* [PATCH v7 00/11] landlock: UNIX connect() control by pathname and scope
@ 2026-03-23 16:56 Günther Noack
2026-03-23 16:56 ` [PATCH v7 01/11] lsm: Add LSM hook security_unix_find Günther Noack
0 siblings, 1 reply; 4+ messages in thread
From: Günther Noack @ 2026-03-23 16:56 UTC (permalink / raw)
To: Mickaël Salaün, John Johansen, Paul Moore, James Morris,
Serge E . Hallyn
Cc: Günther Noack, linux-security-module, Tingmao Wang,
Justin Suess, Samasth Norway Ananda, Matthieu Buffet,
Mikhail Ivanov, konstantin.meskhidze, Demi Marie Obenour,
Alyssa Ross, Jann Horn, Tahera Fahimi, Sebastian Andrzej Siewior,
Kuniyuki Iwashima, Simon Horman, netdev, Alexander Viro,
Christian Brauner
Hello!
This patch set introduces a filesystem-based Landlock restriction
mechanism for connecting to UNIX domain sockets (or addressing them
with sendmsg(2)). It introduces the filesystem access right
LANDLOCK_ACCESS_FS_RESOLVE_UNIX.
For the connection-oriented SOCK_STREAM and SOCK_SEQPACKET type
sockets, the access right makes the connect(2) operation fail with
EACCES, if denied.
SOCK_DGRAM-type UNIX sockets can be used both with connect(2), or by
passing an explicit recipient address with every sendmsg(2)
invocation. In the latter case, the Landlock check is done when an
explicit recipient address is passed to sendmsg(2) and can make
sendmsg(2) return EACCES. When UNIX datagram sockets are connected
with connect(2), a fixed recipient address is associated with the
socket and the check happens during connect(2) and may return EACCES.
When LANDLOCK_ACCESS_FS_RESOLVE_UNIX is handled within a Landlock
domain, this domain will only allow connect(2) and sendmsg(2) to
server sockets that were created within the same domain. Or, to
phrase it the other way around: Unless it is allow-listed with a
LANDLOCK_PATH_BENEATH rule, the newly created domain denies connect(2)
and sendmsg(2) actions that are directed *outwards* of that domain.
In that regard, LANDLOCK_ACCESS_FS_RESOLVE_UNIX has the same semantics
as one of the "scoped" access rights.
== Motivation
Currently, landlocked processes can connect to named UNIX sockets
through the BSD socket API described in unix(7), by invoking socket(2)
followed by connect(2) with a suitable struct sockname_un holding the
socket's filename. This is a surprising gap in Landlock's sandboxing
capabilities for users (e.g. in [1]) and it can be used to escape a
sandbox when a Unix service offers command execution (various such
scenarios were listed by Tingmao Wang in [2]).
The original feature request is at [4].
== Alternatives and Related Work
=== Alternative: Use existing LSM hooks
We have carefully and seriously considered the use of existing LSM
hooks, but still came to the conclusion that a new LSM hook is better
suited in this case:
The existing hooks security_unix_stream_connect(),
security_unix_may_send() and security_socket_connect() do not give
access to the resolved filesystem path.
* Resolving the filesystem path in the struct sockaddr_un again within
a Landlock would produce a TOCTOU race, so this is not an option.
* We would therefore need to wire through the resolved struct path
from unix_find_bsd() to one of the existing LSM hooks which get
called later. This would be a more substantial change to af_unix.c.
The struct path that is available in the listening-side struct sock is
can be read through the existing hooks, but it is not an option to use
this information: As the listening socket may have been bound from
within a different namespace, the path that was used for that can is
in the general case not meaningful for a sandboxed process. In
particular, it is not possible to use this path (or prefixes thereof)
when constructing a sandbox policy in the client-side process.
Paul Moore also chimed in in support of adding a new hook, with the
rationale that the simplest change to the LSM hook interface has
traditionally proven to be the most robust. [11]
More details are on the Github issue at [6] and on the LKML at [9].
In a the discussion of the V2 review, started by Christian Brauner
[10], we have further explored the approach of reusing the existing
LSM hooks but still ended up leaning on the side of introducing a new
hook, with Paul Moore and me (gnoack) arguing for that option.
Further insights about the LSM hook were shared in the V3 review by
Tingmao Wang [12], who spotted additional requirements due to the two
approaches being merged into one patch set. The summary of that
discussion is in [13].
=== Related work: Scope Control for Pathname Unix Sockets
The motivation for this patch is the same as in Tingmao Wang's patch
set for "scoped" control for pathname Unix sockets [2], originally
proposed in the Github feature request [5].
In [14], we have settled on the decision to merge the two patch sets
into this one, whose primary way of controlling connect(2) is
LANDLOCK_ACCESS_FS_RESOLVE_UNIX, but where this flag additionally has
the semantics of only restricting this unix(7) IPC *outwards* of the
created Landlock domain, in line with the logic that exists for the
existing "scoped" flags already.
By having LANDLOCK_ACCESS_FS_RESOLVE_UNIX implement "scoping"
semantics, we can avoid introducing two separate interacting flags for
now, but we retain the option of introducing
LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET at a later point in time, should
such a flag be needed to express additional rules.
== Credits
The feature was originally suggested by Jann Horn in [7].
Tingmao Wang and Demi Marie Obenour have taken the initiative to
revive this discussion again in [1], [4] and [5].
Tingmao Wang has sent the patch set for the scoped access control for
pathname Unix sockets [2] and has contributed substantial insights
during the code review, shaping the form of the LSM hook and agreeing
to merge the pathname and scoped-flag patch sets.
Justin Suess has sent the patch for the LSM hook in [8] and
subsequently through this patch set.
Christian Brauner and Paul Moore have contributed to the design of the
new LSM hook, discussing the tradeoffs in [10].
Sebastian Andrzej Siewior and Kuniyuki Iwashima have helped with
locking questions in the networking subsystem. [15] [16]
Ryan Sullivan has started on an initial implementation and has brought
up relevant discussion points on the Github issue at [4].
As maintainer of Landlock, Mickaël Salaün has done the main review so
far and particularly pointed out ways in which the UNIX connect()
patch sets interact with each other and what we need to look for with
regards to UAPI consistency as Landlock evolves.
[1] https://lore.kernel.org/landlock/515ff0f4-2ab3-46de-8d1e-5c66a93c6ede@gmail.com/
[2] Tingmao Wang's "Implement scope control for pathname Unix sockets"
https://lore.kernel.org/all/cover.1767115163.git.m@maowtm.org/
[3] https://lore.kernel.org/all/20251230.bcae69888454@gnoack.org/
[4] Github issue for FS-based control for named Unix sockets:
https://github.com/landlock-lsm/linux/issues/36
[5] Github issue for scope-based restriction of named Unix sockets:
https://github.com/landlock-lsm/linux/issues/51
[6] https://github.com/landlock-lsm/linux/issues/36#issuecomment-2950632277
[7] https://lore.kernel.org/linux-security-module/CAG48ez3NvVnonOqKH4oRwRqbSOLO0p9djBqgvxVwn6gtGQBPcw@mail.gmail.com/
[8] Patch for the LSM hook:
https://lore.kernel.org/all/20251231213314.2979118-1-utilityemal77@gmail.com/
[9] https://lore.kernel.org/all/20260108.64bd7391e1ae@gnoack.org/
[10] https://lore.kernel.org/all/20260113-kerngesund-etage-86de4a21da24@brauner/
[11] https://lore.kernel.org/all/CAHC9VhQHZCe0LMx4xzSo-h1SWY489U4frKYnxu4YVrcJN3x7nA@mail.gmail.com/
[12] https://lore.kernel.org/all/e6b6b069-384c-4c45-a56b-fa54b26bc72a@maowtm.org/
[13] https://lore.kernel.org/all/aYMenaSmBkAsFowd@google.com/
[14] https://lore.kernel.org/all/20260205.Kiech3gupee1@digikod.net/
[15] https://lore.kernel.org/all/20260310151907.VYySCtJp@linutronix.de/
[16] https://lore.kernel.org/all/CAAVpQUC95mSjX1vRK===pubHofcYqbkNE7goYKiu6vha5GYAFw@mail.gmail.com/
---
== Patch set history
V1: https://lore.kernel.org/all/20260101134102.25938-1-gnoack3000@gmail.com/
V2: https://lore.kernel.org/all/20260110143300.71048-2-gnoack3000@gmail.com/
V3: https://lore.kernel.org/all/20260119203457.97676-2-gnoack3000@gmail.com/
V4: https://lore.kernel.org/all/20260208231017.114343-1-gnoack3000@gmail.com/
V5: https://lore.kernel.org/all/20260215105158.28132-1-gnoack3000@gmail.com/
V6: https://lore.kernel.org/all/20260315222150.121952-1-gnoack3000@gmail.com/
Changes in V7:
* Implementation:
* LSM hook: Small header file layout restructurings, typos (Justin)
* Hold unix_state_lock across the usage of the other Landlock domain
This prevents a UAF; spotted by Mickaël and Sebastian in code review 🏆
* Ignore the return value from landlock_init_layer_masks() -
it is not needed in this specific case
* Add a BUILD_BUG_ON to unmask_scoped_access() like in
domain_is_scoped(). Revise the BUILD_BUG_ON logic and bring both
implementations in line.
* Documentation and commentary:
* Mention access_mask_t change from u16 to u32 in commit message
* Improve documentation for unmask_scoped_access()
* Various typos and smaller documentation fixes, caught in code review
* Add ABI version remark to landlock.h
* Add comment to explain why returning 0 on SOCK_DEAD is correct -
This is not obvious in the code and requires understanding the callers
* In kernel docs, use "case 6 ... 8" in a place
Changes in V6:
* Implementation:
* Move the LSM hook call after the check that checks for the other
end's matching socket type. (Justin Suess)
* Lock with unix_state_lock() and check SOCK_DEAD.
* Remove unnecessary layer_access_masks_empty() call (and its
implementation).
* Documentation:
* Squash docs with design rationale into main implementation commit,
and cross-referece it from the header docs.
* Clarify that denials result in EACCES and that this is consistent
with other filesystem access rights.
* Minor:
* Use mem_is_zero() in is_layer_masks_allowed() (minor cleanup)
* Omit unnecessary __attribute__((fallthrough)) usages
* Remove comment at the end of a line in a place.
* Selftests:
* sun_path population fixes
* coredump test: Set EUID to 0 (needed for UML-based selftests)
Link[1]: https://lore.kernel.org/all/20260218.ohth8theu8Yi@digikod.net/
Changes in V5:
This change primarily adds tests, changing the testing approach for
the main test to use the scoped_domains fixture as in Tingmao's patch
set [2], and adding tests for the audit and coredump cases.
* Selftests:
* Replaced the main selftest with one based on scoped_domains
* Added audit test
* Added test for the coredump case
* Added a follow-up commit that simplifies ruleset enforcement
* Kernel code:
* Mark coredump check as unlikely (per Justin's review)
* Drop check for socket type (per Mickaël's review)
Changes in V4:
Since this version, this patch set subsumes the scoping semantics from
Tingmao Wang's "Scope Control" patch set [2], per discussion with
Tingmao Wang and Mickaël Salaün in [14] and in the thread leading up
to it.
Now, LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET only restricts connect(2) and
sendmsg(2) *outwards* of the domain where it is restricted, *with the
same semantics as a "scoped" flag*.
* Implement a layer-mask based version of domain_is_scoped():
unmask_scoped_access(). Rationale: domain_is_scoped() returns
early, which we can't do in the layer masks based variant. The two
variants are similar enough.
* LSM hook: Replace 'type' argument with 'sk' argument,
per discussion in [12] and [13].
* Bump ABI version to 9 (pessimistically assuming that we won't make
it for 7.0)
* Documentation fixes in header file and in Documentation/
* selftests: more test variants, now also parameterizing whether the
server socket gets created within the Landlock domain or before that
* selftests: use EXPECT_EQ() for test cleanup
Changes in V3:
* LSM hook: rename it to security_unix_find() (Justin Suess)
(resolving the previously open question about the LSM hook name)
Related discussions:
https://lore.kernel.org/all/20260112.Wufar9coosoo@digikod.net/
https://lore.kernel.org/all/CAHC9VhSRiHwLEWfFkQdPEwgB4AXKbXzw_+3u=9hPpvUTnu02Bg@mail.gmail.com/
* Reunite the three UNIX resolving access rights back into one
(resolving the previously open question about the access right
structuring) Related discussion:
https://lore.kernel.org/all/20260112.Wufar9coosoo@digikod.net/)
* Sample tool: Add new UNIX lookup access rights to ACCESS_FILE
Changes in V2:
* Send Justin Suess's LSM hook patch together with the Landlock
implementation
* LSM hook: Pass type and flags parameters to the hook, to make the
access right more generally usable across LSMs, per suggestion from
Paul Moore (Implemented by Justin)
* Split the access right into the three types of UNIX domain sockets:
SOCK_STREAM, SOCK_DGRAM and SOCK_SEQPACKET.
* selftests: More exhaustive tests.
* Removed a minor commit from V1 which adds a missing close(fd) to a
test (it is already in the mic-next branch)
Günther Noack (10):
landlock: Use mem_is_zero() in is_layer_masks_allowed()
landlock: Control pathname UNIX domain socket resolution by path
samples/landlock: Add support for named UNIX domain socket
restrictions
landlock: Clarify BUILD_BUG_ON check in scoping logic
selftests/landlock: Replace access_fs_16 with ACCESS_ALL in fs_test
selftests/landlock: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX
selftests/landlock: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX
selftests/landlock: Check that coredump sockets stay unrestricted
selftests/landlock: fs_test: Simplify ruleset creation and enforcement
landlock: Document FS access right for pathname UNIX sockets
Justin Suess (1):
lsm: Add LSM hook security_unix_find
Documentation/security/landlock.rst | 40 +
Documentation/userspace-api/landlock.rst | 14 +-
include/linux/lsm_hook_defs.h | 5 +
include/linux/security.h | 11 +
include/uapi/linux/landlock.h | 21 +
net/unix/af_unix.c | 10 +-
samples/landlock/sandboxer.c | 12 +-
security/landlock/access.h | 2 +-
security/landlock/audit.c | 1 +
security/landlock/fs.c | 135 +-
security/landlock/limits.h | 2 +-
security/landlock/syscalls.c | 2 +-
security/landlock/task.c | 9 +-
security/security.c | 20 +
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/fs_test.c | 1345 ++++++++++--------
16 files changed, 1003 insertions(+), 628 deletions(-)
Range-diff against v6:
1: b2235eddb099 ! 1: dec515e7d7bf lsm: Add LSM hook security_unix_find
@@ Metadata
## Commit message ##
lsm: Add LSM hook security_unix_find
- Add a LSM hook security_unix_find.
+ Add an LSM hook security_unix_find.
- This hook is called to check the path of a named unix socket before a
+ This hook is called to check the path of a named UNIX socket before a
connection is initiated. The peer socket may be inspected as well.
Why existing hooks are unsuitable:
@@ Commit message
may be bound to a path in a different namespace than the caller,
resulting in a path that cannot be referenced at policy creation time.
+ Consumers of the hook wishing to reference @other are responsible
+ for acquiring the unix_state_lock and checking for the SOCK_DEAD flag
+ therein, ensuring the socket hasn't died since lookup.
+
Cc: Günther Noack <gnoack3000@gmail.com>
Cc: Tingmao Wang <m@maowtm.org>
+ Cc: Mickaël Salaün <mic@digikod.net>
+ Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Justin Suess <utilityemal77@gmail.com>
+ Signed-off-by: Günther Noack <gnoack3000@gmail.com>
## include/linux/lsm_hook_defs.h ##
@@ include/linux/lsm_hook_defs.h: LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
@@ net/unix/af_unix.c: static struct sock *unix_find_bsd(struct sockaddr_un *sunadd
+ if (sk->sk_type != type)
goto sock_put;
-+ /*
-+ * We call the hook because we know that the inode is a socket and we
-+ * hold a valid reference to it via the path.
-+ */
+ err = security_unix_find(&path, sk, flags);
+ if (err)
+ goto sock_put;
++
+ touch_atime(&path);
+
path_put(&path);
@@ security/security.c: int security_mptcp_add_subflow(struct sock *sk, struct sock
+ * @flags: flags associated with the socket
+ *
+ * This hook is called to check permissions before connecting to a named
-+ * AF_UNIX socket.
++ * AF_UNIX socket. The caller does not hold any locks on @other.
+ *
+ * Return: Returns 0 if permission is granted.
+ */
2: 0e25c15eea62 ! 2: aaa334660a52 landlock: use mem_is_zero() in is_layer_masks_allowed()
@@ Metadata
Author: Günther Noack <gnoack3000@gmail.com>
## Commit message ##
- landlock: use mem_is_zero() in is_layer_masks_allowed()
+ landlock: Use mem_is_zero() in is_layer_masks_allowed()
This is equivalent, but expresses the intent a bit clearer.
3: e50515788eba ! 3: 4d455134c5d9 landlock: Control pathname UNIX domain socket resolution by path
@@ Commit message
landlock: Control pathname UNIX domain socket resolution by path
* Add a new access right LANDLOCK_ACCESS_FS_RESOLVE_UNIX, which
- controls the look up operations for named UNIX domain sockets. The
+ controls the lookup operations for named UNIX domain sockets. The
resolution happens during connect() and sendmsg() (depending on
socket type).
+ * Change access_mask_t from u16 to u32 (see below)
* Hook into the path lookup in unix_find_bsd() in af_unix.c, using a
LSM hook. Make policy decisions based on the new access rights
* Increment the Landlock ABI version.
- * Minor test adaptions to keep the tests working.
+ * Minor test adaptations to keep the tests working.
* Document the design rationale for scoped access rights,
and cross-reference it from the header documentation.
@@ Commit message
In case of a denial, connect() and sendmsg() return EACCES, which is
the same error as it is returned if the user does not have the write
- bit in the traditional Unix file system permissions of that file.
+ bit in the traditional UNIX file system permissions of that file.
+
+ The access_mask_t type grows from u16 to u32 to make space for the new
+ access right. This also doubles the size of struct layer_access_masks
+ from 32 byte to 64 byte.
Document the (possible future) interaction between scoped flags and
other access rights in struct landlock_ruleset_attr, and summarize the
@@ include/uapi/linux/landlock.h: struct landlock_net_port_attr {
+ * were created outside of the newly created Landlock domain (e.g. from within
+ * a parent domain or from an unrestricted process). Newly created UNIX
+ * servers within the same Landlock domain continue to be accessible. In this
-+ * regard, %LANDLOCK_ACCESS_RESOLVE_UNIX has the same semantics as the
++ * regard, %LANDLOCK_ACCESS_FS_RESOLVE_UNIX has the same semantics as the
+ * ``LANDLOCK_SCOPE_*`` flags.
+ *
+ * If a resolve attempt is denied, the operation returns an ``EACCES`` error,
+ * in line with other filesystem access rights (but different to denials for
+ * abstract UNIX domain sockets).
+ *
++ * This access right is available since the ninth version of the Landlock ABI.
++ *
+ * The rationale for this design is described in
+ * :ref:`Documentation/security/landlock.rst <scoped-flags-interaction>`.
*
@@ security/landlock/fs.c: static int hook_path_truncate(const struct path *const p
+ * This does the same as domain_is_scoped(), but unmasks bits in @masks.
+ * It can not return early as domain_is_scoped() does.
+ *
++ * A scoped access for a given access right bit is allowed iff, for all layer
++ * depths where the access bit is set, the client and server domain are the
++ * same. This function clears the access rights @access in @masks at all layer
++ * depths where the client and server domain are the same, so that, when they
++ * are all cleared, the access is allowed.
++ *
+ * @client: Client domain
+ * @server: Server domain
+ * @masks: Layer access masks to unmask
-+ * @access: Access bit that controls scoping
++ * @access: Access bits that control scoping
+ */
+static void unmask_scoped_access(const struct landlock_ruleset *const client,
+ const struct landlock_ruleset *const server,
@@ security/landlock/fs.c: static int hook_path_truncate(const struct path *const p
+ if (!server)
+ return;
+
++ /*
++ * client_layer must be a signed integer with greater capacity
++ * than client->num_layers to ensure the following loop stops.
++ */
++ BUILD_BUG_ON(sizeof(client_layer) > sizeof(client->num_layers));
++
+ client_layer = client->num_layers - 1;
+ client_walker = client->hierarchy;
+ server_layer = server->num_layers - 1;
@@ security/landlock/fs.c: static int hook_path_truncate(const struct path *const p
+ if (unlikely(flags & SOCK_COREDUMP))
+ return 0;
+
-+ /* Access to the same (or a lower) domain is always allowed. */
+ subject = landlock_get_applicable_subject(current_cred(),
+ fs_resolve_unix, NULL);
+
+ if (!subject)
+ return 0;
+
-+ if (!landlock_init_layer_masks(subject->domain, fs_resolve_unix.fs,
-+ &layer_masks, LANDLOCK_KEY_INODE))
-+ return 0;
++ /*
++ * Ignoring return value: that the domains apply was already checked in
++ * landlock_get_applicable_subject() above.
++ */
++ landlock_init_layer_masks(subject->domain, fs_resolve_unix.fs,
++ &layer_masks, LANDLOCK_KEY_INODE);
+
+ /* Checks the layers in which we are connecting within the same domain. */
+ unix_state_lock(other);
+ if (unlikely(sock_flag(other, SOCK_DEAD) || !other->sk_socket ||
+ !other->sk_socket->file)) {
+ unix_state_unlock(other);
++ /*
++ * We rely on the caller to catch the (non-reversible) SOCK_DEAD
++ * condition and retry the lookup. If we returned an error
++ * here, the lookup would not get retried.
++ */
+ return 0;
+ }
+ dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
-+ unix_state_unlock(other);
+
++ /* Access to the same (or a lower) domain is always allowed. */
+ unmask_scoped_access(subject->domain, dom_other, &layer_masks,
+ fs_resolve_unix.fs);
++ unix_state_unlock(other);
+
+ /* Checks the connections to allow-listed paths. */
+ if (is_access_to_paths_allowed(subject->domain, path,
4: 8c1a813b9831 = 4: 70354dfcefcb samples/landlock: Add support for named UNIX domain socket restrictions
-: ------------ > 5: 00c90045f470 landlock: Clarify BUILD_BUG_ON check in scoping logic
9: 43c93c9af805 ! 6: b8e6477b2f9a landlock: Document FS access right for pathname UNIX sockets
@@ Metadata
Author: Günther Noack <gnoack3000@gmail.com>
## Commit message ##
- landlock: Document FS access right for pathname UNIX sockets
+ selftests/landlock: Replace access_fs_16 with ACCESS_ALL in fs_test
- Cc: Justin Suess <utilityemal77@gmail.com>
- Cc: Mickaël Salaün <mic@digikod.net>
+ The access_fs_16 variable was originally intended to stay frozen at 16
+ access rights so that audit tests would not need updating when new
+ access rights are added. Now that we have 17 access rights, the name
+ is confusing.
+
+ Replace all uses of access_fs_16 with ACCESS_ALL and delete the
+ variable.
+
+ Suggested-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
- ## Documentation/userspace-api/landlock.rst ##
-@@ Documentation/userspace-api/landlock.rst: to be explicit about the denied-by-default access rights.
- LANDLOCK_ACCESS_FS_MAKE_SYM |
- LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_TRUNCATE |
-- LANDLOCK_ACCESS_FS_IOCTL_DEV,
-+ LANDLOCK_ACCESS_FS_IOCTL_DEV |
-+ LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
- .handled_access_net =
- LANDLOCK_ACCESS_NET_BIND_TCP |
- LANDLOCK_ACCESS_NET_CONNECT_TCP,
-@@ Documentation/userspace-api/landlock.rst: version, and only use the available subset of access rights:
- /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
- ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
- LANDLOCK_SCOPE_SIGNAL);
-+ __attribute__((fallthrough));
-+ case 7:
-+ case 8:
-+ /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */
-+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
- }
+ ## tools/testing/selftests/landlock/fs_test.c ##
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, execute_make)
+ * only the blocked ones are logged.
+ */
- This enables the creation of an inclusive ruleset that will contain our rules.
-@@ Documentation/userspace-api/landlock.rst: enforce Landlock rulesets across all threads of the calling process
- using the ``LANDLOCK_RESTRICT_SELF_TSYNC`` flag passed to
- sys_landlock_restrict_self().
+-/* clang-format off */
+-static const __u64 access_fs_16 =
+- LANDLOCK_ACCESS_FS_EXECUTE |
+- LANDLOCK_ACCESS_FS_WRITE_FILE |
+- LANDLOCK_ACCESS_FS_READ_FILE |
+- LANDLOCK_ACCESS_FS_READ_DIR |
+- LANDLOCK_ACCESS_FS_REMOVE_DIR |
+- LANDLOCK_ACCESS_FS_REMOVE_FILE |
+- LANDLOCK_ACCESS_FS_MAKE_CHAR |
+- LANDLOCK_ACCESS_FS_MAKE_DIR |
+- LANDLOCK_ACCESS_FS_MAKE_REG |
+- LANDLOCK_ACCESS_FS_MAKE_SOCK |
+- LANDLOCK_ACCESS_FS_MAKE_FIFO |
+- LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+- LANDLOCK_ACCESS_FS_MAKE_SYM |
+- LANDLOCK_ACCESS_FS_REFER |
+- LANDLOCK_ACCESS_FS_TRUNCATE |
+- LANDLOCK_ACCESS_FS_IOCTL_DEV;
+-/* clang-format on */
+-
+ TEST_F(audit_layout1, execute_read)
+ {
+ struct audit_records records;
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, execute_read)
+ test_check_exec(_metadata, 0, file1_s1d1);
-+Pathname UNIX sockets (ABI < 9)
-+-------------------------------
-+
-+Starting with the Landlock ABI version 9, it is possible to restrict
-+connections to pathname UNIX domain sockets (:manpage:`unix(7)`) using
-+the new ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` right.
-+
- .. _kernel_support:
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ /*
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, write_file)
+ struct audit_records records;
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, read_file)
+ struct audit_records records;
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, read_dir)
+ struct audit_records records;
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(EACCES, test_open(dir_s1d1, O_DIRECTORY));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, remove_dir)
+ EXPECT_EQ(0, unlink(file2_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, rmdir(dir_s1d3));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, remove_file)
+ struct audit_records records;
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, unlink(file1_s1d3));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_char)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, mknod(file1_s1d3, S_IFCHR | 0644, 0));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_dir)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, mkdir(file1_s1d3, 0755));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_reg)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, mknod(file1_s1d3, S_IFREG | 0644, 0));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_sock)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, mknod(file1_s1d3, S_IFSOCK | 0644, 0));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_fifo)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, mknod(file1_s1d3, S_IFIFO | 0644, 0));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_block)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, mknod(file1_s1d3, S_IFBLK | 0644, 0));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_sym)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, symlink("target", file1_s1d3));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, refer_rename)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(EACCES, test_rename(file1_s1d2, file1_s2d3));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, refer_exchange)
+ EXPECT_EQ(0, unlink(file1_s1d3));
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ /*
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, truncate)
+ struct audit_records records;
+
+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+- .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ EXPECT_EQ(-1, truncate(file1_s1d3, 0));
+@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, ioctl_dev)
+ drop_access_rights(_metadata,
+ &(struct landlock_ruleset_attr){
+ .handled_access_fs =
+- access_fs_16 &
++ ACCESS_ALL &
+ ~LANDLOCK_ACCESS_FS_READ_FILE,
+ });
- Kernel support
5: 7c360d3c293f ! 7: 66554c5b5b9c landlock/selftests: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX
@@ Metadata
Author: Günther Noack <gnoack3000@gmail.com>
## Commit message ##
- landlock/selftests: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+ selftests/landlock: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX
* Extract common helpers from an existing IOCTL test that
also uses pathname unix(7) sockets.
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F_FORK(ioctl, handle_file_acces
+ enforce_ruleset(_metadata, fd);
+ EXPECT_EQ(0, close(fd));
+ } else {
-+ drop_access_rights(
-+ _metadata,
-+ &(struct landlock_ruleset_attr){
-+ .handled_access_fs =
-+ LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
-+ });
++ struct landlock_ruleset_attr attr = {
++ .handled_access_fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
++ };
++ drop_access_rights(_metadata, &attr);
+ }
+}
+
6: 6ea15ea91990 ! 8: fab3d3d71215 landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX
@@ Metadata
Author: Günther Noack <gnoack3000@gmail.com>
## Commit message ##
- landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+ selftests/landlock: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX
Add an audit test to check that Landlock denials from
LANDLOCK_ACCESS_FS_RESOLVE_UNIX result in audit logs in the expected
@@ Commit message
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
## tools/testing/selftests/landlock/fs_test.c ##
-@@ tools/testing/selftests/landlock/fs_test.c: static const __u64 access_fs_16 =
- LANDLOCK_ACCESS_FS_MAKE_SYM |
- LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_TRUNCATE |
-- LANDLOCK_ACCESS_FS_IOCTL_DEV;
-+ LANDLOCK_ACCESS_FS_IOCTL_DEV |
-+ LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
- /* clang-format on */
-
- TEST_F(audit_layout1, execute_read)
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, ioctl_dev)
EXPECT_EQ(1, records.domain);
}
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, ioctl_dev)
+ if (!child_pid) {
+ drop_access_rights(_metadata,
+ &(struct landlock_ruleset_attr){
-+ .handled_access_fs = access_fs_16,
++ .handled_access_fs = ACCESS_ALL,
+ });
+
+ cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
7: 0ada3dd8e1a1 ! 9: 4e8a07344278 landlock/selftests: Check that coredump sockets stay unrestricted
@@ Metadata
Author: Günther Noack <gnoack3000@gmail.com>
## Commit message ##
- landlock/selftests: Check that coredump sockets stay unrestricted
+ selftests/landlock: Check that coredump sockets stay unrestricted
Even when a process is restricted with the new
- LANDLOCK_ACCESS_FS_RESOLVE_SOCKET right, the kernel can continue
- writing its coredump to the configured coredump socket.
+ LANDLOCK_ACCESS_FS_RESOLVE_UNIX right, the kernel can continue writing
+ its coredump to the configured coredump socket.
In the test, we create a local server and rewire the system to write
coredumps into it. We then create a child process within a Landlock
- domain where LANDLOCK_ACCESS_FS_RESOLVE_SOCKET is restricted and make
+ domain where LANDLOCK_ACCESS_FS_RESOLVE_UNIX is restricted and make
the process crash. The test uses SO_PEERCRED to check that the
connecting client process is the expected one.
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(scoped_domains, unix_seqpacke
+ set_core_pattern(_metadata, core_pattern);
+
+ /* Restrict LANDLOCK_ACCESS_FS_RESOLVE_UNIX. */
-+ drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-+ .handled_access_fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
-+ });
++ drop_access_rights(_metadata,
++ &(struct landlock_ruleset_attr){
++ .handled_access_fs =
++ LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
++ });
+
+ /* Fork a child that crashes. */
+ child_pid = fork();
8: e9f591ec527f ! 10: fcaef2882dbd landlock/selftests: fs_test: Simplify ruleset creation and enforcement
@@ Metadata
Author: Günther Noack <gnoack3000@gmail.com>
## Commit message ##
- landlock/selftests: fs_test: Simplify ruleset creation and enforcement
+ selftests/landlock: fs_test: Simplify ruleset creation and enforcement
* Add enforce_fs() for defining and enforcing a ruleset in one step
* In some places, dropped "ASSERT_LE(0, fd)" checks after
@@ tools/testing/selftests/landlock/fs_test.c: FIXTURE_TEARDOWN(scoped_domains)
- enforce_ruleset(_metadata, fd);
- EXPECT_EQ(0, close(fd));
- } else {
-- drop_access_rights(
-- _metadata,
-- &(struct landlock_ruleset_attr){
-- .handled_access_fs =
-- LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
-- });
+- struct landlock_ruleset_attr attr = {
+- .handled_access_fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
+- };
+- drop_access_rights(_metadata, &attr);
- }
-}
-
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F_FORK(coredump, socket_not_res
set_core_pattern(_metadata, core_pattern);
/* Restrict LANDLOCK_ACCESS_FS_RESOLVE_UNIX. */
-- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
-- });
+- drop_access_rights(_metadata,
+- &(struct landlock_ruleset_attr){
+- .handled_access_fs =
+- LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
+- });
+ enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL);
/* Fork a child that crashes. */
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, execute_read)
test_check_exec(_metadata, 0, file1_s1d1);
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
/*
* The only difference with the previous audit_layout1.execute_read test is
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, write_file)
struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, read_file)
struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.read_file",
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, read_dir)
struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(EACCES, test_open(dir_s1d1, O_DIRECTORY));
EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.read_dir",
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, remove_dir)
EXPECT_EQ(0, unlink(file2_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, rmdir(dir_s1d3));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, remove_file)
struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, unlink(file1_s1d3));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_char)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, mknod(file1_s1d3, S_IFCHR | 0644, 0));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_dir)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, mkdir(file1_s1d3, 0755));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_reg)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, mknod(file1_s1d3, S_IFREG | 0644, 0));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_sock)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, mknod(file1_s1d3, S_IFSOCK | 0644, 0));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_fifo)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, mknod(file1_s1d3, S_IFIFO | 0644, 0));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_block)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, mknod(file1_s1d3, S_IFBLK | 0644, 0));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, make_sym)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, symlink("target", file1_s1d3));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, refer_rename)
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(EACCES, test_rename(file1_s1d2, file1_s2d3));
EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, refer_exchange
EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
/*
* The only difference with the previous audit_layout1.refer_rename test is
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, truncate)
struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
EXPECT_EQ(-1, truncate(file1_s1d3, 0));
EXPECT_EQ(EACCES, errno);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, ioctl_dev)
- drop_access_rights(_metadata,
- &(struct landlock_ruleset_attr){
- .handled_access_fs =
-- access_fs_16 &
+- ACCESS_ALL &
- ~LANDLOCK_ACCESS_FS_READ_FILE,
- });
-+ enforce_fs(_metadata, access_fs_16 & ~LANDLOCK_ACCESS_FS_READ_FILE,
-+ NULL);
++ enforce_fs(_metadata, ACCESS_ALL & ~LANDLOCK_ACCESS_FS_READ_FILE, NULL);
fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
ASSERT_LE(0, fd);
@@ tools/testing/selftests/landlock/fs_test.c: TEST_F(audit_layout1, resolve_unix)
if (!child_pid) {
- drop_access_rights(_metadata,
- &(struct landlock_ruleset_attr){
-- .handled_access_fs = access_fs_16,
+- .handled_access_fs = ACCESS_ALL,
- });
-+ enforce_fs(_metadata, access_fs_16, NULL);
++ enforce_fs(_metadata, ACCESS_ALL, NULL);
cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, cli_fd);
-: ------------ > 11: 362a0e8f84a0 landlock: Document FS access right for pathname UNIX sockets
--
2.53.0
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH v7 01/11] lsm: Add LSM hook security_unix_find
2026-03-23 16:56 [PATCH v7 00/11] landlock: UNIX connect() control by pathname and scope Günther Noack
@ 2026-03-23 16:56 ` Günther Noack
2026-03-23 19:10 ` Günther Noack
2026-03-23 20:26 ` Paul Moore
0 siblings, 2 replies; 4+ messages in thread
From: Günther Noack @ 2026-03-23 16:56 UTC (permalink / raw)
To: Mickaël Salaün, John Johansen, Paul Moore, James Morris,
Serge E . Hallyn
Cc: Günther Noack, Tingmao Wang, Justin Suess,
linux-security-module, Samasth Norway Ananda, Matthieu Buffet,
Mikhail Ivanov, konstantin.meskhidze, Demi Marie Obenour,
Alyssa Ross, Jann Horn, Tahera Fahimi, Sebastian Andrzej Siewior,
Kuniyuki Iwashima, Simon Horman, netdev, Alexander Viro,
Christian Brauner
From: Justin Suess <utilityemal77@gmail.com>
Add an LSM hook security_unix_find.
This hook is called to check the path of a named UNIX socket before a
connection is initiated. The peer socket may be inspected as well.
Why existing hooks are unsuitable:
Existing socket hooks, security_unix_stream_connect(),
security_unix_may_send(), and security_socket_connect() don't provide
TOCTOU-free / namespace independent access to the paths of sockets.
(1) We cannot resolve the path from the struct sockaddr in existing hooks.
This requires another path lookup. A change in the path between the
two lookups will cause a TOCTOU bug.
(2) We cannot use the struct path from the listening socket, because it
may be bound to a path in a different namespace than the caller,
resulting in a path that cannot be referenced at policy creation time.
Consumers of the hook wishing to reference @other are responsible
for acquiring the unix_state_lock and checking for the SOCK_DEAD flag
therein, ensuring the socket hasn't died since lookup.
Cc: Günther Noack <gnoack3000@gmail.com>
Cc: Tingmao Wang <m@maowtm.org>
Cc: Mickaël Salaün <mic@digikod.net>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Justin Suess <utilityemal77@gmail.com>
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
include/linux/lsm_hook_defs.h | 5 +++++
include/linux/security.h | 11 +++++++++++
net/unix/af_unix.c | 10 +++++++---
security/security.c | 20 ++++++++++++++++++++
4 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 8c42b4bde09c..7a0fd3dbfa29 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -317,6 +317,11 @@ LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
LSM_HOOK(int, 0, watch_key, struct key *key)
#endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */
+#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH)
+LSM_HOOK(int, 0, unix_find, const struct path *path, struct sock *other,
+ int flags)
+#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
+
#ifdef CONFIG_SECURITY_NETWORK
LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other,
struct sock *newsk)
diff --git a/include/linux/security.h b/include/linux/security.h
index 83a646d72f6f..99a33d8eb28d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1931,6 +1931,17 @@ static inline int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
}
#endif /* CONFIG_SECURITY_NETWORK */
+#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH)
+
+int security_unix_find(const struct path *path, struct sock *other, int flags);
+
+#else /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
+static inline int security_unix_find(const struct path *path, struct sock *other, int flags)
+{
+ return 0;
+}
+#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
+
#ifdef CONFIG_SECURITY_INFINIBAND
int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey);
int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3756a93dc63a..5ef3c2e31757 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1231,11 +1231,15 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
goto path_put;
err = -EPROTOTYPE;
- if (sk->sk_type == type)
- touch_atime(&path);
- else
+ if (sk->sk_type != type)
goto sock_put;
+ err = security_unix_find(&path, sk, flags);
+ if (err)
+ goto sock_put;
+
+ touch_atime(&path);
+
path_put(&path);
return sk;
diff --git a/security/security.c b/security/security.c
index 67af9228c4e9..28ccea205874 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4731,6 +4731,26 @@ int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
#endif /* CONFIG_SECURITY_NETWORK */
+#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH)
+/**
+ * security_unix_find() - Check if a named AF_UNIX socket can connect
+ * @path: path of the socket being connected to
+ * @other: peer sock
+ * @flags: flags associated with the socket
+ *
+ * This hook is called to check permissions before connecting to a named
+ * AF_UNIX socket. The caller does not hold any locks on @other.
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_unix_find(const struct path *path, struct sock *other, int flags)
+{
+ return call_int_hook(unix_find, path, other, flags);
+}
+EXPORT_SYMBOL(security_unix_find);
+
+#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
+
#ifdef CONFIG_SECURITY_INFINIBAND
/**
* security_ib_pkey_access() - Check if access to an IB pkey is allowed
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v7 01/11] lsm: Add LSM hook security_unix_find
2026-03-23 16:56 ` [PATCH v7 01/11] lsm: Add LSM hook security_unix_find Günther Noack
@ 2026-03-23 19:10 ` Günther Noack
2026-03-23 20:26 ` Paul Moore
1 sibling, 0 replies; 4+ messages in thread
From: Günther Noack @ 2026-03-23 19:10 UTC (permalink / raw)
To: Mickaël Salaün, John Johansen, Paul Moore, James Morris,
Serge E . Hallyn, Georgia Garcia
Cc: Tingmao Wang, Justin Suess, linux-security-module,
Samasth Norway Ananda, Matthieu Buffet, Mikhail Ivanov,
konstantin.meskhidze, Demi Marie Obenour, Alyssa Ross, Jann Horn,
Tahera Fahimi, Sebastian Andrzej Siewior, Kuniyuki Iwashima,
Simon Horman, netdev, Alexander Viro, Christian Brauner
On Mon, Mar 23, 2026 at 05:56:43PM +0100, Günther Noack wrote:
> From: Justin Suess <utilityemal77@gmail.com>
>
> Add an LSM hook security_unix_find.
>
> This hook is called to check the path of a named UNIX socket before a
> connection is initiated. The peer socket may be inspected as well.
>
> Why existing hooks are unsuitable:
>
> Existing socket hooks, security_unix_stream_connect(),
> security_unix_may_send(), and security_socket_connect() don't provide
> TOCTOU-free / namespace independent access to the paths of sockets.
>
> (1) We cannot resolve the path from the struct sockaddr in existing hooks.
> This requires another path lookup. A change in the path between the
> two lookups will cause a TOCTOU bug.
>
> (2) We cannot use the struct path from the listening socket, because it
> may be bound to a path in a different namespace than the caller,
> resulting in a path that cannot be referenced at policy creation time.
>
> Consumers of the hook wishing to reference @other are responsible
> for acquiring the unix_state_lock and checking for the SOCK_DEAD flag
> therein, ensuring the socket hasn't died since lookup.
>
> Cc: Günther Noack <gnoack3000@gmail.com>
> Cc: Tingmao Wang <m@maowtm.org>
> Cc: Mickaël Salaün <mic@digikod.net>
> Cc: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Justin Suess <utilityemal77@gmail.com>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
> include/linux/lsm_hook_defs.h | 5 +++++
> include/linux/security.h | 11 +++++++++++
> net/unix/af_unix.c | 10 +++++++---
> security/security.c | 20 ++++++++++++++++++++
> 4 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 8c42b4bde09c..7a0fd3dbfa29 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -317,6 +317,11 @@ LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
> LSM_HOOK(int, 0, watch_key, struct key *key)
> #endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */
>
> +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH)
> +LSM_HOOK(int, 0, unix_find, const struct path *path, struct sock *other,
> + int flags)
> +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
> +
> #ifdef CONFIG_SECURITY_NETWORK
> LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other,
> struct sock *newsk)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 83a646d72f6f..99a33d8eb28d 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1931,6 +1931,17 @@ static inline int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
> }
> #endif /* CONFIG_SECURITY_NETWORK */
>
> +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH)
> +
> +int security_unix_find(const struct path *path, struct sock *other, int flags);
> +
> +#else /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
> +static inline int security_unix_find(const struct path *path, struct sock *other, int flags)
> +{
> + return 0;
> +}
> +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
> +
> #ifdef CONFIG_SECURITY_INFINIBAND
> int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey);
> int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index 3756a93dc63a..5ef3c2e31757 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1231,11 +1231,15 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
> goto path_put;
>
> err = -EPROTOTYPE;
> - if (sk->sk_type == type)
> - touch_atime(&path);
> - else
> + if (sk->sk_type != type)
> goto sock_put;
>
> + err = security_unix_find(&path, sk, flags);
> + if (err)
> + goto sock_put;
> +
> + touch_atime(&path);
> +
> path_put(&path);
>
> return sk;
> diff --git a/security/security.c b/security/security.c
> index 67af9228c4e9..28ccea205874 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4731,6 +4731,26 @@ int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
>
> #endif /* CONFIG_SECURITY_NETWORK */
>
> +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH)
> +/**
> + * security_unix_find() - Check if a named AF_UNIX socket can connect
> + * @path: path of the socket being connected to
> + * @other: peer sock
> + * @flags: flags associated with the socket
> + *
> + * This hook is called to check permissions before connecting to a named
> + * AF_UNIX socket. The caller does not hold any locks on @other.
> + *
> + * Return: Returns 0 if permission is granted.
> + */
> +int security_unix_find(const struct path *path, struct sock *other, int flags)
> +{
> + return call_int_hook(unix_find, path, other, flags);
> +}
> +EXPORT_SYMBOL(security_unix_find);
> +
> +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */
> +
> #ifdef CONFIG_SECURITY_INFINIBAND
> /**
> * security_ib_pkey_access() - Check if access to an IB pkey is allowed
> --
> 2.53.0
>
P.S. I noticed it too late today, so it's not on the commit message,
but we also got a Reviewed-by from Georgia Garcia in
https://lore.kernel.org/all/c3fccd822db5fc76b7fab00a9515eb276a71b421.camel@canonical.com/
(in response to V6 of the patch).
Thanks, Georgia!
–Günther
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH v7 01/11] lsm: Add LSM hook security_unix_find
2026-03-23 16:56 ` [PATCH v7 01/11] lsm: Add LSM hook security_unix_find Günther Noack
2026-03-23 19:10 ` Günther Noack
@ 2026-03-23 20:26 ` Paul Moore
1 sibling, 0 replies; 4+ messages in thread
From: Paul Moore @ 2026-03-23 20:26 UTC (permalink / raw)
To: Günther Noack
Cc: Mickaël Salaün, John Johansen, James Morris,
Serge E . Hallyn, Tingmao Wang, Justin Suess,
linux-security-module, Samasth Norway Ananda, Matthieu Buffet,
Mikhail Ivanov, konstantin.meskhidze, Demi Marie Obenour,
Alyssa Ross, Jann Horn, Tahera Fahimi, Sebastian Andrzej Siewior,
Kuniyuki Iwashima, Simon Horman, netdev, Alexander Viro,
Christian Brauner
On Mon, Mar 23, 2026 at 12:58 PM Günther Noack <gnoack3000@gmail.com> wrote:
>
> From: Justin Suess <utilityemal77@gmail.com>
>
> Add an LSM hook security_unix_find.
>
> This hook is called to check the path of a named UNIX socket before a
> connection is initiated. The peer socket may be inspected as well.
>
> Why existing hooks are unsuitable:
>
> Existing socket hooks, security_unix_stream_connect(),
> security_unix_may_send(), and security_socket_connect() don't provide
> TOCTOU-free / namespace independent access to the paths of sockets.
>
> (1) We cannot resolve the path from the struct sockaddr in existing hooks.
> This requires another path lookup. A change in the path between the
> two lookups will cause a TOCTOU bug.
>
> (2) We cannot use the struct path from the listening socket, because it
> may be bound to a path in a different namespace than the caller,
> resulting in a path that cannot be referenced at policy creation time.
>
> Consumers of the hook wishing to reference @other are responsible
> for acquiring the unix_state_lock and checking for the SOCK_DEAD flag
> therein, ensuring the socket hasn't died since lookup.
>
> Cc: Günther Noack <gnoack3000@gmail.com>
> Cc: Tingmao Wang <m@maowtm.org>
> Cc: Mickaël Salaün <mic@digikod.net>
> Cc: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Justin Suess <utilityemal77@gmail.com>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
> include/linux/lsm_hook_defs.h | 5 +++++
> include/linux/security.h | 11 +++++++++++
> net/unix/af_unix.c | 10 +++++++---
> security/security.c | 20 ++++++++++++++++++++
> 4 files changed, 43 insertions(+), 3 deletions(-)
Acked-by: Paul Moore <paul@paul-moore.com>
--
paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-23 20:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23 16:56 [PATCH v7 00/11] landlock: UNIX connect() control by pathname and scope Günther Noack
2026-03-23 16:56 ` [PATCH v7 01/11] lsm: Add LSM hook security_unix_find Günther Noack
2026-03-23 19:10 ` Günther Noack
2026-03-23 20:26 ` Paul Moore
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox