Skip to main content

Overview

Network rules control TCP bind and connect operations. Like filesystem rules, they follow an allow-list model: any network operation not explicitly allowed is denied.
Network restrictions require Landlock ABI v4+, typically available in Linux kernel 6.7 or newer.

Rule Format

Network rules use the format: 
RIGHTS:PORT
  • RIGHTS: What network operations are allowed (bind, connect, or both)
  • PORT: The TCP port number (0-65535)

Adding Rules

sandboxec --fs rx:/usr --net c:443 -- /usr/bin/curl https://example.com

Network Rights

All available network rights:
bind
b
Allow binding (listening) on a TCP port. Use for servers and local services.
sandboxec --fs rx:/usr --net b:8080 -- python3 -m http.server 8080
Allowed operations:
  • bind() system call on the specified port
  • Listen for incoming connections
  • Accept connections
Bind permission does not include connect permission. Use bc for both.
connect
c
Allow connecting (outbound) to a TCP port. Use for HTTP clients, API calls, database connections.
sandboxec --fs rx:/usr --net c:443 -- curl https://example.com
Allowed operations:
  • connect() system call to the specified port
  • Establish outbound TCP connections
This is the most common network rule for sandboxing commands that make outbound requests.
bind_connect
bc
Allow both binding and connecting on a TCP port.
sandboxec --fs rx:/usr --net bc:8080 -- your-server-with-client
Allowed operations:
  • All bind operations
  • All connect operations
The shorthand bc can also be written as cb - both are equivalent.

Port Specification

Ports must be specified as integers between 0 and 65535: 
# Well-known ports
sandboxec --net c:80 --net c:443 --fs rx:/usr -- curl https://example.com

# Custom ports
sandboxec --net b:8080 --fs rx:/usr -- python3 -m http.server 8080

# High ports
sandboxec --net c:50051 --fs rx:/usr -- grpc-client
Each rule applies to a single port. To allow multiple ports, use multiple --net flags.

Kernel Requirements

Network rules require specific kernel versions:
FeatureLandlock ABIMinimum KernelNotes
TCP bind restrictionsv4+6.7+Control bind() syscall
TCP connect restrictionsv4+6.7+Control connect() syscall

Checking Compatibility

To verify your kernel supports network rules: 
# Check kernel version
uname -r

# Try a simple network rule
sandboxec --fs rx:/usr --net c:443 -- /usr/bin/curl https://example.com

# Use --best-effort to degrade gracefully on old kernels
sandboxec --best-effort --fs rx:/usr --net c:443 -- your-command
With --best-effort, sandboxec will skip network rules on kernels that don’t support them, applying only filesystem restrictions.

Common Patterns

Outbound HTTPS Only

Allow only secure outbound connections: 
sandboxec --fs rx:/usr --net c:443 -- /usr/bin/curl https://example.com

HTTP and HTTPS Client

Allow both HTTP and HTTPS: 
sandboxec --fs rx:/usr --net c:80 --net c:443 -- wget http://example.com

Local Development Server

Bind a local port for testing: 
sandboxec --fs rx:/usr --fs rw:$PWD --net b:8080 -- python3 -m http.server 8080

API Service with Outbound Calls

Server that also makes outbound requests: 
sandboxec \
  --fs rx:/usr \
  --fs rw:$PWD \
  --net b:8080 \
  --net c:443 \
  -- node server.js

Database Client

Connect to a database server: 
sandboxec \
  --fs rx:/usr \
  --fs rw:$PWD \
  --net c:5432 \
  -- psql -h localhost -U user

Real-World Examples

# Allow HTTPS for downloading packages
sandboxec \
  --fs rx:/usr \
  --fs rw:$PWD \
  --fs rw:/tmp \
  --net c:443 \
  -- npm install

Rule Behavior

Allow-List Model

Any network operation not explicitly allowed is completely blocked. The sandboxed process will receive connection refused or operation not permitted errors.
# This will fail - port 443 not allowed
sandboxec --fs rx:/usr -- curl https://example.com
# Error: curl: (7) Failed to connect to example.com port 443: Operation not permitted

# This succeeds - port 443 is now allowed
sandboxec --fs rx:/usr --net c:443 -- curl https://example.com

Cumulative Rules

Multiple --net flags are cumulative: 
sandboxec --net c:80 --net c:443 --net c:8080 --fs rx:/usr -- your-client
All ports are allowed simultaneously.

Port-Specific Rules

Each rule applies to a specific port number: 
# Allows connect to 443 only (not 80)
sandboxec --net c:443 --fs rx:/usr -- curl http://example.com
# Error: connection refused

# Both ports now allowed
sandboxec --net c:443 --net c:80 --fs rx:/usr -- curl http://example.com

No Wildcard Ports

sandboxec does not support wildcard or port range rules. Each port must be explicitly specified.
# To allow multiple ports, list them individually
sandboxec \
  --net c:80 \
  --net c:443 \
  --net c:8080 \
  --net c:8443 \
  --fs rx:/usr \
  -- your-command

Combining with Filesystem Rules

Network rules are almost always used with filesystem rules: 
sandboxec \
  --fs rx:/usr \
  --fs rx:/lib \
  --fs rx:/usr/lib \
  --fs rw:/tmp \
  --net c:443 \
  -- your-command
Most network-enabled commands need at minimum:
  • rx rights on /usr (for binaries and libraries)
  • c rights on relevant ports (80, 443, etc.)
  • Optional: rw on /tmp or $PWD for file operations

Troubleshooting

Ensure the target port is allowed:
# For HTTPS (port 443)
sandboxec --fs rx:/usr --net c:443 -- curl https://example.com

# For HTTP (port 80)
sandboxec --fs rx:/usr --net c:80 -- curl http://example.com
This is a normal OS error, not a sandboxec restriction. Another process is using the port:
# Check what's using the port
lsof -i :8080

# Use a different port
sandboxec --net b:8081 --fs rx:/usr -- python3 -m http.server 8081
Network rules require kernel 6.7+. Check your version:
uname -r
Use --best-effort to skip unsupported features:
sandboxec --best-effort --fs rx:/usr --net c:443 -- your-command
DNS typically uses UDP, which Landlock does not control. If DNS fails, it’s likely a filesystem issue (missing /etc/resolv.conf or libraries):
sandboxec \
  --fs rx:/usr \
  --fs rx:/lib \
  --fs rx:/usr/lib \
  --fs r:/etc \
  --net c:443 \
  -- curl https://example.com
Verify you’re using the correct rights:
  • c for outbound connections (clients)
  • b for inbound connections (servers)
  • bc for both
# Client: use connect (c)
sandboxec --net c:443 --fs rx:/usr -- curl https://example.com

# Server: use bind (b)
sandboxec --net b:8080 --fs rx:/usr -- python3 -m http.server 8080

Limitations

Network rules control TCP only. They do NOT control:
  • UDP traffic
  • ICMP (ping)
  • Unix domain sockets
  • Other network protocols
Landlock focuses on TCP bind/connect operations.
For broader network isolation, consider using firewall rules, network namespaces, or containers.

Build docs developers (and LLMs) love

Get started for freeTalk to us