mirror/rustnet
1
0
Fork 0
mirror of https://github.com/domcyrus/rustnet.git synced 2025-12-30 10:29:50 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
4c02a302d873ef04e67655b71cd822c425c9c8c3
rustnet/SECURITY.md
Marco Cadetg 5a059a3a12 feat: add Landlock sandbox and capability dropping for Linux (#86) 
* feat: add Landlock sandbox and capability dropping for Linux

- Restrict filesystem access to /proc only after initialization
- Block TCP bind/connect on kernel 6.4+ (network sandbox)
- Drop CAP_NET_RAW after pcap handle opened
- Add --no-sandbox and --sandbox-strict CLI options
- Show privilege info on non-Linux platforms in UI
- Add SECURITY.md documentation

* fix: remove unused set_sandbox_info and hide Landlock line on non-Linux

* fix: gate SandboxInfo to Linux only to fix clippy warnings

* fix: add is_admin() function for Windows builds

The Windows build was failing because ui.rs called crate::is_admin()
but the function didn't exist. Added the implementation using Windows
Security API to check if the process has elevated privileges.

Also added Win32_Security feature to windows crate dependencies.

* fix: add is_admin() to main.rs for Windows binary crate

The previous fix added is_admin() to lib.rs but ui.rs is compiled
as part of the binary crate (main.rs), not the library crate.
Added the function to main.rs so crate::is_admin() resolves correctly.
2025-12-06 17:50:21 +01:00

5.5 KiB
Raw Blame History

Security

RustNet processes untrusted network data, making defense-in-depth security critical. This document describes the security measures implemented.

Table of Contents

Landlock Sandboxing (Linux)

On Linux 5.13+, RustNet uses Landlock to restrict its own capabilities after initialization. This limits the damage if a vulnerability in packet parsing is exploited.

What Gets Restricted

Restriction Kernel Version Description
Filesystem 5.13+ Only /proc readable (for process identification)
Network 6.4+ TCP bind/connect blocked (RustNet is passive)
Capabilities Any CAP_NET_RAW dropped after pcap socket opened

How It Works

  1. Initialization phase: RustNet loads eBPF programs, opens packet capture handles, and creates log files
  2. Sandbox application: After init, Landlock restricts filesystem and network access
  3. Capability drop: CAP_NET_RAW is removed from the process (existing pcap socket remains valid)

Security Benefits

If an attacker exploits a vulnerability in DPI/packet parsing:

  • Cannot read arbitrary files (credentials, configs, etc.)
  • Cannot write to filesystem (except configured log paths)
  • Cannot make outbound TCP connections (data exfiltration blocked)
  • Cannot bind TCP ports (reverse shell blocked)
  • Cannot create new raw sockets (capability dropped)

CLI Options

--no-sandbox        Disable Landlock sandboxing
--sandbox-strict    Require full sandbox enforcement or exit

Graceful Degradation

  • Kernel < 5.13: Sandboxing skipped, warning logged
  • Kernel 5.13-6.3: Filesystem restrictions only
  • Kernel 6.4+: Full filesystem + network restrictions
  • Docker: May be blocked by seccomp; app continues normally

Privilege Requirements

RustNet requires privileged access for packet capture:

Platform Requirement
Linux CAP_NET_RAW capability or root
macOS Root or BPF group membership (access_bpf group)
Windows Administrator (for Npcap)
FreeBSD Root or BPF device access

Why Privileges Are Needed

  • Raw socket access - Intercept network traffic at low level (read-only, non-promiscuous mode)
  • BPF device access - Load packet filters into kernel
  • eBPF programs - Optional kernel probes for enhanced process tracking (Linux only)

Recommended: Capability-based Execution (Linux)

Instead of running as root, grant only the required capabilities:

# Modern Linux (5.8+): packet capture + eBPF
sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon=eip' $(which rustnet)

# Legacy Linux (pre-5.8): packet capture + eBPF
sudo setcap 'cap_net_raw,cap_sys_admin=eip' $(which rustnet)

# Packet capture only (no eBPF process detection)
sudo setcap cap_net_raw=eip $(which rustnet)

After sandbox application, CAP_NET_RAW is dropped - the process retains only the minimum privileges needed.

Read-Only Operation

RustNet only monitors traffic; it does not:

  • Modify packets
  • Block connections
  • Inject traffic
  • Alter routing tables
  • Change firewall rules

The packet capture is opened in non-promiscuous, read-only mode.

No External Communication

RustNet operates entirely locally:

  • No telemetry or analytics
  • No network requests (except monitored traffic)
  • No cloud services or remote APIs
  • All data stays on your system

Log File Privacy

Log files may contain sensitive information:

  • IP addresses and ports
  • Hostnames and SNI data
  • Process names and PIDs
  • DNS queries and responses

Best Practices:

  • Disable logging by default (no --log-level flag)
  • Secure log directory permissions
  • Implement log rotation and retention policies
  • Review logs for sensitive data before sharing

eBPF Security

When using eBPF for enhanced process detection (default on Linux):

  • Requires additional kernel capabilities (CAP_BPF, CAP_PERFMON)
  • eBPF programs are verified by kernel before loading
  • Limited to read-only operations (no packet modification)
  • Automatically falls back to procfs if eBPF fails

Threat Model

What RustNet protects against:

  • Unauthorized users cannot capture packets without proper permissions
  • Capability-based permissions limit blast radius of compromise
  • Landlock sandbox contains potential exploitation

What RustNet does NOT protect against:

  • Users with packet capture permissions can see all unencrypted traffic
  • Root/Administrator users can modify RustNet or capture packets directly
  • Physical access to the machine enables packet capture
  • Network-level attacks (RustNet is a monitoring tool, not a security appliance)

Audit and Compliance

For production environments:

  • Audit logging of who runs RustNet with packet capture privileges
  • Network monitoring policies and compliance with data protection regulations
  • User access reviews for privileged network access
  • Automated capability management via configuration management systems

Reporting Security Issues

Please report security vulnerabilities via GitHub Issues or contact the maintainers directly.

Reference in New Issue View Git Blame Copy Permalink