2025-09-20 –, Tesla
In this advanced session, we explore Syd's Rust-based application kernel
as a true security boundary: its multithreaded seccomp-notify engine
intercepts and emulates syscalls on behalf of sandboxed processes to
eliminate TOCTTOU races; syd-mdwe(1) applies Memory-Deny-Write-Execute
protections via PR_SET_MDWE
and seccomp filters; syd-lock(1) drives
Landlock confinement for paths and ports; and Force sandboxing enforces
cryptographic integrity checks. Through a live demonstration, you'll
learn to craft fine-grained Syd profiles for a production NGINX
server: locking down document roots, configs, logs, and runtime
directories; restricting network bind/connect to HTTP(S) ports; enabling
SegvGuard crash throttling; integrating with systemd; auditing
violations via syslog; and iteratively refining policies for real-world
deployments.
Attendees will gain hands-on mastery of Syd's core components --
seccomp-notify syscall mediation, MDWE enforcement, Landlock-based
sandboxing, SegvGuard, and Force sandboxing -- by following a
step-by-step NGINX tutorial: writing concise policy files to confine
filesystem and network operations, launching NGINX under Syd within
systemd, observing logged policy violations, and refining profiles to
achieve robust isolation and minimal overhead in production
environments.
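The MDWE enforcement named above is a kernel-side property that syd-mdwe(1) turns on with PR_SET_MDWE; once set, the process (and its children) can no longer turn a writable mapping executable. The following C program is an added example, not code from the talk or from the Syd project: it enables the flag the way a supervisor would and then probes what the kernel refuses, so that a defender can see exactly which transition (RW page to RX) is denied and with which errno. The enum names and the probe function are this example's own; the prctl constants are the real ones from linux/prctl.h (Linux 6.3 and later), and the fallback defines only cover older libc headers.

```c
/* Added example (not part of the talk or of Syd's own code): what
 * PR_SET_MDWE enforces once syd-mdwe(1) or any supervisor turns it on. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Older libc headers may lack these; values are those of linux/prctl.h
 * (PR_SET_MDWE exists since Linux 6.3). */
#ifndef PR_SET_MDWE
#define PR_SET_MDWE 65
#endif
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
#define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0)
#endif

/* Outcome codes for mdwe_demo() (names chosen for this example). */
enum mdwe_result {
    MDWE_BLOCKED = 0,      /* MDWE on and the RW->RX transition was refused */
    MDWE_UNSUPPORTED = 1,  /* kernel or sandbox refused PR_SET_MDWE itself */
    MDWE_NOT_ENFORCED = 2, /* prctl succeeded but the transition was allowed */
    MDWE_ERROR = 3         /* mmap failed or mprotect failed for another reason */
};

/* Map one writable anonymous page, then ask for PROT_EXEC on it.
 * Returns 0 if the kernel allowed the transition, -1 (errno set) if it
 * refused, -2 if the mapping itself could not be created. */
static int try_exec_gain(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -2;
    int rc = mprotect(p, page, PROT_READ | PROT_EXEC);
    int saved = errno;
    munmap(p, page);
    errno = saved;
    return rc;
}

/* Enable MDWE for the calling process (it cannot be cleared again and is
 * inherited across fork/exec), then probe whether W->X is denied. */
enum mdwe_result mdwe_demo(void) {
    if (prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0) != 0)
        return MDWE_UNSUPPORTED; /* e.g. EINVAL on kernels before 6.3 */
    int rc = try_exec_gain();
    if (rc == -2)
        return MDWE_ERROR;
    if (rc == -1)
        return errno == EACCES ? MDWE_BLOCKED : MDWE_ERROR;
    return MDWE_NOT_ENFORCED;
}

int main(void) {
    switch (mdwe_demo()) {
    case MDWE_BLOCKED:
        puts("MDWE active: RW->RX mprotect refused with EACCES");
        return 0;
    case MDWE_UNSUPPORTED:
        printf("PR_SET_MDWE not available here: %s\n", strerror(errno));
        return 0;
    case MDWE_NOT_ENFORCED:
        puts("prctl succeeded but W->X was allowed (unexpected)");
        return 1;
    default:
        printf("probe failed: %s\n", strerror(errno));
        return 1;
    }
}
```

Because the flag is sticky and inherited, a supervisor sets it before exec'ing the confined service; for a process like NGINX that never JITs, the only thing it costs is the ability to load code into memory at runtime, which is exactly the capability an attacker with a memory-corruption primitive wants.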
Exherbo Linux developer