More fine-grained network(-bind) interface

Both network and network-bind interfaces should optionally allow more fine-grained network access. Specifically, it should be possible to limit what ports a program should be allowed to listen on and what ports it should be able to connect to.

CASE1: We have multiple snaps on our system. Snap A exposes multiple ports. Snap B should be only able to connect to port 9003 and Snap C should only be able to connect to 9004.

The network(-bind) interfaces should also optionally allow listening on localhost only AND talking to services on localhost only.


If we were to do this, there's a catch about having the right technology available to achieve that. I don't think AppArmor fine-grained network mediation is at this stage. If I recall correctly there's a way to attach a BPF program to various inet4/inet6 hooks, though this may require cgroup v2; the hooks should allow basic mediation of ports and addresses a process can connect to.

FWIW I think we should stay away from the complexities of the network namespace.

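The cgroup BPF mediation mentioned above, as an added example that is not code from the thread or from snapd: a `cgroup/connect4` program implementing the CASE1 policy for "Snap B" (TCP connects allowed only to localhost port 9003). The port, the loopback-only rule and the `check_connect4` host harness are assumptions made for this example; the kernel presents `user_ip4`/`user_port` in network byte order.

```c
#include <linux/bpf.h>
#include <linux/in.h>

#ifdef __bpf__
#define SEC(name) __attribute__((section(name), used))  /* real build: clang -O2 -target bpf */
#else
#define SEC(name)                                      /* host build, for unit testing only */
#endif

/* Constructed policy for "Snap B": only 127.0.0.0/8 on TCP port 9003 is reachable. */
#define ALLOWED_PORT 9003U
#define LOOPBACK_NET 127U

/* user_ip4 and user_port are stored in network byte order; convert for comparison. */
static __u32 net32_to_host(__u32 v)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
	return __builtin_bswap32(v);
#else
	return v;
#endif
}

static __u16 net16_to_host(__u16 v)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
	return __builtin_bswap16(v);
#else
	return v;
#endif
}

/* Runs on every connect() from a process in the cgroup (v2) the program is attached to.
   Return 1 to allow the call, 0 to reject it (the caller gets EPERM). */
SEC("cgroup/connect4")
int restrict_connect4(struct bpf_sock_addr *ctx)
{
	if (ctx->protocol != IPPROTO_TCP)                 /* assumption: only TCP is mediated */
		return 1;
	if ((net32_to_host(ctx->user_ip4) >> 24) != LOOPBACK_NET)
		return 0;                                      /* destination is not loopback */
	if (net16_to_host((__u16)ctx->user_port) != ALLOWED_PORT)
		return 0;                                      /* loopback, but not the allowed port */
	return 1;
}

/* Host-side harness: build the context as the kernel would and return the verdict. */
int check_connect4(__u32 protocol, __u32 ip4_host, __u16 port_host)
{
	struct bpf_sock_addr ctx = {0};
	ctx.protocol = protocol;
	ctx.user_ip4 = net32_to_host(ip4_host);           /* the byte swap is its own inverse */
	ctx.user_port = net16_to_host(port_host);
	return restrict_connect4(&ctx);
}
```

With the real build, the object is attached to the snap's cgroup with `bpftool cgroup attach <cgroup> connect4 ...`; a snap "C" limited to port 9004 would be the same program with a different `ALLOWED_PORT`, attached to its own cgroup.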

While I agree that this would be a nice feature to have, implementing it will be very complex, and other projects like docker/lxd already seem to have a never-ending supply of network/firewall configuration problems that we would not like to see with snaps as well. I personally think it's a benefit of snaps that you don't have to muck around with network settings inside snaps, and that if you set up your networking on the host how you want it, snaps just inherit that and use it as-is.
