diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2876c24..7186c3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Fixed
+
+- Local sockets denied by network sandbox on Linux
+
 ## [0.3.0] - 2023-08-31
 
 ### Changed
diff --git a/src/linux/seccomp.rs b/src/linux/seccomp.rs
index 1f7d7ef..73bcfb1 100644
--- a/src/linux/seccomp.rs
+++ b/src/linux/seccomp.rs
@@ -56,6 +56,7 @@ impl NetworkFilter {
 SeccompCmpOp::Eq,
 libc::AF_UNIX as u64,
 )?;
+ let unix_rule = SeccompRule::new(vec![allow_unix])?;
 
 // Allow local IPC AF_NETLINK sockets.
 let allow_netlink = SeccompCondition::new(
@@ -64,8 +65,9 @@ impl NetworkFilter {
 SeccompCmpOp::Eq,
 libc::AF_NETLINK as u64,
 )?;
+ let netlink_rule = SeccompRule::new(vec![allow_netlink])?;
 
- let socket_rule = vec![SeccompRule::new(vec![allow_unix, allow_netlink])?];
+ let socket_rule = vec![unix_rule, netlink_rule];
 
 // Restrict socket creation to allowed socket domain types.
 rules.insert(libc::SYS_socketpair, socket_rule.clone());
diff --git a/tests/net.rs b/tests/net.rs
index 5f28d97..8261228 100644
--- a/tests/net.rs
+++ b/tests/net.rs
@@ -51,6 +51,20 @@ fn block_io_uring() {
 assert_eq!(IoError::last_os_error().kind(), IoErrorKind::PermissionDenied);
 }
 
+#[cfg(target_os = "linux")]
+#[test]
+fn allow_local_sockets() {
+ let birdcage = Birdcage::new().unwrap();
+ birdcage.lock().unwrap();
+
+ let fd = unsafe { libc::socket(libc::AF_UNIX, libc::SOCK_STREAM, 0) };
+ if fd < 0 {
+ panic!("AF_UNIX socket creation failed: {}", IoError::last_os_error());
+ }
+
+ unsafe { libc::close(fd) };
+}
+
 #[repr(C)]
 #[derive(Default)]
 struct IoUringParams {
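Review bot: The new `let socket_rule = vec![unix_rule, netlink_rule];` relies on a matching semantic that nothing in the code states. As far as I know, the seccompiler-style API used here ANDs the conditions inside one `SeccompRule` and ORs the rules listed for a syscall, which would explain why the old single rule holding both `Eq` conditions never matched. A comment next to the vector would record that, for example `// One rule per domain: conditions within a rule are ANDed, rules for a syscall are ORed.`, so a later cleanup does not merge the conditions back into one rule. The binding now holds several rules, so `socket_rules` would read more accurately than `socket_rule`. This applies to both seccomp.rs hunks; the enclosing function in `impl NetworkFilter` starts and ends outside them.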
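Review bot: `allow_local_sockets` pins only `socket(AF_UNIX, ...)`, while the fixed rule vector also allows AF_NETLINK and is inserted for `SYS_socketpair` (seccomp.rs hunk), so those paths stay untested. Add the same check for netlink, e.g. `let nl = unsafe { libc::socket(libc::AF_NETLINK, libc::SOCK_RAW, 0) };`, and a `libc::socketpair` call with `libc::AF_UNIX`. Because the change loosens a sandbox rule, the test should also assert after `lock()` that a domain outside the allow-list, such as `libc::AF_INET`, is still refused, unless another test in this file already covers that. The two `unsafe` blocks carry no `// SAFETY:` comment, and the return value of `libc::close(fd)` is ignored.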