| Imho, you're judging syd too harshly without really understanding it: > for example, silently turning O_RDWR into O_WRONLY This is only done for Crypt sandboxing and admittedly it's mostly aimed for encrypting small files that are rarely rewritten, such as config. > prohibiting PROT_EXEC on memfds Syd is secure by default and almost always gives you options to relax specific restrictions. For this one, you want: https://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_m... > Syd also blocks executable+anonymous memory Same, can be disabled if not needed: https://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_m... > > As of version 3.19.0, Syd turns the "O_PATH" flag in open(2) system call arguments to the "O_RDONLY" flag and emulates the system call as usual which avoids the TOCTOU vector This is a kernel limitation and there's an open kernel bug to implement O_PATH similar to O_CLOEXEC: https://bugzilla.kernel.org/show_bug.cgi?id=218501 |