[RFC PATCH 3/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_CONNECT_UNIX
Tingmao Wang
m at maowtm.org
Thu Jan 1 22:07:58 UTC 2026
On 1/1/26 19:30, Justin Suess wrote:
> Allow users to separately specify unix socket rights,
> document the variable, and make the right optional.
>
> Signed-off-by: Justin Suess <utilityemal77 at gmail.com>
> Cc: Günther Noack <gnoack3000 at gmail.com>
> ---
>
> Notes:
>
> Small fixup suggestion patch to this RFC series.
>
> Handling the unix connect rights separate from
> other rights makes more sense, and makes the sandboxer
> much easier to use. Also connect doesn't really neatly
> correspond to "roughly write" in my opinion, so this puts
> it in a separate variable documented in the help printout.
>
> This also makes it possible to specify rights on the socket itself,
> which wasn't possible.
>
> before:
> ~ # LL_FS_RO=/ LL_FS_RW=/tmp/test.sock landlock-sandboxer sh -c 'echo "hello" |
> socat - UNIX-CONNECT:/tmp/test.sock'
> Executing the sandboxed command...
> 2026/01/01 19:14:33 socat[78] E connect(, AF=1 "/tmp/test.sock", 16): Permission denied
>
> after:
> ~ # LL_FS_RO=/ LL_FS_RW= LL_UNIX_CONNECT=/tmp/test.sock landlock-sandboxer sh -c
> 'echo "hello" | socat - UNIX-CONNECT:/tmp/test.sock'
> Executing the sandboxed command...
> hello
>
> samples/landlock/sandboxer.c | 26 +++++++++++++++++++-------
> 1 file changed, 19 insertions(+), 7 deletions(-)
>
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> index b24ef317d1ea..3df7e7c8b6f1 100644
> --- a/samples/landlock/sandboxer.c
> +++ b/samples/landlock/sandboxer.c
> @@ -62,6 +62,7 @@ static inline int landlock_restrict_self(const int ruleset_fd,
> #define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT"
> #define ENV_SCOPED_NAME "LL_SCOPED"
> #define ENV_FORCE_LOG_NAME "LL_FORCE_LOG"
> +#define ENV_UNIX_CONNECT_NAME "LL_UNIX_CONNECT"
> #define ENV_DELIMITER ":"
>
> static int str2num(const char *numstr, __u64 *num_dst)
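Review bot: ENV_UNIX_CONNECT_NAME would read better placed directly after ENV_TCP_CONNECT_NAME, so the two connect-related environment variables sit together; as added it is separated from its sibling by ENV_SCOPED_NAME and ENV_FORCE_LOG_NAME.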
> @@ -163,8 +164,14 @@ static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd,
> goto out_free_name;
> }
> path_beneath.allowed_access = allowed_access;
> - if (!S_ISDIR(statbuf.st_mode))
> + if (!S_ISDIR(statbuf.st_mode)) {
> path_beneath.allowed_access &= ACCESS_FILE;
> + /* Keep CONNECT_UNIX for socket files. */
> + if (S_ISSOCK(statbuf.st_mode))
> + path_beneath.allowed_access |=
> + allowed_access &
> + LANDLOCK_ACCESS_FS_CONNECT_UNIX;
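Review bot: for a non-directory path that is not a socket, the re-add at the end of this hunk leaves LANDLOCK_ACCESS_FS_CONNECT_UNIX silently discarded, so a user who lists a regular file in LL_UNIX_CONNECT gets no indication that the connect right was never added; consider an fprintf(stderr, ...) warning in that branch. The mask-then-re-add pair is also easier to read as a single mask, e.g. `path_beneath.allowed_access &= ACCESS_FILE | (S_ISSOCK(statbuf.st_mode) ? LANDLOCK_ACCESS_FS_CONNECT_UNIX : 0);`.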
Looking at this, I guess it might also make sense for the kernel side to
enforce only being able to add LANDLOCK_ACCESS_FS_CONNECT_UNIX on socket
files (S_ISSOCK(d_backing_inode)) too in landlock_append_fs_rule?

Also, for the sandboxer logic, maybe a better way would be having
LANDLOCK_ACCESS_FS_CONNECT_UNIX in ACCESS_FILE (matching the kernel code),
then another if (!S_ISSOCK) below this that will clear out
LANDLOCK_ACCESS_FS_CONNECT_UNIX if it is not a socket.