[RFC PATCH 0/1] lsm: Add hook unix_path_connect
Tingmao Wang
m at maowtm.org
Thu Jan 1 23:11:20 UTC 2026
On 1/1/26 19:45, Justin Suess wrote:
> [...]
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index 55cdebfa0da0..397687e2d87f 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1226,6 +1226,18 @@ static struct sock *unix_find_bsd(struct
> sockaddr_un *sunaddr, int addr_len,
> if (!S_ISSOCK(inode->i_mode))
> goto path_put;
>
> + /*
> + * We call the hook because we know that the inode is a socket
> + * and we hold a valid reference to it via the path.
> + * We intentionally forgo the ability to restrict SOCK_COREDUMP.
> + */
> + if (!(flags & SOCK_COREDUMP)) {
> + err = security_unix_path_connect(&path);
> + if (err)
> + goto path_put;
> + err = -ECONNREFUSED;
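
Review bot: The comment above the `if (!(flags & SOCK_COREDUMP))` check says the SOCK_COREDUMP exemption is intentional but gives no reason. Because this branch means security_unix_path_connect() is never called for lookups carrying that flag, the comment should state why skipping the hook is acceptable there, so the bypass is not later mistaken for an oversight or quietly relied on by an LSM that expects to see every path-based connect.
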
I'm not sure if this is a good suggestion, but I think it might be cleaner
to move this `err = -ECONNREFUSED;` out of the if, and do it
unconditionally above the `sk = unix_find_socket_byinode(inode);` below?
To me that makes the intention for resetting err clear (it is to ensure
that a NULL return from unix_find_socket_byinode causes us to return
-ECONNREFUSED).