Added
- Landlock Sandbox for Linux: Filesystem and network sandboxing for enhanced security
  - Restricts filesystem access to `/proc` only after initialization
  - Network sandbox blocks TCP bind/connect on kernel 6.4+
  - Drops `CAP_NET_RAW` capability after pcap handle is opened
  - New CLI options: `--no-sandbox` and `--sandbox-strict`
  - Comprehensive security documentation in SECURITY.md
- eBPF Thread Name Resolution: Resolve eBPF thread names (e.g., 'Socket Thread') to main process names (e.g., 'firefox')
  - Uses periodic procfs PID cache for resolution
  - Falls back to eBPF name for short-lived processes
- AUR Package Automation: Automated Arch Linux AUR package publishing workflow
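
The filesystem and network restrictions listed under "Landlock Sandbox for Linux" can be expressed with the raw Landlock syscalls. The C program below is an added example, not this project's code. The `ll_*`/`LL_*` names, the function names and the fallback syscall numbers are the example's own assumptions. It enables the TCP restriction only when the kernel reports Landlock ABI 4 or newer, and leaves out the `CAP_NET_RAW` drop.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock UAPI layouts and bits under this example's own names (builds with old headers). */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net; };
struct ll_path_beneath { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LL_FS_ALL_V1 0x1fffULL /* the 13 filesystem rights of ABI 1 */
#define LL_FS_READ   0x000cULL /* READ_FILE | READ_DIR */
#define LL_NET_TCP   0x0003ULL /* BIND_TCP | CONNECT_TCP, ABI 4+ */
#ifndef SYS_landlock_create_ruleset /* assumed fallback syscall numbers */
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule 445
#define SYS_landlock_restrict_self 446
#endif

/* Returns the Landlock ABI version once the sandbox is enforced, else -1. */
int sandbox_proc_only(void) {
    /* flags=1 is LANDLOCK_CREATE_RULESET_VERSION: query the ABI, create nothing. */
    long abi = syscall(SYS_landlock_create_ruleset, NULL, (size_t)0, 1U);
    if (abi < 1) return -1; /* Landlock absent, disabled or filtered */
    /* Handle all ABI 1 filesystem rights; handle TCP only where supported. */
    struct ll_ruleset_attr rs = { LL_FS_ALL_V1, abi >= 4 ? LL_NET_TCP : 0 };
    int rfd = (int)syscall(SYS_landlock_create_ruleset, &rs, sizeof(rs), 0U);
    if (rfd < 0) return -1;
    /* Sole exception: read access beneath /proc. No network rule is added,
     * so handled TCP bind() and connect() calls are all denied. */
    struct ll_path_beneath pb = { LL_FS_READ, open("/proc", O_PATH | O_CLOEXEC) };
    int ok = pb.parent_fd >= 0
        && syscall(SYS_landlock_add_rule, rfd, 1 /* PATH_BENEATH */, &pb, 0U) == 0
        && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 /* required when unprivileged */
        && syscall(SYS_landlock_restrict_self, rfd, 0U) == 0;
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    close(rfd);
    return ok ? (int)abi : -1;
}

int can_read(const char *path) { /* 1 if path opens read-only, else 0 */
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd >= 0) close(fd);
    return fd >= 0;
}

int main(void) {
    int abi = sandbox_proc_only(); /* sandbox first, then probe */
    printf("abi=%d proc=%d etc=%d\n", abi, can_read("/proc/self/status"), can_read("/etc/hostname"));
    return 0;
}
```

Descriptors opened before `sandbox_proc_only()` stay usable, which is why a sandbox of this kind is applied only after initialization, once the capture handle already exists.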
Changed
- Platform Code Reorganization: Restructured platform-specific code into cleaner module hierarchy
  - `src/network/platform/linux/` - Linux-specific code with eBPF and sandbox subdirectories
  - `src/network/platform/macos/` - macOS-specific code
  - `src/network/platform/freebsd/` - FreeBSD-specific code
  - `src/network/platform/windows/` - Windows-specific code
- QUIC DPI Simplification: Unified SNI extraction helpers and simplified QUIC protocol handling
Fixed
- Test Determinism: Made RateTracker tests deterministic with injectable timestamps
What's Changed
- feat: reorganize platform code into per-platform directories by @domcyrus in #81
- chore(deps): bump vmactions/freebsd-vm from 1.2.7 to 1.2.8 in the actions group by @dependabot[bot] in #82
- chore(deps): bump pcap from 2.3.0 to 2.4.0 in the rust-dependencies group by @dependabot[bot] in #83
- refactor: simplify QUIC DPI and reorganize platform code by @domcyrus in #84
- fix: make RateTracker tests deterministic with injectable timestamps by @domcyrus in #85
- feat: add Landlock sandbox and capability dropping for Linux by @domcyrus in #86
- fix(linux): resolve eBPF thread names to main process names by @domcyrus in #87
Full Changelog: v0.16.1...v0.17.0