netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.56k stars, 557 forks

landlock stream sockets tcp added inside kernel. #6077

Open osevan opened 8 months ago

osevan commented 8 months ago

I hope everyone with an eye on landlock functionality could plant this feature as fast as possible inside firejail.

https://www.phoronix.com/news/Landlock-Networking-Linux-6.7

Thanks and

Best regards

rusty-snake commented 8 months ago

For landlock I would say we should deny binding to any tcp port and allow connecting to all tcp ports.

For fine-grained control options we could use landlock.bind-tcp/landlock.connect-tcp (or namespaced landlock[.net].tcp.bind / landlock[.net].bind) or an implementation-free name like whitelist-tcp-bind/whitelist-tcp-connect (systemd uses SocketBindAllow/SocketBindDeny implemented with cgroup/bind[46]).

We should also ask whether exposing those low-level options makes sense for firejail. While restricting bind sounds interesting, restricting connect for tcp connections could give a lot of users a false sense of security (/privacy) unless other layer 4 protocols (udp and the like) are blocked by other means (seccomp/cgroup/ebpf/nftables/netfilter).
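The policy sketched above (deny TCP bind everywhere except an explicit allow-list, leave TCP connect untouched) is small enough to show end to end with the Landlock ABI v4 network rules. The following is an added example written for this thread, not firejail code: it uses the raw Landlock syscalls with local copies of the uapi constants and structs so it also compiles against pre-6.7 headers, and the allow-list port 8080 and probe port 8081 are constructed sample values. It also reports why a kernel without network Landlock (ABI < 4, or the syscalls filtered by seccomp) cannot enforce the policy instead of silently running unconfined, which is the check a sandbox should make before promising anything to the user.

```c
// Added example (not firejail code): Landlock ABI v4 policy that denies TCP bind
// on every port except an allow-list and leaves TCP connect unrestricted.
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* Local copies of the linux/landlock.h uapi values so this builds on old headers. */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_ACCESS_NET_BIND_TCP    (1ULL << 0)
#define LL_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LL_RULE_NET_PORT          2
struct ll_ruleset_attr  { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access;    uint64_t port; };

enum { POLICY_APPLIED = 0, POLICY_UNSUPPORTED = 1, POLICY_ERROR = -1 };

/* Landlock ABI version, or -1 if unavailable (old kernel or syscall filtered).
 * TCP bind/connect rules require ABI >= 4 (Linux 6.7). */
int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Deny TCP bind on all ports except allowed_bind_ports. CONNECT_TCP is
 * deliberately not "handled", so connect stays allowed on every port. */
int apply_tcp_bind_allowlist(const uint16_t *allowed_bind_ports, size_t n)
{
    if (landlock_abi_version() < 4)
        return POLICY_UNSUPPORTED;

    /* Everything handled and not explicitly allowed by a rule is denied. */
    struct ll_ruleset_attr attr = { .handled_access_fs = 0,
                                    .handled_access_net = LL_ACCESS_NET_BIND_TCP };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0)
        return POLICY_ERROR;

    for (size_t i = 0; i < n; i++) {
        struct ll_net_port_attr rule = { .allowed_access = LL_ACCESS_NET_BIND_TCP,
                                         .port = allowed_bind_ports[i] /* host order */ };
        if (syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_NET_PORT, &rule, 0) < 0) {
            close(ruleset_fd);
            return POLICY_ERROR;
        }
    }
    /* Landlock refuses to restrict a process that could still gain privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
        syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0) {
        close(ruleset_fd);
        return POLICY_ERROR;
    }
    close(ruleset_fd);
    return POLICY_APPLIED;
}

/* bind() a TCP socket to 127.0.0.1:port; returns 0 or errno (EACCES when denied). */
int tcp_bind_probe(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* connect() to 127.0.0.1:port; returns 0 or errno. Because connect is not
 * handled, the result is whatever TCP says (ECONNREFUSED etc.), never EACCES. */
int tcp_connect_probe(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

int main(void)
{
    const uint16_t allowed[] = { 8080 };            /* constructed allow-list */
    printf("Landlock ABI: %d\n", landlock_abi_version());
    if (apply_tcp_bind_allowlist(allowed, 1) != POLICY_APPLIED)
        return 1;                                   /* refuse to run unconfined */
    printf("bind 8080: %s\n", strerror(tcp_bind_probe(8080)));
    printf("bind 8081: %s\n", strerror(tcp_bind_probe(8081)));
    printf("connect 8081: %s\n", strerror(tcp_connect_probe(8081)));
    return 0;
}
```

Note that this is exactly the asymmetry rusty-snake warns about: the kernel enforces the bind restriction on TCP only, so a policy like this says nothing about UDP or raw sockets, and the process can still connect anywhere unless CONNECT_TCP is handled and other protocols are blocked elsewhere.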