landlock: restrict tcp sockets

[osevan]

I hope everyone with eye on landlock functionality could plant this feature as fast as possible inside firejail.

https://www.phoronix.com/news/Landlock-Networking-Linux-6.7

Thanks and

Best regards

[rusty-snake]

For landlock I would say we should deny to bind to any tcp port and allow to connect to all tcp ports.

For fine grained control options we could use landlock.bind-tcp/landlock.connect-tcp (or namespaced landlock[.net].tcp.bind / landlock[.net].bind) or a implementation free name line whitelist-tcp-bind/whitelist-tcp-connect (systemd uses SocketBindAllow/SocketBindDeny implemented with cgroup/bind[46]).

We should also ask whether exposing those low-level options make sense for firejail. While restricting bind sounds interesting, restricting connect for tcp connections could give a lot users a false-sense of security(/privacy) unless other layer 4 protocols (udp and the like) are blocked by other means (seccomp/cgroup/ebpf/nftables/netfilter).