[PATCH v2 3/5] samples/landlock: Add support for named UNIX domain socket restrictions
Günther Noack
gnoack3000 at gmail.com
Sun Jan 11 09:50:00 UTC 2026
On Sat, Jan 10, 2026 at 03:33:00PM +0100, Günther Noack wrote:
> The access rights for UNIX domain socket lookups are grouped with the
> read-write rights in the sample tool. Rationale: In the general case,
> any operations are possible through a UNIX domain socket, including
> data-mutating operations.
Sorry, I missed a part of the discussion in V1, which was suggested by
Tingmao Wang in [1]:
You are right, the new access rights should indeed become part of
ACCESS_FILE in the sample tool. (When the sample tool is adding a
rule for a non-directory, it only applies access rights that are also
in ACCESS_FILE.)
Will add it in V3.
–Günther
[1] https://lore.kernel.org/all/423dd2ca-ecba-47cf-98a7-4d99a48939da@maowtm.org/
More information about the Linux-security-module-archive
mailing list