[PATCH v5 0/6] landlock: Add UDP access control support
Matthieu Buffet
matthieu at buffet.re
Thu Jun 11 16:21:00 UTC 2026
Hi,
This is v5 (hopefully final) of UDP access control in Landlock. It has
very few changes compared to v4, described below; all feedback given so
far should be in there (if not, that's a mistake on my part). It adds
only two access rights, to restrict configuring local and remote
addresses on UDP sockets. The one that restricts setting a remote
address also controls sending datagrams to explicit remote addresses
(ignoring any remote address preset on the socket). The one that
restricts binding to a local port also applies when the kernel
auto-binds an ephemeral port.
Changes v1->v2
==============
- recvmsg hook is gone and sendmsg hook doesn't apply when sending to a
remote address pre-set on socket, to improve performance
- don't add a get_addr_port() helper function, which required a weird
"am I in IPv4 or IPv6 context?" check
- reorder hook prologue for consistency: check domain, then type and
family
Changes v2->v3
==============
- removed support for sending datagrams with an explicit destination
address of family AF_UNSPEC, which allowed restrictions to be bypassed
via a race condition
- rebased on linux-mic/next => add support for auditing
- fixed a mistake in selftests when using unspec_srv variables, which
were implicitly of type SOCK_STREAM and did not actually test UDP code
- add tests for IPPROTO_IP
- improved docs, split off TCP-related refactoring
Changes v3->v4
==============
- merge LANDLOCK_ACCESS_NET_CONNECT_UDP and
LANDLOCK_ACCESS_NET_SENDTO_UDP into
LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP (everything that might set the
destination of a datagram)
- make LANDLOCK_ACCESS_NET_BIND_UDP apply when kernel is about to
auto-bind an ephemeral port for the caller. Block it if policy would
not allow an explicit call to bind(0)
- only deny sending AF_UNSPEC datagrams on IPv6 sockets, where there is
a risk of the address family changing midway
Changes v4->v5
==============
- fix unmarked racy socket address family accesses
- fix improper bind(0) autobind access check when connecting to AF_UNSPEC
- fix example code structure in documentation to match the usage
pattern used in the rest of the code
- fix bad copy-pastes in selftests, and some unimportant variable types
- squash LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP commits
- add a small help note in sandboxer to point out the need to allow
binding a source port when emitting, to reduce surprises if people
try to get a feeling of the feature through sandboxer before reading
the docs
v1:
Link: https://lore.kernel.org/all/20240916122230.114800-1-matthieu@buffet.re/
v2:
Link: https://lore.kernel.org/all/20241214184540.3835222-1-matthieu@buffet.re/
v3:
Link: https://lore.kernel.org/all/20251212163704.142301-1-matthieu@buffet.re/
v4:
Link: https://lore.kernel.org/all/20260502124306.3975990-1-matthieu@buffet.re/
Based on https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
9ea6fb415fc8 ("selftests/landlock: Explicitly disable audit in teardowns")
from branch next.
All lines added are covered with selftests (net.c goes from 93.1% to 95.3%
line coverage).
Closes: https://github.com/landlock-lsm/linux/issues/10
Matthieu Buffet (6):
landlock: Add UDP bind() access control
landlock: Add UDP send+connect access control
selftests/landlock: Add tests for UDP bind/connect
selftests/landlock: Add tests for UDP send
samples/landlock: Add sandboxer UDP access control
landlock: Add documentation for UDP support
Documentation/userspace-api/landlock.rst | 91 +-
include/uapi/linux/landlock.h | 35 +-
samples/landlock/sandboxer.c | 41 +-
security/landlock/audit.c | 3 +
security/landlock/limits.h | 2 +-
security/landlock/net.c | 155 ++-
security/landlock/syscalls.c | 2 +-
tools/testing/selftests/landlock/base_test.c | 4 +-
tools/testing/selftests/landlock/net_test.c | 1166 ++++++++++++++++--
9 files changed, 1353 insertions(+), 146 deletions(-)
base-commit: 9ea6fb415fc8b535da91dadd74f948d96ba3d41d
--
2.47.3
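The two rights described in the cover letter, used from userspace to confine a UDP client that may only talk to one remote port. This is an added example, not code from the series, from samples/landlock/sandboxer.c, or from the selftests. The numeric values given to LANDLOCK_ACCESS_NET_BIND_UDP and LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP (here as LL_ACCESS_NET_*) are placeholders, an assumption: the real ones come from the patched include/uapi/linux/landlock.h. The struct layouts are local copies of the existing uapi ones so the program builds on hosts with older headers. The port-0 rule reflects the point the sandboxer help note makes: once BIND_UDP is handled, the kernel's autobind of an ephemeral source port on the first send is checked like an explicit bind(0), so it has to be allowed explicitly.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Local copies of the uapi layouts (include/uapi/linux/landlock.h), so this
 * builds even where the installed headers predate Landlock network rules. */
struct ll_ruleset_attr {
	uint64_t handled_access_fs;
	uint64_t handled_access_net;
};
struct ll_net_port_attr {
	uint64_t allowed_access;
	uint64_t port;
};
#define LL_RULE_NET_PORT 2
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
/* The two UDP rights this series adds. The values are PLACEHOLDERS
 * (assumption): take the real ones from the patched uapi header. */
#define LL_ACCESS_NET_BIND_UDP         (1ULL << 2)
#define LL_ACCESS_NET_CONNECT_SEND_UDP (1ULL << 3)

/* Policy for a UDP client that may only talk to remote_port. Rule 0 is the
 * non-obvious part: with BIND_UDP handled, the kernel's autobind of an
 * ephemeral source port on the first send is checked like an explicit
 * bind(0), so port 0 must be allowed or every unbound send fails with EACCES.
 * Returns the number of rules written. */
static size_t udp_client_policy(uint16_t remote_port,
				struct ll_ruleset_attr *rs,
				struct ll_net_port_attr rules[2])
{
	rs->handled_access_fs = 0;
	rs->handled_access_net = LL_ACCESS_NET_BIND_UDP |
				 LL_ACCESS_NET_CONNECT_SEND_UDP;
	rules[0].allowed_access = LL_ACCESS_NET_BIND_UDP;
	rules[0].port = 0;
	rules[1].allowed_access = LL_ACCESS_NET_CONNECT_SEND_UDP;
	rules[1].port = remote_port;
	return 2;
}

/* Apply the policy to the calling thread. Returns 0 or -errno; a kernel
 * without Landlock or without these rights rejects the ruleset (for example
 * -ENOSYS, -E2BIG or -EINVAL) and nothing has been restricted. */
static int apply_udp_client_policy(uint16_t remote_port)
{
	struct ll_ruleset_attr rs;
	struct ll_net_port_attr rules[2];
	size_t n = udp_client_policy(remote_port, &rs, rules);
	int err = 0;
	int fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);

	if (fd < 0)
		return -errno;
	for (size_t i = 0; i < n && !err; i++)
		if (syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT,
			    &rules[i], 0) < 0)
			err = -errno;
	/* Landlock requires no_new_privs before restricting self. */
	if (!err && (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
		     syscall(__NR_landlock_restrict_self, fd, 0) < 0))
		err = -errno;
	close(fd);
	return err;
}

/* Send one datagram to 127.0.0.1:port with an explicit destination, the path
 * CONNECT_SEND_UDP covers (send() on an already connected socket is not
 * re-checked). Returns 0 or -errno. */
static int probe_sendto(uint16_t port)
{
	struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(port) };
	int rc = 0;
	int s = socket(AF_INET, SOCK_DGRAM, 0);

	if (s < 0)
		return -errno;
	dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (sendto(s, "x", 1, 0, (struct sockaddr *)&dst, sizeof(dst)) < 0)
		rc = -errno;
	close(s);
	return rc;
}

int main(void)
{
	int rc = apply_udp_client_policy(53);

	if (rc)
		fprintf(stderr, "landlock not applied (%s); running unrestricted\n",
			strerror(-rc));
	/* With the series applied: port 53 succeeds, port 80 fails with EACCES. */
	printf("sendto 127.0.0.1:53 -> %s\n", strerror(-probe_sendto(53)));
	printf("sendto 127.0.0.1:80 -> %s\n", strerror(-probe_sendto(80)));
	return 0;
}
```

Dropping the port-0 rule is the quickest way to see the autobind check: with BIND_UDP handled and no bind(0) allowed, both sendto() calls fail with EACCES even though port 53 is permitted, because the kernel has to pick a source port before it can send.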