GHSA-vv6c-69r6-chg9: Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
When using the recommended “best-effort” mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply:
- They use Landlock rulesets that are supposed to restrict networking (through
landlock.V4,landlock.V5, or self-configured). - These Landlock rulesets are used in best-effort mode.
Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):
err := landlock.V5.BestEffort().Restrict(...)
- This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
- The bug only affects networking restrictions. File system restrictions continue to work as expected.
References
Code Behaviors & Features
Detect and mitigate GHSA-vv6c-69r6-chg9 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →