From 99a93022519932290f9ce527f1fed7c01ac6fe74 Mon Sep 17 00:00:00 2001
From: Ladislav Smola <lsmola@redhat.com>
Date: Fri, 12 Jun 2026 14:57:15 +0200
Subject: [PATCH] feat(sandbox): Landlock TCP port restriction in Platform mode

When Platform mode is active, apply Landlock ABI v4 network rules to
restrict TCP connect to only the proxy port (default 3128). This makes
the loopback CONNECT proxy mandatory at the kernel level -- a process
calling connect() to any other port gets EACCES.

This closes the cooperative proxy gap identified in the enforcement
analysis: without this, processes ignoring HTTP_PROXY could bypass the
proxy and connect directly (caught only by Tier 3 NetworkPolicy). With
this, enforcement is at Tier 1 (kernel LSM).

Graceful degradation: if the kernel does not support Landlock ABI v4
(e.g. RHEL 9.5 or earlier), the network rules are silently skipped
and enforcement falls back to the cooperative proxy + NetworkPolicy
(same as Issue #899 base behavior).

Ref: NVIDIA/OpenShell#899
---
 .../src/sandbox/linux/landlock.rs             | 45 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/crates/openshell-sandbox/src/sandbox/linux/landlock.rs b/crates/openshell-sandbox/src/sandbox/linux/landlock.rs
index e7f37ce4f..9fd61256a 100644
--- a/crates/openshell-sandbox/src/sandbox/linux/landlock.rs
+++ b/crates/openshell-sandbox/src/sandbox/linux/landlock.rs
@@ -4,9 +4,10 @@
 //! Landlock filesystem sandboxing.
 
 use crate::policy::{LandlockCompatibility, SandboxPolicy};
+use crate::policy::NetworkMode;
 use landlock::{
-    ABI, Access, AccessFs, CompatLevel, Compatible, PathBeneath, PathFd, PathFdError, Ruleset,
-    RulesetAttr, RulesetCreatedAttr,
+    ABI, Access, AccessFs, AccessNet, CompatLevel, Compatible, NetPort, PathBeneath, PathFd,
+    PathFdError, Ruleset, RulesetAttr, RulesetCreatedAttr,
 };
 use miette::{IntoDiagnostic, Result};
 use std::path::{Path, PathBuf};
@@ -184,6 +185,15 @@ pub fn prepare(policy: &SandboxPolicy, workdir: Option<&str>) -> Result<Option<P
             .handle_access(access_all)
             .into_diagnostic()?;
 
+        // Platform mode: also handle TCP connect access so Landlock can
+        // restrict which ports the agent connects to. This requires ABI v4.
+        // The compat_level handles graceful degradation on older kernels.
+        if matches!(policy.network.mode, NetworkMode::Platform) {
+            ruleset = ruleset
+                .handle_access(AccessNet::ConnectTcp)
+                .into_diagnostic()?;
+        }
+
         let mut ruleset = ruleset.create().into_diagnostic()?;
         let mut rules_applied: usize = 0;
 
@@ -207,6 +217,37 @@ pub fn prepare(policy: &SandboxPolicy, workdir: Option<&str>) -> Result<Option<P
             }
         }
 
+        // Platform mode: restrict TCP connect to the proxy port only.
+        // Uses Landlock ABI v4 (LANDLOCK_ACCESS_NET_CONNECT_TCP). If the
+        // kernel doesn't support ABI v4, the network rules are silently
+        // skipped (best_effort) and enforcement falls back to NetworkPolicy.
+        if matches!(policy.network.mode, NetworkMode::Platform) {
+            let proxy_port = policy
+                .network
+                .proxy
+                .as_ref()
+                .and_then(|p| p.http_addr)
+                .map_or(3128_u16, |addr| addr.port());
+
+            match ruleset.add_rule(NetPort::new(proxy_port, AccessNet::ConnectTcp)) {
+                Ok(r) => {
+                    ruleset = r;
+                    debug!(
+                        port = proxy_port,
+                        "Landlock allow TCP connect (proxy port only)"
+                    );
+                    rules_applied += 1;
+                }
+                Err(e) => {
+                    debug!(
+                        error = %e,
+                        "Landlock TCP port restriction unavailable (ABI v4 required), \
+                         falling back to cooperative proxy enforcement"
+                    );
+                }
+            }
+        }
+
         if rules_applied == 0 {
             return Err(miette::miette!(
                 "Landlock ruleset has zero valid paths — all {} path(s) failed to open. \