From: Demi Marie Obenour <demiobenour@gmail.com>
To: "Justin Suess" <utilityemal77@gmail.com>,
"Tingmao Wang" <m@maowtm.org>,
"Günther Noack" <gnoack3000@gmail.com>
Cc: fahimitahera@gmail.com, hi@alyssa.is,
ivanov.mikhail1@huawei-partners.com, jannh@google.com,
konstantin.meskhidze@huawei.com,
linux-security-module@vger.kernel.org, matthieu@buffet.re,
mic@digikod.net, paul@paul-moore.com,
samasth.norway.ananda@oracle.com
Subject: Re: [RFC PATCH 3/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_CONNECT_UNIX
Date: Thu, 1 Jan 2026 17:39:26 -0500 [thread overview]
Message-ID: <884e44c6-7695-49a2-8d60-c7e76d260bea@gmail.com> (raw)
In-Reply-To: <43c0515d-afd3-4e00-a0fe-4d651a1d5cf1@gmail.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 2095 bytes --]
On 1/1/26 17:38, Justin Suess wrote:
> On 1/1/26 17:19, Tingmao Wang wrote:
>> On 1/1/26 22:11, Demi Marie Obenour wrote:
>>> On 1/1/26 17:07, Tingmao Wang wrote:
>>>
>>> (snip)
>>>
>>>> Looking at this I guess it might also make sense for the kernel side to
>>>> enforce only being able to add LANDLOCK_ACCESS_FS_CONNECT_UNIX on socket
>>>> files (S_ISSOCK(d_backing_inode)) too in landlock_append_fs_rule?
>>>>
>>>> Also, for the sandboxer logic, maybe a better way would be having
>>>> LANDLOCK_ACCESS_FS_CONNECT_UNIX in ACCESS_FILE (matching the kernel code),
>>>> then another if(!S_ISSOCK) below this that will clear out
>>>> LANDLOCK_ACCESS_FS_CONNECT_UNIX if not socket.
>>> A process might legitimately need to connect to a socket that doesn't
>>> exist at the time it sandboxes itself. Therefore, I think it makes
>>> sense to for LANDLOCK_ACCESS_FS_CONNECT_UNIX access to a directory
>>> to allow LANDLOCK_ACCESS_FS_CONNECT_UNIX to any socket under that
>>> directory. This matches the flexibility mount namespaces can achieve.
>> Right, I forgot about the fact that we also need it on dirs, apologies.
>>
>> (But maybe it might still make sense to not allow this on files which are
>> neither a socket or a dir? (If the file later gets removed and recreated
>> as a socket, the rule would not apply retroactively anyway due to being
>> tied to the inode.))
> How do we handle IOCTL access on regular files? I think that landlock will let you put IOCTL rights on regular files even they are not valid for that operation.
Regular files definitely support ioctls.
> Sockets seem like a similar case where the operation is only valid for a subset of file types.
>
> I think we should mirror the existing behavior is for consistency.
>
> Besides, restricting which file types can have that right also makes it harder for applications that may not care about the specific file type, but now would have to check the filetype before making a policy on them (also opening them to TOCTOU).
I agree.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2026-01-01 22:39 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-01 13:40 [RFC PATCH 0/5] landlock: Pathname-based UNIX connect() control Günther Noack
2026-01-01 13:40 ` [RFC PATCH 1/5] landlock/selftests: add a missing close(srv_fd) call Günther Noack
2026-01-01 13:40 ` [RFC PATCH 2/5] landlock: Control connections to pathname UNIX sockets by path Günther Noack
2026-01-01 13:41 ` [RFC PATCH 3/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_CONNECT_UNIX Günther Noack
2026-01-01 19:30 ` Justin Suess
2026-01-01 22:07 ` Tingmao Wang
2026-01-01 22:11 ` Demi Marie Obenour
2026-01-01 22:19 ` Tingmao Wang
2026-01-01 22:36 ` Demi Marie Obenour
2026-01-01 22:38 ` Justin Suess
2026-01-01 22:39 ` Demi Marie Obenour [this message]
2026-01-02 9:53 ` Günther Noack
2026-01-01 13:41 ` [RFC PATCH 4/5] landlock/selftests: test LANDLOCK_ACCESS_FS_CONNECT_UNIX Günther Noack
2026-01-01 13:41 ` [RFC PATCH 5/5] landlock: Document LANDLOCK_ACCESS_FS_UNIX_CONNECT Günther Noack
2026-01-01 22:14 ` [RFC PATCH 0/5] landlock: Pathname-based UNIX connect() control Demi Marie Obenour
2026-01-01 22:34 ` Tingmao Wang
2026-01-01 22:44 ` Demi Marie Obenour
2026-01-02 10:16 ` Günther Noack
2026-01-02 10:25 ` Günther Noack
2026-01-02 10:27 ` Demi Marie Obenour
2026-01-02 10:50 ` Günther Noack
2026-01-02 18:37 ` Demi Marie Obenour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=884e44c6-7695-49a2-8d60-c7e76d260bea@gmail.com \
--to=demiobenour@gmail.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack3000@gmail.com \
--cc=hi@alyssa.is \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=matthieu@buffet.re \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=samasth.norway.ananda@oracle.com \
--cc=utilityemal77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).