
Huh. Does anyone know how it works without additional privileges?

I ran syd as a normal user on my system and it blocked network calls. Does it fall back to ptrace? I don't think my user has the ability to create network namespaces.

edit: Ah, ok. There's a little more here: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/doc/toc.... And the readme does mention ptrace. Would be great to understand how to introspect what this is using and when, i.e., in some cases I might not be able to tolerate the performance penalty of ptrace.

edit2: ah ok wayyyy more info here: https://man.exherbolinux.org/syd.1.html

and benchmarks: https://man.exherbolinux.org/syd.1.html#BENCHMARKS

So it is slower, but much faster than I would have expected. Wild.


