From: "Mickaël Salaün" <mic@digikod.net>
To: John Johansen <john.johansen@canonical.com>,
Georgia Garcia <georgia.garcia@canonical.com>
Cc: "Paul Moore" <paul@paul-moore.com>,
"Günther Noack" <gnoack3000@gmail.com>,
"James Morris" <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Tingmao Wang" <m@maowtm.org>,
"Justin Suess" <utilityemal77@gmail.com>,
linux-security-module@vger.kernel.org,
"Samasth Norway Ananda" <samasth.norway.ananda@oracle.com>,
"Matthieu Buffet" <matthieu@buffet.re>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com,
"Demi Marie Obenour" <demiobenour@gmail.com>,
"Alyssa Ross" <hi@alyssa.is>, "Jann Horn" <jannh@google.com>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Simon Horman" <horms@kernel.org>,
netdev@vger.kernel.org,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>
Subject: Re: [PATCH v6 1/9] lsm: Add LSM hook security_unix_find
Date: Wed, 18 Mar 2026 09:48:26 +0100 [thread overview]
Message-ID: <20260318.In1aekohyivu@digikod.net> (raw)
In-Reply-To: <2697b9f672967b1318630f2ffa21914f@paul-moore.com>
On Tue, Mar 17, 2026 at 05:34:57PM -0400, Paul Moore wrote:
> On Mar 15, 2026 =?UTF-8?q?G=C3=BCnther=20Noack?= <gnoack3000@gmail.com> wrote:
> >
> > Add a LSM hook security_unix_find.
> >
> > This hook is called to check the path of a named unix socket before a
> > connection is initiated. The peer socket may be inspected as well.
> >
> > Why existing hooks are unsuitable:
> >
> > Existing socket hooks, security_unix_stream_connect(),
> > security_unix_may_send(), and security_socket_connect() don't provide
> > TOCTOU-free / namespace independent access to the paths of sockets.
> >
> > (1) We cannot resolve the path from the struct sockaddr in existing hooks.
> > This requires another path lookup. A change in the path between the
> > two lookups will cause a TOCTOU bug.
> >
> > (2) We cannot use the struct path from the listening socket, because it
> > may be bound to a path in a different namespace than the caller,
> > resulting in a path that cannot be referenced at policy creation time.
> >
> > Cc: Günther Noack <gnoack3000@gmail.com>
> > Cc: Tingmao Wang <m@maowtm.org>
> > Signed-off-by: Justin Suess <utilityemal77@gmail.com>
> > ---
> > include/linux/lsm_hook_defs.h | 5 +++++
> > include/linux/security.h | 11 +++++++++++
> > net/unix/af_unix.c | 13 ++++++++++---
> > security/security.c | 20 ++++++++++++++++++++
> > 4 files changed, 46 insertions(+), 3 deletions(-)
>
> Some really minor nitpicky things (below), but nothing critical.
> However, as we discussed, I would like to see the AppArmor folks comment
> on the new hook before we merge anything as I know they have an interest
> here.
John, Georgia, we've been discussing this new hook for a few months now
but didn't hear from you yet. We plan to merge this patch series with
the 7.1 merge window (in a few weeks), so before that I'd like to merge
it in -next in a few days to get a broader coverage. I'm pretty sure
this hook will work well with AppArmor too, but could you please take
look to confirm?
next prev parent reply other threads:[~2026-03-18 8:48 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-15 22:21 [PATCH v6 0/9] landlock: UNIX connect() control by pathname and scope Günther Noack
2026-03-15 22:21 ` [PATCH v6 1/9] lsm: Add LSM hook security_unix_find Günther Noack
2026-03-17 21:14 ` Mickaël Salaün
2026-03-17 21:34 ` Paul Moore
2026-03-17 23:20 ` [PATCH v7 " Justin Suess
2026-03-18 1:28 ` Paul Moore
2026-03-18 8:48 ` Mickaël Salaün [this message]
2026-03-18 14:44 ` [PATCH v6 " Paul Moore
2026-03-18 16:22 ` Mickaël Salaün
2026-03-18 16:43 ` Paul Moore
2026-03-23 14:37 ` Georgia Garcia
2026-03-23 20:26 ` Paul Moore
2026-03-18 16:51 ` Mickaël Salaün
2026-03-15 22:21 ` [PATCH v6 2/9] landlock: use mem_is_zero() in is_layer_masks_allowed() Günther Noack
2026-03-18 16:52 ` Mickaël Salaün
2026-03-20 10:50 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 3/9] landlock: Control pathname UNIX domain socket resolution by path Günther Noack
2026-03-18 11:15 ` Sebastian Andrzej Siewior
2026-03-18 14:14 ` Justin Suess
2026-03-18 15:05 ` Sebastian Andrzej Siewior
2026-03-18 16:26 ` Mickaël Salaün
2026-03-18 16:43 ` Justin Suess
2026-03-18 17:52 ` Mickaël Salaün
2026-03-20 12:28 ` Günther Noack
2026-03-18 16:52 ` Mickaël Salaün
2026-03-20 16:15 ` Günther Noack
2026-03-20 17:51 ` Mickaël Salaün
2026-03-20 22:25 ` Günther Noack
2026-03-21 9:09 ` Mickaël Salaün
2026-03-23 15:31 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 4/9] samples/landlock: Add support for named UNIX domain socket restrictions Günther Noack
2026-03-15 22:21 ` [PATCH v6 5/9] landlock/selftests: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-20 10:51 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 6/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-15 22:21 ` [PATCH v6 7/9] landlock/selftests: Check that coredump sockets stay unrestricted Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-20 16:44 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 8/9] landlock/selftests: fs_test: Simplify ruleset creation and enforcement Günther Noack
2026-03-15 22:21 ` [PATCH v6 9/9] landlock: Document FS access right for pathname UNIX sockets Günther Noack
2026-03-18 16:54 ` Mickaël Salaün
2026-03-20 17:04 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260318.In1aekohyivu@digikod.net \
--to=mic@digikod.net \
--cc=bigeasy@linutronix.de \
--cc=brauner@kernel.org \
--cc=demiobenour@gmail.com \
--cc=fahimitahera@gmail.com \
--cc=georgia.garcia@canonical.com \
--cc=gnoack3000@gmail.com \
--cc=hi@alyssa.is \
--cc=horms@kernel.org \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=kuniyu@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=matthieu@buffet.re \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=samasth.norway.ananda@oracle.com \
--cc=serge@hallyn.com \
--cc=utilityemal77@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.