[RFC PATCH 3/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_CONNECT_UNIX

Tingmao Wang m at maowtm.org
Thu Jan 1 22:19:36 UTC 2026


On 1/1/26 22:11, Demi Marie Obenour wrote:
> On 1/1/26 17:07, Tingmao Wang wrote:
> 
> (snip)
> 
>> Looking at this I guess it might also make sense for the kernel side to
>> enforce only being able to add LANDLOCK_ACCESS_FS_CONNECT_UNIX on socket
>> files (S_ISSOCK(d_backing_inode)) too in landlock_append_fs_rule?
>>
>> Also, for the sandboxer logic, maybe a better way would be having
>> LANDLOCK_ACCESS_FS_CONNECT_UNIX in ACCESS_FILE (matching the kernel code),
>> then another if(!S_ISSOCK) below this that will clear out
>> LANDLOCK_ACCESS_FS_CONNECT_UNIX if not socket.
> 
> A process might legitimately need to connect to a socket that doesn't
> exist at the time it sandboxes itself.  Therefore, I think it makes
> sense for LANDLOCK_ACCESS_FS_CONNECT_UNIX access to a directory
> to allow LANDLOCK_ACCESS_FS_CONNECT_UNIX to any socket under that
> directory.  This matches the flexibility mount namespaces can achieve.

Right, I forgot about the fact that we also need it on dirs, apologies.

(But maybe it might still make sense to not allow this on files which are
neither a socket nor a dir? (If the file later gets removed and recreated
as a socket, the rule would not apply retroactively anyway due to being
tied to the inode.))
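The logic discussed in this exchange, written out as an added example (not code from the RFC series, from the in-tree sandboxer, or from either poster): `narrow_fs_access()` is how samples/landlock/sandboxer.c could drop LANDLOCK_ACCESS_FS_CONNECT_UNIX from a path rule unless the path is a socket or a directory (directories keep it so that sockets created under them later are covered), and `check_connect_unix_rule()` is the mirror check suggested for landlock_append_fs_rule() on the kernel side. Both function names are my own, the Landlock access-bit values other than CONNECT_UNIX are the released UAPI ones, and the bit chosen for LANDLOCK_ACCESS_FS_CONNECT_UNIX is a placeholder assumption since the RFC right has no released value. The `main()` builds a real directory, bound unix socket and regular file under /tmp and stats each one so the narrowing is visible on actual inode types.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Values as in <linux/landlock.h>, repeated so this builds without it. */
#define LANDLOCK_ACCESS_FS_EXECUTE	(1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE	(1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE	(1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR	(1ULL << 3)
#define LANDLOCK_ACCESS_FS_TRUNCATE	(1ULL << 14)
#define LANDLOCK_ACCESS_FS_IOCTL_DEV	(1ULL << 15)
/* ASSUMPTION: the RFC right has no released UAPI value; placeholder bit. */
#define LANDLOCK_ACCESS_FS_CONNECT_UNIX	(1ULL << 16)

/* sandboxer.c's ACCESS_FILE set, extended with CONNECT_UNIX as suggested. */
#define ACCESS_FILE (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
		     LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_TRUNCATE | \
		     LANDLOCK_ACCESS_FS_IOCTL_DEV | LANDLOCK_ACCESS_FS_CONNECT_UNIX)

/*
 * Sandboxer side: a directory keeps the full mask (a CONNECT_UNIX rule on
 * it covers sockets created underneath later); any other inode keeps only
 * ACCESS_FILE, and CONNECT_UNIX is dropped unless the inode is a socket.
 */
uint64_t narrow_fs_access(uint64_t allowed, mode_t st_mode)
{
	if (S_ISDIR(st_mode))
		return allowed;
	allowed &= ACCESS_FILE;
	if (!S_ISSOCK(st_mode))
		allowed &= ~LANDLOCK_ACCESS_FS_CONNECT_UNIX;
	return allowed;
}

/*
 * Kernel-side analogue for landlock_append_fs_rule(): a CONNECT_UNIX rule
 * on an inode that is neither a socket nor a directory is tied to that
 * inode and can never match a socket, so reject it with -EINVAL.
 */
int check_connect_unix_rule(uint64_t access, mode_t st_mode)
{
	if (!(access & LANDLOCK_ACCESS_FS_CONNECT_UNIX))
		return 0;
	if (S_ISSOCK(st_mode) || S_ISDIR(st_mode))
		return 0;
	return -EINVAL;
}

static void show(const char *path)
{
	const uint64_t want = LANDLOCK_ACCESS_FS_READ_FILE |
			      LANDLOCK_ACCESS_FS_READ_DIR |
			      LANDLOCK_ACCESS_FS_CONNECT_UNIX;
	struct stat st;

	if (stat(path, &st) != 0) {
		perror(path);
		return;
	}
	printf("%s: requested %#llx, sandboxer keeps %#llx, kernel check %d\n",
	       path, (unsigned long long)want,
	       (unsigned long long)narrow_fs_access(want, st.st_mode),
	       check_connect_unix_rule(want, st.st_mode));
}

/* Demo on a real directory, a bound unix socket and a regular file. */
int main(void)
{
	char dir[] = "/tmp/ll-connect-XXXXXX";
	char sock_path[64], file_path[64];
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	int sfd, ffd;

	if (!mkdtemp(dir)) {
		perror("mkdtemp");
		return 1;
	}
	snprintf(sock_path, sizeof(sock_path), "%s/sock", dir);
	snprintf(file_path, sizeof(file_path), "%s/file", dir);
	strncpy(addr.sun_path, sock_path, sizeof(addr.sun_path) - 1);

	sfd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (sfd < 0 || bind(sfd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
		perror("bind");
	ffd = open(file_path, O_CREAT | O_WRONLY, 0600);
	if (ffd >= 0)
		close(ffd);

	show(dir);
	show(sock_path);
	show(file_path);

	unlink(sock_path);
	unlink(file_path);
	rmdir(dir);
	if (sfd >= 0)
		close(sfd);
	return 0;
}
```

In the sandboxer the narrowing would sit where the existing `if (!S_ISDIR(statbuf.st_mode)) allowed_access &= ACCESS_FILE;` is today, applied to `path_beneath.allowed_access` before landlock_add_rule(); the kernel check would run on `d_backing_inode(path.dentry)->i_mode` before the rule is inserted.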



More information about the Linux-security-module-archive mailing list