runsc: allow port-forwarding with network isolation

The security implications by this change are not entirely understood. At the most basic level, there can now be a port inside the sandbox that allows a network connection to the outside. Network isolation should prevent that. In Continuum's case this is fine because the other end outside the sandbox is expected to encrypt all sensitive data.
edgelesssys · Feb 23, 2024 · 1bbae78 · 1bbae78
1 parent 238645f
commit 1bbae78
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
@@ -1642,7 +1642,7 @@ func (l *Loader) portForward(opts *PortForwardOpts) error {
 	pair := pf.ProxyPair{To: fdConn}
 
 	switch l.root.conf.Network {
-	case config.NetworkSandbox:
+	case config.NetworkSandbox, config.NetworkNone:
 		stack := l.k.RootNetworkNamespace().Stack().(*netstack.Stack).Stack
 		nsConn, err := pf.NewNetstackConn(stack, opts.Port)
 		if err != nil {