GHSA-vv6c-69r6-chg9

Impact

When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply:

• They use Landlock rulesets that are supposed to restrict networking (through landlock.V4, landlock.V5, or self-configured).
• These Landlock rulesets are used in best-effort mode.

Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):

err := landlock.V5.BestEffort().Restrict(...)

• This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
• The bug only affects networking restrictions. File system restrictions continue to work as expected.

Patches

Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46

Go package dependencies can be updated using go get -u from the project directory.

Projects on Github might get notified by Dependabot, once this advisory is public.

Workarounds

None.

References

Currently none.

The existing users of Go-Landlock on Github have the following bugs filed: * https://github.com/Foxboron/ssh-the-planet/issues/1 * https://github.com/ngergs/websrv/issues/15 * https://github.com/pufferffish/wireproxy/issues/142