feat(sandbox): Landlock TCP port restriction for mandatory proxy#16

Open
Ladas wants to merge 1 commit into feat/platform-mode from feat/landlock-tcp-port

Conversation

@Ladas Ladas commented Jun 12, 2026

Summary

Add Landlock ABI v4 TCP port restriction to Platform mode. Restricts
connect() to proxy port only (3128). All other ports return EACCES
at the kernel level. Makes the CONNECT proxy mandatory, not cooperative.

Depends on: #15 (Platform mode base)

1 file, +43/-3 lines. Compiles, tests pass, clippy clean.

Ref: NVIDIA#899

Assisted-By: Claude Code

When Platform mode is active, apply Landlock ABI v4 network rules to
restrict TCP connect to only the proxy port (default 3128). This makes
the loopback CONNECT proxy mandatory at the kernel level -- a process
calling connect() to any other port gets EACCES before any packet is
created.

This closes the cooperative proxy gap: without this, processes ignoring
HTTP_PROXY could bypass the proxy and connect directly. With this,
enforcement is at the kernel LSM layer (Tier 1), same as Landlock
filesystem restrictions.

Graceful degradation: if the kernel does not support Landlock ABI v4
(RHEL 9.5 or earlier), the network rules are silently skipped and
enforcement falls back to the cooperative proxy + NetworkPolicy.

1 file changed, +43/-3 lines. Compiles, tests pass, clippy clean.

Ref: NVIDIA#899
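As an added illustration of the mechanism the description above relies on (this is example code, not the PR's diff or the project's own sandbox code), the block below probes the Landlock ABI, gates network rules on ABI v4 or newer exactly as the graceful-degradation paragraph describes, and otherwise builds a ruleset that handles only `LANDLOCK_ACCESS_NET_CONNECT_TCP` with a single port rule for the proxy. The syscall numbers, constants and struct layouts are those of `uapi/linux/landlock.h`; the function and type names (`landlock_abi_version`, `supports_net_rules`, `restrict_tcp_connect_to`, `Enforcement`) are assumptions of this example, and the default port 3128 is the one stated in the PR.

```rust
use std::io;
use std::mem::size_of;
use std::os::raw::{c_int, c_long};
use std::ptr;

// Landlock syscall numbers (identical on every architecture).
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
const SYS_LANDLOCK_ADD_RULE: c_long = 445;
const SYS_LANDLOCK_RESTRICT_SELF: c_long = 446;

// Constants from uapi/linux/landlock.h (the ABI v4 network subset).
const LANDLOCK_CREATE_RULESET_VERSION: c_long = 1 << 0;
const LANDLOCK_ACCESS_NET_CONNECT_TCP: u64 = 1 << 1;
const LANDLOCK_RULE_NET_PORT: c_long = 2;
const PR_SET_NO_NEW_PRIVS: c_int = 38;

/// First Landlock ABI that understands `handled_access_net` and net port rules.
pub const NET_RULES_MIN_ABI: c_long = 4;

/// Mirrors `struct landlock_ruleset_attr` as of ABI v4 (16 bytes).
#[repr(C)]
#[allow(dead_code)]
pub struct LandlockRulesetAttr {
    handled_access_fs: u64,
    handled_access_net: u64,
}

/// Mirrors `struct landlock_net_port_attr` (16 bytes).
#[repr(C)]
#[allow(dead_code)]
pub struct LandlockNetPortAttr {
    allowed_access: u64,
    port: u64,
}

extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn prctl(option: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
}

/// Ask the kernel which Landlock ABI it implements.
/// `None` means Landlock is absent (ENOSYS) or disabled (EOPNOTSUPP).
pub fn landlock_abi_version() -> Option<c_long> {
    // SAFETY: a NULL attr with size 0 is exactly what the version query requires.
    let v = unsafe {
        syscall(SYS_LANDLOCK_CREATE_RULESET, ptr::null::<LandlockRulesetAttr>(), 0usize, LANDLOCK_CREATE_RULESET_VERSION)
    };
    if v < 0 { None } else { Some(v) }
}

/// The gate the PR describes: network rules need ABI v4 or newer.
pub fn supports_net_rules(abi: Option<c_long>) -> bool {
    match abi {
        Some(v) => v >= NET_RULES_MIN_ABI,
        None => false,
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Enforcement {
    /// connect() succeeds only toward `proxy_port`; every other TCP port gets EACCES.
    Enforced { proxy_port: u16 },
    /// Kernel too old: caller falls back to the cooperative proxy + NetworkPolicy.
    SkippedUnsupported,
}

/// Restrict this process (and every child it spawns afterwards) so that TCP
/// connect() is only allowed toward `proxy_port`. bind(), UDP and Unix sockets
/// are untouched because only LANDLOCK_ACCESS_NET_CONNECT_TCP is handled.
pub fn restrict_tcp_connect_to(proxy_port: u16) -> io::Result<Enforcement> {
    if !supports_net_rules(landlock_abi_version()) {
        return Ok(Enforcement::SkippedUnsupported);
    }
    let attr = LandlockRulesetAttr { handled_access_fs: 0, handled_access_net: LANDLOCK_ACCESS_NET_CONNECT_TCP };
    // SAFETY: attr is a fully initialised repr(C) struct and the size passed matches it.
    let fd = unsafe {
        syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const LandlockRulesetAttr, size_of::<LandlockRulesetAttr>(), 0 as c_long)
    };
    if fd < 0 {
        return Err(io::Error::last_os_error());
    }
    let fd = fd as c_int;
    let rule = LandlockNetPortAttr { allowed_access: LANDLOCK_ACCESS_NET_CONNECT_TCP, port: proxy_port as u64 };
    let result = (|| {
        // SAFETY: rule outlives the call; fd is the ruleset fd created above.
        if unsafe { syscall(SYS_LANDLOCK_ADD_RULE, fd as c_long, LANDLOCK_RULE_NET_PORT, &rule as *const LandlockNetPortAttr, 0 as c_long) } < 0 {
            return Err(io::Error::last_os_error());
        }
        // Landlock refuses to restrict a process that could still regain privileges via setuid/capabilities.
        if unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1 as c_long, 0 as c_long, 0 as c_long, 0 as c_long) } != 0 {
            return Err(io::Error::last_os_error());
        }
        if unsafe { syscall(SYS_LANDLOCK_RESTRICT_SELF, fd as c_long, 0 as c_long) } < 0 {
            return Err(io::Error::last_os_error());
        }
        Ok(Enforcement::Enforced { proxy_port })
    })();
    // SAFETY: fd is owned by this function and closed exactly once.
    unsafe { close(fd) };
    result
}

fn main() {
    match landlock_abi_version() {
        Some(v) if v >= NET_RULES_MIN_ABI => println!("Landlock ABI v{}: TCP port rules available", v),
        Some(v) => println!("Landlock ABI v{}: too old for network rules, falling back", v),
        None => println!("Landlock unavailable, falling back"),
    }
}
```

Two practical points follow from the ruleset shape. First, `restrict_tcp_connect_to` is irreversible for the calling process and inherited by its children, so the loopback proxy listener itself has to be started outside the restricted process; once the rule is in place, loopback connects to any port other than the proxy port fail with EACCES as well. Second, the `Err` path is where the "warn!() on TCP port restriction failure" review fix applies: a kernel that reports ABI v4 but still rejects the ruleset should be logged at warning level, because the sandbox is then running with only the cooperative fallback.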
@Ladas Ladas force-pushed the feat/landlock-tcp-port branch from 9ec5718 to 179d108 Compare June 12, 2026 16:26
Ladas added a commit that referenced this pull request Jun 12, 2026
Add kernel-level network syscall interception using SECCOMP_RET_USER_NOTIF
for Platform mode. Provides mandatory, syscall-level enforcement without
any capabilities.

DnsPinnedAllowlist: resolve domains to IPs at sandbox creation, freeze
for session lifetime (DNS rebinding prevention).

BPF filter intercepts: connect, sendto, sendmsg, recvfrom, recvmsg,
bind. Validates AUDIT_ARCH to prevent x32/compat ABI bypass.

Linux syscall wrappers: notification fd ioctls, pidfd_open/pidfd_getfd
for on-behalf-of operations (TOCTOU-safe), read_process_memory with
read_exact (no short reads), sockaddr parser (correct endianness for
sa_family, port, flowinfo), verify_socket_fd (mitigates fd-swap race),
deny/allow_connect response helpers.

Code review fixes applied across all PRs:
- PR #15: gateway propagates network_enforcement to DriverSandboxSpec
- PR #15: driver uses typed enum comparison (not magic integer)
- PR #16: saturating_sub prevents underflow in Landlock skipped count
- PR #16: warn!() on TCP port restriction failure (was debug)
- PR #17: BPF arch check, recvfrom/recvmsg/bind interception,
  verify_socket_fd, read_exact, allow_connect rename, flowinfo
  endianness, safety comments on all unsafe blocks

8 tests. Compiles, 949 tests pass, clippy clean.

Ref: NVIDIA#899