
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A security vulnerability was identified in Go-Landlock (GHSA-vv6c-69r6-chg9) affecting versions >= 0.0.0-20240109 and < 0.0.0-20241013234402-fb3ad845df46. The vulnerability relates to the library's 'best-effort' mode failing to properly restrict TCP bind() and connect() operations when they were requested. This issue specifically impacts users implementing Landlock rulesets for networking restrictions through landlock.V4, landlock.V5, or self-configured settings while operating in best-effort mode (GitHub Advisory).
The vulnerability stems from an implementation flaw where the library did not properly handle network access rights during config downgrade in best-effort mode. Additionally, there was a related bug in the PathBeneathAttr struct where port numbers were incorrectly passed using 16 bits instead of 64 bits. The issue manifests when users implement code using the Go-Landlock API with the combination of V4/V5 and .BestEffort() methods, typically in patterns like 'err := landlock.V5.BestEffort().Restrict(...)' (GitHub Commit).
The vulnerability only affects networking restrictions while file system restrictions continue to function as expected. It's important to note that this bug is specific to the Go-Landlock library and does not impact programs using Landlock through C or other language bindings (GitHub Advisory).
Users are advised to upgrade to version v0.0.0-20241013234402-fb3ad845df46. The upgrade can be performed using 'go get -u' from the project directory. No alternative workarounds are available for this vulnerability (GitHub Advisory).
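To find builds that still fall inside the affected range quoted above, the following added example (not code from the advisory or from the Go-Landlock project) reads go.mod text and classifies the go-landlock requirement by its pseudo-version timestamp. The module path github.com/landlock-lsm/go-landlock, the function name CheckGoMod and the sample input are assumptions; the date-only lower bound is taken as midnight of that day, and replace directives are not evaluated.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Module path is an assumption (the page does not state it).
const modPath = "github.com/landlock-lsm/go-landlock"

// Range from the advisory text: >= 0.0.0-20240109 and < 0.0.0-20241013234402-fb3ad845df46.
const firstAffected, firstFixed = "20240109000000", "20241013234402"

// Go pseudo-version: v0.0.0-<14-digit UTC timestamp>-<12 hex digits of the commit>.
var pseudo = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// CheckGoMod returns "affected", "not-affected", "unknown" (not a pseudo-version)
// or "absent" for the go-landlock requirement found in go.mod text.
func CheckGoMod(gomod string) (status, version string) {
	block := ""
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "(" || len(f) == 1 && f[0] == ")" {
			block = f[0] // "require (" names the block, ")" ends it
			continue
		}
		if len(f) == 3 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		} else if len(f) != 2 || block != "require" {
			continue // module/go lines, replace and exclude entries, blanks
		}
		m := pseudo.FindStringSubmatch(f[1])
		switch {
		case f[0] != modPath:
			continue
		case m == nil:
			return "unknown", f[1]
		case m[1] >= firstAffected && m[1] < firstFixed:
			return "affected", f[1]
		}
		return "not-affected", f[1]
	}
	return "absent", ""
}

func main() {
	// Constructed input: the commit suffix in this version is a placeholder.
	fmt.Println(CheckGoMod("require " + modPath + " v0.0.0-20240216195629-0123456789ab\n"))
}
```

An "affected" result only matters for programs that request networking restrictions in best-effort mode, as described above; file system restrictions are not impacted.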
The Go-Landlock maintainers have proactively identified affected projects and filed specific bug reports for impacted repositories including Foxboron/ssh-the-planet#1, ngergs/websrv#15, and whyvl/wireproxy#142 (GitHub Advisory).
Source: This report was generated using AI