Intercept the bind syscall #53

Open
JeremyRand opened this issue Mar 19, 2023 · 2 comments

Comments

@JeremyRand
Member

The bind syscall is used by TCP servers. It would be desirable to sandbox it as follows:

  • If Horklump is configured to reject incoming connections at all, then the bind syscall should be blocked.
  • If Horklump is configured to accept incoming connections on only a specific network interface, then any bind syscalls for other interfaces should be blocked.
  • Unix domain sockets should be allowed regardless of the above.
@robertmin1
Collaborator

Had a bit of difficulty obtaining the specific network interface; I'll revisit it.

@robertmin1
Collaborator

An idea I was thinking of; it didn't seem to work:

```go
package main

import (
	"fmt"
	"net"
	"os"

	"github.com/oraoto/go-pidfd" // assumed: the pidfd_open/pidfd_getfd wrapper behind pidfd.Open and GetFd
)

// getNetworkAddress duplicates the tracee's socket descriptor into this process
// with pidfd_getfd(2) and asks the kernel for the socket's local address.
func getNetworkAddress(fd int, pid int) (net.Addr, error) {
	p, err := pidfd.Open(pid, 0)
	if err != nil {
		return nil, fmt.Errorf("error opening PID file descriptor: %w", err)
	}

	listenfd, err := p.GetFd(fd, 0)
	if err != nil {
		return nil, fmt.Errorf("error getting listen file descriptor: %w", err)
	}

	// os.NewFile takes ownership of the duplicated descriptor; net.FileConn
	// duplicates it again, so both must be closed.
	file := os.NewFile(uintptr(listenfd), "")
	defer file.Close()

	conn, err := net.FileConn(file)
	if err != nil {
		return nil, fmt.Errorf("error wrapping socket descriptor: %w", err)
	}
	defer conn.Close()

	return conn.LocalAddr(), nil
}

// getNetworkInterface finds the local interface whose subnet contains the
// address's IP.
func getNetworkInterface(addr net.Addr) (*net.Interface, error) {
	tcpAddr, ok := addr.(*net.TCPAddr)
	if !ok {
		return nil, fmt.Errorf("not a TCP address: %s", addr)
	}
	ip := tcpAddr.IP

	ifaces, err := net.Interfaces()
	if err != nil {
		return nil, fmt.Errorf("error listing network interfaces: %w", err)
	}

	for _, iface := range ifaces {
		addrs, err := iface.Addrs()
		if err != nil {
			return nil, fmt.Errorf("error listing addresses of %s: %w", iface.Name, err)
		}

		for _, a := range addrs {
			ipNet, ok := a.(*net.IPNet)
			if ok && ipNet.Contains(ip) {
				iface := iface // copy so the returned pointer does not alias the loop variable
				return &iface, nil
			}
		}
	}

	return nil, fmt.Errorf("no network interface found for address: %s", addr.String())
}
```
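Added example, not Horklump's code and not from either comment above: the three rules from the issue applied to the sockaddr that the tracee passes to bind(2), rather than to the socket itself. The pidfd approach above can only report an address once bind has returned; before the call completes, getsockname on the socket yields the unbound wildcard address, so a tracer that wants to block the call has to decode the raw addr argument at syscall entry. Assumptions: Linux sockaddr layouts on a little-endian host, that the tracer has already copied addrlen bytes out of the tracee's memory (not shown), a BindPolicy type with invented field names RejectIncoming and AllowedIface, and a constructed interface table in place of net.Interfaces(). A wildcard bind (0.0.0.0 or ::) is refused under an interface restriction because it would listen on every interface.

```go
// Added example (not Horklump's code): apply the issue's three bind rules to the
// raw sockaddr argument of bind(2), which is available before the socket is bound.
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"syscall"
)

// BindPolicy models the issue's rules; the field names are this example's assumptions, not Horklump's.
type BindPolicy struct {
	RejectIncoming bool   // block every non-Unix bind
	AllowedIface   string // if set, allow binds only to this interface's addresses
}

// decodeSockaddr parses the addrlen bytes at bind()'s addr argument (read from the tracee with
// process_vm_readv or /proc/PID/mem) in the Linux layout on a little-endian host.
func decodeSockaddr(raw []byte) (net.Addr, error) {
	if len(raw) < 2 {
		return nil, fmt.Errorf("sockaddr shorter than sa_family")
	}
	fam := binary.LittleEndian.Uint16(raw[0:2]) // sa_family is in host byte order
	switch fam {
	case syscall.AF_UNIX: // sockaddr_un: NUL-terminated sun_path
		name, _, _ := bytes.Cut(raw[2:], []byte{0})
		return &net.UnixAddr{Name: string(name), Net: "unix"}, nil
	case syscall.AF_INET, syscall.AF_INET6: // in: port(2) addr(4); in6: port(2) flowinfo(4) addr(16)
		off, n := 4, net.IPv4len
		if fam == syscall.AF_INET6 {
			off, n = 8, net.IPv6len
		}
		if len(raw) < off+n {
			return nil, fmt.Errorf("sockaddr too short for family %d", fam)
		}
		// TCPAddr is only a holder for IP and port; the sockaddr does not say whether the socket is TCP.
		return &net.TCPAddr{IP: append(net.IP(nil), raw[off:off+n]...), Port: int(binary.BigEndian.Uint16(raw[2:4]))}, nil
	}
	return nil, fmt.Errorf("unsupported address family %d", fam)
}

// ifaceFor names the interface with ip configured, or "". A tracer builds ifaces from
// net.Interfaces(); the match is exact, a subnet match would accept addresses nobody owns.
func ifaceFor(ip net.IP, ifaces map[string][]net.IP) string {
	for name, ips := range ifaces {
		for _, a := range ips {
			if a.Equal(ip) {
				return name
			}
		}
	}
	return ""
}

// DecideBind says whether the bind may proceed and why; it fails closed on anything it cannot decode.
func DecideBind(p BindPolicy, raw []byte, ifaces map[string][]net.IP) (bool, string) {
	addr, err := decodeSockaddr(raw)
	if err != nil {
		return false, "undecodable sockaddr: " + err.Error()
	}
	tcp, isIP := addr.(*net.TCPAddr)
	switch {
	case !isIP: // *net.UnixAddr: allowed regardless of the other rules
		return true, "unix socket " + addr.String()
	case p.RejectIncoming:
		return false, "incoming connections disabled, refusing " + addr.String()
	case p.AllowedIface == "":
		return true, "no interface restriction"
	case tcp.IP.IsUnspecified(): // 0.0.0.0 or :: would listen on every interface
		return false, "wildcard bind would accept on all interfaces"
	case ifaceFor(tcp.IP, ifaces) != p.AllowedIface:
		return false, fmt.Sprintf("%s is not an address of %s", tcp.IP, p.AllowedIface)
	}
	return true, addr.String() + " is on " + p.AllowedIface
}

// sockaddrInet and sockaddrUnix build the byte layouts a tracee would pass; used here for constructed input.
func sockaddrInet(ip net.IP, port int) []byte {
	fam, off, b := syscall.AF_INET6, 8, make([]byte, 28)
	if v4 := ip.To4(); v4 != nil {
		fam, off, b, ip = syscall.AF_INET, 4, b[:16], v4
	}
	binary.LittleEndian.PutUint16(b[0:2], uint16(fam))
	binary.BigEndian.PutUint16(b[2:4], uint16(port))
	copy(b[off:], ip)
	return b
}
func sockaddrUnix(path string) []byte {
	b := make([]byte, 2+len(path)+1)
	binary.LittleEndian.PutUint16(b[0:2], syscall.AF_UNIX)
	copy(b[2:], path)
	return b
}

func main() { // a wildcard bind under an interface restriction is refused even with no interface table
	fmt.Println(DecideBind(BindPolicy{AllowedIface: "lo"}, sockaddrInet(net.IPv4zero, 9050), nil))
}
```

The decision is made before the syscall runs, so the tracer can fail the call without the address ever being bound. Two caveats a real implementation has to cover: an abstract-namespace Unix socket (sun_path starting with a NUL byte) decodes to an empty name here, and the policy above allows it like any other Unix socket; and the interface table must be refreshed when addresses change, otherwise a newly configured address on the allowed interface is refused.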
