Re: [PATCH v5 2/9] landlock: Control pathname UNIX domain socket resolution by path

["Günther Noack" <gnoack3000@gmail.com>]

On Sun, Mar 08, 2026 at 10:09:21AM +0100, Mickaël Salaün wrote:
> On Sun, Feb 15, 2026 at 11:51:50AM +0100, Günther Noack wrote:
> > * Add a new access right LANDLOCK_ACCESS_FS_RESOLVE_UNIX, which
> >   controls the look up operations for named UNIX domain sockets.  The
> >   resolution happens during connect() and sendmsg() (depending on
> >   socket type).
> > * Hook into the path lookup in unix_find_bsd() in af_unix.c, using a
> >   LSM hook.  Make policy decisions based on the new access rights
> > * Increment the Landlock ABI version.
> > * Minor test adaptions to keep the tests working.
> > 
> > With this access right, access is granted if either of the following
> > conditions is met:
> > 
> > * The target socket's filesystem path was allow-listed using a
> >   LANDLOCK_RULE_PATH_BENEATH rule, *or*:
> > * The target socket was created in the same Landlock domain in which
> >   LANDLOCK_ACCESS_FS_RESOLVE_UNIX was restricted.
> > 
> > In case of a denial, connect() and sendmsg() return EACCES, which is
> > the same error as it is returned if the user does not have the write
> > bit in the traditional Unix file system permissions of that file.
> 
> It is not the same error code as for scoped abstract unix socket
> (EPERM), but it makes sense because the scope restrictions are closer to
> ambient rights (i.e. similar to a network isolation), whereas here the
> final denial comes from a missing FS rule (and all FS access checks may
> return EACCES).  It would be worth mentioning this difference in the
> user documentation.

Sounds good, added to the syscall documentation for V6.


> > This feature was created with substantial discussion and input from
> > Justin Suess, Tingmao Wang and Mickaël Salaün.
> > 
> > Cc: Tingmao Wang <m@maowtm.org>
> > Cc: Justin Suess <utilityemal77@gmail.com>
> > Cc: Mickaël Salaün <mic@digikod.net>
> > Suggested-by: Jann Horn <jannh@google.com>
> > Link: https://github.com/landlock-lsm/linux/issues/36
> > Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> > ---
> >  include/uapi/linux/landlock.h                |  10 ++
> >  security/landlock/access.h                   |  11 +-
> >  security/landlock/audit.c                    |   1 +
> >  security/landlock/fs.c                       | 102 ++++++++++++++++++-
> >  security/landlock/limits.h                   |   2 +-
> >  security/landlock/syscalls.c                 |   2 +-
> >  tools/testing/selftests/landlock/base_test.c |   2 +-
> >  tools/testing/selftests/landlock/fs_test.c   |   5 +-
> >  8 files changed, 128 insertions(+), 7 deletions(-)
> 
> > +static int hook_unix_find(const struct path *const path, struct sock *other,
> > +			  int flags)
> > +{
> > +	const struct landlock_ruleset *dom_other;
> > +	const struct landlock_cred_security *subject;
> > +	struct layer_access_masks layer_masks;
> > +	struct landlock_request request = {};
> > +	static const struct access_masks fs_resolve_unix = {
> > +		.fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
> > +	};
> > +
> > +	/* Lookup for the purpose of saving coredumps is OK. */
> > +	if (unlikely(flags & SOCK_COREDUMP))
> > +		return 0;
> > +
> > +	/* Access to the same (or a lower) domain is always allowed. */
> > +	subject = landlock_get_applicable_subject(current_cred(),
> > +						  fs_resolve_unix, NULL);
> > +
> > +	if (!subject)
> > +		return 0;
> > +
> > +	if (!landlock_init_layer_masks(subject->domain, fs_resolve_unix.fs,
> > +				       &layer_masks, LANDLOCK_KEY_INODE))
> > +		return 0;
> > +
> > +	/* Checks the layers in which we are connecting within the same domain. */
> > +	dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
> > +	unmask_scoped_access(subject->domain, dom_other, &layer_masks,
> > +			     fs_resolve_unix.fs);
> > +
> > +	if (layer_access_masks_empty(&layer_masks))
> 
> I don't see the point of this helper and this call wrt the following
> is_access_to_paths_allowed() call and the is_layer_masks_allowed()
> check.

layer_access_masks_empty() is indeed the same thing as
is_layer_masks_allowed(), so I removed that implementation again for
V6.

The reason why I was calling this here is so that we can skip the path
walk in the case where the scoped-access check already suffices to
allow the operation.  It is not strictly needed though, so I can
remove it.  It is probably better to implement such a shortcut within
is_access_to_paths_allowed() instead.

Removed the call and the implementation for V6.


> > +		return 0;
> > +
> > +	/* Checks the connections to allow-listed paths. */
> > +	if (is_access_to_paths_allowed(subject->domain, path,
> > +				       fs_resolve_unix.fs, &layer_masks,
> > +				       &request, NULL, 0, NULL, NULL, NULL))
> > +		return 0;
> > +
> > +	landlock_log_denial(subject, &request);
> > +	return -EACCES;
> > +}