Skip to content

Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly

Low severity GitHub Reviewed Published Oct 14, 2024 in landlock-lsm/go-landlock • Updated Oct 14, 2024

Package

gomod github.com/landlock-lsm/go-landlock (Go)

Affected versions

>= 0.0.0-20240109, < 0.0.0-20241013234402-fb3ad845df46

Patched versions

0.0.0-20241013234402-fb3ad845df46

Description

Impact

When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply:

  • They use Landlock rulesets that are supposed to restrict networking (through landlock.V4, landlock.V5, or self-configured).
  • These Landlock rulesets are used in best-effort mode.

Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):

err := landlock.V5.BestEffort().Restrict(...)
  • This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
  • The bug only affects networking restrictions. File system restrictions continue to work as expected.

Patches

Patched in: landlock-lsm/go-landlock@fb3ad84
Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46

Go package dependencies can be updated using go get -u from the project directory.

Projects on Github might get notified by Dependabot, once this advisory is public.

Workarounds

None.

References

Currently none.

The existing users of Go-Landlock on Github have the following bugs filed:

References

@gnoack gnoack published to landlock-lsm/go-landlock Oct 14, 2024
Published to the GitHub Advisory Database Oct 14, 2024
Reviewed Oct 14, 2024
Last updated Oct 14, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-vv6c-69r6-chg9
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.