feat(sandbox): seccomp-notify DNS-pinned allowlist for Platform mode#17
Open
Ladas wants to merge 1 commit into
Open
feat(sandbox): seccomp-notify DNS-pinned allowlist for Platform mode#17Ladas wants to merge 1 commit into
Ladas wants to merge 1 commit into
Conversation
Ladas
force-pushed
the
feat/seccomp-notify
branch
2 times, most recently
from
408aa3b to
2446c42
Compare
Ladas
force-pushed
the
feat/landlock-tcp-port
branch
from
9ec5718 to
179d108
Compare
Add kernel-level network syscall interception using SECCOMP_RET_USER_NOTIF for Platform mode. Provides mandatory, syscall-level enforcement without any capabilities. DnsPinnedAllowlist: resolve domains to IPs at sandbox creation, freeze for session lifetime (DNS rebinding prevention). BPF filter intercepts: connect, sendto, sendmsg, recvfrom, recvmsg, bind. Validates AUDIT_ARCH to prevent x32/compat ABI bypass. Linux syscall wrappers: notification fd ioctls, pidfd_open/pidfd_getfd for on-behalf-of operations (TOCTOU-safe), read_process_memory with read_exact (no short reads), sockaddr parser (correct endianness for sa_family, port, flowinfo), verify_socket_fd (mitigates fd-swap race), deny/allow_connect response helpers. Code review fixes applied across all PRs: - PR #15: gateway propagates network_enforcement to DriverSandboxSpec - PR #15: driver uses typed enum comparison (not magic integer) - PR #16: saturating_sub prevents underflow in Landlock skipped count - PR #16: warn!() on TCP port restriction failure (was debug) - PR #17: BPF arch check, recvfrom/recvmsg/bind interception, verify_socket_fd, read_exact, allow_connect rename, flowinfo endianness, safety comments on all unsafe blocks 8 tests. Compiles, 949 tests pass, clippy clean. Ref: NVIDIA#899
Ladas
force-pushed
the
feat/seccomp-notify
branch
from
2446c42 to
6078a8e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Foundation for kernel-level connect() interception using seccomp-notify.
Adds
DnsPinnedAllowlistmodule: resolves allowed domains to IPs atsandbox creation, freezes them for the session (prevents DNS rebinding).
The notification event loop and on-behalf-of operations (pidfd_getfd)
will be wired once OPA policy integration is complete.
Depends on: #16 (Landlock TCP port restriction) → #15 (Platform mode base)
2 files, +135 lines. 820 tests pass, clippy clean.
What this PR adds
DnsPinnedAllowlist: resolve domains, pin IPs, check connect targetsWhat's NOT in this PR (follow-up)
SECCOMP_FILTER_FLAG_NEW_LISTENER)pidfd_getfd()Ref: NVIDIA#899
Assisted-By: Claude Code