Landlock Network Port Control

Landlock can restrict the use of connect(2) and bind(2) with TCP ports. This needs Landlock ABI version 4 or later (Linux 6.7); the rules are keyed on the port number only, not on the address, and only TCP sockets are covered (UDP and other socket types are not restricted by these access rights).

Remark: An upcoming patch set would change these semantics slightly. Today a bind(2) or connect(2) call is checked against the Landlock domain of the calling thread; with that patch set, it would be checked against the Landlock domain the socket was created in: Patch set

API

struct landlock_ruleset_attr is extended by the new field:

__u64 handled_access_net;

with the possible access rights:

LANDLOCK_ACCESS_NET_BIND_TCP: bind a TCP socket to a local port.
LANDLOCK_ACCESS_NET_CONNECT_TCP: connect a TCP socket to a remote port.

When these are passed in handled_access_net during ruleset creation, the corresponding use of bind(2) and connect(2) on TCP sockets is denied by default once the ruleset is enforced. Only the access rights that are handled are restricted: a ruleset that handles just LANDLOCK_ACCESS_NET_BIND_TCP leaves connect(2) unrestricted.

To add an exception for a specific TCP port, fill the struct landlock_net_port_attr:

struct landlock_net_port_attr {
        __u64 allowed_access;   /* LANDLOCK_ACCESS_NET_* bits; must be a subset of handled_access_net */
        __u64 port;             /* TCP port number, in host byte order (not htons()) */
};

and add it as an exception to the ruleset using landlock_add_rule(2) with the rule type LANDLOCK_RULE_NET_PORT. One rule covers one port; a port that needs both bind(2) and connect(2) can carry both bits in allowed_access, and the same port can also be added in several rules (their access rights are merged). glibc provides no wrapper for the Landlock system calls, so in practice the call is made through syscall(2) with SYS_landlock_add_rule:

landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &attr, 0);

Example

This is partially discussed in the LandlockTcpServerExample.
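The following program is an added, self-contained example and is not code from this page or from the Landlock project. It creates a ruleset that handles both TCP access rights, allows bind(2) only on one port and connect(2) only on another, enforces it on the calling thread, and then probes the result on the loopback interface. The port numbers (41337 to 41340) are arbitrary choices for the demonstration; the syscall wrappers and the fallback definitions for pre-6.7 UAPI headers mirror the kernel's own sample code and are not part of any libc API.

```c
/* Added example: TCP port sandbox with Landlock (ABI >= 4, Linux 6.7).
 * Build: cc -Wall -o landlock_ports landlock_ports.c && ./landlock_ports */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for UAPI headers older than Linux 6.7: same values and layout
 * as linux/landlock.h at ABI v4 (the kernel identifies the ruleset struct
 * by its size, so the two-field layout is what a 6.7 header gives). */
#ifndef LANDLOCK_ACCESS_NET_BIND_TCP
#define LANDLOCK_ACCESS_NET_BIND_TCP    (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LANDLOCK_RULE_NET_PORT 2
struct landlock_net_port_attr { __u64 allowed_access; __u64 port; };
struct landlock_ruleset_attr_v4 { __u64 handled_access_fs; __u64 handled_access_net; };
#define landlock_ruleset_attr landlock_ruleset_attr_v4
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* glibc has no wrappers for the Landlock syscalls; these are thin ones. */
static inline int landlock_create_ruleset(const void *attr, size_t size, __u32 flags)
{ return syscall(__NR_landlock_create_ruleset, attr, size, flags); }
static inline int landlock_add_rule(int fd, int type, const void *rule, __u32 flags)
{ return syscall(__NR_landlock_add_rule, fd, type, rule, flags); }
static inline int landlock_restrict_self(int fd, __u32 flags)
{ return syscall(__NR_landlock_restrict_self, fd, flags); }

/* Returns the kernel's Landlock ABI version, or -1 (errno set) if Landlock
 * is unavailable.  TCP port rules need version 4 or later. */
int landlock_abi_version(void)
{
	return landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
}

/* Restricts the calling thread so that TCP bind(2) is allowed only on
 * bind_port and TCP connect(2) only on connect_port.  Returns 0, or -1
 * with errno set (EOPNOTSUPP when the kernel lacks ABI v4). */
int sandbox_tcp_ports(uint16_t bind_port, uint16_t connect_port)
{
	struct landlock_ruleset_attr ruleset_attr = {
		.handled_access_fs = 0,   /* filesystem left alone in this example */
		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
	};
	/* allowed_access must be a subset of handled_access_net; port is in
	 * host byte order. */
	struct landlock_net_port_attr bind_rule = {
		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, .port = bind_port };
	struct landlock_net_port_attr connect_rule = {
		.allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, .port = connect_port };
	int fd, saved_errno;

	if (landlock_abi_version() < 4) {
		errno = EOPNOTSUPP;
		return -1;
	}
	fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
	if (fd < 0)
		return -1;
	if (landlock_add_rule(fd, LANDLOCK_RULE_NET_PORT, &bind_rule, 0) ||
	    landlock_add_rule(fd, LANDLOCK_RULE_NET_PORT, &connect_rule, 0) ||
	    /* Required for unprivileged callers before enforcing a ruleset. */
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    landlock_restrict_self(fd, 0)) {
		saved_errno = errno;
		close(fd);
		errno = saved_errno;
		return -1;
	}
	close(fd);
	return 0;
}

/* Binds a fresh TCP socket to 127.0.0.1:port.  Returns 0 on success or the
 * errno of the failing call: EACCES is what a Landlock denial looks like. */
int try_bind_tcp(uint16_t port)
{
	struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
				   .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
	int fd = socket(AF_INET, SOCK_STREAM, 0), ret = 0;

	if (fd < 0)
		return errno;
	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
		ret = errno;
	close(fd);
	return ret;
}

/* Connects a fresh TCP socket to 127.0.0.1:port.  Nothing listens there, so
 * an allowed port yields ECONNREFUSED while a denied port yields EACCES
 * (Landlock rejects the call before any packet is sent). */
int try_connect_tcp(uint16_t port)
{
	struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
				   .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
	int fd = socket(AF_INET, SOCK_STREAM, 0), ret = 0;

	if (fd < 0)
		return errno;
	if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
		ret = errno;
	close(fd);
	return ret;
}

int main(void)
{
	const uint16_t bind_ok = 41337, bind_no = 41338, conn_ok = 41339, conn_no = 41340;
	int abi = landlock_abi_version();

	if (abi < 4) {
		fprintf(stderr, "Landlock ABI %d: TCP port rules need ABI >= 4 (Linux 6.7)\n", abi);
		return 1;
	}
	if (sandbox_tcp_ports(bind_ok, conn_ok)) {
		perror("sandbox_tcp_ports");
		return 1;
	}
	printf("bind    %u: %s\n", bind_ok, strerror(try_bind_tcp(bind_ok)));
	printf("bind    %u: %s\n", bind_no, strerror(try_bind_tcp(bind_no)));
	printf("connect %u: %s\n", conn_ok, strerror(try_connect_tcp(conn_ok)));
	printf("connect %u: %s\n", conn_no, strerror(try_connect_tcp(conn_no)));
	return 0;
}
```

The ABI check comes first because a pre-6.7 kernel does not know the handled_access_net field and rejects the larger struct; checking the version and degrading gracefully is the pattern to use in real programs. Note that the restriction is per thread and inherited by children: once sandbox_tcp_ports() has returned, every later bind(2) and connect(2) on a TCP socket in this process (and in anything it exec's) goes through the rules above.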