[RFC PATCH v3 0/8] landlock: Add UDP access control support

Mickaël Salaün mic at digikod.net
Sat Feb 14 10:34:44 UTC 2026


I had a chat with Matthieu and here is a summary of our discussion
(Matthieu, please complete if necessary):

First, this patch series is high quality.  The remaining issues are
related to the semantics and the capabilities of the enforced
restrictions.

1/ Simplify access rights

It would make more sense to have only two access rights, one to set the
source port and another to set the destination port.  The source port
should be handled by LANDLOCK_ACCESS_NET_BIND_UDP, but the destination
port should also be handled by a unique access right, something like
LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP because it can be set with
connect(2) or sendmsg(2).  Any suggestion for a better name?

2/ Autobind handling

If a UDP socket is not explicitly bound to a port, inet_autobind() is
called and provides an implicit port.  In this case, the socket_bind
hook is not called and we cannot enforce any kind of restriction
(without relying on Netfilter like SELinux does).

The idea would be to lazily detect previous autobinds when one of the
socket_bind, socket_connect, socket_sendmsg, or socket_recvmsg hook is
called.  This would mean to attach a Landlock security blob to all
sockets and store their state there.  A better alternative would be to
only rely on the struct socket to infer this information, but we're not
sure if this is possible.

3/ AF_UNSPEC trick

As explained in patch 5/8, the network stack behaves differently when
AF_UNSPEC is used with sendmsg(2) against an IPv4 or an IPv6 socket.
In a nutshell, because the LSM hook is not called while the socket is
locked, there is a possible race condition that Landlock needs to
handle to avoid policy bypass.

It's not clear yet what can be implemented safely but one new solution
would be to implement a socket_setsockopt hook to detect (potentially
concurrent) change of a socket type and store in a new Landlock socket
security blob the state of the socket (e.g. if it was IPv6 and it is now
IPv4).  This would enable us to detect a malicious race condition while
allowing legitimate use cases.

When such a deny is triggered, Landlock should log that, probably
with a new dedicated blocker.  One reason is that this should help
users to understand the issue (which should be very rare), and another
reason is that audit_log_lsm_data() currently ignores
LSM_AUDIT_DATA_NET records if the socket family is not AF_INET* nor
AF_UNIX.

Paul, not sure we'll need it now but, do you think it would be OK to add
a new case for LSM_AUDIT_DATA_NET to log the socket family for
AF_INET/AF_INET6/AF_UNIX and also for currently unhandled families?
Something like " family=%x".


On Fri, Dec 12, 2025 at 05:36:56PM +0100, Matthieu Buffet wrote:
> Hi Mickaël, Günther, Mikhail, Konstantin,
> 
> Here is v3 of UDP support for Landlock. My apologies for the delay, I've
> had to deal with unrelated problems. All feedback from v1/v2 should be
> merged, thanks again for taking the time to review them.
> 
> I based these patches on linux-mic/next commit 1a3cedbdc156 ("landlock:
> Fix wrong type usage") plus my previous patch "landlock: Fix TCP
> handling of short AF_UNSPEC addresses" to avoid adding UDP with already
> known bugs, duplicated from TCP. I waited a bit to get feedback on that
> patch and no one yelled, so I hope it's acceptable, tell me if it's not.
> Link: https://lore.kernel.org/linux-security-module/20251027190726.626244-4-matthieu@buffet.re/
> 
> Changes since v2
> ================
> Link: https://lore.kernel.org/all/20241214184540.3835222-1-matthieu@buffet.re/
> - removed support for sending datagrams with explicit destination
>   address of family AF_UNSPEC, which allowed restrictions to be bypassed
>   with a race condition
> - rebased on linux-mic/next => add support for auditing
> - fixed mistake in selftests when using unspec_srv variables, which were
>   implicitly of type SOCK_STREAM and did not actually test UDP code
> - add tests for IPPROTO_IP
> - improved docs, split off TCP-related refactoring into another commit
> 
> Changes since v1
> ================
> Link: https://lore.kernel.org/all/20240916122230.114800-1-matthieu@buffet.re/
> - recvmsg hook is gone and sendmsg hook doesn't apply to connected
>   sockets anymore, to improve performance
> - don't add a get_addr_port() helper function, which required a weird
>   "am I in IPv4 or IPv6 context" to avoid an addrlen > sizeof(struct
>   sockaddr_in) check in connect(AF_UNSPEC) IPv6 context. A helper was
>   useful when ports also needed to be read in a recvmsg() hook, now it
>   is just a simple switch case in the sendmsg() hook, more readable
> - rename sendmsg access right to LANDLOCK_ACCESS_NET_UDP_SENDTO
> - reorder hook prologue for consistency: check domain, then type and
>   family
> - add additional selftests cases around minimal address length
> - update documentation
> 
> All important cases should have a selftest now. lcov gives me net.c
> going from 91.9% lines/82.5% branches to 93.4% lines/87% branches.
> Thank you for taking the time to read this!
> 
> Closes: https://github.com/landlock-lsm/linux/issues/10
> 
> Matthieu Buffet (8):
>   landlock: Minor reword of docs for TCP access rights
>   landlock: Refactor TCP socket type check
>   landlock: Add UDP bind+connect access control
>   selftests/landlock: Add UDP bind/connect tests
>   landlock: Add UDP sendmsg access control
>   selftests/landlock: Add tests for UDP sendmsg
>   samples/landlock: Add sandboxer UDP access control
>   landlock: Add documentation for UDP support
> 
>  Documentation/userspace-api/landlock.rst     |  94 ++-
>  include/uapi/linux/landlock.h                |  46 +-
>  samples/landlock/sandboxer.c                 |  58 +-
>  security/landlock/audit.c                    |   3 +
>  security/landlock/limits.h                   |   2 +-
>  security/landlock/net.c                      | 119 +++-
>  security/landlock/syscalls.c                 |   2 +-
>  tools/testing/selftests/landlock/base_test.c |   2 +-
>  tools/testing/selftests/landlock/net_test.c  | 691 ++++++++++++++++---
>  9 files changed, 869 insertions(+), 148 deletions(-)
> 
> 
> base-commit: 1a3cedbdc156e100eb1a5208a8562a3265c35d87
> prerequisite-patch-id: 22051d5d4076a87481b22798c127ce84e219ca97
> prerequisite-patch-id: 37a1b44596a2d861ba91989edb1d7aac005931d6
> prerequisite-patch-id: c7be1c906699a2590ab7112cdf2ab6892178ec07
> -- 
> 2.47.3
> 
> 
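The autobind problem described in point 2/ (and the AF_UNSPEC disconnect path touched on in point 3/) can be observed from user space. The following program is an added example written for this archive page; it is not part of the patch series or of the kernel's Landlock code. It creates an IPv4 UDP socket and records its local port at each step: before any connect(2) the port is 0, the first connect(2) to a constructed loopback destination (127.0.0.1:9, no datagram is sent) makes the kernel assign an ephemeral port through inet_autobind() without any bind(2) having been issued, and a subsequent connect(AF_UNSPEC) releases that autobound port so the next connect(2) autobinds again. It assumes IPv4 loopback is reachable; `trace_autobind()` returns -1 if any socket call fails.

```c
/*
 * Added example (not from the patch series or the kernel): observe when the
 * kernel autobinds a UDP socket.  An unbound UDP socket reports local port 0.
 * The first connect(2) or sendto(2) triggers inet_autobind(), which picks an
 * ephemeral port without any bind(2) from user space, so an LSM socket_bind
 * hook is never called for it.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local ports (host byte order) seen at each step of the socket's life. */
struct autobind_trace {
	int before_connect;   /* expected 0: nothing bound yet */
	int after_connect;    /* expected > 0: autobound by the kernel */
	int after_disconnect; /* expected 0: autobound port released */
	int after_reconnect;  /* expected > 0: autobound a second time */
};

/* Return the local port (host byte order) of sock, or -1 on error. */
static int local_port(int sock)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);

	memset(&sin, 0, sizeof(sin));
	if (getsockname(sock, (struct sockaddr *)&sin, &len) < 0)
		return -1;
	return ntohs(sin.sin_port);
}

/* Connect the UDP socket to 127.0.0.1:port.  For UDP this only records the
 * default destination; no datagram is sent, so no peer needs to listen. */
static int connect_loopback(int sock, unsigned short port)
{
	struct sockaddr_in dst;

	memset(&dst, 0, sizeof(dst));
	dst.sin_family = AF_INET;
	dst.sin_port = htons(port);
	dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	return connect(sock, (struct sockaddr *)&dst, sizeof(dst));
}

/* Dissolve the association with an AF_UNSPEC address (see connect(2)). */
static int disconnect_unspec(int sock)
{
	struct sockaddr sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_family = AF_UNSPEC;
	return connect(sock, &sa, sizeof(sa));
}

/* Walk one UDP socket through connect / disconnect / reconnect and record
 * the local port after each step.  Returns 0 on success, -1 on error. */
int trace_autobind(struct autobind_trace *t)
{
	int sock = socket(AF_INET, SOCK_DGRAM, 0);

	if (sock < 0)
		return -1;
	t->before_connect = local_port(sock);
	/* Constructed destination: loopback, port 9 (discard). */
	if (connect_loopback(sock, 9) < 0)
		goto fail;
	t->after_connect = local_port(sock);
	if (disconnect_unspec(sock) < 0)
		goto fail;
	t->after_disconnect = local_port(sock);
	if (connect_loopback(sock, 9) < 0)
		goto fail;
	t->after_reconnect = local_port(sock);
	close(sock);
	return 0;
fail:
	close(sock);
	return -1;
}

int main(void)
{
	struct autobind_trace t;

	if (trace_autobind(&t) < 0) {
		perror("trace_autobind");
		return 1;
	}
	printf("before connect:   %d\n", t.before_connect);
	printf("after connect:    %d\n", t.after_connect);
	printf("after AF_UNSPEC:  %d\n", t.after_disconnect);
	printf("after reconnect:  %d\n", t.after_reconnect);
	return 0;
}
```

The second autobind after the AF_UNSPEC disconnect is the reason a one-shot "was this socket autobound?" flag is not enough for the lazy detection sketched in point 2/: the state has to be re-evaluated in every hook that can follow a disconnect, not only on the first connect(2) or sendmsg(2).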