[RFC PATCH v3 0/8] landlock: Add UDP access control support

Matthieu Buffet matthieu at buffet.re
Fri Dec 12 16:36:56 UTC 2025


Hi Mickaël, Günther, Mikhail, Konstantin,

Here is v3 of UDP support for Landlock. My apologies for the delay, I've
had to deal with unrelated problems. All feedback from v1/v2 should be
merged, thanks again for taking the time to review them.

I based these patches on linux-mic/next commit 1a3cedbdc156 ("landlock:
Fix wrong type usage") plus my previous patch "landlock: Fix TCP
handling of short AF_UNSPEC addresses" to avoid adding UDP with already
known bugs, duplicated from TCP. I waited a bit to get feedback on that
patch and no one yelled, so I hope it's acceptable, tell me if it's not.
Link: https://lore.kernel.org/linux-security-module/20251027190726.626244-4-matthieu@buffet.re/

Changes since v2
================
Link: https://lore.kernel.org/all/20241214184540.3835222-1-matthieu@buffet.re/
- removed support for sending datagrams with explicit destination
  address of family AF_UNSPEC, which allowed bypassing restrictions with
  a race condition
- rebased on linux-mic/next => add support for auditing
- fixed mistake in selftests when using unspec_srv variables, which were
  implicitly of type SOCK_STREAM and did not actually test UDP code
- add tests for IPPROTO_IP
- improved docs, split off TCP-related refactoring into another commit

Changes since v1
================
Link: https://lore.kernel.org/all/20240916122230.114800-1-matthieu@buffet.re/
- recvmsg hook is gone and sendmsg hook doesn't apply to connected
  sockets anymore, to improve performance
- don't add a get_addr_port() helper function, which required a weird
  "am I in IPv4 or IPv6 context" to avoid an addrlen > sizeof(struct
  sockaddr_in) check in connect(AF_UNSPEC) IPv6 context. A helper was
  useful when ports also needed to be read in a recvmsg() hook, now it
  is just a simple switch case in the sendmsg() hook, more readable
- rename sendmsg access right to LANDLOCK_ACCESS_NET_UDP_SENDTO
- reorder hook prologue for consistency: check domain, then type and
  family
- add additional selftests cases around minimal address length
- update documentation

All important cases should have a selftest now. lcov gives me net.c
going from 91.9% lines/82.5% branches to 93.4% lines/87% branches.
Thank you for taking the time to read this!

Closes: https://github.com/landlock-lsm/linux/issues/10

Matthieu Buffet (8):
  landlock: Minor reword of docs for TCP access rights
  landlock: Refactor TCP socket type check
  landlock: Add UDP bind+connect access control
  selftests/landlock: Add UDP bind/connect tests
  landlock: Add UDP sendmsg access control
  selftests/landlock: Add tests for UDP sendmsg
  samples/landlock: Add sandboxer UDP access control
  landlock: Add documentation for UDP support

 Documentation/userspace-api/landlock.rst     |  94 ++-
 include/uapi/linux/landlock.h                |  46 +-
 samples/landlock/sandboxer.c                 |  58 +-
 security/landlock/audit.c                    |   3 +
 security/landlock/limits.h                   |   2 +-
 security/landlock/net.c                      | 119 +++-
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/net_test.c  | 691 ++++++++++++++++---
 9 files changed, 869 insertions(+), 148 deletions(-)


base-commit: 1a3cedbdc156e100eb1a5208a8562a3265c35d87
prerequisite-patch-id: 22051d5d4076a87481b22798c127ce84e219ca97
prerequisite-patch-id: 37a1b44596a2d861ba91989edb1d7aac005931d6
prerequisite-patch-id: c7be1c906699a2590ab7112cdf2ab6892178ec07
-- 
2.47.3



