You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For landlock I would say we should deny to bind to any tcp port and allow to connect to all tcp ports.
For fine grained control options we could use landlock.bind-tcp/landlock.connect-tcp (or namespaced landlock[.net].tcp.bind / landlock[.net].bind) or a implementation free name line whitelist-tcp-bind/whitelist-tcp-connect (systemd uses SocketBindAllow/SocketBindDeny implemented with cgroup/bind[46]).
We should also ask whether exposing those low-level options make sense for firejail. While restricting bind sounds interesting, restricting connect for tcp connections could give a lot users a false-sense of security(/privacy) unless other layer 4 protocols (udp and the like) are blocked by other means (seccomp/cgroup/ebpf/nftables/netfilter).
I hope everyone with eye on landlock functionality could plant this feature as fast as possible inside firejail.
https://www.phoronix.com/news/Landlock-Networking-Linux-6.7
Thanks and
Best regards
The text was updated successfully, but these errors were encountered: