From fd2ea7b5ad59bd8f02d155efb6811709eb944efa Mon Sep 17 00:00:00 2001 From: Ladislav Smola Date: Fri, 12 Jun 2026 15:25:40 +0200 Subject: [PATCH] docs: RFC for seccomp-notify network enforcement in Platform mode Design proposal for kernel-level domain/IP filtering using SECCOMP_RET_USER_NOTIF. Alternative to Landlock TCP port restriction for standalone deployments without a proxy. Implementation: ~300-500 LOC, 2-3 weeks. All kernel features available on RHEL 9 / OpenShift 4.18. Ref: NVIDIA/OpenShell#899 --- .../seccomp-notify-network-enforcement.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 docs/rfcs/seccomp-notify-network-enforcement.md diff --git a/docs/rfcs/seccomp-notify-network-enforcement.md b/docs/rfcs/seccomp-notify-network-enforcement.md new file mode 100644 index 000000000..58e921727 --- /dev/null +++ b/docs/rfcs/seccomp-notify-network-enforcement.md 
@@ -0,0 +1,48 @@ +# seccomp-notify Network Enforcement for Platform Mode + +**Status:** Proposal +**Depends on:** Platform Mode (PR #12) +**Related:** NVIDIA/OpenShell#899, Landlock TCP port restriction (PR #13) + +## Goal + +Add kernel-level domain/IP filtering to Platform Mode using seccomp-notify +(SECCOMP_RET_USER_NOTIF). The supervisor intercepts connect(), sendto(), +and sendmsg() at the syscall dispatch boundary, evaluates the destination +against a DNS-pinned OPA allowlist, and performs the operation on behalf of +the child -- or denies it with EPERM. + +This provides mandatory, kernel-enforced domain filtering without any +capabilities, as an alternative to the Landlock TCP port restriction (PR #13) +which only filters by port. + +## When to use this vs Landlock TCP port restriction + +| | Landlock port (PR #13) | seccomp-notify (this) | +|---|---|---| +| Filters by | TCP port only | IP + port + domain | +| Proxy required | Yes (domain filtering at proxy) | No (domain filtering at syscall) | +| Overhead | Negligible (LSM hook) | ~35us per mediated syscall | +| Complexity | Low (~40 LOC) | High (~300-500 LOC) | +| Best for | Deployments WITH a proxy | Standalone WITHOUT a proxy | + +## Architecture + +The supervisor forks before exec'ing the agent. The child installs a seccomp +filter with SECCOMP_FILTER_FLAG_NEW_LISTENER. The parent handles notifications +asynchronously and performs on-behalf-of operations via pidfd_getfd(). + +## RHEL 9 / OpenShift 4.18 compatibility + +All required features available: SECCOMP_RET_USER_NOTIF (5.0), +SECCOMP_IOCTL_NOTIF_ADDFD (5.9), pidfd_getfd (5.6), crun SCMP_ACT_NOTIFY. + +## Effort + +~300-500 LOC, 2-3 weeks. + +## Reference + +- Sandlock: https://github.com/multikernel/sandlock +- Paper: https://arxiv.org/html/2605.26298v1 +- seccomp_unotify(2): https://www.man7.org/linux/man-pages/man2/seccomp_unotify.2.html
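Review bot: The "Architecture" section should state how the supervisor obtains the destination address and guards against the child changing it after the check. With SECCOMP_RET_USER_NOTIF the sockaddr lives in the child's memory; the supervisor has to copy it out once, validate the notification with SECCOMP_IOCTL_NOTIF_ID_VALID before acting, and then connect()/sendto() from its own copy, otherwise the "evaluates the destination ... performs the operation on behalf of the child" path is racy. Related: the compatibility list names both SECCOMP_IOCTL_NOTIF_ADDFD and pidfd_getfd() but the architecture only mentions pidfd_getfd(); say which one the on-behalf-of path uses (duplicating the child's socket with pidfd_getfd() vs. injecting a supervisor-created socket with ADDFD), since that decides whether the child's socket options survive. Finally, the "Goal" lists only connect(), sendto() and sendmsg(); the RFC should also say how the filter treats socket operations that do not go through those syscalls (e.g. io_uring), because the seccomp filter only sees the syscall dispatch boundary it names.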