Impact
When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply:
- They use Landlock rulesets that are supposed to restrict networking (through landlock.V4, landlock.V5, or self-configured).
- These Landlock rulesets are used in best-effort mode.
Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):
err := landlock.V5.BestEffort().Restrict(...)
- This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
- The bug only affects networking restrictions. File system restrictions continue to work as expected.
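As an added example (not code from the Go-Landlock project or from this advisory), a startup self-check that a sandboxed program can run right after the Restrict(...) call shown above: it attempts a TCP bind and a TCP connect on loopback addresses whose ports are not in its ruleset and classifies the outcome, so a ruleset whose network rules silently stopped being enforced is caught at startup rather than discovered in production. Verdict, classify and Probe are hypothetical names; the block uses only the standard library and assumes the caller has already applied the Landlock ruleset, which is why the Go-Landlock call itself does not appear in it.

```go
package main

import (
	"errors"
	"io"
	"net"
	"syscall"
	"time"
)

// Verdict classifies a TCP operation that the Landlock ruleset should forbid.
type Verdict int

const (
	Denied    Verdict = iota // EACCES: Landlock enforced the rule
	Allowed                  // the call succeeded: the rule is not in effect
	Unrelated                // other error (ECONNREFUSED, EADDRINUSE, ...): inconclusive
)

// classify maps the error of a bind()/connect() attempt to a Verdict. Landlock
// denies with EACCES; errors.Is unwraps *net.OpError / *os.SyscallError to it.
func classify(err error) Verdict {
	if err == nil {
		return Allowed
	}
	if errors.Is(err, syscall.EACCES) {
		return Denied
	}
	return Unrelated
}

// Probe performs one TCP operation ("bind" or "connect") on a loopback address
// whose port was NOT passed to landlock.BindTCP / landlock.ConnectTCP, so with
// the rules in force it must return Denied. Call it right after Restrict(...)
// and treat any other verdict as a fatal sandbox failure (fail closed).
func Probe(op, addr string) Verdict {
	var c io.Closer
	var err error
	if op == "bind" {
		c, err = net.Listen("tcp", addr)
	} else {
		c, err = net.DialTimeout("tcp", addr, time.Second)
	}
	if err == nil {
		c.Close() // only the verdict matters; never keep the socket
	}
	return classify(err)
}
```

A connect probe against a port with no listener returns Unrelated (ECONNREFUSED) when the rules are not enforced, which is why anything other than Denied, not only Allowed, should be treated as a failed sandbox.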
Patches
Patched in: fb3ad84
Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46
Go package dependencies can be updated using go get -u from the project directory.
Projects on Github might get notified by Dependabot, once this advisory is public.
Workarounds
None.
References
Currently none.
I went through the existing users of Go-Landlock on Github, sorted out which of them are affected, and filed the following bugs: