
Secure wireproxy with landlock #105

@ghost

Description

For parity with OpenBSD (see #104), wireproxy should lock itself down after it finishes reading the config and prevent itself from doing any unnecessary IO actions. Currently, on OpenBSD, wireproxy would allow itself to perform DNS requests, networking operations, and printing to stdout/stderr.

Similar functionality can be added on Linux now that landlock has been merged into the kernel; this library seems to let us do landlock in Golang and seems to be owned by the authors of landlock.

With landlock, we can further lock down what networking operations are allowed by locking down which TCP ports are used. wireproxy only sends TCP requests if:

  1. it is listening on specific ports because of TCPClientTunnel, Socks5, http
  2. it is connecting to specific ports because of TCPServerTunnel

It would be nice if this feature also supported kernels from before landlock support was added, probably via seccomp? But seccomp seems to be extremely complicated to work with.
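The port policy sketched above, as an added example that is not part of the issue, of wireproxy, or of go-landlock: it derives the allow-list from a config (the `Config` type and its field names are a hypothetical stand-in for wireproxy's real config, modelling only the sections that open kernel TCP sockets), probes the kernel's Landlock ABI so the "older kernel" case can be detected at startup, and enforces the TCP rules through the raw `landlock_*` syscalls rather than the library linked in the issue, so it has no module dependency. Two caveats the code comments repeat: Landlock's network rules (ABI 4, Linux 6.7) cover only TCP bind and connect, so the WireGuard UDP socket and UDP DNS are outside their scope; and `landlock_restrict_self` and `PR_SET_NO_NEW_PRIVS` apply to the calling thread only, which in a multi-threaded Go process means the policy must be applied on every thread (go-landlock does that for you) for it to be meaningful.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"syscall"
	"unsafe"
)

// Landlock syscall numbers and UAPI constants (include/uapi/linux/landlock.h).
const (
	sysLandlockCreateRuleset     = 444
	sysLandlockAddRule           = 445
	sysLandlockRestrictSelf      = 446
	landlockCreateRulesetVersion = 1 << 0 // flag: report the ABI version instead of creating a ruleset
	landlockRuleNetPort          = 2      // rule type for TCP port rules (ABI >= 4)
	landlockAccessNetBindTCP     = 1 << 0
	landlockAccessNetConnectTCP  = 1 << 1
	landlockABINet               = 4  // first ABI version with network rules (TCP only)
	prSetNoNewPrivs              = 38 // prctl option that landlock_restrict_self requires
)

type rulesetAttr struct{ handledAccessFS, handledAccessNet uint64 } // struct landlock_ruleset_attr (ABI 4 layout)
type netPortAttr struct{ allowedAccess, port uint64 }                // struct landlock_net_port_attr

// Config is a constructed stand-in for wireproxy's config (hypothetical field names):
// TCPClientTunnels, Socks5 and HTTP are local bind addresses; TCPServerTunnels are connect targets.
type Config struct{ TCPClientTunnels, Socks5, HTTP, TCPServerTunnels []string }

// AllowedPorts derives the minimal TCP policy: the ports the listeners bind and the
// ports the server tunnels connect to, deduplicated in config order. Nothing else is allowed.
func AllowedPorts(c Config) (bind, connect []uint16, err error) {
	local := append(append(append([]string{}, c.TCPClientTunnels...), c.Socks5...), c.HTTP...)
	out := [2][]uint16{{}, {}}
	for i, addrs := range [][]string{local, c.TCPServerTunnels} {
		seen := map[uint16]bool{}
		for _, a := range addrs {
			_, p, err := net.SplitHostPort(a)
			if err != nil {
				return nil, nil, err
			}
			n, err := strconv.ParseUint(p, 10, 16) // rejects ports outside 0..65535
			if err != nil {
				return nil, nil, fmt.Errorf("%s: %w", a, err)
			}
			if !seen[uint16(n)] {
				seen[uint16(n)] = true
				out[i] = append(out[i], uint16(n))
			}
		}
	}
	return out[0], out[1], nil
}

// LandlockABI returns the kernel's Landlock ABI version, or 0 when Landlock is
// unavailable (ENOSYS: not in this kernel; EOPNOTSUPP: built but disabled).
func LandlockABI() (int, error) {
	abi, _, e := syscall.Syscall(sysLandlockCreateRuleset, 0, 0, landlockCreateRulesetVersion)
	if e == syscall.ENOSYS || e == syscall.EOPNOTSUPP {
		return 0, nil
	} else if e != 0 {
		return 0, e
	}
	return int(abi), nil
}

// RestrictTCP enforces the policy on the calling OS thread. It returns false without
// an error when the kernel has no network Landlock (ABI < 4), so the caller can log the gap.
func RestrictTCP(bind, connect []uint16) (bool, error) {
	if abi, err := LandlockABI(); err != nil || abi < landlockABINet {
		return false, err
	}
	attr := rulesetAttr{handledAccessNet: landlockAccessNetBindTCP | landlockAccessNetConnectTCP}
	fd, _, e := syscall.Syscall(sysLandlockCreateRuleset, uintptr(unsafe.Pointer(&attr)), unsafe.Sizeof(attr), 0)
	if e != 0 {
		return false, fmt.Errorf("landlock_create_ruleset: %w", e)
	}
	defer syscall.Close(int(fd))
	for i, ports := range [][]uint16{bind, connect} {
		access := []uint64{landlockAccessNetBindTCP, landlockAccessNetConnectTCP}[i]
		for _, p := range ports {
			rule := netPortAttr{allowedAccess: access, port: uint64(p)}
			if _, _, e := syscall.Syscall6(sysLandlockAddRule, fd, landlockRuleNetPort, uintptr(unsafe.Pointer(&rule)), 0, 0, 0); e != 0 {
				return false, fmt.Errorf("landlock_add_rule(port %d): %w", p, e)
			}
		}
	}
	// Both calls act on the calling thread only; a multi-threaded Go process needs
	// them applied on every thread (go-landlock takes care of that).
	if _, _, e := syscall.Syscall(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0); e != 0 {
		return false, fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS): %w", e)
	}
	if _, _, e := syscall.Syscall(sysLandlockRestrictSelf, fd, 0, 0); e != 0 {
		return false, fmt.Errorf("landlock_restrict_self: %w", e)
	}
	return true, nil
}

func main() {
	bind, connect, _ := AllowedPorts(Config{Socks5: []string{"127.0.0.1:1080"}, TCPServerTunnels: []string{"127.0.0.1:22"}})
	enforced, err := RestrictTCP(bind, connect)
	fmt.Println("bind:", bind, "connect:", connect, "enforced:", enforced, "err:", err)
}
```

Run as a normal user on a 6.7+ kernel with Landlock enabled, the daemon thread that applied the ruleset can still listen on 1080 and connect to port 22, while any other `bind(2)` or `connect(2)` on a TCP socket fails with EACCES; on an older kernel `RestrictTCP` reports `enforced=false` with no error, which is exactly the point at which a seccomp-based fallback, if one is ever written, would take over.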

Labels: enhancement (New feature or request)