Page MenuHomePhabricator

Implement shell restriction alternative to NO_NETWORK that only allows HTTP(S) traffic
Open, Stalled, Needs TriagePublic


If some command needs network access, most likely it wants HTTP(S) access. We can provide a netfilter configuration to firejail that only allows traffic to ports 80/443 so that way things like memcached are still protected.

Event Timeline

firejail comes with /etc/firejail/, which is a filter that only allows port 80 and 443 traffic. However we also need to set up a network device, and I don't think firejail can do that by itself.

Legoktm changed the task status from Open to Stalled.Jul 8 2020, 6:42 AM

This is stalled on finding a command that actually needs only HTTP(S) network traffic.