&g.\& attaching
to the \fIsyd\fR(1) main thread with \fIptrace\fR(2) and getting a handle to the
\fIseccomp\fR(2) notify file descriptor.\& Therefore, \fBthis option should
only be used in trusted environments.\&\fR
.PP
.SS trace/allow_unsafe_perf
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether perf calls should be allowed within the sandbox.\&
.PP
.SS trace/allow_unsafe_filename
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
A boolean specifying whether the restrictions on file names should be
lifted.\& By default, file names with control characters, forbidden
characters or invalid UTF-8 are denied with "EINVAL" as necessary.\&
Read "Enhanced Path Integrity Measures" of the \fIsyd\fR(7) manual page for
more information.\&
.PP
.SS trace/allow_unsafe_libc
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether turning on secure mode for libc should be
skipped.\& Read "AT_SECURE" section of the \fIgetauxval\fR(3) manual page
about the implications of secure mode.\&
.PP
.SS trace/allow_unsafe_magiclinks
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
A boolean specifying whether /proc magic links should be followed even when
per-process directory id differs from the caller process id.\&  Magic links are
symbolic link-like objects that are most notably found in \fIproc\fR(5); examples
include "/proc/pid/exe" and "/proc/pid/fd/*".\&  See \fIsymlink\fR(7) for more
details.\& Unknowingly opening magic links can be risky for some applications.\&
Examples of such risks include the following:
.PP
.PD 0
.IP \(bu 4
If  the  process  opening a pathname is a controlling process that
currently has no controlling terminal (see \fIcredentials\fR(7)), then
opening a magic link inside "/proc/pid/fd" that happens to refer to a
terminal would cause the process to acquire a controlling terminal.\&
.IP \(bu 4
In a containerized environment, a magic link inside "/proc" may refer to
an object outside the container, and thus may provide a means to escape
from the container.\&
.PD
.PP
Because of such risks, Syd denies access to magic links which do not
belong to the current process by default.\&
.PP
.SS trace/allow_unsafe_nice
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether process and I/O priority changes are
allowed for the sandbox.\& See the "Process Priority and Resource
Management" section of the \fIsyd\fR(7) manual page for more information.\&
.PP
.SS trace/allow_unsafe_nopie
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
A boolean specifying whether execution of non-PIE binaries should be
allowed.\& This is generally not recommended but may be necessary on some
systems.\&
.PP
.SS trace/allow_unsafe_chown
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Makes Syd keep the capability "CAP_CHOWN" and sandbox process will
inherit the capability from Syd.\&
.PP
.SS trace/allow_unsafe_open_path
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
A boolean specifying whether the mitigation to turn "O_PATH" file
descriptors into "O_RDONLY" file descriptors for safe emulation should
be disabled.\& With this option, syd continues the \fIopen\fR(2) system calls
with the "O_PATH" in the sandbox process which opens a TOCTOU vector.\&
.PP
.SS trace/allow_unsafe_open_cdev
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
A boolean specifying whether \fIopen\fR(2) calls to character devices should
be continued in the sandbox process rather than opening them in the Syd
emulator thread and sending the file descriptor.\& Some character devices,
e.\&g.\& "/dev/kfd" for AMD GPUs, require per-application access to the GPU
device, therefore opening the device in the Syd emulator thread and then
continuing the subsequent \fIioctl\fR(2) system calls in the sandbox process
is going to return "EBADF", aka "Bad file number".\& Until Syd has a way
to fully emulate the \fIioctl\fR(2) request space and is able to call the
\fIioctl\fR(2) system call directly from Syd emulator threads, this option
may be used to access such character devices.\& \fBNote, setting this option
opens a TOCTOU attack vector, whereby the sandbox process can open an
arbitrary file instead of the character device in question!\&\fR Syd applies
the following mitigations to limit the scope of the attack vector:
.PP
.PD 0
.IP \(bu 4
Syd \fBcontinues\fR the system call if and only if "O_RDWR" is set in the flags
argument.\&
.IP \(bu 4
Syd does not \fBcontinue\fR the system call if at least one of the flags
"O_CREAT", "O_TRUNC" or "O_TMPFILE" is set in the flags argument.\&
.IP \(bu 4
Syd returns "ENOSYS", aka "Function not implemented", for the
\fIopenat2\fR(2) system call rather than \fBcontinuing\fR it in the sandbox
process to prevent the "struct open_how" pointer indirection to bypass
the restrictions applied to the flags argument.\& Refer to the
\fIopenat2\fR(2) manual page for more information.\&
.IP \(bu 4
This option may be changed at runtime, and it is highly recommended to
unset this option using the \fIsyd\fR(2) virtual system call API right after
the character device is opened.\&
.PD
.PP
.SS trace/allow_unsafe_cpu
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether CPU emulation system calls should be allowed.\& By
default, as of version 3.\&22.\&1, Syd denies the \fImodify_ldt\fR(2),
\fIsubpage_prot\fR(2), \fIswitch_endian\fR(2), \fIvm86\fR(2), and \fIvm86old\fR(2)
system calls, which are associated with CPU emulation functionalities.\&
Enabling this option (trace/allow_unsafe_cpu:1) permits these calls,
thus relaxing the restriction.\& This option should be used with caution,
as allowing these system calls can introduce potential vulnerabilities
by enabling processes to modify CPU state or memory protections.\& Use
this setting only in trusted environments where the execution of these
system calls is necessary.\&
.PP
.SS trace/allow_unsafe_keyring
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the \fIadd_key\fR(2), \fIkeyctl\fR(2), and \fIrequest_key\fR(2)
system calls should be allowed.\& Enabling this setting permits key
management within the sandbox, which can introduce security risks by
allowing keyring manipulations.\& Use only in trusted environments.\&
.PP
.SS trace/allow_unsafe_pkey
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specifies whether the \fIpkey_alloc\fR(2), \fIpkey_free\fR(2), and
\fIpkey_mprotect\fR(2) system calls should be allowed.\& By default, these
calls are denied to enhance security.\& Setting this option to true
enables these system calls, allowing the use of memory protection keys.\&
This option should be used with caution and only in trusted environments
where the use of these system calls is necessary.\&
.PP
.SS trace/allow_unsafe_msgsnd
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specifies whether the \fImsgsnd\fR(2) system call should be allowed.\& By
default, this call is denied to enhance security as the ability of this
system call to allocate large, contiguous blocks of memory in the kernel
heap is often used to orchestrate kernel heap spraying attacks.\& See the
"Mitigation Against Heap Spraying" section of the \fIsyd\fR(7) manual page
for more information.\&
.PP
.SS trace/allow_unsafe_time
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether system calls which adjust the system time are
allowed.\& Note, this also causes Syd to keep the \fBCAP_SYS_TIME\fR capability.\&
Use \fBsyd-ls time\fR to see the list of system calls allowed by this setting.\&
.PP
.SS trace/allow_unsafe_uring
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
A boolean specifying whether system calls of the \fIio_uring\fR(7) interface are
allowed.\& Normally, these are denied because they may be used to bypass path
sandboxing.\& Use \fBsyd-ls uring\fR to see the list of system calls allowed by
this setting.\&
.PP
.SS trace/allow_unsafe_caps
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
boolean
T}
T{
static
T}	T{
yes
T}
.TE
.sp 1
A boolean specifying whether Syd should skip dropping Linux capabilities
at startup.\& This setting can be used to construct \fIprivileged
containers\fR and should be used with extreme care.\&
.PP
Note, \fIsyd-oci\fR(1) sets this option to honour the list of capabilities
specified by the container engine.\& You may unset it using the container
configuration file.\& See CONFIGURATION section in \fIsyd-oci\fR(1) manual
page for more information.\&
.PP
.SS trace/allow_unsafe_env
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether unsafe environment variables should be allowed into the
environment of the sandbox process.\& See \fBsyd-ls env\fR for the list of unsafe
environment variables.\&
.PP
.SS trace/allow_safe_kcapi
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Specify whether access to the Linux kernel cryptography API (aka:
"KCAPI") should be allowed when network sandboxing is on.\& This option
has no effect when network sandboxing is off.\&
.PP
As most things in life, cryptography has good and evil uses: KCAPI is
convenient as it may be used to implement cryptography without depending
on user-space libraries such as OpenSSL but it may also enable malicious
code to efficiently turn itself into ransomware.\& Adhering to the goal to
be secure by default Syd disallows this access by default.\&
.PP
Note, Syd does not hook into \fIsetsockopt\fR(2) and the "ALG_SET_KEY"
operation to set the encryption key is directly handled by the host
kernel therefore the encryption key is not copied into Syd'\&s address
space.\&
.PP
Note again, Syd hooks into \fIbind\fR(2), \fIsendto\fR(2), \fIsendmsg\fR(2), and
\fIsendmmsg\fR(2) but \fBnot\fR \fIread\fR(2), \fIwrite\fR(2), \fIrecv\fR(2), or
\fIsplice\fR(2).\& To reduce syscall overhead, user is recommended to use the
unhooked system calls when they can to interact with KCAPI.\&
.PP
.SS trace/allow_safe_syslog
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether unprivileged sandbox processes can access Syd'\&s
\fIsyslog\fR(2) emulation using \fIdmesg\fR(8).\& Unprivileged processes include
the set of \fIall\fR sandbox processes with the sandbox lock "off", and \fIall
but the initial\fR sandbox process with the sandbox lock set to "exec".\&
Note, this option has nothing to do with access to the host syslog
which is never allowed.\&
.PP
.SS trace/allow_safe_bind
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the socket address arguments of successful \fIbind\fR(2)
calls should be allowed for \fIconnect\fR(2), \fIsendto\fR(2), \fIsendmsg\fR(2), and
\fIsendmmsg\fR(2) system calls.\&
.PP
\fBNote\fR, these addresses are allowed globally and not per-process for
usability reasons.\& Thus, for example, a process which forks to call
\fIbind\fR(2) will have its address allowed for their parent as well.\&
.PP
.SS trace/allow_unsafe_bind
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the Linux capability "CAP_NET_BIND_SERVICE", which allows a
process to \fIbind\fR(2) to ports lower than 1024, should be retained.\&
.PP
.SS trace/allow_unsafe_socket
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether unsafe socket families should be allowed.\& When set, Syd does
not drop the capability \fICAP_NET_RAW\fR on startup.\& This allows:
.PP
.PD 0
.IP 1. 4
use of RAW and PACKET sockets;
.IP 2. 4
bind to any address for transparent proxying.\&
.PD
.PP
.SS trace/allow_unsupp_socket
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Specify whether unsupported socket families such as netlink sockets
should be allowed access when network sandboxing is on.\& By default Syd
allows sandboxed access to unix, ipv4 and ipv6 sockets.\& This option has
no effect when network sandboxing is off.\&
.PP
As of version 3.\&16.\&6 Syd allows access to alg sockets with the
"trace/allow_safe_kcapi" option rather than with this option.\& Alg
sockets are used to interact with the Linux kernel cryptography API.\&
.PP
Note, on architectures with a multiplexed \fIsocketcall\fR(2) system call,
enabling this option is insecure because it is vulnerable to TOCTOU.\&
You may use \fIsyd-sys\fR(1) utility to check if this system call is
available on your architecture using e.\&g: "syd-sys socketcall && echo
vulnerable".\&
.PP
.SS trace/allow_unsafe_prctl
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether \fIprctl\fR(2) restrictions should be lifted.\& See \fBsyd-ls prctl\fR for
the list of allowed prctl requests.\&
.PP
.SS trace/allow_unsafe_prlimit
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether \fIprlimit\fR(2) restrictions should be lifted.\&
.PP
.SS trace/allow_unsafe_syslog
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the Linux capability "CAP_SYSLOG" should be retained.\& This
allows the process to perform privileged \fIsyslog\fR(2) operations.\& This is
useful when sandboxing a service such as syslogd.\&
.PP
.SS trace/allow_unsafe_sync
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the \fIsync\fR(2) and \fIsyncfs\fR(2) system calls should be
allowed inside the sandbox.\& By default these system calls are turned
into no-ops to prevent potential local DoS, however it may be useful to
disable this restriction in scenarios where sync is actually expected to
work such as when sandboxing databases.\&
.PP
.SS trace/allow_unsafe_memfd
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
A boolean specifying whether secret memory file descriptors and
executable memory file descriptors should be enabled.\& By default Syd
strips the "MFD_EXEC" and adds the "MFD_NOEXEC_SEAL" flag to
\fImemfd_create\fR(2) flags argument.\& This ensures the memory file
descriptor can never be made executable.\& The "MFD_NOEXEC_SEAL" flag
requires Linux-6.\&3 or newer therefore on older kernels this option must
be enabled to make memory file descriptors work.\& However, the user
should be aware that allowing encrypted memory file descriptors does
allow an attacker to bypass Exec, Force and TPE sandboxing and execute
denylisted code.\&
.PP
.SS trace/allow_unsafe_memory
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether the Memory-Deny-Write-Execute (MDWE) protections should be
bypassed.\& See \fBMemory-Deny-Write-Execute Protections\fR section of the \fIsyd\fR(7)
manual page for more information.\&
.PP
.SS trace/deny_dotdot
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Specify whether ".\&.\&" components should be denied during path resolution for
\fIchdir\fR(2) and \fIopen\fR(2) family system calls.\& This is useful in mitigating path
traversal attacks.\& See "Path Resolution Restriction For Chdir and Open Calls" of
the \fIsyd\fR(7) manual page for more information.\&
.PP
.SS trace/deny_elf32
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Deny the execution of 32-bit ELF binaries.\&
.PP
.SS trace/deny_elf_dynamic
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Deny the execution of dynamically linked ELF binaries.\&
.PP
.SS trace/deny_elf_static
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Deny the execution of statically linked ELF binaries.\&
.PP
.SS trace/deny_script
.PP
.TS
allbox;l l.
T{
type
T}	T{
\fBboolean\fR
T}
.TE
.sp 1
Deny the execution of scripts (files with #!\&<interpreter> on first line).\&
.PP
Note, the \fIexecve\fR(2) TOCTOU mitigations do not cover this option which
means the functionality is vulnerable to TOCTOU.\& This allows an attacker
to execute a script whose path is denylisted.\& This TOCTOU is limited to
scripts and requires the interpreter binary to be allowlisted for exec.\&
Hence this vulnerability does not allow an attacker to execute
denylisted binaries.\& This is why the user is recommended to deny the
respective interpreter binaries for execution instead for a safe and
secure approach.\&
.PP
.SS trace/deny_tsc
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether reading the timestamp counter should be denied.\& Without an
accurate timer, many timing attacks are going to be harder to perform.\&
.PP
.PD 0
.IP \(bu 4
This works on \fBx86 only\fR.\&
.IP \(bu 4
This breaks time related calls in the \fBvDSO\fR, which can be trivially worked 
around by writing a \fBLD_PRELOAD\fR library to call the respective system calls 
directly.\& See \fBlibsydtime\fR, https://lib.\&rs/libsydtime, for a reference 
implementation.\&
.IP \(bu 4
This has a negative performance impact on programs that rely on 
\fIgettimeofday\fR(2) being a \fBvDSO\fR call.\&
.PD
.PP
.SS trace/lock_personality
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
If set, locks down the \fIpersonality\fR(2) system call so that the kernel execution
domain may not be changed from the default.\& This may be useful to improve
security, because odd personality emulations may be poorly tested and source of
vulnerabilities.\&
.PP
.SS trace/exit_wait_all
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify whether Syd should wait for all processes to exit before exiting.\& By
default, Syd exits with the eldest process and any leftover processes in the
background are automatically killed.\&
.PP
.SS trace/force_umask
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBoctal\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Specify an umask mode to force.\& To unset a previously configured force
umask use -1 as the value.\& As of version 3.\&15.\&6, \fIchmod\fR(2) family
system calls also honour force umask for added hardening.\& As of version
3.\&22.\&1, this setting does not apply to directory creation for \fImkdir\fR(2)
and \fImkdirat\fR(2) system calls.\& As of version 3.\&26.\&2, this setting does
not apply to UNIX domain socket creation for \fIbind\fR(2) system calls, and
non-regular file creation for \fImknod\fR(2) and \fImknodat\fR(2) system calls.\&
.PP
.SS trace/memory_access
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBinteger\fR
T}
T{
default
T}	T{
\fB0\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Set mode on cross memory attach and \fB/proc/pid/mem\fR usage.\& Cross memory attach
requires a Linux kernel with the \fBCONFIG_CROSS_MEMORY_ATTACH\fR option enabled.\&
Supported modes are:
.PP
.PD 0
.IP \(bu 4
\fB0\fR: Use cross memory attach if available, use \fB/proc/pid/mem\fR otherwise.\&
.IP \(bu 4
\fB1\fR: Use \fB/proc/pid/mem\fR unconditionally.\&
.PD
.PP
.nf
.RS 4
;  strace -q -eprocess_vm_readv -fc -- syd -m trace/memory_access:1 true
[pid 1100565] ????( <detached \&.\&.\&.>
;  strace -q -eprocess_vm_readv -fc -- syd -m trace/memory_access:0 true
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- -----------------
100,00    0,000155           6        24           process_vm_readv
------ ----------- ----------- --------- --------- -----------------
100,00    0,000155           6        24           total
;
.fi
.RE
.PP
.SS trace/sync_seccomp
.PP
.TS
allbox;l l
l l.
T{
type
T}	T{
\fBboolean\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Use synchronous mode for seccomp-notify so each Syd syscall handler thread wakes
up on the same CPU as the respective sandbox thread that executed the system
call.\& This option makes no functional difference and it may or may not help with
performance; it defaults to false unless \fBSYD_SYNC_SCMP\fR environment variable is
set at startup.\& This is because in our benchmarks setting this option typically
hurts performance which may be attributed to Syd'\&s multithreaded nature.\& Use
\fIperf\fR(1) to benchmark seccomp synchronous mode:
.PP
.nf
.RS 4
; perf bench sched seccomp-notify
# Running \&'sched/seccomp-notify\&' benchmark:
# Executed 1000000 system calls
Total time: 6\&.736 [sec]
6\&.736395 usecs/op
148447 ops/sec
; perf bench sched seccomp-notify --sync-mode
# Running \&'sched/seccomp-notify\&' benchmark:
# Executed 1000000 system calls
Total time: 4\&.188 [sec]
4\&.188846 usecs/op
238729 ops/sec
.fi
.RE
.PP
.SS cache/capacity/path
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBusize\fR
T}
T{
default
T}	T{
\fB4096\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Estimated items capacity of the security policy cache for paths.\&
.PP
.SS cache/capacity/addr
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBusize\fR
T}
T{
default
T}	T{
\fB1024\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Estimated items capacity of the security policy cache for IP addresses.\&
.PP
.SS cache/capacity/fd
.PP
.TS
allbox;l l
l l
l l.
T{
type
T}	T{
\fBusize\fR
T}
T{
default
T}	T{
\fB0\fR
T}
T{
static
T}	T{
\fByes\fR
T}
.TE
.sp 1
Estimated items capacity of the file descriptor cache for path
canonicalization.\&
.PP
If this value is set to 0, which is the default, Syd determines the
cache capacity automatically taking into account the file resource
limits and the system-wide limit set in the file "/proc/sys/fs/file-max".\&
.PP
.SH SHORTCUTS
.PP
\fBread\fR, \fBstat\fR, \fBwrite\fR, and \fBexec\fR may be passed to \fBallow\fR, \fBdeny\fR, and
\fBfilter\fR either as a single unit or as a comma-delimited list, e.\&g:
.PP
.nf
.RS 4
allow/read,write,stat,exec+/***
allow/read,write,stat-/***
deny/read,write,stat+/***
deny/read,write-/***
filter/read,write,stat+/dev/mem
filter/read,write-/dev/mem
.fi
.RE
.PP
Since 3.\&18.\&14, sandboxing modes may be specified as a single unit or as a
comma-delimited list, e.\&g:
.PP
.nf
.RS 4
sandbox/read,write,stat,exec:on
sandbox/net,lock:off
.fi
.RE
.PP
Since 3.\&19.\&0, namespace types may be specified as a single unit or as a
comma-delimited list, e.\&g.\&:
.PP
.nf
.RS 4
unshare/user,pid,mount:on
unshare/net,cgroup:off
.fi
.RE
.PP
.SH PATTERN MATCHING
.PP
Syd uses shell-style pattern matching for allowlists and filters.\& The
matching code uses the \fBglobset\fR crate.\& Check their documentation for more
information about patterns.\& Note, patterns are \fIcase sensitive\fR, the \fBempty
alternates\fR option is set when building patterns, i.\&e.\& \fBfoo{,.\&txt}\fR in a pattern
will match both \fBfoo\fR and \fBfoo.\&txt\fR and Syd applies the \fBtriple star\fR
extension to patterns, i.\&e.\& \fB/dev/***\fR matches both \fB/dev\fR and any file
recursively under \fB/dev\fR.\& Note also, Syd gets patterns from multiple sources:
a configuration file, a profile, the \fB-m\fR command line switch, or a \fBstat\fR call
with \fB/dev/syd\fR prefix.\& There is no precedence between different sources.\& All
patterns in a list are compiled together in a \fBGlobSet\fR and pattern matching
during access control happens in a single step where \fIthe last matching pattern
decides the outcome.\&\fR
.PP
.SH ADDRESS MATCHING
.PP
Syd has a simple address scheme to match network addresses.\& The addresses can
either be a \fBglob\fR pattern to match \fBUNIX\fR and \fBabstract UNIX\fR socket addresses,
or \fBIP CIDR\fR followed by a port range to match \fBIPv4\fR and \fBIPv6\fR addresses.\& Port
range can either be a single port or a closed range in format \fBport1-port2\fR.\& The
address and the port range must be split by the character \fB!\&\fR.\&  The precedence
logic is same as \fBPattern Matching\fR where \fIthe last matching pattern decides the
outcome.\&\fR
.PP
In addition there are some \fBaliases\fR, you may use instead of specifying an address:
.PP
.PD 0
.IP \(bu 4
\fBany\fR: Expanded to \fBany4\fR + \fBany6\fR.\&
.IP \(bu 4
\fBany4\fR: Expanded to \fB0.\&0.\&0.\&0/0\fR which matches the whole Ipv4 address space.\&
.IP \(bu 4
\fBany6\fR: Expanded to \fB::/0\fR which matches the whole Ipv6 address space.\&
.IP \(bu 4
\fBloopback\fR: Expanded to \fBloopback4\fR + \fBloopback6\fR.\&
.IP \(bu 4
\fBloopback4\fR: Expanded to \fB127.\&0.\&0.\&0/8\fR
.IP \(bu 4
\fBloopback6\fR: Expanded to \fB::1/128\fR
.IP \(bu 4
\fBlinklocal\fR: Expanded to \fBlinklocal4\fR + \fBlinklocal6\fR.\&
.IP \(bu 4
\fBlinklocal4\fR: Expanded to \fB169.\&254.\&0.\&0/16\fR
.IP \(bu 4
\fBlinklocal6\fR: Expanded to \fBfe80::/10\fR
.IP \(bu 4
\fBlocal\fR: Expanded to \fBlocal4\fR + \fBlocal6\fR.\&
.IP \(bu 4
\fBlocal4\fR: Expanded to four addresses as defined in \fBRFC1918\fR:
.RS 4
.IP \(bu 4
\fB127.\&0.\&0.\&0/8\fR
.IP \(bu 4
\fB10.\&0.\&0.\&0/8\fR
.IP \(bu 4
\fB172.\&16.\&0.\&0/12\fR
.IP \(bu 4
\fB192.\&168.\&0.\&0/16\fR
.RE
.IP \(bu 4
\fBlocal6\fR: Expanded to four addresses:
.RS 4
.IP \(bu 4
\fB::1/128\fR
.IP \(bu 4
\fBfe80::/7\fR
.IP \(bu 4
\fBfc00::/7\fR
.IP \(bu 4
\fBfec0::/7\fR
.PD
.PP
.RE
.SH SECURITY
.PP
The interface is only available if the sandbox lock is not set for the calling
process.\& Similarly, command-line option parsing and configuration file parsing
stops once a \fBlock:on\fR clause is executed.\&
.PP
.SH RETURN VALUE
.PP
For \fIstat\fR(2) calls, on success, zero is returned.\& On error, -1 is returned, and
errno is set to indicate the error.\&
.PP
For \fIopen\fR(2) calls, on success the new file descriptor (a nonnegative integer)
is returned.\& On error, -1 is returned and errno is set to indicate the error.\&
.PP
.SH ERRORS
.PP
.TS
l lx.
T{
\fBEBUSY\fR
T}	T{
Attempted to edit a setting at runtime that must be configured at startup
T}
.TE
.sp 1
.TS
l lx.
T{
\fBEEXIST\fR
T}	T{
Attempted to add an UID/GID transition for SafeSetID but a transition with the same source UID/GID exists.\&
T}
.TE
.sp 1
.TS
l lx.
T{
\fBEINVAL\fR
T}	T{
Sandbox command is syntactically incorrect.\&
T}
.TE
.sp 1
.TS
l lx.
T{
\fBENOENT\fR
T}	T{
Result of the given sandbox query is false (e.\&g.\& "test -c /dev/syd/sandbox/stat?\&").\&
T}
.TE
.sp 1
.TS
l lx.
T{
\fBENOENT\fR
T}	T{
Sandbox lock is on, no commands are allowed.\&
T}
.TE
.sp 1
.TS
l lx.
T{
\fBENOSYS\fR
T}	T{
elf feature is disabled and command is one of "trace/deny_elf32", "trace/deny_dynamic", or "trace/deny_static".\&
T}
.TE
.sp 1
.SH SEE ALSO
.PP
\fIsyd\fR(1), \fIsyd\fR(5), \fIsyd\fR(7), \fIsyd-ls\fR(1) \fIopen\fR(2), \fIstat\fR(2),
\fIperf\fR(1), \fIpledge\fR(2), \fIptrace\fR(2), \fIseccomp\fR(2), \fIstrace\fR(1),
\fIglob\fR(3p), \fIio_uring\fR(7), \fIgdb\fR(1), \fIvalgrind\fR(1), \fIwordexp\fR(3)
.PP
.PD 0
.IP \(bu 4
\fBsyd\fR homepage: https://sydbox.\&exherbolinux.\&org
.IP \(bu 4
\fBlibsyd\fR homepage: https://libsyd.\&exherbolinux.\&org
.IP \(bu 4
\fBgosyd\fR homepage: https://gosyd.\&exherbolinux.\&org
.IP \(bu 4
\fBplsyd\fR homepage:  https://plsyd.\&exherbolinux.\&org
.IP \(bu 4
\fBpysyd\fR homepage: https://pysyd.\&exherbolinux.\&org
.IP \(bu 4
\fBrbsyd\fR homepage: https://rbsyd.\&exherbolinux.\&org
.IP \(bu 4
\fBsyd.\&el\fR homepage: https://sydel.\&exherbolinux.\&org
.IP \(bu 4
\fBlibsydtime\fR homepage: https://lib.\&rs/libsydtime
.IP \(bu 4
\fBLandLock\fR homepage: https://landlock.\&io/
.IP \(bu 4
\fBvDSO\fR wiki: https://en.\&wikipedia.\&org/wiki/VDSO
.IP \(bu 4
\fBparse-size\fR documentation: https://docs.\&rs/parse-size/1.\&0.\&0/parse_size/
.IP \(bu 4
\fBglobset\fR documentation: https://docs.\&rs/globset
.IP \(bu 4
\fBGlobSet\fR documentation: https://docs.\&rs/globset/latest/globset/struct.\&GlobSet.\&html
.IP \(bu 4
GlobBuilder \fBempty_alternates\fR method: https://docs.\&rs/globset/latest/globset/struct.\&GlobBuilder.\&html#method.\&empty_alternates
.IP \(bu 4
\fBipnetwork\fR documentation: https://docs.\&rs/ipnetwork
.PD
.PP
.SH AUTHORS
.PP
Maintained by Ali Polatel.\& Up-to-date sources can be found at
https://gitlab.\&exherbo.\&org/sydbox/sydbox.\&git and bugs/patches can be
submitted to https://gitlab.\&exherbo.\&org/groups/sydbox/-/issues.\& Discuss
in #sydbox on Libera Chat.\&