From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp-8faa.mail.infomaniak.ch (smtp-8faa.mail.infomaniak.ch [83.166.143.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F3A633C1B3 for ; Wed, 18 Feb 2026 09:43:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.170 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771407790; cv=none; b=B7s/ZYRkZt78oNTstj+Z/DEaU27wg/lrc6wNfKezFIPhZRjcCEHbaP3cAL46cUvyk/5xXdBuiPTfM+Tf/NvF+73ZNjg2e0P7oo6kM6mW18FbzXKp43nH/lw5yGmYW3ExmoSR6d+UexYqcANxye9otxcRGahX9odV7LIr1q3N5I0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771407790; c=relaxed/simple; bh=J9Uxe4ZEAWj20zBZzQJyfXD6ju3mDOe3vYTEKgmZwTU=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=u8sLDRDP9UWfiXCDOpDHHY110EhpMNIonsES9psFwF7SfxnrljJ84FO3aLAG87Kbhw2rErEY+M8NfMSGCqweCYwZBIJUw1epV4eCs7S8kByZFaJ7xJMOj1zLkStHKLI8eCq5XPfSjbX3FSR3GD9b6HyYp5+ULR3zah9i3CZyulE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=2Encfo+X; arc=none smtp.client-ip=83.166.143.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="2Encfo+X" Received: from smtp-3-0001.mail.infomaniak.ch (smtp-3-0001.mail.infomaniak.ch [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4fGBH31RQnzqpc; Wed, 18 Feb 2026 10:36:47 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1771407407; bh=ffntIhV2m6xC97D+pEZgKwQ6ddwWIQFpxfoE0JG7tfw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=2Encfo+X/baZ2m1VBAgiRsUSMTGNzMcMAaicEiW0RYddGxHGEbherxuDtrOGldquH bEYIF1ZKpQ0UAeLfNT0YF0P5a8dU2rubVY2u/xGObzeIPdqJFeU+2auMZAYA/pdp3j oL/HEqhd7nEV0zHDsX9J4ea0IeUp2CYomld4z02g= Received: from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4fGBH06q50z5rJ; Wed, 18 Feb 2026 10:36:44 +0100 (CET) Date: Wed, 18 Feb 2026 10:36:37 +0100 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: =?utf-8?Q?G=C3=BCnther?= Noack Cc: John Johansen , Paul Moore , James Morris , "Serge E . Hallyn" , Tingmao Wang , Justin Suess , linux-security-module@vger.kernel.org, Samasth Norway Ananda , Matthieu Buffet , Mikhail Ivanov , konstantin.meskhidze@huawei.com, Demi Marie Obenour , Alyssa Ross , Jann Horn , Tahera Fahimi , Simon Horman , netdev@vger.kernel.org, Alexander Viro , Christian Brauner Subject: Re: [PATCH v5 1/9] lsm: Add LSM hook security_unix_find Message-ID: <20260217.Nei3Aeg8bo6h@digikod.net> References: <20260215105158.28132-1-gnoack3000@gmail.com> <20260215105158.28132-2-gnoack3000@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20260215105158.28132-2-gnoack3000@gmail.com> X-Infomaniak-Routing: alpha On Sun, Feb 15, 2026 at 11:51:49AM +0100, Günther Noack wrote: > From: Justin Suess > > Add a LSM hook security_unix_find. > > This hook is called to check the path of a named unix socket before a > connection is initiated. The peer socket may be inspected as well. > > Why existing hooks are unsuitable: > > Existing socket hooks, security_unix_stream_connect(), > security_unix_may_send(), and security_socket_connect() don't provide > TOCTOU-free / namespace independent access to the paths of sockets. > > (1) We cannot resolve the path from the struct sockaddr in existing hooks. > This requires another path lookup. A change in the path between the > two lookups will cause a TOCTOU bug. > > (2) We cannot use the struct path from the listening socket, because it > may be bound to a path in a different namespace than the caller, > resulting in a path that cannot be referenced at policy creation time. > > Cc: Günther Noack > Cc: Tingmao Wang > Signed-off-by: Justin Suess > --- > include/linux/lsm_hook_defs.h | 5 +++++ > include/linux/security.h | 11 +++++++++++ > net/unix/af_unix.c | 8 ++++++++ > security/security.c | 20 ++++++++++++++++++++ > 4 files changed, 44 insertions(+) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index 8c42b4bde09c..7a0fd3dbfa29 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -317,6 +317,11 @@ LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, > LSM_HOOK(int, 0, watch_key, struct key *key) > #endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */ > > +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH) > +LSM_HOOK(int, 0, unix_find, const struct path *path, struct sock *other, > + int flags) > +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ > + > #ifdef CONFIG_SECURITY_NETWORK > LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other, > struct sock *newsk) > diff --git a/include/linux/security.h b/include/linux/security.h > index 83a646d72f6f..99a33d8eb28d 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -1931,6 +1931,17 @@ static inline int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) > } > #endif /* CONFIG_SECURITY_NETWORK */ > > +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH) > + > +int security_unix_find(const struct path *path, struct sock *other, int flags); > + > +#else /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ > +static inline int security_unix_find(const struct path *path, struct sock *other, int flags) > +{ > + return 0; > +} > +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ > + > #ifdef CONFIG_SECURITY_INFINIBAND > int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey); > int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num); > diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c > index d0511225799b..369812b79dd8 100644 > --- a/net/unix/af_unix.c > +++ b/net/unix/af_unix.c > @@ -1230,6 +1230,14 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len, > if (!sk) > goto path_put; > > + /* > + * We call the hook because we know that the inode is a socket and we > + * hold a valid reference to it via the path. > + */ > + err = security_unix_find(&path, sk, flags); > + if (err) > + goto sock_put; > + > err = -EPROTOTYPE; > if (sk->sk_type == type) I think this hook call should be moved here, just before the touch_atime() call for consistency with the socket type check, and to avoid doing useless check in the hook. > touch_atime(&path); > diff --git a/security/security.c b/security/security.c > index 67af9228c4e9..c73196b8db4b 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -4731,6 +4731,26 @@ int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) > > #endif /* CONFIG_SECURITY_NETWORK */ > > +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH) > +/** > + * security_unix_find() - Check if a named AF_UNIX socket can connect > + * @path: path of the socket being connected to > + * @other: peer sock > + * @flags: flags associated with the socket > + * > + * This hook is called to check permissions before connecting to a named > + * AF_UNIX socket. > + * > + * Return: Returns 0 if permission is granted. > + */ > +int security_unix_find(const struct path *path, struct sock *other, int flags) > +{ > + return call_int_hook(unix_find, path, other, flags); > +} > +EXPORT_SYMBOL(security_unix_find); > + > +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ > + > #ifdef CONFIG_SECURITY_INFINIBAND > /** > * security_ib_pkey_access() - Check if access to an IB pkey is allowed > -- > 2.52.0 > >