[PATCH v4 2/7] landlock: Add UDP connect() access control
Matthieu Buffet
matthieu at buffet.re
Sat Jun 6 17:11:27 UTC 2026
On 5/22/2026 11:10 PM, Mickaël Salaün wrote:
>> + * Note: socket is not locked, so another thread could do an
>> + * explicit bind(!=0) on this socket, changing inet_num to non-zero
>> + * after we read it, but this would only have us enforce an
>> + * additional bind(0) access check and would not bypass policy.
>> + */
>> + if (inet_sk(sock->sk)->inet_num != 0)
>
> There is still a race condition, this should fix it:
>
> *
> * Hold the socket lock around the inet_num read to exclude
> * udp_lib_get_port()'s transient inet_num = snum write that is reverted
> * to 0 on a failing reuseport bind.
> */
> if (inet_sk(sock->sk)->inet_num != 0)
> slow = lock_sock_fast(sock->sk);
> num = inet_sk(sock->sk)->inet_num;
> unlock_sock_fast(sock->sk, slow);
> if (num != 0)
> return 0;
Oh wow, nice catch. The transient write in udp_lib_get_port() indeed
requires locking, a READ_ONCE would not even be enough.
>> + port0.ss_family = sock->sk->__sk_common.skc_family;
>
> Looking at net/, __sk_common.skc_family (and other __sk_common.* fields)
> should be replaced by sk_family (see #define in include/net/sock.h).
> Same for all other __sk_common.
>
> In fact, it should be READ_ONCE(sock->sk->sk_family) for consistency
> with the net/ code and because the socket are not locked when the LSM
> hooks are called. I realized that the existing Landlock code have the
> same issue... Could you please add a new patch (to be backported) to
> always use this pattern?
Indeed, setsockopt(IPV6_ADDRFORM) could mess with these too, I can send
a separate fix patch for that.
Thanks!
--
Matthieu
More information about the Linux-security-module-archive
mailing list