Replies: 3 comments
-
(Previous discussion about syd started by you in #6411.)
-
How many programs support it? How many of them have more than 10(0) users? How many of them are the "dangerous" programs on your system? (rhetorical questions) Short: it is an interesting thing you can study and learn from. However, unless something like systemd (or Linux itself) adds such a thing, it will not see wide use.
-
I forgot about this discussion.
-
https://fosdem.org/2025/schedule/event/fosdem-2025-4176-syd-an-introduction-to-secure-application-sandboxing-for-linux/
Especially the ghost mode of syd: could this be useful for firejail too?
Maybe we can get ghost mode in firejail too.
Ghost Mode, introduced in Syd version 3.20.0, is the final sandboxing type, closely resembling Seccomp Level 1, also known as Strict Mode. This mode enhances security by allowing a process to transition to a highly restrictive state after completing its initial setup. When a sandboxed process is ready for this higher level of confinement, it invokes Ghost Mode by executing the "ghost" command using the virtual stat API, e.g. with stat("/dev/syd/ghost", NULL). This system call invocation is going to fail with the errno "EOWNERDEAD" if Ghost mode is successfully initiated. Upon receiving this command, Syd closes the seccomp(2) notify file descriptor. This action elevates all previously hooked system calls to a kernel-level deny with the "ENOSYS" errno, effectively making them unavailable. The transition to Ghost Mode is irreversible; once the file descriptor is closed, the process is locked into this restricted state. This mechanism ensures that the sandboxed process can only perform a very limited set of operations, akin to those allowed in Seccomp Level 1, thus significantly reducing its potential attack surface. Ghost Mode provides a robust security measure by denying all but the most essential system calls, which is crucial for applications that require maximum isolation and security after their initial configuration phase.
The mode is aptly named "Ghost" because, upon closing the seccomp(2) notify file descriptor, the sandboxed process effectively detaches from Syd and becomes independent, much like a ghost. From this point onwards, Syd no longer intervenes or manages the process's system calls but merely waits for the process to exit. This detachment underscores the finality and isolation of the Ghost Mode, ensuring that the process operates in a secure, tightly confined environment without further interaction from Syd. This mechanism is particularly useful for processes that require maximum security and minimal system call exposure after their initial configuration phase, providing a robust layer of protection against various exploits and vulnerabilities.
Note, a process cannot enter Ghost mode once the sandbox lock is set. Alternatively, though, a process can set its process dumpable attribute to zero using the "PR_SET_DUMPABLE" prctl(2). Under Syd, this achieves almost the same effect as Syd will not be able to emulate system calls with the per-process directory inaccessible. This provides an unprivileged way to enter Ghost mode.
Thanks and
Best regards