RustNet processes untrusted network data, making defense-in-depth security critical. This document describes the security measures implemented.
- Landlock Sandboxing (Linux)
- Privilege Requirements
- Read-Only Operation
- No External Communication
- Log File Privacy
- eBPF Security
- Threat Model
- Audit and Compliance
- Reporting Security Issues
On Linux 5.13+, RustNet uses Landlock to restrict its own capabilities after initialization. This limits the damage if a vulnerability in packet parsing is exploited.
| Restriction | Kernel Version | Description |
|---|---|---|
| Filesystem | 5.13+ | Only /proc readable (for process identification) |
| Network | 6.4+ | TCP bind/connect blocked (RustNet is passive) |
| Capabilities | Any | CAP_NET_RAW dropped after pcap socket opened |
- Initialization phase: RustNet loads eBPF programs, opens packet capture handles, and creates log files
- Sandbox application: After init, Landlock restricts filesystem and network access
- Capability drop: CAP_NET_RAW is removed from the process (existing pcap socket remains valid)
If an attacker exploits a vulnerability in DPI/packet parsing:
- Cannot read arbitrary files (credentials, configs, etc.)
- Cannot write to filesystem (except configured log paths)
- Cannot make outbound TCP connections (data exfiltration blocked)
- Cannot bind TCP ports (reverse shell blocked)
- Cannot create new raw sockets (capability dropped)
```text
--no-sandbox       Disable Landlock sandboxing
--sandbox-strict   Require full sandbox enforcement or exit
```
- Kernel < 5.13: Sandboxing skipped, warning logged
- Kernel 5.13-6.3: Filesystem restrictions only
- Kernel 6.4+: Full filesystem + network restrictions
- Docker: May be blocked by seccomp; app continues normally
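The sequence this section describes, as an added example that is not RustNet's own code: a ruleset handling every ABI 1 filesystem right plus TCP bind/connect on ABI 4+, one read-only rule for /proc, then restrict_self, using raw Landlock syscalls so no crates are needed. Assumed: Linux, x86-64 values for O_PATH/O_CLOEXEC and the uniform syscall numbers 444-446; the CAP_NET_RAW drop from the table above is not shown.

```rust
// Added example (not RustNet's own code): apply Landlock after initialization the way the page
// describes, via raw syscalls so no crates are needed. Linux only; O_PATH/O_CLOEXEC values are x86-64's.
use std::{ffi::CString, io, os::raw::{c_char, c_int, c_long}};
extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn open(path: *const c_char, flags: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
    fn prctl(option: c_int, ...) -> c_int;
}
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
const SYS_LANDLOCK_ADD_RULE: c_long = 445;
const SYS_LANDLOCK_RESTRICT_SELF: c_long = 446;
const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
const LANDLOCK_RULE_PATH_BENEATH: c_int = 1;
const FS_READ: u64 = (1 << 2) | (1 << 3); // LANDLOCK_ACCESS_FS_READ_FILE | READ_DIR
const FS_ALL_ABI1: u64 = (1 << 13) - 1;   // every filesystem right known to ABI 1 (5.13)
const NET_ALL: u64 = 0b11;                // LANDLOCK_ACCESS_NET_BIND_TCP | CONNECT_TCP
const O_PATH_CLOEXEC: c_int = 0o10000000 | 0o2000000;
const PR_SET_NO_NEW_PRIVS: c_int = 38;
#[repr(C)] struct RulesetAttr { handled_access_fs: u64, handled_access_net: u64 }
#[repr(C, packed)] struct PathBeneathAttr { allowed_access: u64, parent_fd: c_int }
#[derive(Debug, PartialEq)] pub enum Tier { Unsupported, FsOnly, FsAndNet }
/// Landlock ABI version of the running kernel, or -1 if unavailable (pre-5.13, or seccomp blocks it in Docker).
pub fn landlock_abi() -> i32 {
    unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, std::ptr::null::<u8>(), 0usize, LANDLOCK_CREATE_RULESET_VERSION) as i32 }
}
/// The page's tiers: no ABI = skip, ABI 1-3 (5.13-6.3) = filesystem only, ABI 4+ (6.4+) = filesystem + TCP.
pub fn plan(abi: i32) -> Tier {
    match abi { a if a < 1 => Tier::Unsupported, 1..=3 => Tier::FsOnly, _ => Tier::FsAndNet }
}
/// Enforce the plan on this process: only `readable_dir` (e.g. /proc) stays readable; on ABI 4+ TCP bind/connect are denied.
pub fn apply_sandbox(readable_dir: &str) -> io::Result<Tier> {
    let tier = plan(landlock_abi());
    if tier == Tier::Unsupported { return Ok(tier); } // warn and carry on, as the page describes
    let attr = RulesetAttr { handled_access_fs: FS_ALL_ABI1, handled_access_net: if tier == Tier::FsAndNet { NET_ALL } else { 0 } };
    let size: usize = if tier == Tier::FsAndNet { 16 } else { 8 }; // pre-6.4 kernels only know the first field
    let rs = unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const RulesetAttr, size, 0u32) } as c_int;
    if rs < 0 { return Err(io::Error::last_os_error()); }
    let path = CString::new(readable_dir)?;
    let dir = unsafe { open(path.as_ptr(), O_PATH_CLOEXEC) };
    let rule = PathBeneathAttr { allowed_access: FS_READ, parent_fd: dir };
    let ok = dir >= 0
        && unsafe { syscall(SYS_LANDLOCK_ADD_RULE, rs, LANDLOCK_RULE_PATH_BENEATH, &rule as *const PathBeneathAttr, 0u32) } == 0
        && unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1u64, 0u64, 0u64, 0u64) } == 0 // mandatory before restrict_self
        && unsafe { syscall(SYS_LANDLOCK_RESTRICT_SELF, rs, 0u32) } == 0;
    let result = if ok { Ok(tier) } else { Err(io::Error::last_os_error()) };
    unsafe { close(dir); close(rs); }
    result
}
```

Call apply_sandbox("/proc") only once the capture handle and log files are open, because the ruleset also denies the process's own later opens. An Err caused by a container seccomp profile is the case the page says should be logged and tolerated unless --sandbox-strict is set.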
RustNet requires privileged access for packet capture:
| Platform | Requirement |
|---|---|
| Linux | CAP_NET_RAW capability or root |
| macOS | Root or BPF group membership (access_bpf group) |
| Windows | Administrator (for Npcap) |
| FreeBSD | Root or BPF device access |
- Raw socket access - Intercept network traffic at low level (read-only, non-promiscuous mode)
- BPF device access - Load packet filters into kernel
- eBPF programs - Optional kernel probes for enhanced process tracking (Linux only)
Instead of running as root, grant only the required capabilities:
```bash
# Modern Linux (5.8+): packet capture + eBPF
sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon=eip' $(which rustnet)
# Legacy Linux (pre-5.8): packet capture + eBPF
sudo setcap 'cap_net_raw,cap_sys_admin=eip' $(which rustnet)
# Packet capture only (no eBPF process detection)
sudo setcap cap_net_raw=eip $(which rustnet)
```
After sandbox application, CAP_NET_RAW is dropped - the process retains only the minimum privileges needed.
RustNet only monitors traffic; it does not:
- Modify packets
- Block connections
- Inject traffic
- Alter routing tables
- Change firewall rules
The packet capture is opened in non-promiscuous, read-only mode.
RustNet operates entirely locally:
- No telemetry or analytics
- No network requests (except monitored traffic)
- No cloud services or remote APIs
- All data stays on your system
Log files may contain sensitive information:
- IP addresses and ports
- Hostnames and SNI data
- Process names and PIDs
- DNS queries and responses
Best Practices:
- Disable logging by default (no --log-level flag)
- Secure log directory permissions
- Implement log rotation and retention policies
- Review logs for sensitive data before sharing
When using eBPF for enhanced process detection (default on Linux):
- Requires additional kernel capabilities (CAP_BPF, CAP_PERFMON)
- eBPF programs are verified by the kernel before loading
- Limited to read-only operations (no packet modification)
- Automatically falls back to procfs if eBPF fails
What RustNet protects against:
- Unauthorized users cannot capture packets without proper permissions
- Capability-based permissions limit blast radius of compromise
- Landlock sandbox contains potential exploitation
What RustNet does NOT protect against:
- Users with packet capture permissions can see all unencrypted traffic
- Root/Administrator users can modify RustNet or capture packets directly
- Physical access to the machine enables packet capture
- Network-level attacks (RustNet is a monitoring tool, not a security appliance)
For production environments:
- Audit logging of who runs RustNet with packet capture privileges
- Network monitoring policies and compliance with data protection regulations
- User access reviews for privileged network access
- Automated capability management via configuration management systems
Please report security vulnerabilities via GitHub Issues or contact the maintainers directly.