From: John Ericson <John.Ericson@Obsidian.Systems>
To: "David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: "John Ericson" <mail@JohnEricson.me>,
"Cong Wang" <cwang@multikernel.io>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Simon Horman" <horms@kernel.org>,
"Christian Brauner" <brauner@kernel.org>,
"David Rheinsberg" <david@readahead.eu>,
"Andy Lutomirski" <luto@kernel.org>,
"Sergei Zimmerman" <sergei@zimmerman.foo>,
netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Paul Moore" <paul@paul-moore.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH 1/3] af_unix: factor out unix_lookup_bsd_path()
Date: Fri, 3 Jul 2026 03:39:42 -0400 [thread overview]
Message-ID: <20260703073948.2541875-2-John.Ericson@Obsidian.Systems> (raw)
In-Reply-To: <20260703073948.2541875-1-John.Ericson@Obsidian.Systems>
From: John Ericson <mail@JohnEricson.me>
Split the inode -> sock mapping out of `unix_find_bsd()` into a new
helper, `unix_lookup_bsd_path()`: given an already-resolved `struct
path`, check it is a socket, look the bound socket up by inode, and
check its type, returning a held `struct sock` (or an `ERR_PTR`).
`unix_find_bsd()` keeps doing the path resolution, the `MAY_WRITE`
permission check, the `security_unix_find()` LSM hook and
`touch_atime()`, and calls the helper for the lookup. No functional
change.
The function documentation anticipates (in an example) the way this will
be used later in the patch series.
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: John Ericson <mail@JohnEricson.me>
---
include/net/af_unix.h | 1 +
net/unix/af_unix.c | 50 ++++++++++++++++++++++++++++++++-----------
2 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 34f53dde65ce..fe4547508af1 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -14,6 +14,7 @@
#if IS_ENABLED(CONFIG_UNIX)
struct unix_sock *unix_get_socket(struct file *filp);
+struct sock *unix_lookup_bsd_path(const struct path *path, int type);
#else
static inline struct unix_sock *unix_get_socket(struct file *filp)
{
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index f7a9d55eee8a..3270299238c4 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1185,10 +1185,43 @@ static int unix_release(struct socket *sock)
return 0;
}
+/**
+ * unix_lookup_bsd_path - find the AF_UNIX socket bound at a resolved path
+ * @path: a path the caller has already resolved under its own policy
+ * @type: required socket type (SOCK_STREAM/SOCK_SEQPACKET/SOCK_DGRAM)
+ *
+ * Unlike the connect(2) lookup, this performs no path resolution and no
+ * DAC or LSM check of its own: the caller is responsible for having
+ * resolved @path with whatever policy is appropriate. Used by kernel
+ * callers (e.g. coredump-to-socket) that must resolve the path under
+ * their own root and credentials rather than the current task's.
+ *
+ * Returns a held sock, or an ERR_PTR.
+ */
+struct sock *unix_lookup_bsd_path(const struct path *path, int type)
+{
+ struct inode *inode = d_backing_inode(path->dentry);
+ struct sock *sk;
+
+ if (!S_ISSOCK(inode->i_mode))
+ return ERR_PTR(-ECONNREFUSED);
+
+ sk = unix_find_socket_byinode(inode);
+ if (!sk)
+ return ERR_PTR(-ECONNREFUSED);
+
+ if (sk->sk_type != type) {
+ sock_put(sk);
+ return ERR_PTR(-EPROTOTYPE);
+ }
+
+ return sk;
+}
+EXPORT_SYMBOL_GPL(unix_lookup_bsd_path);
+
static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
int type, int flags)
{
- struct inode *inode;
struct path path;
struct sock *sk;
int err;
@@ -1219,18 +1252,11 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
goto path_put;
}
- err = -ECONNREFUSED;
- inode = d_backing_inode(path.dentry);
- if (!S_ISSOCK(inode->i_mode))
+ sk = unix_lookup_bsd_path(&path, type);
+ if (IS_ERR(sk)) {
+ err = PTR_ERR(sk);
goto path_put;
-
- sk = unix_find_socket_byinode(inode);
- if (!sk)
- goto path_put;
-
- err = -EPROTOTYPE;
- if (sk->sk_type != type)
- goto sock_put;
+ }
err = security_unix_find(&path, sk, flags);
if (err)
--
2.54.0
next prev parent reply other threads:[~2026-07-03 7:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 7:39 [RFC PATCH 0/3] coredump, net: fix layer violation with direct connection John Ericson
2026-07-03 7:39 ` John Ericson [this message]
2026-07-03 7:39 ` [RFC PATCH 2/3] af_unix: factor out kernel_unix_connect_direct() John Ericson
2026-07-03 7:39 ` [RFC PATCH 3/3] coredump, net: remove `SOCK_COREDUMP` John Ericson
2026-07-03 8:11 ` Christian Brauner
2026-07-03 9:08 ` John Ericson
2026-07-03 9:31 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703073948.2541875-2-John.Ericson@Obsidian.Systems \
--to=john.ericson@obsidian.systems \
--cc=brauner@kernel.org \
--cc=cwang@multikernel.io \
--cc=davem@davemloft.net \
--cc=david@readahead.eu \
--cc=edumazet@google.com \
--cc=gnoack@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mail@JohnEricson.me \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paul@paul-moore.com \
--cc=sergei@zimmerman.foo \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox