python · nono-pyHeads-up
nono-py: Missing proxy-only enforcement fallback on kernels without Landlock network support
On Linux kernels without Landlock network support (ABI v4 / Linux <6.
What changed
On Linux kernels without Landlock network support (ABI v4 / Linux <6.7), nono-py's sandboxed_exec() did not supervise the seccomp-notify proxy-only fallback, allowing a sandboxed child to bypass proxy-only enforcement by removing proxy environment variables or using raw sockets.
Who it affects
Users of nono-py on Linux kernels <6.7 who use sandboxed_exec() with proxy_only() capability set.
What to do today
Update nono-py to the fixed version that includes supervised fallback for proxy-only enforcement on older kernels.
The trail
Collected→
Audited→
Written→
Published