feat: add Landlock sandbox and capability dropping for Linux (#86)

* feat: add Landlock sandbox and capability dropping for Linux

- Restrict filesystem access to /proc only after initialization
- Block TCP bind/connect on kernel 6.4+ (network sandbox)
- Drop CAP_NET_RAW after pcap handle opened
- Add --no-sandbox and --sandbox-strict CLI options
- Show privilege info on non-Linux platforms in UI
- Add SECURITY.md documentation

* fix: remove unused set_sandbox_info and hide Landlock line on non-Linux

* fix: gate SandboxInfo to Linux only to fix clippy warnings

* fix: add is_admin() function for Windows builds

The Windows build was failing because ui.rs called crate::is_admin()
but the function didn't exist. Added the implementation using Windows
Security API to check if the process has elevated privileges.

Also added Win32_Security feature to windows crate dependencies.

* fix: add is_admin() to main.rs for Windows binary crate

The previous fix added is_admin() to lib.rs but ui.rs is compiled
as part of the binary crate (main.rs), not the library crate.
Added the function to main.rs so crate::is_admin() resolves correctly.

Author: domcyrus

ARCHITECTURE.md

@@ -9,7 +9,7 @@ This document describes the technical architecture and implementation details of
 - [Platform-Specific Implementations](#platform-specific-implementations)
 - [Performance Considerations](#performance-considerations)
 - [Dependencies](#dependencies)
-- [Security Considerations](#security-considerations)
+- [Security](#security)
 
 ## Multi-threaded Architecture
 
@@ -315,78 +315,6 @@ RustNet is built with the following key dependencies:
 - **ring** - Cryptographic operations (for TLS/SNI parsing)
 - **aes** - AES encryption support (for protocol detection)
 
-## Security Considerations
+## Security
 
-### Privileged Access
-
-RustNet requires privileged access for packet capture:
-- **Raw socket access** - Intercept network traffic at low level (read-only, non-promiscuous mode)
-- **BPF device access** - Load packet filters into kernel
-- **eBPF programs** - Optional kernel probes for enhanced process tracking (Linux only)
-
-**Mitigation:**
-- Use Linux capabilities instead of full root (CAP_NET_RAW for packet capture, CAP_BPF+CAP_PERFMON for eBPF)
-- Use macOS group-based access (`access_bpf` group)
-- Audit which users have packet capture permissions
-- Operates in read-only mode - cannot modify or inject packets
-
-### Read-Only Operation
-
-The tool only monitors traffic; it does not:
-- Modify packets
-- Block connections
-- Inject traffic
-- Alter routing tables
-- Change firewall rules
-
-### Log File Privacy
-
-Log files may contain sensitive information:
-- IP addresses and ports
-- Hostnames and SNI data
-- Process names and PIDs
-- DNS queries and responses
-
-**Best Practices:**
-- Disable logging by default (no `--log-level` flag)
-- Secure log directory permissions
-- Implement log rotation and retention policies
-- Review logs for sensitive data before sharing
-
-### No External Communication
-
-RustNet operates entirely locally:
-- No telemetry or analytics
-- No network requests (except monitored traffic)
-- No cloud services or remote APIs
-- All data stays on your system
-
-### eBPF Security
-
-When using experimental eBPF support:
-- Requires additional kernel capabilities (`CAP_BPF`, `CAP_PERFMON`)
-- eBPF programs are verified by kernel before loading
-- Limited to read-only operations (no packet modification)
-- Automatically falls back to procfs if eBPF fails
-
-### Audit and Compliance
-
-For production environments:
-- **Audit logging** of who runs RustNet with packet capture privileges
-- **Network monitoring policies** and compliance with data protection regulations
-- **User access reviews** for privileged network access
-- **Automated capability management** via configuration management systems
-
-### Threat Model
-
-**What RustNet protects against:**
-- Unauthorized users cannot capture packets without proper permissions
-- Capability-based permissions limit blast radius of compromise
-
-**What RustNet does NOT protect against:**
-- Users with packet capture permissions can see all unencrypted traffic
-- Root/Administrator users can modify RustNet or capture packets directly
-- Physical access to the machine enables packet capture
-- Network-level attacks (RustNet is a monitoring tool, not a security appliance)
-
-For detailed permission setup and security best practices, see [INSTALL.md](INSTALL.md).
+For security documentation including Landlock sandboxing, privilege requirements, and threat model, see [SECURITY.md](SECURITY.md).

Cargo.lock

@@ -48,6 +48,8 @@ procfs = "0.18"
 libbpf-rs = { version = "0.25", optional = true }
 bytes = { version = "1.11", optional = true }
 libc = { version = "0.2", optional = true }
+landlock = { version = "0.4", optional = true }
+caps = { version = "0.5", optional = true }
 
 [target.'cfg(any(target_os = "macos", target_os = "freebsd"))'.dependencies]
 libc = "0.2"
@@ -58,6 +60,7 @@ windows = { version = "0.62", features = [
     "Win32_NetworkManagement_IpHelper",
     "Win32_NetworkManagement_Ndis",
     "Win32_Networking_WinSock",
+    "Win32_Security",
     "Win32_System_LibraryLoader",
     "Win32_System_Threading",
 ] }
@@ -80,6 +83,7 @@ windows = { version = "0.62", features = [
     "Win32_NetworkManagement_IpHelper",
     "Win32_NetworkManagement_Ndis",
     "Win32_Networking_WinSock",
+    "Win32_Security",
     "Win32_System_LibraryLoader",
     "Win32_System_Threading",
 ] }
@@ -91,9 +95,11 @@ libbpf-cargo = { version = "0.25", optional = true }
 # eBPF is enabled by default for enhanced performance on Linux.
 # On non-Linux platforms, this feature has no effect as all eBPF code
 # and dependencies are Linux-specific (guarded by target_os checks).
-default = ["ebpf"]
+# Landlock provides security sandboxing on Linux 5.13+.
+default = ["ebpf", "landlock"]
 linux-default = ["ebpf"]  # Deprecated: kept for backwards compatibility
 ebpf = ["libbpf-rs", "bytes", "libc", "dep:libbpf-cargo"]
+landlock = ["dep:landlock", "dep:caps"]
 
 # Minimal cross configuration to override dependency conflicts
 [workspace.metadata.cross.build.env]

Cargo.toml

@@ -26,6 +26,7 @@ A cross-platform network monitoring tool built with Rust. RustNet provides real-
 - **Terminal User Interface**: Beautiful TUI built with ratatui with adjustable column widths
 - **Multi-threaded Processing**: Concurrent packet processing for high performance
 - **Optional Logging**: Detailed logging with configurable log levels (disabled by default)
+- **Security Sandboxing**: Landlock-based filesystem/network restrictions on Linux 5.13+ (see [SECURITY.md](SECURITY.md))
 
 <details>
 <summary><b>eBPF Enhanced Process Identification (Linux Default)</b></summary>
@@ -232,6 +233,7 @@ See [USAGE.md](USAGE.md) for complete timeout details.
 
 - **[INSTALL.md](INSTALL.md)** - Detailed installation instructions for all platforms, permission setup, and troubleshooting
 - **[USAGE.md](USAGE.md)** - Complete usage guide including command-line options, filtering, sorting, and logging
+- **[SECURITY.md](SECURITY.md)** - Security features including Landlock sandboxing and privilege management
 - **[ARCHITECTURE.md](ARCHITECTURE.md)** - Technical architecture, platform implementations, and performance details
 - **[PROFILING.md](PROFILING.md)** - Performance profiling guide with flamegraph setup and optimization tips
 - **[ROADMAP.md](ROADMAP.md)** - Planned features and future improvements

README.md

@@ -0,0 +1,157 @@
+# Security
+
+RustNet processes untrusted network data, making defense-in-depth security critical. This document describes the security measures implemented.
+
+## Table of Contents
+
+- [Landlock Sandboxing (Linux)](#landlock-sandboxing-linux)
+- [Privilege Requirements](#privilege-requirements)
+- [Read-Only Operation](#read-only-operation)
+- [No External Communication](#no-external-communication)
+- [Log File Privacy](#log-file-privacy)
+- [eBPF Security](#ebpf-security)
+- [Threat Model](#threat-model)
+- [Audit and Compliance](#audit-and-compliance)
+- [Reporting Security Issues](#reporting-security-issues)
+
+## Landlock Sandboxing (Linux)
+
+On Linux 5.13+, RustNet uses [Landlock](https://landlock.io/) to restrict its own capabilities after initialization. This limits the damage if a vulnerability in packet parsing is exploited.
+
+### What Gets Restricted
+
+| Restriction | Kernel Version | Description |
+|-------------|----------------|-------------|
+| Filesystem | 5.13+ | Only `/proc` readable (for process identification) |
+| Network | 6.4+ | TCP bind/connect blocked (RustNet is passive) |
+| Capabilities | Any | `CAP_NET_RAW` dropped after pcap socket opened |
+
+### How It Works
+
+1. **Initialization phase**: RustNet loads eBPF programs, opens packet capture handles, and creates log files
+2. **Sandbox application**: After init, Landlock restricts filesystem and network access
+3. **Capability drop**: `CAP_NET_RAW` is removed from the process (existing pcap socket remains valid)
+
+### Security Benefits
+
+If an attacker exploits a vulnerability in DPI/packet parsing:
+- Cannot read arbitrary files (credentials, configs, etc.)
+- Cannot write to filesystem (except configured log paths)
+- Cannot make outbound TCP connections (data exfiltration blocked)
+- Cannot bind TCP ports (reverse shell blocked)
+- Cannot create new raw sockets (capability dropped)
+
+### CLI Options
+
+```
+--no-sandbox        Disable Landlock sandboxing
+--sandbox-strict    Require full sandbox enforcement or exit
+```
+
+### Graceful Degradation
+
+- **Kernel < 5.13**: Sandboxing skipped, warning logged
+- **Kernel 5.13-6.3**: Filesystem restrictions only
+- **Kernel 6.4+**: Full filesystem + network restrictions
+- **Docker**: May be blocked by seccomp; app continues normally
+
+## Privilege Requirements
+
+RustNet requires privileged access for packet capture:
+
+| Platform | Requirement |
+|----------|-------------|
+| Linux | `CAP_NET_RAW` capability or root |
+| macOS | Root or BPF group membership (`access_bpf` group) |
+| Windows | Administrator (for Npcap) |
+| FreeBSD | Root or BPF device access |
+
+### Why Privileges Are Needed
+
+- **Raw socket access** - Intercept network traffic at low level (read-only, non-promiscuous mode)
+- **BPF device access** - Load packet filters into kernel
+- **eBPF programs** - Optional kernel probes for enhanced process tracking (Linux only)
+
+### Recommended: Capability-based Execution (Linux)
+
+Instead of running as root, grant only the required capabilities:
+
+```bash
+# Modern Linux (5.8+): packet capture + eBPF
+sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon=eip' $(which rustnet)
+
+# Legacy Linux (pre-5.8): packet capture + eBPF
+sudo setcap 'cap_net_raw,cap_sys_admin=eip' $(which rustnet)
+
+# Packet capture only (no eBPF process detection)
+sudo setcap cap_net_raw=eip $(which rustnet)
+```
+
+After sandbox application, `CAP_NET_RAW` is dropped - the process retains only the minimum privileges needed.
+
+## Read-Only Operation
+
+RustNet only monitors traffic; it does not:
+- Modify packets
+- Block connections
+- Inject traffic
+- Alter routing tables
+- Change firewall rules
+
+The packet capture is opened in non-promiscuous, read-only mode.
+
+## No External Communication
+
+RustNet operates entirely locally:
+- No telemetry or analytics
+- No network requests (except monitored traffic)
+- No cloud services or remote APIs
+- All data stays on your system
+
+## Log File Privacy
+
+Log files may contain sensitive information:
+- IP addresses and ports
+- Hostnames and SNI data
+- Process names and PIDs
+- DNS queries and responses
+
+**Best Practices:**
+- Disable logging by default (no `--log-level` flag)
+- Secure log directory permissions
+- Implement log rotation and retention policies
+- Review logs for sensitive data before sharing
+
+## eBPF Security
+
+When using eBPF for enhanced process detection (default on Linux):
+
+- Requires additional kernel capabilities (`CAP_BPF`, `CAP_PERFMON`)
+- eBPF programs are verified by kernel before loading
+- Limited to read-only operations (no packet modification)
+- Automatically falls back to procfs if eBPF fails
+
+## Threat Model
+
+**What RustNet protects against:**
+- Unauthorized users cannot capture packets without proper permissions
+- Capability-based permissions limit blast radius of compromise
+- Landlock sandbox contains potential exploitation
+
+**What RustNet does NOT protect against:**
+- Users with packet capture permissions can see all unencrypted traffic
+- Root/Administrator users can modify RustNet or capture packets directly
+- Physical access to the machine enables packet capture
+- Network-level attacks (RustNet is a monitoring tool, not a security appliance)
+
+## Audit and Compliance
+
+For production environments:
+- **Audit logging** of who runs RustNet with packet capture privileges
+- **Network monitoring policies** and compliance with data protection regulations
+- **User access reviews** for privileged network access
+- **Automated capability management** via configuration management systems
+
+## Reporting Security Issues
+
+Please report security vulnerabilities via GitHub Issues or contact the maintainers directly.

SECURITY.md

@@ -78,6 +78,9 @@ Options:
   -r, --refresh-interval <MILLISECONDS>  UI refresh interval in milliseconds [default: 1000]
       --no-dpi                           Disable deep packet inspection
   -l, --log-level <LEVEL>                Set the log level (if not provided, no logging will be enabled)
+      --json-log <FILE>                  Enable JSON logging of connection events to specified file
+      --no-sandbox                       Disable Landlock sandboxing (Linux only)
+      --sandbox-strict                   Require full sandbox enforcement or exit (Linux only)
   -h, --help                             Print help
   -V, --version                          Print version
 ```