Skip to content

feat(run): seccomp loopback egress guard (Linux)#232

Merged
luca-iachini merged 13 commits into
mainfrom
fir-383-linux-loopback-guard
Jul 7, 2026
Merged

feat(run): seccomp loopback egress guard (Linux)#232
luca-iachini merged 13 commits into
mainfrom
fir-383-linux-loopback-guard

Conversation

@luca-iachini

Copy link
Copy Markdown
Contributor

What

Linux bwrap seccomp user-notify filter that traps the agent's connect(2) and blocks direct connections to any loopback address (127.0.0.0/8, ::1, IPv4-mapped) except the proxy bridge and DNS stub ports, returning EACCES. Catches direct sockets that bypass HTTP_PROXY.

Each block is reported to the Sidecar over the audit channel (PR #231) and recorded as a signed DENY / network.loopback / loopback blocked event, visible in firma monitor. Deny path is race-free; allow path uses SECCOMP_USER_NOTIF_FLAG_CONTINUE. Fails open with a warning if user-notify is unavailable — the private netns already isolates the agent, so the guard is defense-in-depth plus a direct-socket audit trail.

Stack

Based on #231 (audit channel). Part of the fir-383 split replacing #216.

Cross-platform run-audit channel: firma-core RunAuditEvent/RunAuditMessage,
sidecar out-of-band ingest listener, and CLI wiring that binds the control
socket when firma run provisions one. Also migrate two Windows-only
allow(unsafe_code)/expect_used lints to expect(...) with reasons.
Add the seccomp connect-notify egress guard and wire it into the bwrap
runtime: in-sandbox installer/runner (__egress-guarded-run), host-side
supervisor, routing env overrides, and the bwrap entrypoint. Add loopback
and raw TCP e2e coverage with a local TCP proxy and audit snapshots.
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Add deterministic coverage for gaps in the seccomp loopback guard:

- classify/is_loopback edges: IPv4-mapped non-loopback allowed, unspecified
  addresses allowed, DNS port allowed, empty allow-list blocks all loopback,
  external IP on unsanctioned port allowed.
- parse_sockaddr boundaries: exact AF_INET/AF_INET6 length cutoffs, empty
  buffer, big-endian port, IPv4-mapped-loopback parses as V6 and blocks.
- classify_notification: IPv6 loopback block, AF_UNIX allow, sanctioned DNS
  port allow.
- BPF arch/nr jump routing.
- SCM_RIGHTS fd transfer roundtrip and the no-fd error path.
- start() binds the control socket and Drop tears it down.
Comment thread crates/firma-run/src/egress_guard.rs Outdated
Base automatically changed from fir-383-run-audit to main July 7, 2026 12:05
@luca-iachini luca-iachini merged commit 3e846f2 into main Jul 7, 2026
15 checks passed
@luca-iachini luca-iachini deleted the fir-383-linux-loopback-guard branch July 7, 2026 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants