Page MenuHomePhabricator
Create Task
Maniphest T182490

Implement shell restriction alternative to NO_NETWORK that only allows HTTP(S) traffic
Open, Stalled, Needs TriagePublic
Actions

Description

If some command needs network access, most likely it wants HTTP(S) access. We can provide a netfilter configuration to firejail that only allows traffic to ports 80/443 so that way things like memcached are still protected.

Related Objects

Event Timeline

Legoktm created this task.Dec 9 2017, 10:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 9 2017, 10:28 AM
Legoktm mentioned this in T173370: Support restricted execution of external commands (via firejail).Dec 9 2017, 10:29 AM
Legoktm added a comment.Dec 9 2017, 10:44 AM

firejail comes with /etc/firejail/webserver.net, which is a filter that only allows port 80 and 443 traffic. However we also need to set up a network device, and I don't think firejail can do that by itself.

Legoktm changed the task status from Open to Stalled.Jul 8 2020, 6:42 AM

This is stalled on finding a command that actually needs only HTTP(S) network traffic.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL