> for example, silently turning O_RDWR into O_WRONLY
This is only done for Crypt sandboxing and admittedly it's mostly aimed at encrypting small files that are rarely rewritten, such as config.
> prohibiting PROT_EXEC on memfds
Syd is secure by default and almost always gives you options to relax specific restrictions. For this one, you want: https://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_m...
> Syd also blocks executable+anonymous memory
Same, can be disabled if not needed: https://man.exherbolinux.org/syd.2.html#trace/allow_unsafe_m...
> > As of version 3.19.0, Syd turns the "O_PATH" flag in open(2) system call arguments to the "O_RDONLY" flag and emulates the system call as usual which avoids the TOCTOU vector
This is a kernel limitation and there's an open kernel bug to implement O_PATH similar to O_CLOEXEC: https://bugzilla.kernel.org/show_bug.cgi?id=218501
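The O_PATH point above is easy to misread without seeing the flag's semantics. The following is an added C example, not code from the original comment or from the Syd project: it shows what an O_PATH descriptor can and cannot do per open(2) (fstat(2) works, read(2) fails with EBADF), and that the same descriptor can be re-opened with real access flags through /proc/self/fd/N, which is why a sandbox cannot treat an O_PATH open as harmless and why mapping it to an ordinary O_RDONLY open (and policy-checking it as such) is a defensible choice. It assumes Linux with /proc mounted and a writable /tmp; the sample file and its contents are constructed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample input: a small file standing in for a config.
   Returns a malloc'd path the caller unlinks and frees, or NULL. */
char *make_sample_file(void) {
    char tmpl[] = "/tmp/opath-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    const char msg[] = "secret config\n"; /* 14 bytes */
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    close(fd);
    return strdup(tmpl);
}

/* open(2) documents that read(2) on an O_PATH fd fails with EBADF.
   Returns 1 if that is what happens, 0 if the read unexpectedly works,
   -1 if the O_PATH open itself fails. */
int opath_fd_is_not_readable(const char *path) {
    int fd = open(path, O_PATH | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[16];
    ssize_t n = read(fd, buf, sizeof buf);
    int saved = errno;
    close(fd);
    return (n < 0 && saved == EBADF) ? 1 : 0;
}

/* Metadata operations are still allowed on an O_PATH fd: fstat(2) works.
   Returns the file size, or -1 on failure. */
long opath_fd_size(const char *path) {
    int fd = open(path, O_PATH | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (long)st.st_size : -1;
}

/* The part a sandbox has to account for: an O_PATH fd can be re-opened
   via /proc/self/fd/N with real access flags. The second open(2) names
   only the magic link, not the original path, so a policy that only
   inspected the first (O_PATH) open and let it through would be bypassed.
   Returns the number of bytes read from the re-opened fd, or -1. */
long reopen_opath_and_read(const char *path, char *out, size_t outlen) {
    int pfd = open(path, O_PATH | O_CLOEXEC);
    if (pfd < 0) return -1;
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", pfd);
    int rfd = open(proc, O_RDONLY | O_CLOEXEC);
    close(pfd);
    if (rfd < 0) return -1;
    ssize_t n = read(rfd, out, outlen);
    close(rfd);
    return (long)n;
}

int main(void) {
    char *p = make_sample_file();
    if (!p) return 1;
    char buf[64];
    printf("read() on O_PATH fd fails with EBADF: %d\n", opath_fd_is_not_readable(p));
    printf("fstat() on O_PATH fd reports size: %ld\n", opath_fd_size(p));
    long n = reopen_opath_and_read(p, buf, sizeof buf);
    printf("re-open via /proc/self/fd read %ld bytes\n", n);
    unlink(p);
    free(p);
    return 0;
}
```

Run it outside Syd to see the re-open succeed; the same program under a sandbox that maps O_PATH to O_RDONLY gets the first open(2) evaluated against the read policy instead of slipping through as a "no access" open.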