On Fri May 8, 2026 at 6:50 PM BST, Greg Dahlman wrote:
> PF/AF 1,2,10,16,17 are the ones that most people would use, with
> AF_VSOCK(40) as an exception that may be too noisy to log, along with
> bluetooth on desktops etc...
>
> IMHO, longer term, a bounding set in a text file in /etc of PF/AF
> families that can be used on a system is the more maintainable and
> robust solution in the end. socket() is just too tempting of an
> interface, with no real security boundaries unless it is device/file
> mediated. It should be blockable at the system level by PF/AF no
> matter if it is loading a module or is compiled in at the system level
> IMHO.
FYI, it is possible to block socket calls by AF/PF with seccomp.
If using the OCI schema for seccomp definitions, blocking calls to
socket and socketpair with AF_ALG looks like [1]:
```
{
    "names": ["socket", "socketpair"],
    "action": "SCMP_ACT_ERRNO",
    "errnoRet": 97,
    "args": [
        {
            "index": 0,
            "value": 38,
            "op": "SCMP_CMP_EQ"
        }
    ]
}
```
[1]: https://github.com/moby/profiles/issues/19
Emily
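The OCI rule above is what a container runtime feeds to libseccomp. As an added example (not code from this thread or from any of its participants), here is the same rule, "fail socket(2) and socketpair(2) with errno 97 (EAFNOSUPPORT) when the first argument is AF_ALG (38)", written as a raw seccomp-BPF program that an ordinary process can install on itself with prctl(2), so it can be tried outside a container. It assumes Linux on x86_64 or aarch64 (the arch check refuses to run under any other ABI, which also covers the 32-bit socketcall multiplexer); the function names `build_af_block_filter`, `install_af_block_filter` and `probe_socket` are this example's own.

```c
// Added example, not from the thread: a raw seccomp-BPF equivalent of the
// OCI rule {socket,socketpair} + arg0 == 38 -> SCMP_ACT_ERRNO(97).
// Linux only; ABI table covers x86_64 and aarch64.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#  define PR_SET_NO_NEW_PRIVS 38
#endif

#define AF_BLOCK_FILTER_LEN 10

/* Fill `out` (>= AF_BLOCK_FILTER_LEN entries) with a filter that makes
 * socket(2)/socketpair(2) fail with -err when their first argument == af
 * and lets every other call through. Returns the instruction count. */
static size_t build_af_block_filter(unsigned af, unsigned err,
                                    struct sock_filter *out)
{
    const struct sock_filter prog[AF_BLOCK_FILTER_LEN] = {
        /* 0-2: kill if called under a foreign ABI (syscall numbers differ,
         * and i386/compat callers would reach socket() via socketcall) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-5: only socket() and socketpair() get their arguments inspected */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socketpair, 0, 3),
        /* 6-7: compare the low 32 bits of args[0] (little-endian layout).
         * The kernel takes `int family`, so it truncates the register itself;
         * junk in the high word therefore cannot be used to dodge the check. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, af, 0, 1),
        /* 8: matched -> return -err to the caller (SCMP_ACT_ERRNO / errnoRet) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA)),
        /* 9: everything else is allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    for (size_t i = 0; i < AF_BLOCK_FILTER_LEN; i++)
        out[i] = prog[i];
    return AF_BLOCK_FILTER_LEN;
}

/* Install the filter on the calling thread (prctl has no TSYNC; use
 * seccomp(2) with SECCOMP_FILTER_FLAG_TSYNC for a multithreaded process).
 * Returns 0 on success, -1 with errno set otherwise. */
static int install_af_block_filter(unsigned af, unsigned err)
{
    struct sock_filter prog[AF_BLOCK_FILTER_LEN];
    struct sock_fprog fprog = {
        .len = (unsigned short)build_af_block_filter(af, err, prog),
        .filter = prog,
    };
    /* mandatory for an unprivileged caller; also stops setuid from lifting it */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Try socket(af, type, 0): returns 0 on success, else the errno produced. */
static int probe_socket(int af, int type)
{
    int fd = socket(af, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    printf("before: AF_ALG -> %d, AF_UNIX -> %d\n",
           probe_socket(AF_ALG, SOCK_SEQPACKET), probe_socket(AF_UNIX, SOCK_STREAM));
    if (install_af_block_filter(AF_ALG, EAFNOSUPPORT) != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after:  AF_ALG -> %d, AF_UNIX -> %d\n",
           probe_socket(AF_ALG, SOCK_SEQPACKET), probe_socket(AF_UNIX, SOCK_STREAM));
    return 0;
}
```

Two things worth noticing when running it: the AF_ALG probe reports 97 after the filter whether or not the algif modules are loaded, which is the point of the ERRNO action (userspace sees the same failure it would get on a kernel built without the family), and seccomp filters stack, so a second `install_af_block_filter(AF_UNIX, EPERM)` adds a further restriction without replacing the first. What this does not give you is the system-wide bounding set Greg asks for: it binds to a process tree at exec time, so a root shell that never went through the sandbox is unaffected.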