Syd: An Advanced Introduction to Secure Application Sandboxing
In this advanced session, we explore Syd's Rust-based application kernel
as a true security boundary. Its multithreaded seccomp-notify engine
intercepts and emulates system calls on behalf of sandboxed processes,
so that the access check and the operation itself are performed
together and TOCTTOU races are eliminated; syd-mdwe(1) applies
Memory-Deny-Write-Execute protections via PR_SET_MDWE and seccomp
filters; syd-lock(1) drives Landlock confinement for paths and ports;
and Force sandboxing enforces cryptographic integrity checks on
executables before they run. Through a live demonstration, you will
learn to craft fine-grained Syd profiles for a production NGINX server:
locking down document roots, configuration, logs and runtime
directories; restricting network bind and connect to the HTTP(S) ports;
enabling SegvGuard crash throttling; integrating with systemd; auditing
violations via syslog; and iteratively refining policies for real-world
deployments.
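To make the NGINX lock-down concrete, the following profile is an added
illustration and not material from the session or from the Syd project.
The directive syntax is written from memory of syd(5) and must be checked
against the installed manual page before use; every path, port and
SegvGuard value is an assumption chosen for a typical Debian-style NGINX
layout and should be adjusted to the deployment at hand.

```conf
# Added example Syd profile for an NGINX server (not from the talk or the
# Syd project). Directive syntax is assumed from memory of syd(5); all
# paths, ports and thresholds below are assumptions.

# Enable deny-by-default sandboxing for the four categories the session
# covers; anything not explicitly allowed below is refused and logged.
sandbox/read:on
sandbox/write:on
sandbox/exec:on
sandbox/net:on

# Read-only: the binary, shared libraries, configuration, TLS material
# and the document root. Config and document root are never writable.
allow/read+/usr/sbin/nginx
allow/read+/lib/**
allow/read+/usr/lib/**
allow/read+/etc/nginx/**
allow/read+/etc/ssl/**
allow/read+/var/www/html/**

# Writable: only logs, the runtime directory and the on-disk cache.
allow/write+/var/log/nginx/**
allow/write+/run/nginx/**
allow/write+/var/cache/nginx/**

# Exec: nothing but the server binary itself (workers are forked from it).
allow/exec+/usr/sbin/nginx

# Network: bind only the HTTP(S) ports. No connect rules are added, so a
# compromised worker cannot open outbound connections (add a
# allow/net/connect+ rule for upstreams if the server proxies).
allow/net/bind+0.0.0.0!80
allow/net/bind+0.0.0.0!443

# SegvGuard crash throttling (assumed values): after three crashes within
# 60 seconds, further executions are suspended for 60 seconds, which
# blunts brute-force attempts that rely on repeated worker crashes.
segvguard/expiry:60
segvguard/suspension:60
segvguard/maxcrashes:3

# Lock the sandbox so the confined process cannot relax its own policy.
lock:on
```

The intended workflow matches the session's description: start with
every category denied, run NGINX under the profile, read the violations
Syd reports via syslog, and add only the specific allow rules those
violations justify, rather than widening globs until the errors go away.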