Thank you for your kind words. As the author of syd and an Exherbo developer, I am working on a sibling distro called "Hardened Exherbo": https://hexsys.org. The idea is to contain all service daemons with Syd. I don't have much to show yet but I have successfully contained some daemons:
rsyslog and openntpd profiles may be slightly outdated. I am particularly proud about the nginx profile, it demonstrates many things above all SafeSetID and Binary verification. Note, nginx profile is only configured for static file serving, if you have app servers you're gonna have to allow them as well.
Syd has a trace mode when the access violations are only logged and allowed. The utility Pandora uses this mode to provide a learning mode. You can read more about pandora here: https://crates.io/crates/pandora_box
Pandora is really nice, it'll trim too long paths turning them into globs and calculate checksums for all the binaries and libraries used and invoking it is as easy as e.g. "pandora profile firefox".
1. rsyslog: https://gitlab.exherbo.org/exherbo/arbor/-/blob/hex/packages...
2. openntpd: https://gitlab.exherbo.org/exherbo/arbor/-/blob/hex/packages...
3. nginx: https://gitlab.exherbo.org/exherbo/net/-/blob/hex/packages/w...
rsyslog and openntpd profiles may be slightly outdated. I am particularly proud about the nginx profile, it demonstrates many things above all SafeSetID and Binary verification. Note, nginx profile is only configured for static file serving, if you have app servers you're gonna have to allow them as well.
Syd has a trace mode when the access violations are only logged and allowed. The utility Pandora uses this mode to provide a learning mode. You can read more about pandora here: https://crates.io/crates/pandora_box
Pandora is really nice, it'll trim too long paths turning them into globs and calculate checksums for all the binaries and libraries used and invoking it is as easy as e.g. "pandora profile firefox".