fixup! Deny outbound connections; clean up capabilities

- Document what netlink is and why it's needed - Allow TCP connections, but not establishing outbound ones - Split apart capability lines into two blocks for easier commenting
edx · Feb 14, 2025 · 260f966 · 260f966
1 parent edeeaea
commit 260f966
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/codejail.profile b/codejail.profile
@@ -40,13 +40,18 @@ profile codejail_service flags=(mediate_deleted) {
     # Filesystem access -- self-explanatory
     file,
 
-    # `network` is required for sudo
-    # TODO: Restrict this so that general network access is not permitted
-    network,
+    # netlink is needed for sudo's interprocess communication
+    network netlink raw,
 
-    # Various capabilities required for sudoing to sandbox (setuid,
-    # setgid, audit_write) and for sending a kill signal (kill).
-    capability setuid setgid audit_write kill,
+    # Allow all of the various network operations required to listen, accept connection, etc.
+    network tcp,
+    # But then deny making a new *outbound* connection.
+    deny network (connect) tcp,
+
+    # Required for sudoing to sandbox
+    capability setuid setgid audit_write,
+    # Allow sending a kill signal
+    capability kill,
 
     # Allow sending a kill signal to the sandbox when the execution
     # runs beyond time limits.