subgraph / citadel

Subgraph Citadel image builder

Configure iptables in Citadel #4

Open brl opened 6 years ago

brl commented 6 years ago

A set of iptables rules needs to be added to Citadel to not allow any access to the network at all from components running inside Citadel. Some exceptions will exist of course, such as the dhcp client.

Not only should all network access be blocked but it must be logged as well so that we can investigate any component that believes that it needs to do something on the network.

Of course the user will want to be able to use the internet so application image instances will need to be permitted to reach the network. Currently the nspawn containers are just using the simplest networking option and sharing the host network namespace. The plan I'm proposing is to configure them with Veth interfaces instead, and assign those interfaces to a bridge named something like 'clearnet'. Later when VPNs are supported, we can manage assigning application images to the correct network context by just adding them to the appropriate bridge.
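The policy sketched in this issue (host components blocked and logged, DHCP client exempted, application containers forwarded via the 'clearnet' bridge) written out as an iptables-restore ruleset. This is an added example, not code from the Citadel project; the uplink interface name `eth0`, the bridge name `clearnet` and the chain name `CITADEL_LOGDROP` are assumptions.

```shell
#!/bin/sh
# Added example, not part of Citadel. Emits an iptables-restore ruleset for
# the policy described in the issue. UPLINK (assumed: eth0) is the host's
# physical interface; BRIDGE (assumed: clearnet) carries the container veths.
UPLINK="${UPLINK:-eth0}"
BRIDGE="${BRIDGE:-clearnet}"

citadel_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:CITADEL_LOGDROP - [0:0]
# Everything sent here is logged (rate-limited so a chatty component cannot
# flood the journal) and then dropped; the prefix makes the events greppable.
-A CITADEL_LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "citadel-blocked: " --log-level 4
-A CITADEL_LOGDROP -j DROP
# Host (Citadel) components: only loopback and the DHCP client may talk.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $UPLINK -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j CITADEL_LOGDROP
# Application images on the bridge: new flows out, established flows back.
-A FORWARD -i $BRIDGE -o $UPLINK -j ACCEPT
-A FORWARD -i $UPLINK -o $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j CITADEL_LOGDROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Containers use private addresses on the bridge; NAT them behind the uplink.
-A POSTROUTING -s 0.0.0.0/0 -o $UPLINK -j MASQUERADE
COMMIT
EOF
}

# Count the rules in the generated set (handy for a sanity check after edits).
citadel_rule_count() {
    citadel_rules | grep -c '^-A'
}

# Load the ruleset atomically; needs root and a configured bridge.
citadel_apply() {
    citadel_rules | iptables-restore
}
```

Blocked attempts show up in the kernel log with the `citadel-blocked:` prefix, which is what the issue asks for when investigating a component that tries to reach the network; containers started with `systemd-nspawn --network-bridge=clearnet` get a veth pair whose host end is attached to that bridge.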