From ed0b8114e06659707e46ddc56e11d9e2e98d19ca Mon Sep 17 00:00:00 2001
From: theanarkh <theratliter@gmail.com>
Date: Mon, 10 Jun 2024 04:44:09 +0800
Subject: [PATCH] permission,net,dgram: add permission for net

---
 doc/api/cli.md                                | 180 ++++++++++++
 doc/api/permissions.md                        |   8 +
 doc/node.1                                    |  12 +
 lib/internal/process/pre_execution.js         |   8 +
 node.gyp                                      |   2 +
 src/env.cc                                    |  20 ++
 src/node_options.cc                           |  16 ++
 src/node_options.h                            |   4 +
 src/permission/net_permission.cc              | 256 ++++++++++++++++++
 src/permission/net_permission.h               | 176 ++++++++++++
 src/permission/permission.cc                  |   5 +
 src/permission/permission.h                   |   1 +
 src/permission/permission_base.h              |  12 +-
 src/tcp_wrap.cc                               |  27 ++
 src/udp_wrap.cc                               |  28 ++
 .../parallel/test-permission-warning-flags.js |   4 +
 16 files changed, 758 insertions(+), 1 deletion(-)
 create mode 100644 src/permission/net_permission.cc
 create mode 100644 src/permission/net_permission.h

diff --git a/doc/api/cli.md b/doc/api/cli.md
index cf64f45bfd4d64..8077fb4ba7e557 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -357,6 +357,176 @@ Error: Access to this API has been restricted
 }
 ```
 
+### `--allow-net-tcp-in`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to bind to any
+ip or port by default. Attempts to do so will throw an `ERR_ACCESS_DENIED` unless
+the user explicitly passes the `--allow-net-tcp-in` flag when starting Node.js.
+
+The valid arguments for the `--allow-net-tcp-in` flag are:
+
+* `*` - To allow all `bind` operations.
+* Multiple addresses can be allowed using multiple `--allow-net-tcp-in` flags.
+  Example `--allow-net-tcp-in=127.0.0.1:8080 --allow-net-tcp-in=127.0.0.1:9090`
+
+Example:
+
+```js
+const net = require('node:net');
+net.createServer().listen(9297, '127.0.0.1')
+```
+
+```console
+$ node --experimental-permission --allow-fs-read=./index.js index.js
+node:net:1840
+      err = handle.bind(address, port);
+                   ^
+
+Error: Access to this API has been restricted
+    at createServerHandle (node:net:1840:20)
+    at Server.setupListenHandle [as _listen2] (node:net:1879:14)
+    at listenInCluster (node:net:1961:12)
+    at doListen (node:net:2135:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21) {
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'NetTCPIn',
+  resource: '127.0.0.1/9297'
+}
+```
+
+### `--allow-net-tcp-out`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to connect to any
+ip or port by default. Attempts to do so will throw an `ERR_ACCESS_DENIED` unless
+the user explicitly passes the `--allow-net-tcp-out` flag when starting Node.js.
+
+The valid arguments for the `--allow-net-tcp-out` flag are:
+
+* `*` - To allow all `connect` operations.
+* Multiple addresses can be allowed using multiple `--allow-net-tcp-out` flags.
+  Example `--allow-net-tcp-out=127.0.0.1:8080 --allow-net-tcp-out=127.0.0.1:9090`
+
+Example:
+
+```js
+const net = require('node:net');
+net.connect(9297, '127.0.0.1');
+```
+
+```console
+$ node --experimental-permission --allow-fs-read=./index.js index.js
+node:net:1075
+      err = self._handle.connect(req, address, port);
+                         ^
+
+Error: Access to this API has been restricted
+    at internalConnect (node:net:1075:26)
+    at defaultTriggerAsyncIdScope (node:internal/async_hooks:464:18)
+    at node:net:1324:9
+    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'NetTCPOut',
+  resource: '127.0.0.1/9297'
+}
+
+```
+
+### `--allow-net-udp-in`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to bind to any
+ip or port by default. Attempts to do so will throw an `ERR_ACCESS_DENIED` unless
+the user explicitly passes the `--allow-net-udp-in` flag when starting Node.js.
+
+The valid arguments for the `--allow-net-udp-in` flag are:
+
+* `*` - To allow all `bind` operations.
+* Multiple addresses can be allowed using multiple `--allow-net-udp-in` flags.
+  Example `--allow-net-udp-in=127.0.0.1:8080 --allow-net-udp-in=127.0.0.1:9090`
+
+Example:
+
+```js
+const dgram = require('node:dgram');
+dgram.createSocket('udp4').bind(9000, '127.0.0.1')
+```
+
+```console
+$ node --experimental-permission --allow-fs-read=./index.js index.js
+node:dgram:364
+      const err = state.handle.bind(ip, port || 0, flags);
+                               ^
+
+Error: Access to this API has been restricted
+    at node:dgram:364:32
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21) {
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'NetUDPIn',
+  resource: '127.0.0.1/9297'
+}
+```
+
+### `--allow-net-udp-out`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to connect to any
+ip or port by default. Attempts to do so will throw an `ERR_ACCESS_DENIED` unless
+the user explicitly passes the `--allow-net-udp-out` flag when starting Node.js.
+
+The valid arguments for the `--allow-net-udp-out` flag are:
+
+* `*` - To allow all `connect` operations.
+* Multiple addresses can be allowed using multiple `--allow-net-udp-out` flags.
+  Example `--allow-net-udp-out=127.0.0.1:8080 --allow-net-udp-out=127.0.0.1:9090`
+
+Example:
+
+```js
+const dgram = require('node:dgram');
+dgram.createSocket('udp4').bind(8000, '127.0.0.1', function () {
+    this.connect(9001, '127.0.0.1')
+});
+```
+
+```console
+$ node --experimental-permission --allow-net-udp-in=127.0.0.1/8000 --allow-fs-read=./index.js index.js
+node:dgram:433
+    const err = state.handle.connect(ip, port);
+                             ^
+
+Error: Access to this API has been restricted
+    at doConnect (node:dgram:433:30)
+    at defaultTriggerAsyncIdScope (node:internal/async_hooks:464:18)
+    at afterDns (node:dgram:416:5)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21) {
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'NetUDPOut',
+  resource: '127.0.0.1/9001'
+}
+```
+
 ### `--build-snapshot`
 
 <!-- YAML
@@ -1012,6 +1182,8 @@ following permissions are restricted:
 * Child Process - manageable through [`--allow-child-process`][] flag
 * Worker Threads - manageable through [`--allow-worker`][] flag
 * WASI - manageable through [`--allow-wasi`][] flag
+* Net - manageable through [`--allow-net-tcp-in`][], [`--allow-net-tcp-out`][],
+  [`--allow-net-udp-in`][] and [`--allow-net-udp-out`][] flags
 
 ### `--experimental-require-module`
 
@@ -2804,6 +2976,10 @@ one is included in the list below.
 * `--allow-child-process`
 * `--allow-fs-read`
 * `--allow-fs-write`
+* `--allow-net-tcp-in`
+* `--allow-net-tcp-out`
+* `--allow-net-udp-in`
+* `--allow-net-udp-out`
 * `--allow-wasi`
 * `--allow-worker`
 * `--conditions`, `-C`
@@ -3356,6 +3532,10 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`--allow-child-process`]: #--allow-child-process
 [`--allow-fs-read`]: #--allow-fs-read
 [`--allow-fs-write`]: #--allow-fs-write
+[`--allow-net-tcp-in`]: #--allow-net-tcp-in
+[`--allow-net-tcp-out`]: #--allow-net-tcp-out
+[`--allow-net-udp-in`]: #--allow-net-udp-in
+[`--allow-net-udp-out`]: #--allow-net-udp-out
 [`--allow-wasi`]: #--allow-wasi
 [`--allow-worker`]: #--allow-worker
 [`--build-snapshot`]: #--build-snapshot
diff --git a/doc/api/permissions.md b/doc/api/permissions.md
index d994035c808818..f2bb50bd2ef60c 100644
--- a/doc/api/permissions.md
+++ b/doc/api/permissions.md
@@ -509,6 +509,9 @@ using the [`--allow-child-process`][] and [`--allow-worker`][] respectively.
 To allow native addons when using permission model, use the [`--allow-addons`][]
 flag. For WASI, use the [`--allow-wasi`][] flag.
 
+For net, use the [`--allow-net-tcp-in`][], [`--allow-net-tcp-out`][],
+[`--allow-net-udp-in`][] and [`--allow-net-udp-out`][] flags.
+
 #### Runtime API
 
 When enabling the Permission Model through the [`--experimental-permission`][]
@@ -575,6 +578,7 @@ There are constraints you need to know before using this system:
   * Inspector protocol
   * File system access
   * WASI
+  * DNS
 * The Permission Model is initialized after the Node.js environment is set up.
   However, certain flags such as `--env-file` or `--openssl-config` are designed
   to read files before environment initialization. As a result, such flags are
@@ -598,6 +602,10 @@ There are constraints you need to know before using this system:
 [`--allow-child-process`]: cli.md#--allow-child-process
 [`--allow-fs-read`]: cli.md#--allow-fs-read
 [`--allow-fs-write`]: cli.md#--allow-fs-write
+[`--allow-net-tcp-in`]: cli.md#--allow-net-tcp-in
+[`--allow-net-tcp-out`]: cli.md#--allow-net-tcp-out
+[`--allow-net-udp-in`]: cli.md#--allow-net-udp-in
+[`--allow-net-udp-out`]: cli.md#--allow-net-udp-out
 [`--allow-wasi`]: cli.md#--allow-wasi
 [`--allow-worker`]: cli.md#--allow-worker
 [`--experimental-permission`]: cli.md#--experimental-permission
diff --git a/doc/node.1 b/doc/node.1
index 987c7f81610d45..d107e3827e449e 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -94,6 +94,18 @@ Allow execution of WASI when using the permission model.
 .It Fl -allow-worker
 Allow creating worker threads when using the permission model.
 .
+.It Fl -allow-net-tcp-in
+Allow bind when using the permission model.
+.
+.It Fl -allow-net-tcp-out
+Allow connect when using the permission model.
+.
+.It Fl -allow-net-udp-in
+Allow bind when using the permission model.
+.
+.It Fl -allow-net-udp-out
+Allow connect when using the permission model.
+.
 .It Fl -completion-bash
 Print source-able bash completion script for Node.js.
 .
diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
index 20eaaade5f2b54..b7c759ec854bb9 100644
--- a/lib/internal/process/pre_execution.js
+++ b/lib/internal/process/pre_execution.js
@@ -530,6 +530,10 @@ function initializePermission() {
     const warnFlags = [
       '--allow-addons',
       '--allow-child-process',
+      '--allow-net-tcp-in',
+      '--allow-net-tcp-out',
+      '--allow-net-udp-in',
+      '--allow-net-udp-out',
       '--allow-wasi',
       '--allow-worker',
     ];
@@ -574,6 +578,10 @@ function initializePermission() {
       '--allow-child-process',
       '--allow-wasi',
       '--allow-worker',
+      '--allow-net-tcp-in',
+      '--allow-net-tcp-out',
+      '--allow-net-udp-in',
+      '--allow-net-udp-out',
     ];
     ArrayPrototypeForEach(availablePermissionFlags, (flag) => {
       const value = getOptionValue(flag);
diff --git a/node.gyp b/node.gyp
index ef0c9aa74cbbf1..3970b6dbcb848a 100644
--- a/node.gyp
+++ b/node.gyp
@@ -155,6 +155,7 @@
       'src/permission/permission.cc',
       'src/permission/wasi_permission.cc',
       'src/permission/worker_permission.cc',
+      'src/permission/net_permission.cc',
       'src/pipe_wrap.cc',
       'src/process_wrap.cc',
       'src/signal_wrap.cc',
@@ -280,6 +281,7 @@
       'src/permission/permission.h',
       'src/permission/wasi_permission.h',
       'src/permission/worker_permission.h',
+      'src/permission/net_permission.h',
       'src/pipe_wrap.h',
       'src/req_wrap.h',
       'src/req_wrap-inl.h',
diff --git a/src/env.cc b/src/env.cc
index 73981071f6cce5..149197e1ccc8e8 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -936,6 +936,26 @@ Environment::Environment(IsolateData* isolate_data,
                           options_->allow_fs_write,
                           permission::PermissionScope::kFileSystemWrite);
     }
+    if (!options_->allow_net_tcp_in.empty()) {
+      permission()->Apply(this,
+                          options_->allow_net_tcp_in,
+                          permission::PermissionScope::kNetTCPIn);
+    }
+     if (!options_->allow_net_tcp_out.empty()) {
+      permission()->Apply(this,
+                          options_->allow_net_tcp_out,
+                          permission::PermissionScope::kNetTCPOut);
+    }
+    if (!options_->allow_net_udp_in.empty()) {
+      permission()->Apply(this,
+                          options_->allow_net_udp_in,
+                          permission::PermissionScope::kNetUDPIn);
+    }
+     if (!options_->allow_net_udp_out.empty()) {
+      permission()->Apply(this,
+                          options_->allow_net_udp_out,
+                          permission::PermissionScope::kNetUDPOut);
+    }
   }
 }
 
diff --git a/src/node_options.cc b/src/node_options.cc
index b47ee5fea16e2e..1c4a67bfa78ccb 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -464,6 +464,22 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "allow worker threads when any permissions are set",
             &EnvironmentOptions::allow_worker_threads,
             kAllowedInEnvvar);
+  AddOption("--allow-net-tcp-in",
+            "allow host:port or ip:port to listen when any permissions are set",
+            &EnvironmentOptions::allow_net_tcp_in,
+            kAllowedInEnvvar);
+  AddOption("--allow-net-tcp-out",
+            "allow host:port or ip:port to dial when any permissions are set",
+            &EnvironmentOptions::allow_net_tcp_out,
+            kAllowedInEnvvar);
+  AddOption("--allow-net-udp-in",
+            "allow host:port or ip:port to bind when any permissions are set",
+            &EnvironmentOptions::allow_net_udp_in,
+            kAllowedInEnvvar);
+  AddOption("--allow-net-udp-out",
+            "allow host:port or ip:port to connect when any permissions are set",
+            &EnvironmentOptions::allow_net_udp_out,
+            kAllowedInEnvvar);
   AddOption("--experimental-repl-await",
             "experimental await keyword support in REPL",
             &EnvironmentOptions::experimental_repl_await,
diff --git a/src/node_options.h b/src/node_options.h
index d16846facc5af2..4d513744765a8e 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -132,6 +132,10 @@ class EnvironmentOptions : public Options {
   bool allow_child_process = false;
   bool allow_wasi = false;
   bool allow_worker_threads = false;
+  std::vector<std::string> allow_net_tcp_in;
+  std::vector<std::string> allow_net_tcp_out;
+  std::vector<std::string> allow_net_udp_in;
+  std::vector<std::string> allow_net_udp_out;
   bool experimental_repl_await = true;
   bool experimental_vm_modules = false;
   bool expose_internals = false;
diff --git a/src/permission/net_permission.cc b/src/permission/net_permission.cc
new file mode 100644
index 00000000000000..60db5953ecfdf9
--- /dev/null
+++ b/src/permission/net_permission.cc
@@ -0,0 +1,256 @@
+#include "net_permission.h"
+#include "base_object-inl.h"
+#include "debug_utils-inl.h"
+#include "env.h"
+#include "path.h"
+#include "v8.h"
+
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <algorithm>
+#include <filesystem>
+#include <string>
+#include <string_view>
+#include <vector>
+
+void FreeRecursivelyNode(
+    node::permission::NetPermission::RadixTree::Node* node) {
+  if (node == nullptr) {
+    return;
+  }
+
+  if (node->children.size()) {
+    for (auto& c : node->children) {
+      FreeRecursivelyNode(c.second);
+    }
+  }
+
+  if (node->wildcard_child != nullptr) {
+    delete node->wildcard_child;
+  }
+  delete node;
+}
+
+bool is_tree_granted(
+    node::Environment* env,
+    const node::permission::NetPermission::RadixTree* granted_tree,
+    const std::string_view& param) {
+  std::string resolved_param{param};
+  return granted_tree->Lookup(resolved_param, true);
+}
+
+void PrintTree(const node::permission::NetPermission::RadixTree::Node* node,
+               size_t spaces = 0) {
+  std::string whitespace(spaces, ' ');
+
+  if (node == nullptr) {
+    return;
+  }
+  if (node->wildcard_child != nullptr) {
+    node::per_process::Debug(node::DebugCategory::PERMISSION_MODEL,
+                             "%s Wildcard: %s\n",
+                             whitespace,
+                             node->prefix);
+  } else {
+    node::per_process::Debug(node::DebugCategory::PERMISSION_MODEL,
+                             "%s Prefix: %s\n",
+                             whitespace,
+                             node->prefix);
+    if (node->children.size()) {
+      size_t child = 0;
+      for (const auto& pair : node->children) {
+        ++child;
+        node::per_process::Debug(node::DebugCategory::PERMISSION_MODEL,
+                                 "%s Child(%s): %s\n",
+                                 whitespace,
+                                 child,
+                                 std::string(1, pair.first));
+        PrintTree(pair.second, spaces + 2);
+      }
+      node::per_process::Debug(node::DebugCategory::PERMISSION_MODEL,
+                               "%s End of tree - child(%s)\n",
+                               whitespace,
+                               child);
+    } else {
+      node::per_process::Debug(node::DebugCategory::PERMISSION_MODEL,
+                               "%s End of tree: %s\n",
+                               whitespace,
+                               node->prefix);
+    }
+  }
+}
+
+namespace node {
+
+namespace permission {
+
+void NetPermission::Apply(Environment* env,
+                         const std::vector<std::string>& allow,
+                         PermissionScope scope) {
+  for (const std::string& res : allow) {
+    if (res == "*") {
+      switch (scope) {
+        case PermissionScope::kNetTCP: 
+          deny_all_tcp_in_ = false;
+          allow_all_tcp_in_ = true;
+          deny_all_tcp_out_ = false;
+          allow_all_tcp_out_ = true;
+          return;
+        case PermissionScope::kNetUDP: 
+          deny_all_udp_in_ = false;
+          allow_all_udp_in_ = true;
+          deny_all_udp_out_ = false;
+          allow_all_udp_out_ = true;
+          return;
+        case PermissionScope::kNetTCPIn: 
+          deny_all_tcp_in_ = false;
+          allow_all_tcp_in_ = true;
+          return;
+        case PermissionScope::kNetTCPOut: 
+          deny_all_tcp_out_ = false;
+          allow_all_tcp_out_ = true;
+          return;
+        case PermissionScope::kNetUDPIn: 
+          deny_all_udp_in_ = false;
+          allow_all_udp_in_ = true;
+          return;
+        case PermissionScope::kNetUDPOut: 
+          deny_all_udp_out_ = false;
+          allow_all_udp_out_ = true;
+          return;
+        default: continue;
+      }
+    }
+    GrantAccess(scope, std::string{res});
+  }
+}
+
+void NetPermission::GrantAccess(PermissionScope scope, const std::string& param) {
+  switch (scope) {
+    case PermissionScope::kNetTCP: 
+      granted_net_tcp_in_.Insert(param);
+      deny_all_tcp_in_ = false;
+      granted_net_tcp_out_.Insert(param);
+      deny_all_tcp_out_ = false;
+      return;
+    case PermissionScope::kNetUDP: 
+      granted_net_udp_in_.Insert(param);
+      deny_all_udp_in_ = false;
+      granted_net_udp_out_.Insert(param);
+      deny_all_udp_out_ = false;
+      return;
+    case PermissionScope::kNetTCPIn: 
+      granted_net_tcp_in_.Insert(param);
+      deny_all_tcp_in_ = false;
+      return;
+    case PermissionScope::kNetTCPOut: 
+      granted_net_tcp_out_.Insert(param);
+      deny_all_tcp_out_ = false;
+      return;
+    case PermissionScope::kNetUDPIn: 
+      granted_net_udp_in_.Insert(param);
+      deny_all_udp_in_ = false;
+      return;
+    case PermissionScope::kNetUDPOut: 
+      granted_net_udp_out_.Insert(param);
+      deny_all_udp_out_ = false;
+      return;
+    default: return;
+  }
+}
+
+bool NetPermission::is_granted(Environment* env,
+                              PermissionScope perm,
+                              const std::string_view& param = "") const {
+  switch (perm) {
+    case PermissionScope::kNetTCP:
+      return allow_all_tcp_in_ && allow_all_tcp_out_;
+    case PermissionScope::kNetUDP:
+      return allow_all_udp_in_ && allow_all_udp_out_;
+    case PermissionScope::kNetTCPIn:
+      return !deny_all_tcp_in_ &&
+             ((param.empty() && allow_all_tcp_in_) || allow_all_tcp_in_ ||
+              is_tree_granted(env, &granted_net_tcp_in_, param));
+    case PermissionScope::kNetTCPOut:
+      return !deny_all_tcp_out_ &&
+             ((param.empty() && allow_all_tcp_out_) || allow_all_tcp_out_ ||
+              is_tree_granted(env, &granted_net_tcp_out_, param));
+    case PermissionScope::kNetUDPIn:
+      return !deny_all_udp_in_ &&
+             ((param.empty() && allow_all_udp_in_) || allow_all_udp_in_ ||
+              is_tree_granted(env, &granted_net_udp_in_, param));
+    case PermissionScope::kNetUDPOut:
+      return !deny_all_udp_out_ &&
+             ((param.empty() && allow_all_udp_out_) || allow_all_udp_out_ ||
+              is_tree_granted(env, &granted_net_udp_out_, param));
+    default:
+      return false;
+  }
+}
+
+NetPermission::RadixTree::RadixTree() : root_node_(new Node("")) {}
+
+NetPermission::RadixTree::~RadixTree() {
+  FreeRecursivelyNode(root_node_);
+}
+
+bool NetPermission::RadixTree::Lookup(const std::string_view& s,
+                                     bool when_empty_return) const {
+  NetPermission::RadixTree::Node* current_node = root_node_;
+  if (current_node->children.size() == 0) {
+    return when_empty_return;
+  }
+  size_t parent_node_prefix_len = current_node->prefix.length();
+  const std::string path(s);
+  auto path_len = path.length();
+
+  while (true) {
+    if (parent_node_prefix_len == path_len && current_node->IsEndNode()) {
+      return true;
+    }
+
+    auto node = current_node->NextNode(path, parent_node_prefix_len);
+    if (node == nullptr) {
+      return false;
+    }
+
+    current_node = node;
+    parent_node_prefix_len += current_node->prefix.length();
+    if (current_node->wildcard_child != nullptr &&
+        path_len >= (parent_node_prefix_len - 2 /* slash* */)) {
+      return true;
+    }
+  }
+}
+
+void NetPermission::RadixTree::Insert(const std::string& path) {
+  NetPermission::RadixTree::Node* current_node = root_node_;
+
+  size_t parent_node_prefix_len = current_node->prefix.length();
+  size_t path_len = path.length();
+
+  for (size_t i = 1; i <= path_len; ++i) {
+    bool is_wildcard_node = path[i - 1] == '*';
+    bool is_last_char = i == path_len;
+
+    if (is_wildcard_node || is_last_char) {
+      std::string node_path = path.substr(parent_node_prefix_len, i);
+      current_node = current_node->CreateChild(node_path);
+    }
+
+    if (is_wildcard_node) {
+      current_node = current_node->CreateWildcardChild();
+      parent_node_prefix_len = i;
+    }
+  }
+
+  if (UNLIKELY(per_process::enabled_debug_list.enabled(
+          DebugCategory::PERMISSION_MODEL))) {
+    per_process::Debug(DebugCategory::PERMISSION_MODEL, "Inserting %s\n", path);
+    PrintTree(root_node_);
+  }
+}
+
+}  // namespace permission
+}  // namespace node
diff --git a/src/permission/net_permission.h b/src/permission/net_permission.h
new file mode 100644
index 00000000000000..0b153955c9c6a1
--- /dev/null
+++ b/src/permission/net_permission.h
@@ -0,0 +1,176 @@
+#ifndef SRC_PERMISSION_NET_PERMISSION_H_
+#define SRC_PERMISSION_NET_PERMISSION_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include "v8.h"
+
+#include <unordered_map>
+#include "permission/permission_base.h"
+#include "util.h"
+
+namespace node {
+
+namespace permission {
+
+class NetPermission final : public PermissionBase {
+ public:
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
+             PermissionScope scope) override;
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
+                  const std::string_view& param) const override;
+  struct RadixTree {
+    struct Node {
+      std::string prefix;
+      std::unordered_map<char, Node*> children;
+      Node* wildcard_child;
+      bool is_leaf;
+
+      explicit Node(const std::string& pre)
+          : prefix(pre), wildcard_child(nullptr), is_leaf(false) {}
+
+      Node() : wildcard_child(nullptr), is_leaf(false) {}
+
+      Node* CreateChild(const std::string& path_prefix) {
+        if (path_prefix.empty() && !is_leaf) {
+          is_leaf = true;
+          return this;
+        }
+
+        CHECK(!path_prefix.empty());
+        char label = path_prefix[0];
+
+        Node* child = children[label];
+        if (child == nullptr) {
+          children[label] = new Node(path_prefix);
+          return children[label];
+        }
+
+        // swap prefix
+        size_t i = 0;
+        size_t prefix_len = path_prefix.length();
+        for (; i < child->prefix.length(); ++i) {
+          if (i > prefix_len || path_prefix[i] != child->prefix[i]) {
+            std::string parent_prefix = child->prefix.substr(0, i);
+            std::string child_prefix = child->prefix.substr(i);
+
+            child->prefix = child_prefix;
+            Node* split_child = new Node(parent_prefix);
+            split_child->children[child_prefix[0]] = child;
+            children[parent_prefix[0]] = split_child;
+
+            return split_child->CreateChild(path_prefix.substr(i));
+          }
+        }
+        child->is_leaf = true;
+        return child->CreateChild(path_prefix.substr(i));
+      }
+
+      Node* CreateWildcardChild() {
+        if (wildcard_child != nullptr) {
+          return wildcard_child;
+        }
+        wildcard_child = new Node();
+        return wildcard_child;
+      }
+
+      Node* NextNode(const std::string& path, size_t idx) const {
+        if (idx >= path.length()) {
+          return nullptr;
+        }
+
+        // wildcard node takes precedence
+        if (children.size() > 1) {
+          auto it = children.find('*');
+          if (it != children.end()) {
+            return it->second;
+          }
+        }
+
+        auto it = children.find(path[idx]);
+        if (it == children.end()) {
+          return nullptr;
+        }
+        auto child = it->second;
+        // match prefix
+        size_t prefix_len = child->prefix.length();
+        for (size_t i = 0; i < path.length(); ++i) {
+          if (i >= prefix_len || child->prefix[i] == '*') {
+            return child;
+          }
+
+          // Handle optional trailing
+          // path = /home/subdirectory
+          // child = subdirectory/*
+          if (idx >= path.length() &&
+              child->prefix[i] == node::kPathSeparator) {
+            continue;
+          }
+
+          if (path[idx++] != child->prefix[i]) {
+            return nullptr;
+          }
+        }
+        return child;
+      }
+
+      // A node can be a *end* node and have children
+      // E.g: */slower*, */slown* are inserted:
+      // /slow
+      // ---> er
+      // ---> n
+      // If */slow* is inserted right after, it will create an
+      // empty node
+      // /slow
+      // ---> '\000' ASCII (0) || \0
+      // ---> er
+      // ---> n
+      bool IsEndNode() const {
+        if (children.size() == 0) {
+          return true;
+        }
+        return is_leaf;
+      }
+    };
+
+    RadixTree();
+    ~RadixTree();
+    void Insert(const std::string& s);
+    bool Lookup(const std::string_view& s) const { return Lookup(s, false); }
+    bool Lookup(const std::string_view& s, bool when_empty_return) const;
+
+   private:
+    Node* root_node_;
+  };
+ private:
+  void GrantAccess(PermissionScope scope, const std::string& param);
+
+  RadixTree granted_net_tcp_in_;
+  RadixTree granted_net_tcp_out_;
+  
+  RadixTree granted_net_udp_in_;
+  RadixTree granted_net_udp_out_;
+
+  bool deny_all_tcp_in_ = true;
+  bool deny_all_tcp_out_ = true;
+
+  bool allow_all_tcp_in_ = false;
+  bool allow_all_tcp_out_ = false;
+
+  bool deny_all_udp_in_ = true;
+  bool deny_all_udp_out_ = true;
+
+  bool allow_all_udp_in_ = false;
+  bool allow_all_udp_out_ = false;
+
+
+};
+
+}  // namespace permission
+
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#endif  // SRC_PERMISSION_NET_PERMISSION_H_
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
index ad393df0e38976..010504533d6e2c 100644
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@@ -83,6 +83,7 @@ Permission::Permission() : enabled_(false) {
   std::shared_ptr<PermissionBase> inspector =
       std::make_shared<InspectorPermission>();
   std::shared_ptr<PermissionBase> wasi = std::make_shared<WASIPermission>();
+  std::shared_ptr<PermissionBase> net = std::make_shared<NetPermission>();
 #define V(Name, _, __)                                                         \
   nodes_.insert(std::make_pair(PermissionScope::k##Name, fs));
   FILESYSTEM_PERMISSIONS(V)
@@ -103,6 +104,10 @@ Permission::Permission() : enabled_(false) {
   nodes_.insert(std::make_pair(PermissionScope::k##Name, wasi));
   WASI_PERMISSIONS(V)
 #undef V
+#define V(Name, _, __)                                                         \
+  nodes_.insert(std::make_pair(PermissionScope::k##Name, net));
+  NET_PERMISSIONS(V)
+#undef V
 }
 
 Local<Value> CreateAccessDeniedError(Environment* env,
diff --git a/src/permission/permission.h b/src/permission/permission.h
index 55309b6ba551c2..a1bff1579cc79d 100644
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@@ -8,6 +8,7 @@
 #include "permission/child_process_permission.h"
 #include "permission/fs_permission.h"
 #include "permission/inspector_permission.h"
+#include "permission/net_permission.h"
 #include "permission/permission_base.h"
 #include "permission/wasi_permission.h"
 #include "permission/worker_permission.h"
diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
index d4ab33d10142f2..5965b7dbd7cfb4 100644
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@@ -28,12 +28,22 @@ namespace permission {
 
 #define INSPECTOR_PERMISSIONS(V) V(Inspector, "inspector", PermissionsRoot)
 
+#define NET_PERMISSIONS(V) \
+  V(Net, "net", PermissionsRoot)                                              \
+  V(NetTCP, "net.tcp", Net)                                                   \
+  V(NetTCPIn, "net.tcp.in", NetTCP)                                           \
+  V(NetTCPOut, "net.tcp.out", NetTCP)                                         \
+  V(NetUDP, "net.udp", Net)                                                   \
+  V(NetUDPIn, "net.udp.in", NetUDP)                                           \
+  V(NetUDPOut, "net.udp.out", NetUDP)
+
 #define PERMISSIONS(V)                                                         \
   FILESYSTEM_PERMISSIONS(V)                                                    \
   CHILD_PROCESS_PERMISSIONS(V)                                                 \
   WASI_PERMISSIONS(V)                                                          \
   WORKER_THREADS_PERMISSIONS(V)                                                \
-  INSPECTOR_PERMISSIONS(V)
+  INSPECTOR_PERMISSIONS(V)                                                     \
+  NET_PERMISSIONS(V)
 
 #define V(name, _, __) k##name,
 enum class PermissionScope {
diff --git a/src/tcp_wrap.cc b/src/tcp_wrap.cc
index baa7618dfa0743..f81e6788d21114 100644
--- a/src/tcp_wrap.cc
+++ b/src/tcp_wrap.cc
@@ -260,6 +260,19 @@ void TCPWrap::Bind(
   int err = uv_ip_addr(*ip_address, port, &addr);
 
   if (err == 0) {
+    if (UNLIKELY(env->permission()->enabled())) {
+      std::string resource = *ip_address + std::string("/") + std::to_string(port);
+      if (!env->permission()->is_granted(
+            env,
+            permission::PermissionScope::kNetTCPIn,
+            resource)) {
+        node::permission::Permission::ThrowAccessDenied(
+          env,
+          permission::PermissionScope::kNetTCPIn,
+          resource);
+        return;
+      }
+    }
     err = uv_tcp_bind(&wrap->handle_,
                       reinterpret_cast<const sockaddr*>(&addr),
                       flags);
@@ -334,6 +347,20 @@ void TCPWrap::Connect(const FunctionCallbackInfo<Value>& args,
   int err = uv_ip_addr(*ip_address, &addr);
 
   if (err == 0) {
+    if (UNLIKELY(env->permission()->enabled())) {
+      int port = static_cast<int>(args[2].As<Uint32>()->Value());
+      std::string resource = *ip_address + std::string("/") + std::to_string(port);
+      if (!env->permission()->is_granted(
+            env,
+            permission::PermissionScope::kNetTCPOut,
+            resource)) {
+        node::permission::Permission::ThrowAccessDenied(
+          env,
+          permission::PermissionScope::kNetTCPOut,
+          resource);
+        return;
+      }
+    }
     AsyncHooks::DefaultTriggerAsyncIdScope trigger_scope(wrap);
     ConnectWrap* req_wrap =
         new ConnectWrap(env, req_wrap_obj, AsyncWrap::PROVIDER_TCPCONNECTWRAP);
diff --git a/src/udp_wrap.cc b/src/udp_wrap.cc
index a7c6bc6ae07607..2bec87dc43ad15 100644
--- a/src/udp_wrap.cc
+++ b/src/udp_wrap.cc
@@ -314,6 +314,20 @@ void UDPWrap::DoBind(const FunctionCallbackInfo<Value>& args, int family) {
   struct sockaddr_storage addr_storage;
   int err = sockaddr_for_family(family, address.out(), port, &addr_storage);
   if (err == 0) {
+    Environment* env = wrap->env();
+    if (UNLIKELY(env->permission()->enabled())) {
+      std::string resource = *address + std::string("/") + std::to_string(port);
+      if (!env->permission()->is_granted(
+            env,
+            permission::PermissionScope::kNetUDPIn,
+            resource)) {
+        node::permission::Permission::ThrowAccessDenied(
+          env,
+          permission::PermissionScope::kNetUDPIn,
+          resource);
+        return;
+      }
+    }
     err = uv_udp_bind(&wrap->handle_,
                       reinterpret_cast<const sockaddr*>(&addr_storage),
                       flags);
@@ -342,6 +356,20 @@ void UDPWrap::DoConnect(const FunctionCallbackInfo<Value>& args, int family) {
   struct sockaddr_storage addr_storage;
   int err = sockaddr_for_family(family, address.out(), port, &addr_storage);
   if (err == 0) {
+    Environment* env = wrap->env();
+    if (UNLIKELY(env->permission()->enabled())) {
+      std::string resource = *address + std::string("/") + std::to_string(port);
+      if (!env->permission()->is_granted(
+            env,
+            permission::PermissionScope::kNetUDPOut,
+            resource)) {
+        node::permission::Permission::ThrowAccessDenied(
+          env,
+          permission::PermissionScope::kNetUDPOut,
+          resource);
+        return;
+      }
+    }
     err = uv_udp_connect(&wrap->handle_,
                          reinterpret_cast<const sockaddr*>(&addr_storage));
   }
diff --git a/test/parallel/test-permission-warning-flags.js b/test/parallel/test-permission-warning-flags.js
index 87fcb7ff7f3158..018015163a3206 100644
--- a/test/parallel/test-permission-warning-flags.js
+++ b/test/parallel/test-permission-warning-flags.js
@@ -9,6 +9,10 @@ const warnFlags = [
   '--allow-child-process',
   '--allow-wasi',
   '--allow-worker',
+  '--allow-net-tcp-in=*',
+  '--allow-net-tcp-out=*',
+  '--allow-net-udp-in=*',
+  '--allow-net-udp-out=*',
 ];
 
 for (const flag of warnFlags) {