[RFC PATCH 0/1] lsm: Add hook unix_path_connect

Justin Suess utilityemal77 at gmail.com
Thu Jan 1 23:40:49 UTC 2026 

On 1/1/26 18:11, Tingmao Wang wrote:
> On 1/1/26 19:45, Justin Suess wrote:
>> [...]
>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>> index 55cdebfa0da0..397687e2d87f 100644
>> --- a/net/unix/af_unix.c
>> +++ b/net/unix/af_unix.c
>> @@ -1226,6 +1226,18 @@ static struct sock *unix_find_bsd(struct
>> sockaddr_un *sunaddr, int addr_len,
>>         if (!S_ISSOCK(inode->i_mode))
>>                 goto path_put;
>>  
>> +       /*
>> +        * We call the hook because we know that the inode is a socket
>> +        * and we hold a valid reference to it via the path.
>> +        * We intentionally forgo the ability to restrict SOCK_COREDUMP.
>> +        */
>> +       if (!(flags & SOCK_COREDUMP)) {
>> +               err = security_unix_path_connect(&path);
>> +               if (err)
>> +                       goto path_put;
>> +               err = -ECONNREFUSED;
> I'm not sure if this is a good suggestion, but I think it might be cleaner
> to move this `err = -ECONNREFUSED;` out of the if, and do it
> unconditionally above the `sk = unix_find_socket_byinode(inode);` below?
> To me that makes the intention for resetting err clear (it is to ensure
> that a NULL return from unix_find_socket_byinode causes us to return
> -ECONNREFUSED).
>
I'll do that. That does make it more clear.

I suspect resetting the error accidentally was what caused the syzbot to rightfully complain.

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 55cdebfa0da0..2e0300121ab5 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1226,6 +1226,18 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
     if (!S_ISSOCK(inode->i_mode))
         goto path_put;
 
+    /*
+     * We call the hook because we know that the inode is a socket
+     * and we hold a valid reference to it via the path.
+     * We intentionally forgo the ability to restrict SOCK_COREDUMP.
+     */
+    if (!(flags & SOCK_COREDUMP)) {
+        err = security_unix_path_connect(&path);
+        if (err)
+            goto path_put;
+    }
+    err = -ECONNREFUSED;
+
     sk = unix_find_socket_byinode(inode);
     if (!sk)
         goto path_put;

More information about the Linux-security-module-archive mailing list