Implement network access restriction in sorna-jail

[achimnol]

Sorna's "jail" subproject⁽¹⁾ is a seccomp-based sandbox written in Go. We use it for all kernel containers to prevent malicious user codes from executing potentially dangerous system calls as well as to enforce our customized ACL upon file systems and networks.

⁽¹⁾ This will be moved to a separate repository.

Already implemented:

• Limitation of the maximum allowed number of threads/processes
• seccomp-based system call filter

Half-implemented:

• Path-based file system operation check: reading path string from syscall arguments works but there is no detailed policy implementation. This would be a practice before getting into the network restriction work.

To do for you:

• Host-based and IP-based network connection restriction. For example, allow only HTTPS/SSH access to GitHub but forbid network connections to everything else.
  • This requires intercepting DNS resolution and connect() system call with some inspection to the socket file descriptor.

┆Issue is synchronized with this Asana task by Unito

[achimnol]

Probably could be revisited with CNI compatible networking layer.