1: ; syd.el --- Emacs Lisp binding for the syd(2) API -*- lexical-binding: t -*-
2:
3: ; Syd: rock-solid application kernel
4: ;
5: ; Copyright (c) 2023, 2024, 2025, 2026 Ali Polatel <alip@chesswob.org>
6: ;
7: ; Author: Ali Polatel <alip@chesswob.org>
8: ; SPDX-License-Identifier: GPL-3.0
9:
10: ; Commentary:
11:
12: ; This is the Emacs Lisp implementation of the virtual syd(2) stat
13: ; interface. A sandboxed process configures and queries the Syd
14: ; application kernel by issuing stat(2) calls on magic paths under
15: ; /dev/syd. Syd answers each with a character-special device. Every
16: ; public function here builds such a magic path and validates the
17: ; response with `syd--stat'.
18:
19: ; Code:
20:
; Sandbox lock states, as keywords accepted by `syd-lock'.
; `syd-lock' maps each one to the magic path /dev/syd/lock:STATE,
; where STATE is off, exec, drop, read or on.
(defconst syd-lock-off :lock-off
  "The sandbox lock is off, allowing all sandbox commands.")

(defconst syd-lock-exec :lock-exec
  "Sandbox commands are allowed only from the syd exec child (the default).")

(defconst syd-lock-drop :lock-drop
  "Sandbox commands are allowed only to drop privileges.")

(defconst syd-lock-read :lock-read
  "Sandbox commands are allowed only to read sandbox state.")

(defconst syd-lock-on :lock-on
  "The sandbox lock is on, disallowing all sandbox commands.")
36:
; Sandbox actions, as keywords accepted by the `syd-default-*' functions.
; Those functions send each one to Syd as its bare name: allow, warn,
; filter, deny, panic, stop, abort, kill or exit.
(defconst syd-action-allow :action-allow
  "Allow system call.")

(defconst syd-action-warn :action-warn
  "Allow system call and warn.")

(defconst syd-action-filter :action-filter
  "Deny system call silently.")

(defconst syd-action-deny :action-deny
  "Deny system call and warn.")

(defconst syd-action-panic :action-panic
  "Deny system call, warn and panic the current Syd thread.")

(defconst syd-action-stop :action-stop
  "Deny system call, warn and stop offending process.")

(defconst syd-action-abort :action-abort
  "Deny system call, warn and abort offending process.")

(defconst syd-action-kill :action-kill
  "Deny system call, warn and kill offending process.")

(defconst syd-action-exit :action-exit
  "Warn, and exit Syd immediately with deny errno as exit value.")
64:
(defun syd-info ()
  "Read the Syd sandbox state from /dev/syd and return it as an alist.
At most 16 MiB are read.  The text is decoded with `json-read': objects
become alists with symbol keys, arrays become lists, and JSON false and
null both become nil, so callers cannot tell those two apart.
Return nil, after logging a message, if the `json' library is not
available, if /dev/syd cannot be read, or if JSON decoding fails."
  (cond
   ((not (require 'json nil t))
    (message "JSON module not available.")
    nil)
   (t
    (condition-case nil
        (with-temp-buffer
          ;; The END argument caps how much is pulled into the buffer.
          (insert-file-contents "/dev/syd" nil nil (* 16 1024 1024))
          (with-no-warnings
            (let ((json-object-type 'alist)
                  (json-array-type 'list)
                  (json-key-type 'symbol)
                  (json-false nil)
                  (json-null nil))
              (json-read))))
      (file-error
       (message "Error reading /dev/syd.")
       nil)
      (json-error
       (message "JSON decoding error.")
       nil)))))
88:
(defun syd-api ()
  "Check that Syd answers for API version 3.
Return 3 if `syd--stat' on /dev/syd/3 succeeds, nil otherwise."
  (when (syd--stat "/dev/syd/3")
    3))
94:
(defun syd-check ()
  "Check whether /dev/syd is a character device.
Return the result of `syd--stat' on that path."
  (syd--stat "/dev/syd"))
98:
(defun syd-panic ()
  "Ask Syd to exit immediately with code 127.
Return the result of `syd--stat' on /dev/syd/panic."
  (syd--stat "/dev/syd/panic"))
102:
(defun syd-ghost ()
  "Initiate Ghost mode.
Return the result of `syd--stat' on /dev/syd/ghost."
  (syd--stat "/dev/syd/ghost"))
106:
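(defun syd-load (fd)
  "Cause Syd to read configuration from the file descriptor FD.
FD must be a non-negative integer.  A negative or non-integer number
returns nil without contacting Syd; a non-number signals
`wrong-type-argument'.  Otherwise return the result of `syd--stat' on
/dev/syd/load/FD.
The loaded configuration changes sandbox policy, so FD should refer
only to content the caller trusts."
  (let ((path (concat "/dev/syd/load/" (number-to-string fd))))
    ;; Only a descriptor number is meaningful here; do not hand Syd a
    ;; path built from a negative or fractional value.
    (when (natnump fd)
      (syd--stat path))))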
111:
(defun syd-lock (state)
  "Set the sandbox lock to STATE.
STATE is one of the keywords `:lock-off', `:lock-exec', `:lock-drop',
`:lock-read' or `:lock-on'.
Return t on success, nil on failure.  An unrecognized STATE also
returns nil, without contacting Syd, so a nil return means the lock
state was not confirmed as changed."
  (let ((path (cdr (assq state
                         `((,syd-lock-off . "/dev/syd/lock:off")
                           (,syd-lock-exec . "/dev/syd/lock:exec")
                           (,syd-lock-drop . "/dev/syd/lock:drop")
                           (,syd-lock-read . "/dev/syd/lock:read")
                           (,syd-lock-on . "/dev/syd/lock:on"))))))
    (and path (syd--stat path))))
124:
(defun syd-enabled-fs ()
  "Query whether Filesystem sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/fs?."
  (syd--stat "/dev/syd/sandbox/fs?"))
128:
(defun syd-enable-fs ()
  "Turn Filesystem sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/fs:on."
  (syd--stat "/dev/syd/sandbox/fs:on"))
132:
(defun syd-disable-fs ()
  "Turn Filesystem sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/fs:off."
  (syd--stat "/dev/syd/sandbox/fs:off"))
136:
(defun syd-enabled-walk ()
  "Query whether Walk sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/walk?."
  (syd--stat "/dev/syd/sandbox/walk?"))
140:
(defun syd-enable-walk ()
  "Turn Walk sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/walk:on."
  (syd--stat "/dev/syd/sandbox/walk:on"))
144:
(defun syd-disable-walk ()
  "Turn Walk sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/walk:off."
  (syd--stat "/dev/syd/sandbox/walk:off"))
148:
(defun syd-enabled-list ()
  "Query whether List sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/list?."
  (syd--stat "/dev/syd/sandbox/list?"))
152:
(defun syd-enable-list ()
  "Turn List sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/list:on."
  (syd--stat "/dev/syd/sandbox/list:on"))
156:
(defun syd-disable-list ()
  "Turn List sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/list:off."
  (syd--stat "/dev/syd/sandbox/list:off"))
160:
(defun syd-enabled-stat ()
  "Query whether Stat sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/stat?."
  (syd--stat "/dev/syd/sandbox/stat?"))
164:
(defun syd-enable-stat ()
  "Turn Stat sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/stat:on."
  (syd--stat "/dev/syd/sandbox/stat:on"))
168:
(defun syd-disable-stat ()
  "Turn Stat sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/stat:off."
  (syd--stat "/dev/syd/sandbox/stat:off"))
172:
(defun syd-enabled-read ()
  "Query whether Read sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/read?."
  (syd--stat "/dev/syd/sandbox/read?"))
176:
(defun syd-enable-read ()
  "Turn Read sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/read:on."
  (syd--stat "/dev/syd/sandbox/read:on"))
180:
(defun syd-disable-read ()
  "Turn Read sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/read:off."
  (syd--stat "/dev/syd/sandbox/read:off"))
184:
(defun syd-enabled-write ()
  "Query whether Write sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/write?."
  (syd--stat "/dev/syd/sandbox/write?"))
188:
(defun syd-enable-write ()
  "Turn Write sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/write:on."
  (syd--stat "/dev/syd/sandbox/write:on"))
192:
(defun syd-disable-write ()
  "Turn Write sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/write:off."
  (syd--stat "/dev/syd/sandbox/write:off"))
196:
(defun syd-enabled-exec ()
  "Query whether Exec sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/exec?."
  (syd--stat "/dev/syd/sandbox/exec?"))
200:
(defun syd-enable-exec ()
  "Turn Exec sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/exec:on."
  (syd--stat "/dev/syd/sandbox/exec:on"))
204:
(defun syd-disable-exec ()
  "Turn Exec sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/exec:off."
  (syd--stat "/dev/syd/sandbox/exec:off"))
208:
(defun syd-enabled-ioctl ()
  "Query whether Ioctl sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/ioctl?."
  (syd--stat "/dev/syd/sandbox/ioctl?"))
212:
(defun syd-enable-ioctl ()
  "Turn Ioctl sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/ioctl:on."
  (syd--stat "/dev/syd/sandbox/ioctl:on"))
216:
(defun syd-disable-ioctl ()
  "Turn Ioctl sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/ioctl:off."
  (syd--stat "/dev/syd/sandbox/ioctl:off"))
220:
(defun syd-enabled-create ()
  "Query whether create sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/create?."
  (syd--stat "/dev/syd/sandbox/create?"))
224:
(defun syd-enable-create ()
  "Turn create sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/create:on."
  (syd--stat "/dev/syd/sandbox/create:on"))
228:
(defun syd-disable-create ()
  "Turn create sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/create:off."
  (syd--stat "/dev/syd/sandbox/create:off"))
232:
(defun syd-enabled-delete ()
  "Query whether delete sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/delete?."
  (syd--stat "/dev/syd/sandbox/delete?"))
236:
(defun syd-enable-delete ()
  "Turn delete sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/delete:on."
  (syd--stat "/dev/syd/sandbox/delete:on"))
240:
(defun syd-disable-delete ()
  "Turn delete sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/delete:off."
  (syd--stat "/dev/syd/sandbox/delete:off"))
244:
(defun syd-enabled-rename ()
  "Query whether rename sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/rename?."
  (syd--stat "/dev/syd/sandbox/rename?"))
248:
(defun syd-enable-rename ()
  "Turn rename sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/rename:on."
  (syd--stat "/dev/syd/sandbox/rename:on"))
252:
(defun syd-disable-rename ()
  "Turn rename sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/rename:off."
  (syd--stat "/dev/syd/sandbox/rename:off"))
256:
(defun syd-enabled-readlink ()
  "Query whether readlink sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/readlink?."
  (syd--stat "/dev/syd/sandbox/readlink?"))
260:
(defun syd-enable-readlink ()
  "Turn readlink sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/readlink:on."
  (syd--stat "/dev/syd/sandbox/readlink:on"))
264:
(defun syd-disable-readlink ()
  "Turn readlink sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/readlink:off."
  (syd--stat "/dev/syd/sandbox/readlink:off"))
268:
(defun syd-enabled-symlink ()
  "Query whether symlink sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/symlink?."
  (syd--stat "/dev/syd/sandbox/symlink?"))
272:
(defun syd-enable-symlink ()
  "Turn symlink sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/symlink:on."
  (syd--stat "/dev/syd/sandbox/symlink:on"))
276:
(defun syd-disable-symlink ()
  "Turn symlink sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/symlink:off."
  (syd--stat "/dev/syd/sandbox/symlink:off"))
280:
(defun syd-enabled-truncate ()
  "Query whether Truncate sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/truncate?."
  (syd--stat "/dev/syd/sandbox/truncate?"))
284:
(defun syd-enable-truncate ()
  "Turn Truncate sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/truncate:on."
  (syd--stat "/dev/syd/sandbox/truncate:on"))
288:
(defun syd-disable-truncate ()
  "Turn Truncate sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/truncate:off."
  (syd--stat "/dev/syd/sandbox/truncate:off"))
292:
(defun syd-enabled-chdir ()
  "Query whether chdir sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/chdir?."
  (syd--stat "/dev/syd/sandbox/chdir?"))
296:
(defun syd-enable-chdir ()
  "Turn chdir sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/chdir:on."
  (syd--stat "/dev/syd/sandbox/chdir:on"))
300:
(defun syd-disable-chdir ()
  "Turn chdir sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/chdir:off."
  (syd--stat "/dev/syd/sandbox/chdir:off"))
304:
(defun syd-enabled-readdir ()
  "Query whether readdir sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/readdir?."
  (syd--stat "/dev/syd/sandbox/readdir?"))
308:
(defun syd-enable-readdir ()
  "Turn readdir sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/readdir:on."
  (syd--stat "/dev/syd/sandbox/readdir:on"))
312:
(defun syd-disable-readdir ()
  "Turn readdir sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/readdir:off."
  (syd--stat "/dev/syd/sandbox/readdir:off"))
316:
(defun syd-enabled-mkdir ()
  "Query whether mkdir sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/mkdir?."
  (syd--stat "/dev/syd/sandbox/mkdir?"))
320:
(defun syd-enable-mkdir ()
  "Turn mkdir sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/mkdir:on."
  (syd--stat "/dev/syd/sandbox/mkdir:on"))
324:
(defun syd-disable-mkdir ()
  "Turn mkdir sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/mkdir:off."
  (syd--stat "/dev/syd/sandbox/mkdir:off"))
328:
(defun syd-enabled-rmdir ()
  "Query whether rmdir sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/rmdir?."
  (syd--stat "/dev/syd/sandbox/rmdir?"))
332:
(defun syd-enable-rmdir ()
  "Turn rmdir sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/rmdir:on."
  (syd--stat "/dev/syd/sandbox/rmdir:on"))
336:
(defun syd-disable-rmdir ()
  "Turn rmdir sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/rmdir:off."
  (syd--stat "/dev/syd/sandbox/rmdir:off"))
340:
(defun syd-enabled-chown ()
  "Query whether chown sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/chown?."
  (syd--stat "/dev/syd/sandbox/chown?"))
344:
(defun syd-enable-chown ()
  "Turn chown sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/chown:on."
  (syd--stat "/dev/syd/sandbox/chown:on"))
348:
(defun syd-disable-chown ()
  "Turn chown sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/chown:off."
  (syd--stat "/dev/syd/sandbox/chown:off"))
352:
(defun syd-enabled-chgrp ()
  "Query whether chgrp sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/chgrp?."
  (syd--stat "/dev/syd/sandbox/chgrp?"))
356:
(defun syd-enable-chgrp ()
  "Turn chgrp sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/chgrp:on."
  (syd--stat "/dev/syd/sandbox/chgrp:on"))
360:
(defun syd-disable-chgrp ()
  "Turn chgrp sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/chgrp:off."
  (syd--stat "/dev/syd/sandbox/chgrp:off"))
364:
(defun syd-enabled-chmod ()
  "Query whether chmod sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/chmod?."
  (syd--stat "/dev/syd/sandbox/chmod?"))
368:
(defun syd-enable-chmod ()
  "Turn chmod sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/chmod:on."
  (syd--stat "/dev/syd/sandbox/chmod:on"))
372:
(defun syd-disable-chmod ()
  "Turn chmod sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/chmod:off."
  (syd--stat "/dev/syd/sandbox/chmod:off"))
376:
(defun syd-enabled-chattr ()
  "Query whether chattr sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/chattr?."
  (syd--stat "/dev/syd/sandbox/chattr?"))
380:
(defun syd-enable-chattr ()
  "Turn chattr sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/chattr:on."
  (syd--stat "/dev/syd/sandbox/chattr:on"))
384:
(defun syd-disable-chattr ()
  "Turn chattr sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/chattr:off."
  (syd--stat "/dev/syd/sandbox/chattr:off"))
388:
(defun syd-enabled-chroot ()
  "Query whether chroot sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/chroot?."
  (syd--stat "/dev/syd/sandbox/chroot?"))
392:
(defun syd-enable-chroot ()
  "Turn chroot sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/chroot:on."
  (syd--stat "/dev/syd/sandbox/chroot:on"))
396:
(defun syd-disable-chroot ()
  "Turn chroot sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/chroot:off."
  (syd--stat "/dev/syd/sandbox/chroot:off"))
400:
(defun syd-enabled-notify ()
  "Query whether notify sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/notify?."
  (syd--stat "/dev/syd/sandbox/notify?"))
404:
(defun syd-enable-notify ()
  "Turn notify sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/notify:on."
  (syd--stat "/dev/syd/sandbox/notify:on"))
408:
(defun syd-disable-notify ()
  "Turn notify sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/notify:off."
  (syd--stat "/dev/syd/sandbox/notify:off"))
412:
(defun syd-enabled-utime ()
  "Query whether utime sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/utime?."
  (syd--stat "/dev/syd/sandbox/utime?"))
416:
(defun syd-enable-utime ()
  "Turn utime sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/utime:on."
  (syd--stat "/dev/syd/sandbox/utime:on"))
420:
(defun syd-disable-utime ()
  "Turn utime sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/utime:off."
  (syd--stat "/dev/syd/sandbox/utime:off"))
424:
(defun syd-enabled-mkbdev ()
  "Query whether mkbdev sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/mkbdev?."
  (syd--stat "/dev/syd/sandbox/mkbdev?"))
428:
(defun syd-enable-mkbdev ()
  "Turn mkbdev sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/mkbdev:on."
  (syd--stat "/dev/syd/sandbox/mkbdev:on"))
432:
(defun syd-disable-mkbdev ()
  "Turn mkbdev sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/mkbdev:off."
  (syd--stat "/dev/syd/sandbox/mkbdev:off"))
436:
(defun syd-enabled-mkcdev ()
  "Query whether mkcdev sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/mkcdev?."
  (syd--stat "/dev/syd/sandbox/mkcdev?"))
440:
(defun syd-enable-mkcdev ()
  "Turn mkcdev sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/mkcdev:on."
  (syd--stat "/dev/syd/sandbox/mkcdev:on"))
444:
(defun syd-disable-mkcdev ()
  "Turn mkcdev sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/mkcdev:off."
  (syd--stat "/dev/syd/sandbox/mkcdev:off"))
448:
(defun syd-enabled-mkfifo ()
  "Query whether mkfifo sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/mkfifo?."
  (syd--stat "/dev/syd/sandbox/mkfifo?"))
452:
(defun syd-enable-mkfifo ()
  "Turn mkfifo sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/mkfifo:on."
  (syd--stat "/dev/syd/sandbox/mkfifo:on"))
456:
(defun syd-disable-mkfifo ()
  "Turn mkfifo sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/mkfifo:off."
  (syd--stat "/dev/syd/sandbox/mkfifo:off"))
460:
(defun syd-enabled-mktemp ()
  "Query whether mktemp sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/mktemp?."
  (syd--stat "/dev/syd/sandbox/mktemp?"))
464:
(defun syd-enable-mktemp ()
  "Turn mktemp sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/mktemp:on."
  (syd--stat "/dev/syd/sandbox/mktemp:on"))
468:
(defun syd-disable-mktemp ()
  "Turn mktemp sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/mktemp:off."
  (syd--stat "/dev/syd/sandbox/mktemp:off"))
472:
(defun syd-enabled-net ()
  "Query whether Network sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/net?."
  (syd--stat "/dev/syd/sandbox/net?"))
476:
(defun syd-enable-net ()
  "Turn Network sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/net:on."
  (syd--stat "/dev/syd/sandbox/net:on"))
480:
(defun syd-disable-net ()
  "Turn Network sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/net:off."
  (syd--stat "/dev/syd/sandbox/net:off"))
484:
(defun syd-enabled-lock ()
  "Query whether lock sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/lock?."
  (syd--stat "/dev/syd/sandbox/lock?"))
488:
(defun syd-enabled-crypt ()
  "Query whether crypt sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/crypt?."
  (syd--stat "/dev/syd/sandbox/crypt?"))
492:
(defun syd-enabled-proxy ()
  "Query whether proxy sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/proxy?."
  (syd--stat "/dev/syd/sandbox/proxy?"))
496:
(defun syd-enabled-mem ()
  "Query whether memory sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/mem?."
  (syd--stat "/dev/syd/sandbox/mem?"))
500:
(defun syd-disable-mem ()
  "Turn memory sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/mem:off."
  (syd--stat "/dev/syd/sandbox/mem:off"))
504:
(defun syd-enabled-pid ()
  "Query whether PID sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/pid?."
  (syd--stat "/dev/syd/sandbox/pid?"))
508:
(defun syd-enable-pid ()
  "Turn PID sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/pid:on."
  (syd--stat "/dev/syd/sandbox/pid:on"))
512:
(defun syd-disable-pid ()
  "Turn PID sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/pid:off."
  (syd--stat "/dev/syd/sandbox/pid:off"))
516:
(defun syd-enabled-force ()
  "Query whether force sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/force?."
  (syd--stat "/dev/syd/sandbox/force?"))
520:
(defun syd-disable-force ()
  "Turn force sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/force:off."
  (syd--stat "/dev/syd/sandbox/force:off"))
524:
(defun syd-enabled-tpe ()
  "Query whether TPE sandboxing is enabled.
Return the result of `syd--stat' on /dev/syd/sandbox/tpe?."
  (syd--stat "/dev/syd/sandbox/tpe?"))
528:
(defun syd-enable-tpe ()
  "Turn TPE sandboxing on.
Return the result of `syd--stat' on /dev/syd/sandbox/tpe:on."
  (syd--stat "/dev/syd/sandbox/tpe:on"))
532:
(defun syd-disable-tpe ()
  "Turn TPE sandboxing off.
Return the result of `syd--stat' on /dev/syd/sandbox/tpe:off."
  (syd--stat "/dev/syd/sandbox/tpe:off"))
536:
(defun syd-default-fs (action)
  "Set the default action for Filesystem sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/fs:%s" name)))))
553:
(defun syd-default-walk (action)
  "Set the default action for Walk sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/walk:%s" name)))))
570:
(defun syd-default-list (action)
  "Set the default action for List sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/list:%s" name)))))
587:
(defun syd-default-stat (action)
  "Set the default action for Stat sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/stat:%s" name)))))
604:
(defun syd-default-read (action)
  "Set the default action for Read sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/read:%s" name)))))
621:
(defun syd-default-write (action)
  "Set the default action for Write sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/write:%s" name)))))
638:
(defun syd-default-exec (action)
  "Set the default action for Exec sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/exec:%s" name)))))
655:
(defun syd-default-ioctl (action)
  "Set the default action for Ioctl sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/ioctl:%s" name)))))
672:
(defun syd-default-create (action)
  "Set the default action for Create sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/create:%s" name)))))
689:
(defun syd-default-delete (action)
  "Set the default action for Delete sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/delete:%s" name)))))
706:
(defun syd-default-rename (action)
  "Set the default action for rename sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/rename:%s" name)))))
723:
(defun syd-default-readlink (action)
  "Set the default action for readlink sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/readlink:%s" name)))))
740:
(defun syd-default-symlink (action)
  "Set the default action for symlink sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/symlink:%s" name)))))
757:
(defun syd-default-truncate (action)
  "Set the default action for Truncate sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/truncate:%s" name)))))
774:
(defun syd-default-chdir (action)
  "Set the default action for chdir sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/chdir:%s" name)))))
791:
(defun syd-default-readdir (action)
  "Set the default action for readdir sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/readdir:%s" name)))))
808:
(defun syd-default-mkdir (action)
  "Set the default action for mkdir sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/mkdir:%s" name)))))
825:
(defun syd-default-rmdir (action)
  "Set the default action for rmdir sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/rmdir:%s" name)))))
842:
(defun syd-default-chown (action)
  "Set the default action for Chown sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/chown:%s" name)))))
859:
(defun syd-default-chgrp (action)
  "Set the default action for Chgrp sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/chgrp:%s" name)))))
876:
(defun syd-default-chmod (action)
  "Set the default action for chmod sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/chmod:%s" name)))))
893:
(defun syd-default-chattr (action)
  "Set the default action for chattr sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/chattr:%s" name)))))
910:
(defun syd-default-chroot (action)
  "Set the default action for chroot sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/chroot:%s" name)))))
927:
(defun syd-default-notify (action)
  "Set the default action for notify sandboxing to ACTION.
ACTION is one of the `syd-action-*' keywords.  Return the result of
`syd--stat', or nil without contacting Syd if ACTION is unknown."
  (let ((name (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (when name
      (syd--stat (format "/dev/syd/default/notify:%s" name)))))
944:
(defun syd-default-utime (action)
  "Set the default action for utime sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/utime:%s" verb)))))
961:
(defun syd-default-mkbdev (action)
  "Set the default action for mkbdev sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/mkbdev:%s" verb)))))
978:
(defun syd-default-mkcdev (action)
  "Set the default action for mkcdev sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/mkcdev:%s" verb)))))
995:
(defun syd-default-mkfifo (action)
  "Set the default action for mkfifo sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/mkfifo:%s" verb)))))
1012:
(defun syd-default-mktemp (action)
  "Set the default action for mktemp sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/mktemp:%s" verb)))))
1029:
(defun syd-default-net (action)
  "Set the default action for Network sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/net:%s" verb)))))
1046:
1047: ; TODO: syd-default-block!
1048:
(defun syd-default-mem (action)
  "Set the default action for Memory sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/mem:%s" verb)))))
1065:
(defun syd-default-pid (action)
  "Set the default action for PID sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/pid:%s" verb)))))
1082:
(defun syd-default-force (action)
  "Set the default action for Force sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/force:%s" verb)))))
1099:
(defun syd-default-segvguard (action)
  "Set the default action for SegvGuard.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/segvguard:%s" verb)))))
1116:
(defun syd-default-tpe (action)
  "Set the default action for TPE sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
Return what `syd--stat' returns for the magic path, or nil, with no
request issued, when ACTION is not a known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; An unknown ACTION leaves the sandbox default unchanged; callers
    ;; that rely on the new default must treat nil as "not applied".
    (and verb
         (syd--stat (format "/dev/syd/default/tpe:%s" verb)))))
1133:
(defun syd-ioctl-deny (request)
  "Add REQUEST to the ioctl(2) denylist.
REQUEST is the ioctl(2) request number.  Signal an error when
REQUEST is not a number; otherwise return what `syd--stat' returns
for the magic path."
  ;; `numberp' also admits floats, which the %d conversion renders as
  ;; an integer; pass an integer so the denied request is the exact
  ;; one intended.
  (if (numberp request)
      (syd--stat (format "/dev/syd/deny/ioctl+%d" request))
    (error "Request must be a number")))
1141:
(defun syd-fs-add (action glob)
  "Add GLOB to the ACTION list of Filesystem sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/fs" verb) glob ?+)))))
1159:
(defun syd-fs-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of Filesystem sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/fs" verb) glob ?-)))))
1177:
(defun syd-fs-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of Filesystem sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/fs" verb) glob ?^)))))
1195:
(defun syd-walk-add (action glob)
  "Add GLOB to the ACTION list of walk sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/walk" verb) glob ?+)))))
1213:
(defun syd-walk-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of walk sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/walk" verb) glob ?-)))))
1231:
(defun syd-walk-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of walk sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/walk" verb) glob ?^)))))
1249:
(defun syd-list-add (action glob)
  "Add GLOB to the ACTION list of list sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/list" verb) glob ?+)))))
1267:
(defun syd-list-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of list sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/list" verb) glob ?-)))))
1285:
(defun syd-list-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of list sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/list" verb) glob ?^)))))
1303:
(defun syd-stat-add (action glob)
  "Add GLOB to the ACTION list of stat sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/stat" verb) glob ?+)))))
1321:
(defun syd-stat-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of stat sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/stat" verb) glob ?-)))))
1339:
(defun syd-stat-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of stat sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/stat" verb) glob ?^)))))
1357:
(defun syd-read-add (action glob)
  "Add GLOB to the ACTION list of read sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/read" verb) glob ?+)))))
1375:
(defun syd-read-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of read sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/read" verb) glob ?-)))))
1393:
(defun syd-read-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of read sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/read" verb) glob ?^)))))
1411:
(defun syd-write-add (action glob)
  "Add GLOB to the ACTION list of write sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/write" verb) glob ?+)))))
1429:
(defun syd-write-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of write sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/write" verb) glob ?-)))))
1447:
(defun syd-write-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of write sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/write" verb) glob ?^)))))
1465:
(defun syd-exec-add (action glob)
  "Add GLOB to the ACTION list of exec sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/exec" verb) glob ?+)))))
1483:
(defun syd-exec-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of exec sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/exec" verb) glob ?-)))))
1501:
(defun syd-exec-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of exec sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/exec" verb) glob ?^)))))
1519:
(defun syd-ioctl-add (action glob)
  "Add GLOB to the ACTION list of ioctl sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/ioctl" verb) glob ?+)))))
1537:
(defun syd-ioctl-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of ioctl sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/ioctl" verb) glob ?-)))))
1555:
(defun syd-ioctl-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of ioctl sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/ioctl" verb) glob ?^)))))
1573:
(defun syd-create-add (action glob)
  "Add GLOB to the ACTION list of create sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/create" verb) glob ?+)))))
1591:
(defun syd-create-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of create sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/create" verb) glob ?-)))))
1609:
(defun syd-create-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of create sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/create" verb) glob ?^)))))
1627:
(defun syd-delete-add (action glob)
  "Add GLOB to the ACTION list of delete sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/delete" verb) glob ?+)))))
1645:
(defun syd-delete-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of delete sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/delete" verb) glob ?-)))))
1663:
(defun syd-delete-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of delete sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/delete" verb) glob ?^)))))
1681:
(defun syd-rename-add (action glob)
  "Add GLOB to the ACTION list of rename sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `+'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means the rule was never submitted, so the actionlist is
    ;; unchanged; callers must not assume the rule is in force.
    (and verb
         (syd--stat (syd--rule (format "%s/rename" verb) glob ?+)))))
1699:
(defun syd-rename-del (action glob)
  "Remove the first entry matching GLOB from the ACTION list of rename sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `-'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; the entry; callers must not assume it was removed.
    (and verb
         (syd--stat (syd--rule (format "%s/rename" verb) glob ?-)))))
1717:
(defun syd-rename-rem (action glob)
  "Remove all entries matching GLOB from the ACTION list of rename sandboxing.
ACTION is one of the action keywords, e.g. `:action-deny'.
GLOB is the glob pattern string; it is handed to `syd--rule' as is.
Return what `syd--stat' returns for the rule built with the `^'
operator, or nil, with no request issued, when ACTION is not a
known action keyword."
  (let ((verb (plist-get '(:action-allow "allow" :action-warn "warn"
                           :action-filter "filter" :action-deny "deny"
                           :action-panic "panic" :action-stop "stop"
                           :action-abort "abort" :action-kill "kill"
                           :action-exit "exit")
                         action)))
    ;; Nil means nothing was submitted, so the actionlist still holds
    ;; its entries; callers must not assume they were removed.
    (and verb
         (syd--stat (syd--rule (format "%s/rename" verb) glob ?^)))))
1735:
(defun syd-readlink-add (action glob)
  "Add GLOB to the readlink sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/readlink") glob ?+)))))
1753:
(defun syd-readlink-del (action glob)
  "Remove the first matching entry from the readlink actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/readlink") glob ?-)))))
1771:
(defun syd-readlink-rem (action glob)
  "Remove all matching entries from the readlink actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/readlink") glob ?^)))))
1789:
(defun syd-symlink-add (action glob)
  "Add GLOB to the symlink sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/symlink") glob ?+)))))
1807:
(defun syd-symlink-del (action glob)
  "Remove the first matching entry from the symlink actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/symlink") glob ?-)))))
1825:
(defun syd-symlink-rem (action glob)
  "Remove all matching entries from the symlink actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/symlink") glob ?^)))))
1843:
(defun syd-truncate-add (action glob)
  "Add GLOB to the truncate sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/truncate") glob ?+)))))
1861:
(defun syd-truncate-del (action glob)
  "Remove the first matching entry from the truncate actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/truncate") glob ?-)))))
1879:
(defun syd-truncate-rem (action glob)
  "Remove all matching entries from the truncate actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/truncate") glob ?^)))))
1897:
(defun syd-chdir-add (action glob)
  "Add GLOB to the chdir sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chdir") glob ?+)))))
1915:
(defun syd-chdir-del (action glob)
  "Remove the first matching entry from the chdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chdir") glob ?-)))))
1933:
(defun syd-chdir-rem (action glob)
  "Remove all matching entries from the chdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chdir") glob ?^)))))
1951:
(defun syd-readdir-add (action glob)
  "Add GLOB to the readdir sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/readdir") glob ?+)))))
1969:
(defun syd-readdir-del (action glob)
  "Remove the first matching entry from the readdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/readdir") glob ?-)))))
1987:
(defun syd-readdir-rem (action glob)
  "Remove all matching entries from the readdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/readdir") glob ?^)))))
2005:
(defun syd-mkdir-add (action glob)
  "Add GLOB to the mkdir sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/mkdir") glob ?+)))))
2023:
(defun syd-mkdir-del (action glob)
  "Remove the first matching entry from the mkdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/mkdir") glob ?-)))))
2041:
(defun syd-mkdir-rem (action glob)
  "Remove all matching entries from the mkdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/mkdir") glob ?^)))))
2059:
(defun syd-rmdir-add (action glob)
  "Add GLOB to the rmdir sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/rmdir") glob ?+)))))
2077:
(defun syd-rmdir-del (action glob)
  "Remove the first matching entry from the rmdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/rmdir") glob ?-)))))
2095:
(defun syd-rmdir-rem (action glob)
  "Remove all matching entries from the rmdir actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/rmdir") glob ?^)))))
2113:
(defun syd-chown-add (action glob)
  "Add GLOB to the chown sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chown") glob ?+)))))
2131:
(defun syd-chown-del (action glob)
  "Remove the first matching entry from the chown actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chown") glob ?-)))))
2149:
(defun syd-chown-rem (action glob)
  "Remove all matching entries from the chown actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chown") glob ?^)))))
2167:
(defun syd-chgrp-add (action glob)
  "Add GLOB to the chgrp sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chgrp") glob ?+)))))
2185:
(defun syd-chgrp-del (action glob)
  "Remove the first matching entry from the chgrp actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chgrp") glob ?-)))))
2203:
(defun syd-chgrp-rem (action glob)
  "Remove all matching entries from the chgrp actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chgrp") glob ?^)))))
2221:
(defun syd-chmod-add (action glob)
  "Add GLOB to the chmod sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chmod") glob ?+)))))
2239:
(defun syd-chmod-del (action glob)
  "Remove the first matching entry from the chmod actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chmod") glob ?-)))))
2257:
(defun syd-chmod-rem (action glob)
  "Remove all matching entries from the chmod actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chmod") glob ?^)))))
2275:
(defun syd-chattr-add (action glob)
  "Add GLOB to the chattr sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chattr") glob ?+)))))
2293:
(defun syd-chattr-del (action glob)
  "Remove the first matching entry from the chattr actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chattr") glob ?-)))))
2311:
(defun syd-chattr-rem (action glob)
  "Remove all matching entries from the chattr actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chattr") glob ?^)))))
2329:
(defun syd-chroot-add (action glob)
  "Add GLOB to the chroot sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chroot") glob ?+)))))
2347:
(defun syd-chroot-del (action glob)
  "Remove the first matching entry from the chroot actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chroot") glob ?-)))))
2365:
(defun syd-chroot-rem (action glob)
  "Remove all matching entries from the chroot actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/chroot") glob ?^)))))
2383:
(defun syd-notify-add (action glob)
  "Add GLOB to the notify sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/notify") glob ?+)))))
2401:
(defun syd-notify-del (action glob)
  "Remove the first matching entry from the notify actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/notify") glob ?-)))))
2419:
(defun syd-notify-rem (action glob)
  "Remove all matching entries from the notify actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/notify") glob ?^)))))
2437:
(defun syd-utime-add (action glob)
  "Add GLOB to the utime sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/utime") glob ?+)))))
2455:
(defun syd-utime-del (action glob)
  "Remove the first matching entry from the utime actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/utime") glob ?-)))))
2473:
(defun syd-utime-rem (action glob)
  "Remove all matching entries from the utime actionlist of ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword; nothing is removed in that case."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/utime") glob ?^)))))
2491:
(defun syd-mkbdev-add (action glob)
  "Add GLOB to the mkbdev sandboxing actionlist selected by ACTION.
ACTION is an action keyword such as `syd-action-allow'.
GLOB is a glob pattern string.
Return the result of `syd--stat' on the rule path built by
`syd--rule'.  Return nil without issuing any request when ACTION is
not a recognized action keyword, so check the result before relying
on the rule being in place."
  (let ((verb (pcase action
                (:action-allow "allow")
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    ;; Unknown ACTION: skip the stat call entirely and yield nil.
    (and verb
         (syd--stat (syd--rule (concat verb "/mkbdev") glob ?+)))))
2509:
(defun syd-mkbdev-del (action glob)
  "Remove the first mkbdev sandboxing actionlist entry matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((verb (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    ;; ?- is the "remove first matching entry" operator of `syd--rule'.
    (and verb
         (syd--stat (syd--rule (concat verb "/mkbdev") glob ?-)))))
2527:
(defun syd-mkbdev-rem (action glob)
  "Remove all mkbdev sandboxing actionlist entries matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((verb (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    ;; ?^ is the "remove all matching entries" operator of `syd--rule'.
    (and verb
         (syd--stat (syd--rule (concat verb "/mkbdev") glob ?^)))))
2545:
(defun syd-mkcdev-add (action glob)
  "Add GLOB to the ACTION actionlist of mkcdev sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty GLOB signals an error."
  (let ((list-name (pcase action
                     (:action-allow "allow")
                     (:action-warn "warn")
                     (:action-filter "filter")
                     (:action-deny "deny")
                     (:action-panic "panic")
                     (:action-stop "stop")
                     (:action-abort "abort")
                     (:action-kill "kill")
                     (:action-exit "exit"))))
    ;; No clause matched: fall through to nil instead of building a path.
    (if (null list-name)
        nil
      (syd--stat (syd--rule (concat list-name "/mkcdev") glob ?+)))))
2563:
(defun syd-mkcdev-del (action glob)
  "Remove the first mkcdev sandboxing actionlist entry matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((list-name (pcase action
                     (:action-allow "allow")
                     (:action-warn "warn")
                     (:action-filter "filter")
                     (:action-deny "deny")
                     (:action-panic "panic")
                     (:action-stop "stop")
                     (:action-abort "abort")
                     (:action-kill "kill")
                     (:action-exit "exit"))))
    ;; No clause matched: fall through to nil instead of building a path.
    (if (null list-name)
        nil
      (syd--stat (syd--rule (concat list-name "/mkcdev") glob ?-)))))
2581:
(defun syd-mkcdev-rem (action glob)
  "Remove all mkcdev sandboxing actionlist entries matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((list-name (pcase action
                     (:action-allow "allow")
                     (:action-warn "warn")
                     (:action-filter "filter")
                     (:action-deny "deny")
                     (:action-panic "panic")
                     (:action-stop "stop")
                     (:action-abort "abort")
                     (:action-kill "kill")
                     (:action-exit "exit"))))
    ;; No clause matched: fall through to nil instead of building a path.
    (if (null list-name)
        nil
      (syd--stat (syd--rule (concat list-name "/mkcdev") glob ?^)))))
2599:
(defun syd-mkfifo-add (action glob)
  "Add GLOB to the ACTION actionlist of mkfifo sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty GLOB signals an error."
  (let ((prefix (plist-get '(:action-allow "allow"
                             :action-warn "warn"
                             :action-filter "filter"
                             :action-deny "deny"
                             :action-panic "panic"
                             :action-stop "stop"
                             :action-abort "abort"
                             :action-kill "kill"
                             :action-exit "exit")
                           action)))
    ;; An unknown ACTION yields no prefix, hence no stat and a nil result.
    (when prefix
      (syd--stat (syd--rule (concat prefix "/mkfifo") glob ?+)))))
2617:
(defun syd-mkfifo-del (action glob)
  "Remove the first mkfifo sandboxing actionlist entry matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((prefix (plist-get '(:action-allow "allow"
                             :action-warn "warn"
                             :action-filter "filter"
                             :action-deny "deny"
                             :action-panic "panic"
                             :action-stop "stop"
                             :action-abort "abort"
                             :action-kill "kill"
                             :action-exit "exit")
                           action)))
    ;; An unknown ACTION yields no prefix, hence no stat and a nil result.
    (when prefix
      (syd--stat (syd--rule (concat prefix "/mkfifo") glob ?-)))))
2635:
(defun syd-mkfifo-rem (action glob)
  "Remove all mkfifo sandboxing actionlist entries matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((prefix (plist-get '(:action-allow "allow"
                             :action-warn "warn"
                             :action-filter "filter"
                             :action-deny "deny"
                             :action-panic "panic"
                             :action-stop "stop"
                             :action-abort "abort"
                             :action-kill "kill"
                             :action-exit "exit")
                           action)))
    ;; An unknown ACTION yields no prefix, hence no stat and a nil result.
    (when prefix
      (syd--stat (syd--rule (concat prefix "/mkfifo") glob ?^)))))
2653:
(defun syd-mktemp-add (action glob)
  "Add GLOB to the ACTION actionlist of mktemp sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty GLOB signals an error."
  (let ((verb (alist-get action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit")))))
    ;; Unknown keywords map to nil and short-circuit before any stat.
    (and verb
         (syd--stat (syd--rule (concat verb "/mktemp") glob ?+)))))
2671:
(defun syd-mktemp-del (action glob)
  "Remove the first mktemp sandboxing actionlist entry matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((verb (alist-get action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit")))))
    ;; Unknown keywords map to nil and short-circuit before any stat.
    (and verb
         (syd--stat (syd--rule (concat verb "/mktemp") glob ?-)))))
2689:
(defun syd-mktemp-rem (action glob)
  "Remove all mktemp sandboxing actionlist entries matching GLOB.
ACTION is one of the `:action-*' keywords and selects the actionlist.
GLOB is a glob pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty GLOB signals an error."
  (let ((verb (alist-get action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit")))))
    ;; Unknown keywords map to nil and short-circuit before any stat.
    (and verb
         (syd--stat (syd--rule (concat verb "/mktemp") glob ?^)))))
2707:
(defun syd-net-bind-add (action addr)
  "Add ADDR to the ACTION actionlist of net/bind sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty ADDR signals an error."
  (let ((list-name (pcase action
                     (:action-allow "allow")
                     (:action-warn "warn")
                     (:action-filter "filter")
                     (:action-deny "deny")
                     (:action-panic "panic")
                     (:action-stop "stop")
                     (:action-abort "abort")
                     (:action-kill "kill")
                     (:action-exit "exit"))))
    ;; No clause matched: fall through to nil instead of building a path.
    (if (null list-name)
        nil
      (syd--stat (syd--rule (concat list-name "/net/bind") addr ?+)))))
2725:
(defun syd-net-bind-del (action addr)
  "Remove the first net/bind sandboxing actionlist entry matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  (let ((list-name (pcase action
                     (:action-allow "allow")
                     (:action-warn "warn")
                     (:action-filter "filter")
                     (:action-deny "deny")
                     (:action-panic "panic")
                     (:action-stop "stop")
                     (:action-abort "abort")
                     (:action-kill "kill")
                     (:action-exit "exit"))))
    ;; No clause matched: fall through to nil instead of building a path.
    (if (null list-name)
        nil
      (syd--stat (syd--rule (concat list-name "/net/bind") addr ?-)))))
2743:
(defun syd-net-bind-rem (action addr)
  "Remove all net/bind sandboxing actionlist entries matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  (let ((list-name (pcase action
                     (:action-allow "allow")
                     (:action-warn "warn")
                     (:action-filter "filter")
                     (:action-deny "deny")
                     (:action-panic "panic")
                     (:action-stop "stop")
                     (:action-abort "abort")
                     (:action-kill "kill")
                     (:action-exit "exit"))))
    ;; No clause matched: fall through to nil instead of building a path.
    (if (null list-name)
        nil
      (syd--stat (syd--rule (concat list-name "/net/bind") addr ?^)))))
2761:
(defun syd-net-connect-add (action addr)
  "Add ADDR to the ACTION actionlist of net/connect sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty ADDR signals an error."
  (let ((prefix (plist-get '(:action-allow "allow"
                             :action-warn "warn"
                             :action-filter "filter"
                             :action-deny "deny"
                             :action-panic "panic"
                             :action-stop "stop"
                             :action-abort "abort"
                             :action-kill "kill"
                             :action-exit "exit")
                           action)))
    ;; An unknown ACTION yields no prefix, hence no stat and a nil result.
    (when prefix
      (syd--stat (syd--rule (concat prefix "/net/connect") addr ?+)))))
2779:
(defun syd-net-connect-del (action addr)
  "Remove the first net/connect sandboxing actionlist entry matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  (let ((prefix (plist-get '(:action-allow "allow"
                             :action-warn "warn"
                             :action-filter "filter"
                             :action-deny "deny"
                             :action-panic "panic"
                             :action-stop "stop"
                             :action-abort "abort"
                             :action-kill "kill"
                             :action-exit "exit")
                           action)))
    ;; An unknown ACTION yields no prefix, hence no stat and a nil result.
    (when prefix
      (syd--stat (syd--rule (concat prefix "/net/connect") addr ?-)))))
2797:
(defun syd-net-connect-rem (action addr)
  "Remove all net/connect sandboxing actionlist entries matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  (let ((prefix (plist-get '(:action-allow "allow"
                             :action-warn "warn"
                             :action-filter "filter"
                             :action-deny "deny"
                             :action-panic "panic"
                             :action-stop "stop"
                             :action-abort "abort"
                             :action-kill "kill"
                             :action-exit "exit")
                           action)))
    ;; An unknown ACTION yields no prefix, hence no stat and a nil result.
    (when prefix
      (syd--stat (syd--rule (concat prefix "/net/connect") addr ?^)))))
2815:
(defun syd-net-sendfd-add (action addr)
  "Add ADDR to the ACTION actionlist of net/sendfd sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty ADDR signals an error."
  (let ((verb (alist-get action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit")))))
    ;; Unknown keywords map to nil and short-circuit before any stat.
    (and verb
         (syd--stat (syd--rule (concat verb "/net/sendfd") addr ?+)))))
2833:
(defun syd-net-sendfd-del (action addr)
  "Remove the first net/sendfd sandboxing actionlist entry matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  (let ((verb (alist-get action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit")))))
    ;; Unknown keywords map to nil and short-circuit before any stat.
    (and verb
         (syd--stat (syd--rule (concat verb "/net/sendfd") addr ?-)))))
2851:
(defun syd-net-sendfd-rem (action addr)
  "Remove all net/sendfd sandboxing actionlist entries matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is an address pattern string.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  (let ((verb (alist-get action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit")))))
    ;; Unknown keywords map to nil and short-circuit before any stat.
    (and verb
         (syd--stat (syd--rule (concat verb "/net/sendfd") addr ?^)))))
2869:
(defun syd-net-link-add (action addr)
  "Add ADDR to the ACTION actionlist of net/link sandboxing.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is a string naming what to add.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is in place.  An empty ADDR signals an error."
  ;; NOTE(review): `syd-3-font-lock-keywords' in this file recognises
  ;; only `allow/net/link' followed by a netlink family name; confirm
  ;; which ACTION and ADDR values Syd accepts here.
  (let ((verb (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (and verb
         (syd--stat (syd--rule (concat verb "/net/link") addr ?+)))))
2887:
(defun syd-net-link-del (action addr)
  "Remove the first net/link sandboxing actionlist entry matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is a string naming what to remove.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  ;; NOTE(review): `syd-3-font-lock-keywords' in this file recognises
  ;; only `allow/net/link' followed by a netlink family name; confirm
  ;; which ACTION and ADDR values Syd accepts here.
  (let ((verb (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (and verb
         (syd--stat (syd--rule (concat verb "/net/link") addr ?-)))))
2905:
(defun syd-net-link-rem (action addr)
  "Remove all net/link sandboxing actionlist entries matching ADDR.
ACTION is one of the `:action-*' keywords and selects the actionlist.
ADDR is a string naming what to remove.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not a known keyword, and
nil as well when the stat fails, so callers must check the result
before assuming the rule is gone.  An empty ADDR signals an error."
  ;; NOTE(review): `syd-3-font-lock-keywords' in this file recognises
  ;; only `allow/net/link' followed by a netlink family name; confirm
  ;; which ACTION and ADDR values Syd accepts here.
  (let ((verb (cdr (assq action
                         '((:action-allow . "allow")
                           (:action-warn . "warn")
                           (:action-filter . "filter")
                           (:action-deny . "deny")
                           (:action-panic . "panic")
                           (:action-stop . "stop")
                           (:action-abort . "abort")
                           (:action-kill . "kill")
                           (:action-exit . "exit"))))))
    (and verb
         (syd--stat (syd--rule (concat verb "/net/link") addr ?^)))))
2923:
(defun syd-force-add (path alg hash action)
  "Add an entry to the Integrity Force map for Force Sandboxing.
PATH is a fully-qualified file name.
ALG is the hash algorithm (e.g. \"sha256\").
HASH is a hexadecimal encoded checksum.
ACTION is one of `:action-warn', `:action-filter', `:action-deny',
`:action-panic', `:action-stop', `:action-abort', `:action-kill' or
`:action-exit'; `:action-allow' is not accepted.
Return t when the stat on the resulting magic path succeeds.  Return
nil, without contacting Syd, when ACTION is not one of the keywords
above, and nil as well when the stat fails, so callers must check the
result before relying on the entry."
  ;; NOTE(review): PATH, ALG and HASH are interpolated as given, with
  ;; `:' as the field separator.  `syd-3-font-lock-keywords' in this
  ;; file matches the path field as `/[^:]+', so a PATH containing `:'
  ;; is presumably read as different fields by Syd; confirm and
  ;; validate in the caller.
  (let ((verb (pcase action
                (:action-warn "warn")
                (:action-filter "filter")
                (:action-deny "deny")
                (:action-panic "panic")
                (:action-stop "stop")
                (:action-abort "abort")
                (:action-kill "kill")
                (:action-exit "exit"))))
    (if (null verb)
        nil
      (syd--stat (format "/dev/syd/force+%s:%s:%s:%s" path alg hash verb)))))
2943:
(defun syd-force-del (path)
  "Remove an entry from the Integrity Force map for Force Sandboxing.
PATH is a fully-qualified file name.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the entry may still be present."
  ;; PATH is appended to the magic prefix as given; nothing is validated here.
  (syd--stat (format "/dev/syd/force-%s" path)))
2949:
(defun syd-force-clr ()
  "Clear the Integrity Force map for Force Sandboxing.
Return t when the stat on the magic path succeeds, nil otherwise."
  (let ((magic "/dev/syd/force^"))
    (syd--stat magic)))
2953:
(defun syd-mem-max (size)
  "Set syd maximum per-process memory usage limit.
SIZE is the limit, either an integer or a string; a string is passed
through as given.  Any other type signals an error.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the limit was not changed by this call."
  (syd--stat
   (syd--rule "mem/max"
              (pcase size
                ((pred integerp) (number-to-string size))
                ((pred stringp) size)
                (_ (error "Size must be an integer or a string")))
              ?:)))
2961:
(defun syd-mem-vm-max (size)
  "Set syd maximum per-process virtual memory usage limit.
SIZE is the limit, either an integer or a string; a string is passed
through as given.  Any other type signals an error.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the limit was not changed by this call."
  (syd--stat
   (syd--rule "mem/vm_max"
              (pcase size
                ((pred integerp) (number-to-string size))
                ((pred stringp) size)
                (_ (error "Size must be an integer or a string")))
              ?:)))
2969:
(defun syd-pid-max (size)
  "Set syd maximum process ID limit for PID sandboxing.
SIZE is a number representing the PID limit; anything else signals an
error.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the limit was not changed by this call."
  ;; NOTE(review): `numberp' also admits floats and negative values,
  ;; which are then rendered with %d; confirm that is intended.
  (if (numberp size)
      (syd--stat (format "/dev/syd/pid/max:%d" size))
    (error "Size must be a number")))
2977:
(defun syd-segvguard-expiry (timeout)
  "Specify SegvGuard entry expiry timeout in seconds.
Setting this timeout to 0 effectively disables SegvGuard.
TIMEOUT is a number representing the timeout in seconds; anything
else signals an error.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the timeout was not changed by this call."
  ;; NOTE(review): `numberp' also admits floats and negative values,
  ;; which are then rendered with %d; confirm that is intended.
  (if (numberp timeout)
      (syd--stat (format "/dev/syd/segvguard/expiry:%d" timeout))
    (error "Timeout must be a number")))
2986:
(defun syd-segvguard-suspension (timeout)
  "Specify SegvGuard entry suspension timeout in seconds.
TIMEOUT is a number representing the timeout in seconds; anything
else signals an error.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the timeout was not changed by this call."
  ;; NOTE(review): `numberp' also admits floats and negative values,
  ;; which are then rendered with %d; confirm that is intended.
  (if (numberp timeout)
      (syd--stat (format "/dev/syd/segvguard/suspension:%d" timeout))
    (error "Timeout must be a number")))
2994:
(defun syd-segvguard-maxcrashes (limit)
  "Specify SegvGuard max number of crashes before suspension.
LIMIT is a number representing the crash limit; anything else signals
an error.
Return t when the stat on the resulting magic path succeeds, nil
otherwise; a nil result means the limit was not changed by this call."
  ;; NOTE(review): `numberp' also admits floats and negative values,
  ;; which are then rendered with %d; confirm that is intended.
  (if (numberp limit)
      (syd--stat (format "/dev/syd/segvguard/maxcrashes:%d" limit))
    (error "Limit must be a number")))
3002:
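(defun syd-exec (file argv)
  "Execute a command outside the sandbox without sandboxing.
FILE is the file path of the command as a string.
ARGV is a list of strings representing the arguments to the command.
FILE and the elements of ARGV are joined with the ASCII unit
separator (0x1F) to form the magic path, so none of them may contain
that character.  Signal an error if one does, or if any of them is
not a string.
Return t when the stat on the resulting magic path succeeds, nil
otherwise."
  (unless (stringp file)
    (error "File must be a string"))
  (dolist (arg argv)
    (unless (stringp arg)
      (error "All elements in ARGV must be strings")))
  ;; The command runs unsandboxed.  An embedded separator would
  ;; presumably be read by Syd as an argument boundary, turning one
  ;; caller-supplied string into several arguments, so refuse it here
  ;; instead of passing it through.
  (dolist (word (cons file argv))
    (when (string-match-p "\x1F" word)
      (error "FILE and ARGV elements must not contain the 0x1F separator")))
  (syd--stat (concat "/dev/syd/cmd/exec!"
                     (mapconcat #'identity (cons file argv) "\x1F"))))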
3018:
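(defun syd--rule (rule elem op)
  "Build the magic path that applies OP to ELEM in RULE.
RULE is a string representing the rule, e.g. \"allow/utime\".
ELEM is a string representing the element.
OP is a character representing the operation: `+', `-', `^' or `:'.
Return the concatenation of \"/dev/syd/\", RULE, OP and ELEM.
Signal an error if OP is not one of those characters or if ELEM is
not a non-empty string."
  (unless (memql op '(?+ ?- ?^ ?:))
    (error "Invalid operation"))
  ;; An emptiness test alone lets nil through: nil compares as the
  ;; symbol name \"nil\", and `concat' then appends nothing, so the
  ;; result would be a rule with an empty element.
  (unless (stringp elem)
    (error "Element must be a string"))
  (when (equal elem "")
    (error "Element cannot be empty"))
  (concat "/dev/syd/" rule (char-to-string op) elem))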
3029:
(defun syd--stat (path)
  "Issue a single virtual syd stat(2) on PATH and report success.
Return t when `file-modes' yields a value for PATH, and nil when it
yields nil or signals any error.  The cause of a failure is not
reported, so nil covers a rejected command as well as any unrelated
error."
  ;; NOTE(review): only the success of the call is checked, not the
  ;; type of the file it describes.
  ;; NOTE(review): the `nofollow' flag needs an Emacs whose
  ;; `file-modes' takes a second argument; on one that does not, the
  ;; arity error is presumably swallowed below and every call returns
  ;; nil.  `file-modes' may also normalise PATH before the stat;
  ;; confirm patterns containing `..' or `//' reach Syd unchanged.
  (condition-case nil
      (if (file-modes path 'nofollow) t nil)
    (error nil)))
3035:
3036: ;
3037: ; syd-3-mode: Font-lock highlighting for Syd v3 profiles (.syd-3 files).
3038: ;
3039:
(defgroup syd-3 nil
  "Syntax highlighting for Syd v3 profiles."
  :prefix "syd-3-"
  :group 'languages)

;; One face per value class; each inherits from a standard face so
;; that user themes apply.

(defface syd-3-error
  '((t :inherit error))
  "Face for an invalid syd-3 command, sub-key or value."
  :group 'syd-3)

(defface syd-3-comment
  '((t :inherit font-lock-comment-face))
  "Face for a syd-3 comment."
  :group 'syd-3)

(defface syd-3-identifier
  '((t :inherit font-lock-function-name-face))
  "Face for a syd-3 command name and its structural punctuation."
  :group 'syd-3)

(defface syd-3-boolean
  '((t :inherit font-lock-constant-face))
  "Face for a syd-3 boolean value."
  :group 'syd-3)

(defface syd-3-number
  '((t :inherit font-lock-constant-face))
  "Face for a syd-3 numeric value: integer, size, duration or port."
  :group 'syd-3)

(defface syd-3-string
  '((t :inherit font-lock-string-face))
  "Face for a syd-3 string or path value."
  :group 'syd-3)

(defface syd-3-constant
  '((t :inherit font-lock-constant-face))
  "Face for a syd-3 network address value."
  :group 'syd-3)

(defface syd-3-type
  '((t :inherit font-lock-type-face))
  "Face for a syd-3 enumerated keyword value: none, tmpfs, an alias, ..."
  :group 'syd-3)

(defface syd-3-special
  '((t :inherit font-lock-builtin-face))
  "Face for a syd-3 special value: action, netlink family, ioctl const, ..."
  :group 'syd-3)
3063:
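(defvar syd-3-font-lock-keywords
  ;; Building blocks: alternations of known names, value regexps, and
  ;; the highlight specs shared by the rules below.
  (let* ((caps "all-l\\|all-x\\|all\\|lpath\\|rpath\\|wpath\\|cpath\\|dpath\\|spath\\|tpath\\|fown\\|fattr\\|inet\\|bnet\\|cnet\\|snet\\|crypt\\|exec\\|force\\|lock\\|mem\\|pid\\|proxy\\|pty\\|tpe\\|fs\\|walk\\|list\\|stat\\|read\\|write\\|ioctl\\|create\\|delete\\|rename\\|readlink\\|symlink\\|truncate\\|chdir\\|readdir\\|mkdir\\|rmdir\\|chown\\|chgrp\\|chmod\\|chattr\\|chroot\\|notify\\|utime\\|mkbdev\\|mkcdev\\|mkfifo\\|mktemp\\|net/bind\\|net/connect\\|net/sendfd\\|net")
         (dcaps (concat caps "\\|block\\|segvguard"))
         (ns "all\\|mount\\|uts\\|ipc\\|user\\|pid\\|net\\|cgroup\\|time")
         (act "allow\\|warn\\|filter\\|deny\\|panic\\|stop\\|abort\\|kill\\|exit")
         (fc "all-l\\|all-x\\|all\\|lpath\\|rpath\\|wpath\\|cpath\\|dpath\\|spath\\|tpath\\|fown\\|fattr\\|fs\\|walk\\|list\\|stat\\|read\\|write\\|exec\\|create\\|delete\\|rename\\|readlink\\|symlink\\|truncate\\|chdir\\|readdir\\|mkdir\\|rmdir\\|chown\\|chgrp\\|chmod\\|chattr\\|chroot\\|notify\\|utime\\|mkbdev\\|mkcdev\\|mkfifo\\|mktemp")
         (nc "net\\|inet\\|bnet\\|cnet\\|snet")
         (nsub "bind\\|connect\\|sendfd")
         (lc "all-x\\|all\\|rpath\\|wpath\\|cpath\\|dpath\\|spath\\|tpath\\|inet\\|read\\|write\\|exec\\|ioctl\\|create\\|delete\\|rename\\|symlink\\|truncate\\|readdir\\|mkdir\\|rmdir\\|mkbdev\\|mkcdev\\|mkfifo\\|bind\\|connect\\|net\\|bnet\\|cnet")
         ;; Turn an alternation S into a regexp for a comma-separated
         ;; list of its members.
         (clist (lambda (s) (concat "\\(?:" s "\\)\\(?:,\\(?:" s "\\)\\)*")))
         (fm (concat "\\(?:" fc "\\|" nc "\\)"))
         (link "all\\|route\\|usersock\\|firewall\\|sock_diag\\|nflog\\|xfrm\\|selinux\\|iscsi\\|audit\\|fib_lookup\\|inet_diag\\|connector\\|netfilter\\|ip6_fw\\|dnrtmsg\\|kobject_uevent\\|generic\\|scsitransport\\|ecryptfs\\|rdma\\|crypto\\|smc")
         (sev "emerg\\|alert\\|crit\\|error\\|warn\\|notice\\|info\\|debug")
         (tsafe "allow_safe_bind\\|allow_safe_setuid\\|allow_safe_setgid\\|allow_safe_syslog\\|deny_dotdot\\|deny_exec_elf32\\|deny_exec_elf_dynamic\\|deny_exec_elf_static\\|deny_exec_script\\|deny_tsc\\|deny_vdso\\|exit_wait_all\\|force_cloexec\\|force_local_net\\|force_no_symlinks\\|force_rand_fd\\|force_ro_open\\|force_wx_open\\|force_no_magiclinks\\|force_no_xdev\\|sync_seccomp")
         (tunsafe "allow_unsafe_any_addr\\|allow_unsafe_bind\\|allow_unsafe_cap_fixup\\|allow_unsafe_caps\\|allow_unsafe_cbpf\\|allow_unsafe_chown\\|allow_unsafe_chroot\\|allow_unsafe_copy\\|allow_unsafe_cpu\\|allow_unsafe_create\\|allow_unsafe_deleted\\|allow_unsafe_deprecated\\|allow_unsafe_dumpable\\|allow_unsafe_ebpf\\|allow_unsafe_env\\|allow_unsafe_exec_interactive\\|allow_unsafe_exec_ldso\\|allow_unsafe_exec_libc\\|allow_unsafe_exec_memory\\|allow_unsafe_exec_nopie\\|allow_unsafe_exec_null\\|allow_unsafe_exec_script\\|allow_unsafe_exec_speculative\\|allow_unsafe_exec_stack\\|allow_unsafe_fcntl\\|allow_unsafe_filename\\|allow_unsafe_hardlinks\\|allow_unsafe_ip_pktinfo\\|allow_unsafe_ip_retopts\\|allow_unsafe_ipv6_rthdr\\|allow_unsafe_ipv6_scope\\|allow_unsafe_kcapi\\|allow_unsafe_keyring\\|allow_unsafe_kptr\\|allow_unsafe_machine_id\\|allow_unsafe_madvise\\|allow_unsafe_magiclinks\\|allow_unsafe_memfd\\|allow_unsafe_mkbdev\\|allow_unsafe_mkcdev\\|allow_unsafe_msgqueue\\|allow_unsafe_nice\\|allow_unsafe_nocookie\\|allow_unsafe_nomseal\\|allow_unsafe_notify_bdev\\|allow_unsafe_notify_cdev\\|allow_unsafe_noxom\\|allow_unsafe_numa\\|allow_unsafe_oob\\|allow_unsafe_open_kfd\\|allow_unsafe_open_path\\|allow_unsafe_open_suid\\|allow_unsafe_page_cache\\|allow_unsafe_perf\\|allow_unsafe_perm_msgqueue\\|allow_unsafe_perm_shm\\|allow_unsafe_personality\\|allow_unsafe_pipe\\|allow_unsafe_pivot_root\\|allow_unsafe_pkey\\|allow_unsafe_prctl\\|allow_unsafe_proc_files\\|allow_unsafe_prlimit\\|allow_unsafe_proc_pid_status\\|allow_unsafe_ptrace\\|allow_unsafe_recvmsg\\|allow_unsafe_rseq\\|allow_unsafe_sendfd_bdev\\|allow_unsafe_sendfd_cdev\\|allow_unsafe_sendfd_dir\\|allow_unsafe_sendfd_fifo\\|allow_unsafe_sendfd_magiclink\\|allow_unsafe_sendfd_memfd\\|allow_unsafe_sendfd_misc\\|allow_unsafe_sendfd_secretmem\\|allow_unsafe_sendfd_socket\\|allow_unsafe_sendfd_symlink\\|allow_unsafe_setid\\|allow_unsafe_setsockopt\\|allow_unsafe_shm\\|allow_unsafe_sigreturn\\|allow_unsafe_socket\\|allow_unsafe_stat_bdev\\|allow_unsafe_stat_cdev\\|allow_unsafe_sticky\\|allow_unsafe_symlinks\\|allow_unsafe_sync\\|allow_unsafe_sysinfo\\|allow_unsafe_syslog\\|allow_unsafe_time\\|allow_unsafe_uname\\|allow_unsafe_uring\\|allow_unsafe_vmsplice\\|allow_unsafe_xattr\\|allow_unsupp_cmsg\\|allow_unsupp_socket")
         (rlk "as\\|core\\|cpu\\|data\\|fsize\\|memlock\\|msgqueue\\|nice\\|nofile\\|nproc\\|rtprio\\|rttime\\|sigpending\\|stack")
         (bool "\\(?:1\\|on\\|t\\|tr\\|tru\\|true\\|✓\\|0\\|off\\|f\\|fa\\|fal\\|fals\\|false\\|✗\\)")
         (lock "\\(?:on\\|off\\|exec\\|ipc\\|drop\\|read-only\\|readonly\\|read\\|ro\\|1\\|0\\|x\\|r\\|i\\|d\\)")
         (int "[-+]?[0-9]+")
         (uint "[0-9]+")
         (size "[0-9]+[kKmMgGtTpP]?[bB]?")
         (dur "[0-9]+\\(?:\\.[0-9]+\\)?\\(?:us\\|ms\\|s\\|m\\|h\\|d\\|w\\)?")
         ;; Highlight specs: `id' faces the whole match, the others
         ;; override the face of explicitly numbered group 1.
         (id '(0 'syd-3-identifier))
         (bln '(1 'syd-3-boolean t)) (num '(1 'syd-3-number t)) (str '(1 'syd-3-string t))
         (con '(1 'syd-3-constant t)) (typ '(1 'syd-3-type t)) (spc '(1 'syd-3-special t))
         (caplist (funcall clist caps))
         (dclist (funcall clist dcaps))
         (nslist (funcall clist ns))
         (fmlist (funcall clist fm))
         (nclist (funcall clist nc))
         (lclist (funcall clist lc)))
    ;; Several rules below accept any trailing text (`.*' or `.+'), so
    ;; the absence of the error face does not show that Syd would
    ;; accept the line.
    (list
     (list "^[ \t]*#.*$" '(0 'syd-3-comment))
     (list (concat "^lock:\\(?1:" lock "\\)$") id bln)
     (list "^\\(?:l\\|lock\\|stat\\|dump\\|panic\\|ghost\\)$" id)
     (list "^ipc:\\(?1:.+\\)$" id str)
     (list "^ipc/\\(?:uid\\|gid\\):\\(?1:none\\)$" id typ)
     (list (concat "^ipc/\\(?:uid\\|gid\\|max\\):\\(?1:" int "\\)$") id num)
     (list (concat "^ipc/idle:\\(?1:" dur "\\)$") id num)
     (list (concat "^config/expand:\\(?1:" dur "\\)$") id num)
     (list (concat "^log/level:\\(?1:" sev "\\)$") id typ)
     (list (concat "^log/level:\\(?1:" uint "\\)$") id num)
     (list (concat "^log/\\(?:verbose\\|rlimit_burst\\):\\(?1:" uint "\\)$") id num)
     (list (concat "^log/rlimit_interval:\\(?1:" dur "\\)$") id num)
     (list (concat "^log/lock/\\(?:same_exec_off\\|new_exec_on\\|subdomains_off\\):\\(?1:" bool "\\)$") id bln)
     (list "^pty/\\(?:row\\|col\\):\\(?1:none\\)$" id typ)
     (list (concat "^pty/\\(?:row\\|col\\):\\(?1:" uint "\\)$") id num)
     (list (concat "^mem/\\(?:max\\|vm_max\\):\\(?1:" size "\\)$") id num)
     (list (concat "^pid/max:\\(?1:" uint "\\)$") id num)
     (list (concat "^\\(?:mem\\|pid\\)/kill:\\(?1:" bool "\\)$") id bln)
     (list (concat "^rlimit/\\(?:" rlk "\\):.+$") id)
     (list (concat "^segvguard/\\(?:expiry\\|suspension\\|maxcrashes\\):\\(?1:" dur "\\)$") id num)
     (list (concat "^tpe/\\(?:negate\\|root_owned\\|user_owned\\|root_mount\\):\\(?1:" bool "\\)$") id bln)
     (list (concat "^tpe/gid:\\(?1:" uint "\\)$") id num)
     (list "^tpe/gid:none$" id)
     (list "^proxy/addr:\\(?1:.+\\)$" id con)
     (list (concat "^proxy/\\(?:port\\|ext/port\\):\\(?1:" int "\\)$") id num)
     (list "^proxy/ext/\\(?:host\\|unix\\):\\(?1:.+\\)$" id str)
     (list "^time:\\(?1:none\\)$" id typ)
     (list (concat "^time:\\(?1:" int "\\)$") id num)
     (list (concat "^time/\\(?:boot\\|mono\\):\\(?1:" int "\\)$") id num)
     (list "^timeout:\\(?1:none\\)$" id typ)
     (list (concat "^timeout:\\(?1:" dur "\\)$") id num)
     (list "^uts/\\(?:host\\|domain\\|version\\):\\(?1:.+\\)$" id str)
     (list "^root:\\(?1:/.*\\)$" id str)
     (list "^root:\\(?1:tmpfs\\|tmp\\|t\\|ramfs\\|ram\\|r\\|none\\|off\\)$" id typ)
     (list (concat "^root/\\(?:fake\\|map\\):\\(?1:" bool "\\)$") id bln)
     (list "^workdir:\\(?1:/.*\\)$" id str)
     (list "^workdir:\\(?1:none\\|off\\)$" id typ)
     (list (concat "^sandbox/\\(?:" caplist "\\):\\(?1:" bool "\\)$") id bln)
     (list (concat "^sandbox/\\(?:" caplist "\\)\\?$") id)
     (list (concat "^unshare/\\(?:" nslist "\\):\\(?1:" bool "\\)$") id bln)
     (list (concat "^unshare/\\(?:" nslist "\\)\\?$") id)
     (list (concat "^default/\\(?:" dclist "\\):\\(?1:" act "\\)$") id spc)
     (list (concat "^trace/\\(?:" tsafe "\\|" tunsafe "\\):\\(?1:" bool "\\)$") id bln)
     (list "^trace/force_umask:\\(?1:-1\\|off\\|f\\|fa\\|fal\\|fals\\|false\\|✗\\|[0-7]+\\)$" id num)
     (list "^trace/memory_access:\\(?1:[012]\\)$" id num)
     (list (concat "^trace/allow_unsafe_namespace:\\(?1:all\\|none\\|off\\|" (funcall clist ns) "\\)$") id typ)
     (list "^setenv!.*$" id)
     (list "^unsetenv!.*$" id)
     (list "^clearenv!$" id)
     (list "^passenv[-+^].*$" id)
     (list "^cmd/exec!.*$" id)
     (list "^append[-+^]\\(?1:.*\\)$" id str)
     (list "^mask[-+^].*$" id)
     (list "^block[-+^!].*$" id)
     (list (concat "^crypt/key\\(?:/\\(?:enc\\|mac\\)\\)?:\\(?1:" int "\\)$") id num)
     (list "^crypt/tmp:\\(?1:.+\\)$" id str)
     (list "^crypt[-+^].*$" id)
     (list "^force[-^].*$" id)
     (list "^force\\+/[^:]+:[a-z][a-z0-9_-]*:[0-9a-fA-F]+\\(?::[a-z]+\\)?$" id)
     (list "^set[ug]id[-+^].*$" id)
     (list "^bind\\(?:-try\\)?[-+^].*$" id)
     (list "^\\(?:sym\\)?link\\(?:-try\\)?[-+^].*$" id)
     (list "^mkdir\\(?:-try\\)?[-+^].*$" id)
     (list "^mkfile\\(?:-try\\)?[-+^].*$" id)
     (list "^mkfifo\\(?:-try\\)?[-+^].*$" id)
     (list "^\\(?:allow\\|deny\\)/ioctl[-+]\\(?1:0x[0-9A-Fa-f]+\\|0o[0-7]+\\|[0-9]+\\)$" id num)
     (list "^\\(?:allow\\|deny\\)/ioctl[-+]\\(?1:[A-Z][A-Z0-9_]+!?\\)$" id spc)
     (list (concat "^allow/net/link[-+^]\\(?1:" link "\\)$") id spc)
     (list (concat "^allow/lock/\\(?:" lclist "\\)[-+^]\\(?1:[0-9]+\\(?:-[0-9]+\\)?\\(?:,[0-9]+\\(?:-[0-9]+\\)?\\)*\\)$") id num)
     (list (concat "^allow/lock/\\(?:" lclist "\\)[-+^]\\(?1:/.*\\)$") id str)
     (list (concat "^\\(?:" act "\\)/\\(?:" fmlist "\\)[-+^]\\(?1:.+\\)$") id str)
     (list (concat "^\\(?:" act "\\)/\\(?:\\(?:" nclist "\\)\\|net/\\(?:" nsub "\\)\\)[-+^]\\(?1:[^!@]+\\)\\(?2:[!@][0-9-]+\\)?$")
           id con '(2 'syd-3-number t t))
     (list "^include .*$" id)
     (list "^include_profile .*$" id)
     ;; Catch-all: must stay last so that it only sees lines that no
     ;; rule above matched.
     (list "^.+$" '(0 'syd-3-error))))
  "Font-lock keywords for `syd-3-mode'.
Valid commands are highlighted (their value by colour class); the final
catch-all flags any remaining line as an error.")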
3175:
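;;;###autoload
(define-derived-mode syd-3-mode prog-mode "Syd3"
  "Major mode for editing Syd v3 profiles (.syd-3 files).
Lines are highlighted through `syd-3-font-lock-keywords'.  `#' is the
comment starter used by the comment commands."
  ;; Comment commands insert `#' and skip any run of `#' plus blanks.
  (setq-local comment-start "#")
  (setq-local comment-start-skip "#+[ \t]*")
  ;; `font-lock-defaults' is (KEYWORDS KEYWORDS-ONLY CASE-FOLD): only the
  ;; keyword table is applied (no syntactic string/comment pass) and
  ;; matching stays case-sensitive.
  (setq-local font-lock-defaults '(syd-3-font-lock-keywords t nil)))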
3182:
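;; Open files whose name ends in ".syd-3" in `syd-3-mode'.
;;;###autoload
(add-to-list 'auto-mode-alist '("\\.syd-3\\'" . syd-3-mode))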
3185:
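(defun syd-3--value-classes (line)
  "Fontify LINE in `syd-3-mode' and report its highlighting.
Return a cons (ERR . CLASSES).  ERR is non-nil when any character of
LINE carries the `syd-3-error' face.  CLASSES is a list, without
duplicates, of one-letter codes for the value faces found on LINE:
\"B\" boolean, \"N\" number, \"S\" string, \"C\" constant, \"T\" type
and \"P\" special."
  (let ((face-codes '((syd-3-boolean . "B") (syd-3-number . "N")
                      (syd-3-string . "S") (syd-3-constant . "C")
                      (syd-3-type . "T") (syd-3-special . "P"))))
    (with-temp-buffer
      (insert line)
      (syd-3-mode)
      (font-lock-ensure)
      (let ((err nil) (classes '()) (pos (point-min)))
        (while (< pos (point-max))
          (let* ((prop (get-text-property pos 'face))
                 ;; A `face' property is either a single face or a list
                 ;; of faces.  Normalize to a list so that an error face
                 ;; inside a list is not overlooked, which would let a
                 ;; line that should be flagged pass as clean.  A dotted
                 ;; pair such as (foreground-color . COLOR) is kept as a
                 ;; single item.
                 (faces (if (and (consp prop) (listp (cdr prop)))
                            prop
                          (list prop))))
            (dolist (face faces)
              (when (eq face 'syd-3-error)
                (setq err t))
              (let ((class (cdr (assq face face-codes))))
                (when (and class (not (member class classes)))
                  (push class classes)))))
          (setq pos (1+ pos)))
        (cons err classes)))))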
3203:
(defconst syd-3--syntax-cases
  '(;; Positive cases: EXPECT-ERROR is nil, so the line must not be
    ;; flagged with the error face.
    ("lock:on" nil "B") ("lock:drop" nil "B") ("l" nil) ("lock" nil)
    ("stat" nil) ("dump" nil) ("panic" nil) ("ghost" nil)
    ("ipc:@/run/syd.sock" nil "S") ("ipc:none" nil) ("ipc/uid:1000" nil "N")
    ("ipc/uid:none" nil "T") ("ipc/gid:0" nil "N") ("ipc/max:64" nil "N")
    ("ipc/idle:30" nil "N") ("ipc/idle:5m" nil "N")
    ("config/expand:0" nil "N") ("config/expand:5m" nil "N")
    ("log/level:debug" nil "T") ("log/verbose:3" nil "N") ("log/rlimit_burst:5" nil "N")
    ("log/rlimit_interval:5s" nil "N") ("log/lock/new_exec_on:1" nil "B")
    ("log/lock/same_exec_off:true" nil "B")
    ("pty/row:80" nil "N") ("pty/col:24" nil "N") ("pty/col:none" nil "T")
    ("mem/max:1G" nil "N") ("mem/vm_max:512M" nil "N") ("pid/max:100" nil "N")
    ("mem/kill:1" nil "B") ("pid/kill:0" nil "B")
    ("rlimit/nofile:1024" nil) ("rlimit/as:1G" nil) ("rlimit/nice:10" nil) ("rlimit/cpu:30" nil)
    ("segvguard/expiry:5m" nil "N") ("segvguard/suspension:300" nil "N") ("segvguard/maxcrashes:3" nil "N")
    ("tpe/gid:1000" nil "N") ("tpe/gid:none" nil) ("tpe/negate:on" nil "B")
    ("tpe/root_owned:off" nil "B") ("tpe/root_mount:1" nil "B") ("tpe/user_owned:true" nil "B")
    ("proxy/addr:127.0.0.1" nil "C") ("proxy/port:8080" nil "N") ("proxy/ext/host:example.com" nil "S")
    ("proxy/ext/port:443" nil "N") ("proxy/ext/unix:/run/p.sock" nil "S")
    ("time:5" nil "N") ("time:-5" nil "N") ("time/boot:100" nil "N") ("time/mono:-42" nil "N")
    ("time:none" nil "T") ("timeout:30" nil "N") ("timeout:none" nil "T")
    ("uts/host:myhost" nil "S") ("uts/domain:example" nil "S") ("uts/version:1.0" nil "S")
    ("root:/newroot" nil "S") ("root:tmpfs" nil "T") ("root:ramfs" nil "T") ("root:none" nil "T")
    ("root/map:on" nil "B") ("root/fake:off" nil "B") ("workdir:/home" nil "S")
    ("sandbox/fs:on" nil "B") ("sandbox/readlink:on" nil "B") ("sandbox/mkbdev:off" nil "B")
    ("sandbox/mkcdev:on" nil "B") ("sandbox/all:on" nil "B") ("sandbox/all-l:on" nil "B")
    ("sandbox/all-x:off" nil "B") ("sandbox/lpath:on" nil "B") ("sandbox/bnet:on" nil "B")
    ("sandbox/read,write:off" nil "B") ("sandbox/pty:on" nil "B") ("sandbox/fs?" nil)
    ("default/fs:deny" nil "P") ("default/read:allow" nil "P") ("default/readlink:warn" nil "P")
    ("default/block:deny" nil "P") ("default/segvguard:kill" nil "P") ("default/all-l:deny" nil "P")
    ("default/read,write:deny" nil "P")
    ("unshare/mount:on" nil "B") ("unshare/all:on" nil "B") ("unshare/mount,net:off" nil "B")
    ("unshare/mount?" nil)
    ("trace/allow_unsafe_ptrace:1" nil "B") ("trace/allow_unsafe_fcntl:0" nil "B")
    ("trace/allow_unsafe_proc_files:on" nil "B") ("trace/sync_seccomp:1" nil "B")
    ("trace/deny_dotdot:on" nil "B") ("trace/force_cloexec:on" nil "B")
    ("trace/allow_safe_bind:on" nil "B") ("trace/force_umask:022" nil "N")
    ("trace/force_umask:off" nil "N") ("trace/memory_access:2" nil "N")
    ("trace/allow_unsafe_namespace:mount,net" nil "T") ("trace/allow_unsafe_namespace:all" nil "T")
    ("setenv!FOO=bar" nil) ("unsetenv!FOO" nil) ("clearenv!" nil)
    ("passenv+LD_*" nil) ("passenv-FOO" nil) ("passenv^FOO" nil) ("cmd/exec!/bin/echo" nil)
    ("append+/etc/foo" nil "S") ("mask+/proc:/dev/null" nil) ("mask^" nil)
    ("block+1.2.3.0/24" nil) ("block-1.2.3.4" nil) ("block^" nil)
    ("crypt+/secret" nil) ("crypt/key:42" nil "N") ("crypt/key:-5" nil "N")
    ("crypt/key/enc:7" nil "N") ("crypt/key/mac:9" nil "N") ("crypt/tmp:/tmp/x" nil "S")
    ;; The digest in the next case is a constructed sample (a repeated
    ;; pattern of 64 hex digits), not the checksum of a real binary.
    ("force+/usr/bin/x:sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef:deny" nil)
    ("force-/usr/bin/x" nil) ("force^" nil)
    ("setuid+1000:2000" nil) ("setgid+1000:2000" nil) ("setuid^1000" nil)
    ("bind+/src:/dst" nil) ("bind-try+/src:/dst" nil) ("bind-/dst" nil)
    ("link+/a:/b" nil) ("link-try+/a:/b" nil) ("symlink+/a:/b" nil) ("symlink-try+/a:/b" nil)
    ("link^" nil) ("mkdir+/tmp/d:0755" nil) ("mkdir-try+/tmp/d" nil)
    ("mkfile+/tmp/f" nil) ("mkfifo+/tmp/f" nil) ("mkfifo-try+/tmp/f" nil)
    ("allow/ioctl+0x5401" nil "N") ("deny/ioctl+TIOCSTI" nil "P") ("allow/ioctl-0o21505" nil "N")
    ("allow/read+/etc/**" nil "S") ("warn/write+/etc" nil "S") ("filter/exec+/bin/sh" nil "S")
    ("deny/stat+/x" nil "S") ("panic/create+/x" nil "S") ("stop/delete+/x" nil "S")
    ("abort/rename+/x" nil "S") ("kill/chmod+/x" nil "S") ("exit/chown+/x" nil "S")
    ("allow/readlink+/etc" nil "S") ("allow/mkbdev+/dev/x" nil "S") ("allow/mkcdev+/dev/x" nil "S")
    ("allow/all-l+/x" nil "S") ("allow/all-x+/x" nil "S") ("allow/read,write+/x" nil "S")
    ;; Network address cases also carry a fourth element: the address
    ;; must not be highlighted with the string class.
    ("allow/net/bind+1.2.3.4!80" nil "C" "S") ("allow/net/connect+127.0.0.1!443" nil "C" "S")
    ("allow/net+1.2.3.4!22" nil "C" "S") ("allow/net/bind+any!80" nil nil "S")
    ("allow/inet+loopback" nil nil "S")
    ("allow/net/link+route" nil "P") ("allow/net/link+inet_diag" nil "P")
    ("allow/lock/read+/etc" nil "S") ("allow/lock/mkbdev+/dev" nil "S")
    ("allow/lock/connect+22" nil "N") ("allow/lock/bind+80" nil "N")
    ("include /etc/foo.syd-3" nil) ("include_profile linux" nil)
    ;; Negative cases: EXPECT-ERROR is t, so the line must be flagged
    ;; with the error face.  They cover unknown directives and near-miss
    ;; spellings (for example "sandbox/raed:on"), so that a mistyped
    ;; sandbox rule stands out in the editor instead of looking valid.
    ("totallyunknown:x" t) ("bogusdirective" t) ("sandbox/raed:on" t) ("sandbox/mkdev:on" t)
    ("sandbox/bogus:on" t) ("default/boguscap:deny" t) ("default/mkdev:deny" t)
    ("unshare/bogus:on" t) ("uts/bogus:x" t) ("root/bogus:on" t) ("ipc/bogus:1" t)
    ("log/bogus:1" t) ("log/lock/bogus:1" t) ("mem/bogus:1" t) ("pid/bogus:1" t)
    ("tpe/bogus:on" t) ("segvguard/bogus:1" t) ("proxy/bogus:1" t) ("proxy/ext/bogus:1" t)
    ("crypt/bogus:1" t) ("trace/allow_unsafe_bogus:on" t) ("trace/bogus:on" t)
    ("time/bogus:1" t) ("warn/ioctl+foo" t) ("allow/bogus+/x" t) ("allow/net/accept+any" t)
    ("allow/net/bogus+any" t) ("allow/lock/bogus+/x" t) ("pty/bogus:1" t)
    ("config/bogus:1" t) ("mkbogus+/x" t))
  "Syntax-highlighting test cases for `syd-3-mode'.
Each entry is (LINE EXPECT-ERROR [VALUE-CLASS [FORBIDDEN-CLASS]]).
LINE is one profile line.  EXPECT-ERROR is non-nil when LINE must be
flagged with the error face and nil when it must not be.  VALUE-CLASS,
when non-nil, is a one-letter class code that must appear on LINE;
FORBIDDEN-CLASS, when non-nil, is a code that must not appear.
Codes: B boolean, N number, S string, C constant, T type, P special.")
3280:
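(defun syd-3-syntax-test ()
  "Run the `syd-3-mode' highlighting suite, report TAP, then exit.
Every entry of `syd-3--syntax-cases' is fontified with
`syd-3--value-classes' and compared with its expectations: whether the
line is flagged as an error, which value class must be present and
which must be absent.  The report is printed in one piece and Emacs
exits with status 0 when every case passed and 1 otherwise."
  (let* ((names '(("B" . "Boolean") ("N" . "Number") ("S" . "String")
                  ("C" . "Constant") ("T" . "Type") ("P" . "Special")))
         ;; Expand a one-letter class code; unknown codes pass through.
         (full (lambda (code) (or (cdr (assoc code names)) code)))
         (total (length syd-3--syntax-cases))
         ;; `out' is built newest-first and reversed once before printing.
         (out '())
         (count 0)
         (failures 0))
    ;; The version line has to be the first line of a TAP 13 stream,
    ;; followed by the plan, so push them in that order like every
    ;; other line.
    (push "TAP version 13" out)
    (push (format "1..%d" total) out)
    (dolist (case syd-3--syntax-cases)
      (setq count (1+ count))
      (let* ((line (nth 0 case))
             (want-error (nth 1 case))
             (want-class (nth 2 case))
             (forbid-class (nth 3 case))
             (result (syd-3--value-classes line))
             (have-error (car result))
             (have-classes (cdr result))
             ;; Human-readable list of the classes found, "-" when none.
             (actual (if have-classes
                         (mapconcat full
                                    (sort (copy-sequence have-classes) #'string<)
                                    ",")
                       "-"))
             ;; Each reason is (EXPECTED . ACTUAL) for the diagnostics.
             (reasons '()))
        (cond
         ((and want-error (not have-error))
          (push '("error" . "ok") reasons))
         ((and (not want-error) have-error)
          (push '("ok" . "error") reasons)))
        (when (and want-class (not (member want-class have-classes)))
          (push (cons (funcall full want-class) actual) reasons))
        (when (and forbid-class (member forbid-class have-classes))
          (push (cons (concat "not " (funcall full forbid-class)) actual)
                reasons))
        (if (null reasons)
            (push (format "ok %d - %s" count line) out)
          (setq failures (1+ failures))
          (push (format "not ok %d - %s" count line) out)
          (dolist (r reasons)
            (push (format "# expected: %s" (car r)) out)
            (push (format "# actual: %s" (cdr r)) out)))))
    (push (format "# %d tests, %d failures" total failures) out)
    (princ (mapconcat #'identity (nreverse out) "\n"))
    (princ "\n")
    ;; A non-zero exit status lets the calling harness see the failure.
    (kill-emacs (if (zerop failures) 0 1))))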
3324:
(defun syd-el-main-test ()
  "Define and run the embedded ERT test suite for syd.el, then exit.
The tests are defined at call time, run in a fixed order, and reported
as TAP version 13 on standard output.  Emacs then exits with status 0
when every test passed and 1 otherwise.

The tests change the sandbox state of the running process and finish
by turning the sandbox lock on, so this is meant for a dedicated test
process, not an interactive session."
  (require 'ert)
  ;; The suite is a quoted form handed to `eval' (second argument t =
  ;; lexical binding), so the `ert-deftest' forms are only expanded when
  ;; this function runs, after `ert' has been loaded.
  (eval
   '(progn
      (ert-deftest syd-el-api ()
        "API version query and liveness check."
        (should (eq (syd-api) 3))
        (should (syd-check)))

      (ert-deftest syd-el-stat-validation ()
        ;; Existing paths are expected to yield non-nil, a missing or
        ;; deleted path nil.
        (should (syd--stat "/dev/null"))
        (should-not (syd--stat "/syd-el-no-such-path-xyzzy"))
        (let ((reg (make-temp-file "syd-el-")))
          ;; Remove the temporary file even when the assertion fails.
          (unwind-protect
              (should (syd--stat reg))
            (delete-file reg))
          (should-not (syd--stat reg))))

      (ert-deftest syd-el-toggle ()
        ;; Categories expected to be switchable in both directions.
        (dolist (cat '("fs" "walk" "read" "write" "exec" "ioctl"
                       "create" "delete" "rename" "symlink" "truncate"
                       "readdir" "mkdir" "rmdir" "chown" "chgrp" "chmod"
                       "chattr" "chroot" "utime" "mkbdev" "mkcdev"
                       "mkfifo" "mktemp" "net" "tpe"))
          (let ((enabled (intern (format "syd-enabled-%s" cat)))
                (enable (intern (format "syd-enable-%s" cat)))
                (disable (intern (format "syd-disable-%s" cat))))
            (let ((was (funcall enabled)))
              (should (funcall enable))
              (should (funcall enabled))
              (should (funcall disable))
              (should-not (funcall enabled))
              ;; Put the category back the way it was found.  This line
              ;; is skipped if one of the assertions above fails.
              (if was (funcall enable) (funcall disable))
              (should (eq (and (funcall enabled) t) (and was t)))))))

      (ert-deftest syd-el-force-startup ()
        ;; Expects force sandboxing to be on when the test starts
        ;; (presumably set up by the test harness -- confirm) and
        ;; leaves it off.
        (should (syd-enabled-force))
        (should (syd-disable-force))
        (should-not (syd-enabled-force)))

      (ert-deftest syd-el-query ()
        ;; The query functions must return exactly t or nil.
        (dolist (q '(syd-enabled-crypt syd-enabled-proxy syd-enabled-lock
                     syd-enabled-mem))
          (should (memq (funcall q) '(t nil))))
        (should (syd-disable-mem))
        (should-not (syd-enabled-mem)))

      (ert-deftest syd-el-startup-only ()
        ;; For these categories the test expects enabling to be refused
        ;; while disabling succeeds.
        (dolist (cat '("chdir" "list" "notify" "readlink" "stat" "pid"))
          (let ((enabled (intern (format "syd-enabled-%s" cat)))
                (enable (intern (format "syd-enable-%s" cat)))
                (disable (intern (format "syd-disable-%s" cat))))
            (should-not (funcall enable))
            (should (funcall disable))
            (should-not (funcall enabled)))))

      (ert-deftest syd-el-default ()
        ;; Every action keyword is accepted as the default for "fs".
        (dolist (act '(:action-allow :action-warn :action-filter :action-deny
                       :action-panic :action-stop :action-abort :action-kill
                       :action-exit))
          (should (syd-default-fs act)))
        ;; Every listed capability accepts `:action-deny' as its default.
        (dolist (cap '("fs" "walk" "list" "stat" "read" "write" "exec"
                       "ioctl" "create" "delete" "rename" "readlink"
                       "symlink" "truncate" "chdir" "readdir" "mkdir"
                       "rmdir" "chown" "chgrp" "chmod" "chattr" "chroot"
                       "notify" "utime" "mkbdev" "mkcdev" "mkfifo" "mktemp"
                       "net" "mem" "force" "tpe" "segvguard"))
          (should (funcall (intern (format "syd-default-%s" cap))
                           :action-deny)))
        (should (syd-default-pid :action-stop))
        ;; `:action-allow' is expected to be refused as a default for
        ;; these capabilities, and `:action-deny' for "pid".
        (dolist (cap '("mem" "force" "tpe" "segvguard"))
          (should-not (funcall (intern (format "syd-default-%s" cap))
                               :action-allow)))
        (should-not (syd-default-pid :action-deny))
        (should (syd-default-fs :action-deny)))

      (ert-deftest syd-el-rules ()
        ;; Add, delete and remove one rule per capability.
        (should (syd-fs-add :action-deny "securityfs"))
        (should (syd-fs-del :action-deny "securityfs"))
        (should (syd-fs-rem :action-deny "securityfs"))
        (let ((glob "/tmp/syd-el-test"))
          (dolist (cap '("walk" "list" "stat" "read" "write" "exec"
                         "create" "delete" "rename" "readlink" "symlink"
                         "truncate" "chdir" "readdir" "mkdir" "rmdir"
                         "chown" "chgrp" "chmod" "chattr" "chroot" "notify"
                         "utime" "mkbdev" "mkcdev" "mkfifo" "mktemp"))
            (let ((add (intern (format "syd-%s-add" cap)))
                  (del (intern (format "syd-%s-del" cap)))
                  (rem (intern (format "syd-%s-rem" cap))))
              (should (funcall add :action-deny glob))
              (should (funcall del :action-deny glob))
              (should (funcall rem :action-deny glob))))))

      (ert-deftest syd-el-net-rules ()
        ;; Loopback addresses and an unnamed socket are used as samples.
        (dolist (spec '(("net-bind" . "127.0.0.1!8080")
                        ("net-connect" . "::1!443")
                        ("net-sendfd" . "!unnamed")))
          (let* ((cap (car spec))
                 (addr (cdr spec))
                 (add (intern (format "syd-%s-add" cap)))
                 (del (intern (format "syd-%s-del" cap)))
                 (rem (intern (format "syd-%s-rem" cap))))
            (should (funcall add :action-allow addr))
            (should (funcall del :action-allow addr))
            (should (funcall rem :action-allow addr))))
        ;; The net-link rule calls are expected to be refused here.
        (should-not (syd-net-link-add :action-allow "route"))
        (should-not (syd-net-link-del :action-allow "route"))
        (should-not (syd-net-link-rem :action-allow "route")))

      (ert-deftest syd-el-limits ()
        ;; `syd-mem-max' is called with a size string and with an integer.
        (should (syd-mem-max "1G"))
        (should (syd-mem-max 1073741824))
        (should (syd-mem-vm-max "2G"))
        (should (syd-pid-max 4096)))

      (ert-deftest syd-el-segvguard ()
        (should (syd-segvguard-expiry 120))
        (should (syd-segvguard-suspension 300))
        (should (syd-segvguard-maxcrashes 5)))

      (ert-deftest syd-el-force-rule ()
        ;; The hash is a constructed placeholder: 64 `a' characters, not
        ;; the digest of a real file.
        (let ((hash (make-string 64 ?a)))
          (should (syd-force-add "/usr/bin/syd-el-test" "sha256" hash
                                 :action-deny))
          (should (syd-force-del "/usr/bin/syd-el-test"))
          (should (syd-force-clr))))

      (ert-deftest syd-el-rule-helper ()
        ;; `syd--rule' joins prefix, operator character and argument
        ;; under /dev/syd; an unknown operator or an empty argument must
        ;; signal an error rather than produce a path.
        (should (equal (syd--rule "fs" "/tmp/x" ?+) "/dev/syd/fs+/tmp/x"))
        (should (equal (syd--rule "allow/net/bind" "127.0.0.1!80" ?+)
                       "/dev/syd/allow/net/bind+127.0.0.1!80"))
        (should (equal (syd--rule "fs" "/x" ?-) "/dev/syd/fs-/x"))
        (should (equal (syd--rule "fs" "/x" ?^) "/dev/syd/fs^/x"))
        (should (equal (syd--rule "fs" "/x" ?:) "/dev/syd/fs:/x"))
        (should-error (syd--rule "fs" "/x" ?z))
        (should-error (syd--rule "fs" "" ?+)))

      (ert-deftest syd-el-info ()
        ;; `syd-info' must return a non-empty list whose `default_fs'
        ;; entry is a string.
        (let ((info (syd-info)))
          (should (consp info))
          (should (stringp (cdr (assq 'default_fs info))))))

      (ert-deftest syd-el-ioctl ()
        (should (syd-ioctl-add :action-allow "FIONREAD"))
        (should (syd-ioctl-del :action-allow "FIONREAD"))
        (should (syd-ioctl-rem :action-allow "FIONREAD"))
        ;; A number is accepted, a non-numeric string must signal an error.
        (should (syd-ioctl-deny #xDEADCA11))
        (should-error (syd-ioctl-deny "not-a-number")))

      (ert-deftest syd-el-exec ()
        ;; A non-string command and a non-string element in the argument
        ;; list must signal an error before anything is run.
        (should-error (syd-exec 42 nil))
        (should-error (syd-exec "/bin/true" '("ok" 7)))
        (let ((true (if (file-executable-p "/bin/true")
                        "/bin/true" "/usr/bin/true")))
          (should (syd-exec true nil))))

      (ert-deftest syd-el-load ()
        ;; 9999 is presumably a file descriptor that is not open --
        ;; confirm against `syd-load'.
        (should-not (syd-load 9999)))

      (ert-deftest syd-el-lock ()
        ;; Turning the lock off is expected to be refused, while moving
        ;; to exec, drop and on succeeds.
        (should-not (syd-lock :lock-off))
        (should (syd-lock :lock-exec))
        (should (syd-lock :lock-drop))
        (should (syd-lock :lock-on))
        ;; Once the lock is on, every further lock request must fail,
        ;; including one that would loosen it.
        (dolist (st '(:lock-off :lock-exec :lock-drop :lock-read :lock-on))
          (should-not (syd-lock st)))
        (should-not (syd-lock :lock-bogus))))
   t)
  ;; The tests run in this explicit order, not in definition order.
  ;; `syd-el-lock' has to stay last: it ends by turning the lock on, and
  ;; per `syd-lock-on' that disallows all further sandbox commands.
  (let ((tests '(syd-el-rule-helper
                 syd-el-api
                 syd-el-info
                 syd-el-stat-validation
                 syd-el-toggle
                 syd-el-startup-only
                 syd-el-force-startup
                 syd-el-query
                 syd-el-default
                 syd-el-rules
                 syd-el-net-rules
                 syd-el-ioctl
                 syd-el-limits
                 syd-el-segvguard
                 syd-el-force-rule
                 syd-el-exec
                 syd-el-load
                 syd-el-lock))
        (count 0)
        (failures 0))
    (princ "TAP version 13\n")
    (princ (format "1..%d\n" (length tests)))
    (dolist (name tests)
      (setq count (1+ count))
      (let* ((result (ert-run-test (ert-get-test name)))
             (passed (ert-test-passed-p result)))
        (if passed
            (princ (format "ok %d - %s\n" count name))
          (setq failures (1+ failures))
          (princ (format "not ok %d - %s\n" count name))
          ;; Print the signalled condition as TAP diagnostics.  The
          ;; accessor is wrapped in `ignore-errors' so that a result
          ;; without a condition yields no diagnostics instead of an
          ;; error in the runner.
          (let ((condition
                 (ignore-errors
                   (ert-test-result-with-condition-condition result))))
            (when condition
              (dolist (line (split-string (format "%S" condition) "\n" t))
                (princ (format "# %s\n" line))))))))
    (princ (format "# %d tests, %d failures\n" (length tests) failures))
    ;; A non-zero exit status lets the calling harness see the failure.
    (kill-emacs (if (zerop failures) 0 1))))
3532:
;; Announce the `syd' feature so that (require 'syd) succeeds.
(provide 'syd)
3534: ; syd.el ends here
3535: