[RFC PATCH 0/5] landlock: Pathname-based UNIX connect() control

Mickaël Salaün mic at digikod.net
Fri Jan 9 10:37:12 UTC 2026


On Thu, Jan 01, 2026 at 02:40:57PM +0100, Günther Noack wrote:
> Happy New Year!

Happy New Year!

> 
> This patch set introduces a file-system-based Landlock restriction
> mechanism for connecting to Unix sockets.

Thanks for this patch series, this is an important feature for
sandboxing.

> 
> ## Motivation
> 
> Currently, landlocked processes can connect() to named UNIX sockets
> through the BSD socket API described in unix(7), by invoking socket(2)
> followed by connect(2) with a suitable struct sockaddr_un holding the
> socket's filename.  This can come as a surprise for users (e.g. in
> [1]) and it can be used to escape a sandbox when a Unix service offers
> command execution (some scenarios were listed by Tingmao Wang in [2]).
> 
> These patches are built on Justin Suess's patch which adds the LSM
> hook:
> https://lore.kernel.org/all/20251231213314.2979118-1-utilityemal77@gmail.com/

As Kuniyuki pointed out [1], we should handle both connect and send.
This would be similar to the scoped restriction from Tingmao.  I guess
we'll need a similar hook for the send operation.  Because there is no
need to differentiate between connected and disconnected unix sockets in
a security policy, we should have one access right for both.  Any
proposal for its name? Something like TRANSMIT_UNIX or EMIT_UNIX?

[1] https://lore.kernel.org/all/CAAVpQUAd==+Pw02+E6UC-qwaDNm7aFg+Q9YDbWzyniShAkAhFQ@mail.gmail.com/
