nono-py policy handling could fail open in two ways. First, resolving a policy-derived ProxyConfig did not automatically enforce CapabilitySet.proxy_only, allowing sandboxed children to bypass a resolved domain allowlist by using direct network access. Second, policy JSON accepted unknown security-sensitive fields, so misspelled or unsupported restrictions could be silently ignored.
The python API made a restrictive-looking configuration unsafe by default. A caller could configure only reverse- proxy credential routes, put the child in CapabilitySet.proxy_only, and reasonably expect network access to be limited to those routes. Instead, because empty allowed_hosts meant allow-all inside nono-proxy, the child could use the local proxy as a transparent CONNECT tunnel to non-route nominated hosts (not including metadata endpoints). That is an authorization bypass / policy …
On Linux kernels that do not support Landlock network rules, nono_py.sandboxed_exec() could run CapabilitySet.proxy_only(proxy) without supervising the seccomp-notify proxy-only fallback returned by the Rust core. In that configuration, a sandboxed child process could remove HTTP_PROXY / HTTPS_PROXY environment variables or use raw sockets and then open direct TCP connections that should have been denied by proxy-only policy. The issue affects proxy-only enforcement. It does not mean that all nono-py network …