Open osevan opened 8 months ago
For landlock
I would say we should deny binding to any tcp port and allow connecting to all tcp ports. For fine-grained control options we could use `landlock.bind-tcp`/`landlock.connect-tcp` (or namespaced `landlock[.net].tcp.bind`/`landlock[.net].bind`), or an implementation-free name like `whitelist-tcp-bind`/`whitelist-tcp-connect` (systemd uses `SocketBindAllow`/`SocketBindDeny`, implemented with `cgroup/bind[46]`).
We should also ask whether exposing those low-level options makes sense for firejail. While restricting bind sounds interesting, restricting connect for tcp connections could give a lot of users a false sense of security (/privacy) unless other layer 4 protocols (udp and the like) are blocked by other means (seccomp/cgroup/ebpf/nftables/netfilter).
I hope everyone with an eye on landlock functionality could implement this feature in firejail as fast as possible.
https://www.phoronix.com/news/Landlock-Networking-Linux-6.7
Thanks and
Best regards
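As an added illustration of the policy proposed in the issue (deny all TCP bind, allow all TCP connect, with an optional bind allow-list in the spirit of `whitelist-tcp-bind`) and of the caveat that Landlock's TCP rules say nothing about UDP, here is a self-contained C program. It is example code written for this page, not firejail's or the poster's code. It declares the Landlock ABI v4 constants, syscall numbers (444 to 446) and structs locally so it also compiles against pre-6.7 headers; the function and struct names (`apply_tcp_bind_policy`, `probe_tcp_bind_policy`, `probe_result`) and the loopback port 47123 are constructed for this example. On a kernel without Landlock ABI v4 (Linux 6.7) the probe reports `supported = 0` and skips the checks.

```c
#define _GNU_SOURCE 1
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI pieces declared locally (values as in include/uapi/linux/landlock.h)
 * so this compiles against pre-6.7 headers; the running kernel decides support. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_NET_PORT          2U
#define LL_ACCESS_NET_BIND_TCP    (1ULL << 0) /* LANDLOCK_ACCESS_NET_CONNECT_TCP is bit 1 */
struct ll_ruleset_attr  { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };
#define PROBE_PORT 47123 /* constructed loopback port used by the self-test */
enum { POLICY_APPLIED, POLICY_UNSUPPORTED, POLICY_ERROR };

/* "whitelist-tcp-bind" semantics: TCP bind is denied on every port except those in allow[]
 * (empty list = deny all). TCP connect is left out of the handled set, so it stays allowed. */
int apply_tcp_bind_policy(const uint16_t *allow, size_t n)
{
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    if (abi < 4) return POLICY_UNSUPPORTED; /* network rules need ABI v4 (Linux 6.7) */
    struct ll_ruleset_attr attr = { .handled_access_net = LL_ACCESS_NET_BIND_TCP };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return POLICY_ERROR;
    for (size_t i = 0; i < n; i++) {
        struct ll_net_port_attr rule = { .allowed_access = LL_ACCESS_NET_BIND_TCP,
                                         .port = allow[i] }; /* host byte order */
        if (syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &rule, 0)) {
            close(fd); return POLICY_ERROR;
        }
    }
    /* restrict_self requires no_new_privs unless the caller has CAP_SYS_ADMIN */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0)) {
        close(fd); return POLICY_ERROR;
    }
    close(fd);
    return POLICY_APPLIED;
}
struct probe_result {
    int supported;          /* 0: kernel lacks Landlock ABI v4, nothing was probed */
    int error;              /* 1: ruleset could not be applied or the child failed */
    int tcp_bind_denied;    /* 1: TCP bind() on PROBE_PORT failed with EACCES */
    int tcp_connect_denied; /* 1: TCP connect() failed with EACCES (must never happen) */
    int udp_bind_denied;    /* 1: UDP bind() failed with EACCES (Landlock never does this) */
};
/* A Landlock domain cannot be dropped again, so the policy is applied in a forked child that
 * probes bind()/connect() on loopback and reports via its exit status. Only EACCES counts as
 * "denied"; ECONNREFUSED, EADDRINUSE etc. mean the call got past the LSM hook. */
struct probe_result probe_tcp_bind_policy(const uint16_t *allow, size_t n)
{
    struct probe_result r = {0};
    pid_t pid = fork();
    if (pid < 0) { r.error = 1; return r; }
    if (pid == 0) {
        int rc = apply_tcp_bind_policy(allow, n);
        if (rc != POLICY_APPLIED) _exit(rc == POLICY_UNSUPPORTED ? 100 : 101);
        struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(PROBE_PORT) };
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        int bits = 0, s;
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 && errno == EACCES) bits |= 1;
        close(s);
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0 && errno == EACCES) bits |= 2;
        close(s);
        s = socket(AF_INET, SOCK_DGRAM, 0); /* UDP: the caveat from the issue, never restricted */
        if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 && errno == EACCES) bits |= 4;
        close(s);
        _exit(bits);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) { r.error = 1; return r; }
    int code = WEXITSTATUS(status);
    if (code >= 100) { r.error = (code == 101); return r; } /* 100: unsupported kernel */
    r.supported = 1; r.tcp_bind_denied = code & 1;
    r.tcp_connect_denied = (code >> 1) & 1; r.udp_bind_denied = (code >> 2) & 1;
    return r;
}

int main(void)
{
    const uint16_t allow[] = { PROBE_PORT };
    struct probe_result d = probe_tcp_bind_policy(NULL, 0), a = probe_tcp_bind_policy(allow, 1);
    printf("supported=%d deny-all: bind=%d connect=%d udp=%d | allow-port: bind=%d connect=%d\n",
           d.supported, d.tcp_bind_denied, d.tcp_connect_denied, d.udp_bind_denied,
           a.tcp_bind_denied, a.tcp_connect_denied);
    return 0;
}
```

Run it as an unprivileged user on a 6.7+ kernel: with the empty allow-list the TCP bind fails with EACCES while connect (ECONNREFUSED, since nothing listens) and the UDP bind go through, which is exactly the partial coverage the issue warns about; with the port on the allow-list the TCP bind succeeds. The ruleset handles only `LANDLOCK_ACCESS_NET_BIND_TCP`, so connect is never evaluated by Landlock at all; handling `CONNECT_TCP` as well (bit 1) and adding port rules would give the `whitelist-tcp-connect` variant.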