[PATCH v4 2/6] landlock: Control pathname UNIX domain socket resolution by path
Mickaël Salaün
mic at digikod.net
Mon Feb 9 18:03:28 UTC 2026
On Mon, Feb 09, 2026 at 11:21:57AM +0100, Günther Noack wrote:
> On Mon, Feb 09, 2026 at 12:10:12AM +0100, Günther Noack wrote:
> > +static int hook_unix_find(const struct path *const path, struct sock *other,
> > + int flags)
> > +{
> > + const struct landlock_ruleset *dom_other;
> > + const struct landlock_cred_security *subject;
> > + struct layer_access_masks layer_masks;
> > + struct landlock_request request = {};
> > + static const struct access_masks fs_resolve_unix = {
> > + .fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
> > + };
> > + int type = other->sk_type;
> > +
> > + /* Lookup for the purpose of saving coredumps is OK. */
> > + if (flags & SOCK_COREDUMP)
> > + return 0;
We should test this case too.
tools/testing/selftests/coredump/coredump_socket_* should help.
> > +
> > + /* Only stream, dgram and seqpacket sockets are restricted. */
> > + if (type != SOCK_STREAM && type != SOCK_DGRAM && type != SOCK_SEQPACKET)
> > + return 0;
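Review bot: The comment above the `type != SOCK_STREAM && type != SOCK_DGRAM && type != SOCK_SEQPACKET` check restates the condition but does not say which other socket types can reach hook_unix_find() or why they are left unrestricted. Please state that rationale in the comment, and likewise say in the SOCK_COREDUMP comment why that lookup is "OK", since both early returns allow the lookup with `return 0` before any of the declared Landlock state (`subject`, `dom_other`, `layer_masks`) is consulted. Minor: `type` is initialised from `other->sk_type` ahead of the SOCK_COREDUMP return, although in the lines shown it is only used by the later check.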