From: "Mickaël Salaün" <mic@digikod.net>
To: Matthieu Buffet <matthieu@buffet.re>
Cc: "Günther Noack" <gnoack@google.com>,
linux-security-module@vger.kernel.org,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com, "Tingmao Wang" <m@maowtm.org>,
netdev@vger.kernel.org, "Paul Moore" <paul@paul-moore.com>
Subject: Re: [PATCH v4 3/7] landlock: Add UDP send access control
Date: Fri, 22 May 2026 23:10:53 +0200 [thread overview]
Message-ID: <20260522.Shi4UuKeH6ch@digikod.net> (raw)
In-Reply-To: <20260502124306.3975990-4-matthieu@buffet.re>
On Sat, May 02, 2026 at 02:43:02PM +0200, Matthieu Buffet wrote:
> Add the second half of LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP: control the
> ability to specify an explicit destination when sending a datagram, to
> override any remote peer set on a UDP socket (in sendto(), sendmsg(), and
> sendmmsg()). It will make the right useful for clients which want to
> send datagrams while specifying a destination address each time.
>
> Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
> ---
> include/uapi/linux/landlock.h | 4 ++
> security/landlock/net.c | 70 ++++++++++++++++++++++++++++++++---
> 2 files changed, 68 insertions(+), 6 deletions(-)
>
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index 22c8cc63f30e..b147223efc97 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -396,6 +396,10 @@ struct landlock_net_port_attr {
> * - or grant %LANDLOCK_ACCESS_NET_BIND_UDP on a specific port, and
> * call :manpage:`bind(2)` on that port before trying to
> * :manpage:`connect(2)` or send datagrams.
> + *
> + * .. note:: Sending datagrams to an ``AF_UNSPEC`` destination address
> + * family is not supported for IPv6 UDP sockets: you will need to use a
> + * ``NULL`` address instead.
> */
> /* clang-format off */
> #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
> diff --git a/security/landlock/net.c b/security/landlock/net.c
> index 045881f81295..8a53aebdb8c6 100644
> --- a/security/landlock/net.c
> +++ b/security/landlock/net.c
> @@ -44,7 +44,8 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
> static int current_check_access_socket(struct socket *const sock,
> struct sockaddr *const address,
> const int addrlen,
> - access_mask_t access_request)
> + access_mask_t access_request,
> + bool connecting)
> {
> __be16 port;
> struct layer_access_masks layer_masks = {};
> @@ -69,7 +70,8 @@ static int current_check_access_socket(struct socket *const sock,
> switch (address->sa_family) {
> case AF_UNSPEC:
> if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP ||
> - access_request == LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP) {
> + (access_request == LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP &&
> + connecting)) {
> /*
> * Connecting to an address with AF_UNSPEC dissolves
> * the remote association while retaining the socket
> @@ -82,6 +84,35 @@ static int current_check_access_socket(struct socket *const sock,
> * inconsistencies and return -EINVAL if needed.
> */
> return 0;
> + } else if (access_request ==
> + LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP) {
> + if (sock->sk->__sk_common.skc_family == AF_INET6) {
> + /*
> + * We cannot allow sending UDP datagrams to an
> + * explicit AF_UNSPEC address on IPv6 sockets,
> + * even if AF_UNSPEC is treated as "no address"
> + * on such sockets (so it should always be allowed).
> + * That's because the socket's family can change under
> + * our feet (if another thread calls setsockopt(IPV6_ADDRFORM))
> + * to IPv4, which would then treat AF_UNSPEC as
> + * AF_INET.
> + */
> + audit_net.family = AF_UNSPEC;
I sent this patch and I just merged it in my tree:
https://lore.kernel.org/all/20260406143717.1815792-11-mic@digikod.net/
Günther, could you please take a look at this patch too?
For consistency, we need to add `audit_net.sk = sock->sk;` here.
> + landlock_init_layer_masks(
> + subject->domain, access_request,
> + &layer_masks, LANDLOCK_KEY_NET_PORT);
> + landlock_log_denial(
> + subject,
> + &(struct landlock_request){
> + .type = LANDLOCK_REQUEST_NET_ACCESS,
> + .audit.type =
> + LSM_AUDIT_DATA_NET,
> + .audit.u.net = &audit_net,
> + .access = access_request,
> + .layer_masks = &layer_masks,
> + });
> + return -EACCES;
> + }
> } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP ||
> access_request == LANDLOCK_ACCESS_NET_BIND_UDP) {
> /*
> @@ -124,7 +155,10 @@ static int current_check_access_socket(struct socket *const sock,
> } else {
> WARN_ON_ONCE(1);
> }
> - /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
> + /*
> + * For bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket and
> + * for sending to AF_UNSPEC addresses on IPv4 socket.
> + */
> fallthrough;
> case AF_INET: {
> const struct sockaddr_in *addr4;
> @@ -257,7 +291,7 @@ static int current_check_autobind_udp_socket(struct socket *const sock)
>
> return current_check_access_socket(sock, (struct sockaddr *)&port0,
> sizeof(port0),
> - LANDLOCK_ACCESS_NET_BIND_UDP);
> + LANDLOCK_ACCESS_NET_BIND_UDP, false);
> }
>
> static int hook_socket_bind(struct socket *const sock,
> @@ -273,7 +307,7 @@ static int hook_socket_bind(struct socket *const sock,
> return 0;
>
> return current_check_access_socket(sock, address, addrlen,
> - access_request);
> + access_request, false);
> }
>
> static int hook_socket_connect(struct socket *const sock,
> @@ -291,7 +325,7 @@ static int hook_socket_connect(struct socket *const sock,
> return 0;
>
> ret = current_check_access_socket(sock, address, addrlen,
> - access_request);
> + access_request, true);
>
> if (ret == 0 && sk_is_udp(sock->sk))
> ret = current_check_autobind_udp_socket(sock);
> @@ -299,9 +333,33 @@ static int hook_socket_connect(struct socket *const sock,
> return ret;
> }
>
> +static int hook_socket_sendmsg(struct socket *const sock,
> + struct msghdr *const msg, const int size)
> +{
> + struct sockaddr *const address = msg->msg_name;
> + const int addrlen = msg->msg_namelen;
> + access_mask_t access_request;
> + int ret = 0;
> +
> + if (sk_is_udp(sock->sk))
> + access_request = LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP;
> + else
> + return 0;
> +
> + if (address != NULL)
> + ret = current_check_access_socket(sock, address, addrlen,
> + access_request, false);
> +
> + if (ret == 0)
> + ret = current_check_autobind_udp_socket(sock);
> +
> + return ret;
> +}
> +
> static struct security_hook_list landlock_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(socket_bind, hook_socket_bind),
> LSM_HOOK_INIT(socket_connect, hook_socket_connect),
> + LSM_HOOK_INIT(socket_sendmsg, hook_socket_sendmsg),
> };
>
> __init void landlock_add_net_hooks(void)
> --
> 2.39.5
>
next prev parent reply other threads:[~2026-05-22 21:10 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-02 12:42 [PATCH v4 0/7] landlock: Add UDP access control support Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 1/7] landlock: Add UDP bind() access control Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 2/7] landlock: Add UDP connect() " Matthieu Buffet
2026-05-22 21:10 ` Mickaël Salaün
2026-05-22 21:18 ` Mickaël Salaün
2026-05-02 12:43 ` [PATCH v4 3/7] landlock: Add UDP send " Matthieu Buffet
2026-05-22 21:10 ` Mickaël Salaün [this message]
2026-05-02 12:43 ` [PATCH v4 4/7] selftests/landlock: Add UDP bind/connect tests Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 5/7] selftests/landlock: Add tests for sendmsg() Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 6/7] samples/landlock: Add sandboxer UDP access control Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 7/7] landlock: Add documentation for UDP support Matthieu Buffet
2026-05-22 21:11 ` Mickaël Salaün
2026-05-06 15:33 ` [PATCH v4 0/7] landlock: Add UDP access control support Günther Noack
2026-05-07 22:11 ` Matthieu Buffet
2026-05-22 21:08 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260522.Shi4UuKeH6ch@digikod.net \
--to=mic@digikod.net \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=matthieu@buffet.re \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox