Landlock Tcp Port Control
Landlock can restrict the use of connect(2) and bind(2) with TCP ports.
⚠️ Known issues
Multipath-TCP is not covered
By creating a Multipath-TCP socket, server processes can side-step the bind(2) restriction and still expose a socket which single-path TCP clients can connect to. (🐞 https://github.com/landlock-lsm/linux/issues/54)
listen(2) without bind(2) also works
You can also call listen(2) without doing a bind(2) first. (The kernel will assign an ephemeral port.)
API
struct landlock_ruleset_attr is extended by the new field:
__u64 handled_access_net;
with the possible access rights:
LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port.
LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to a remote port.
When these are passed during ruleset creation, the use of bind(2) and connect(2) for TCP sockets will be forbidden by default when the ruleset is enforced.
To add an exception for a specific TCP port, fill the struct landlock_net_port_attr:
struct landlock_net_port_attr {
__u64 allowed_access;
__u64 port;
};
and add it as an exception to the ruleset using landlock_add_rule(2).
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &attr, 0);
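The steps above end to end, as an added example that is not part of this wiki page or of the Landlock project: a forked child handles LANDLOCK_ACCESS_NET_BIND_TCP, adds one port exception with LANDLOCK_RULE_NET_PORT, enforces the ruleset, and then checks that bind(2) on another port fails with EACCES while the allowed port still binds. The LL_* names and the two ll_* structs are local mirrors of the UAPI definitions (chosen so the file also builds against older headers), and landlock_net_supported/demo_bind_policy/try_bind are names assumed here.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Local mirrors of the Landlock UAPI (linux/landlock.h, ABI v4) so this also
 * builds against older headers; the syscall numbers are the same on every arch. */
#define LL_CREATE_RULESET 444
#define LL_ADD_RULE 445
#define LL_RESTRICT_SELF 446
#define LL_VERSION_FLAG (1U << 0)       /* LANDLOCK_CREATE_RULESET_VERSION */
#define LL_RULE_NET_PORT 2              /* LANDLOCK_RULE_NET_PORT */
#define LL_NET_BIND_TCP (1ULL << 0)     /* LANDLOCK_ACCESS_NET_BIND_TCP */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access, port; };

/* 1 if the running kernel speaks the network ABI (Landlock ABI >= 4), else 0. */
int landlock_net_supported(void) {
    return syscall(LL_CREATE_RULESET, NULL, 0, LL_VERSION_FLAG) >= 4;
}
static int try_bind(uint16_t port) {        /* 0 on success, otherwise errno */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) ? errno : 0;
    close(fd);
    return rc;
}
/* Fork a child that handles BIND_TCP, allows only `allowed`, enforces, then probes.
 * Returns -1 if Landlock could not be enforced here, 0 if the policy behaved
 * (other -> EACCES, allowed bound), 1 if `other` was NOT denied, 2/3 for
 * environmental failures (allowed port unavailable / unexpected errno). */
int demo_bind_policy(uint16_t allowed, uint16_t other) {
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        struct ll_ruleset_attr rs = { .handled_access_net = LL_NET_BIND_TCP };
        struct ll_net_port_attr rule = { .allowed_access = LL_NET_BIND_TCP, .port = allowed };
        int fd = landlock_net_supported() ? (int)syscall(LL_CREATE_RULESET, &rs, sizeof rs, 0) : -1;
        if (fd < 0 || syscall(LL_ADD_RULE, fd, LL_RULE_NET_PORT, &rule, 0) ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(LL_RESTRICT_SELF, fd, 0))
            _exit(255);                     /* could not set up or enforce the ruleset */
        int denied = try_bind(other), granted = try_bind(allowed);
        _exit(denied == 0 ? 1 : denied != EACCES ? 3 : granted == 0 ? 0 : 2);
    }
    int status = 0; waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) != 255) ? WEXITSTATUS(status) : -1;
}
```

The probe runs in a child because landlock_restrict_self(2) is irreversible for the calling thread and its descendants.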
Example
This is partially discussed in the LandlockTcpServerExample.