Landlock: LANDLOCK_ACCESS_NET_CONNECT_TCP bypass via TCP Fast Open
Matthieu Buffet
matthieu at buffet.re
Wed Jun 17 18:05:22 UTC 2026
Hi,
On 6/17/2026 4:22 PM, Mickaël Salaün wrote:
> Thanks for the report. This was previously identified by Mikhail and
> Matthieu, see the related issue:
> https://github.com/landlock-lsm/linux/issues/41
(I worked on a v0 patch for that issue after I first reported it to
Mickaël, missing the fact that it was already documented as a github
issue. Then tried a more generic approach that failed. Here's the v0,
rebased on the beginning of -next to ease backporting, it might be a
good start. For instance, someone with more performance/benchmarking
background might want to add an unlikely() around the MSG_FASTOPEN
condition in the hot code path?)
Have a nice day!
Matthieu Buffet (2):
  landlock: fix TCP Fast Open connection bypass
  selftests/landlock: Add test for TCP fast open

 security/landlock/net.c | 17 +++
 tools/testing/selftests/landlock/net_test.c | 155 ++++++++++++++++++++
 2 files changed, 172 insertions(+)
base-commit: 0ce4243509d1580349dd0d50624036d6b097e958
--
2.47.3