Replies: 1 comment

I wonder.
Dear community,
I'm already sandboxing for more than 6 years with firejail and think it's one of the best, maybe the best supported, projects on earth.
The current situation in fj is: if you want to prevent an application from network access to the outside world, you put netfilter in the profile, write the iptables config in the profile and use an extra network namespace.
The problem is, some server daemons shouldn't run in a network namespace, because you want to bind server apps directly to an IP address and not to a bridged network, as is the case with netfilter filtering using the iptables method.
But there is already a bpf lsm that closes exactly this gap, with which the server daemons no longer have to run in a bridged network and can bind directly to the network card without network namespaces.
https://eunomia.dev/tutorials/19-lsm-connect/
The last point is very important for our project.
It allows us to build an nginx server fj sandbox, as an example, without egress outbound connections to the outside world.
It's just an idea.
Important to mention: this method is based on the sandbox level and has nothing to do with the system's default iptables and nftables; it runs independently.
So you have the flexibility to give each application its own rule.
Please take this into account.
You can coordinate the feasibility and weigh up whether it makes sense.
Because not all apps should establish a connection to the internet - i.e. the outside world - just because they run in a safe environment, just because you feel safe.
Therefore, I find it justified to close this loophole so that no sockets can be built to the outside world without the bridged netfilter iptables method.
Of course, I also have sandboxes that are structured like this, but they are usually for some use cases that make sense.
With server daemons that listen directly on network cards, the method is not possible.
I would like to thank you very much.
Best regards
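To make the "current situation" the post describes concrete, here is a constructed example (not from the firejail project or the poster) of the netfilter approach it says is insufficient for daemons that must bind directly to the network card: the profile gives nginx its own network namespace bridged to eth0, and the iptables-restore file accepts inbound port 80 but drops every new outbound connection. The file paths and the interface name are assumptions.

```conf
# /etc/firejail/nginx.local  (constructed example; path and interface are assumptions)
# 'net eth0' puts the sandbox in its own network namespace attached to eth0,
# which is exactly the bridged setup the post wants to avoid for server daemons.
net eth0
# load the egress filter below inside that namespace
netfilter /etc/firejail/nginx-egress.net

# /etc/firejail/nginx-egress.net  (iptables-restore format, applied in the namespace only)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# keep loopback working for the daemon itself
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# accept clients on port 80 and let the replies out
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# no other OUTPUT rule: every new outbound connection from the sandbox is dropped
COMMIT
```

Because these rules live in the sandbox's own network namespace, they do not touch the host's default iptables/nftables tables, which is the per-application independence the post asks the bpf lsm approach to preserve.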