[PATCH] tomoyo: Enforce connect policy in TCP Fast Open
Matthieu Buffet
matthieu at buffet.re
Fri Jun 19 00:22:07 UTC 2026
Tomoyo restricted TCP connections in 2011 in commit
059d84dbb389 ("TOMOYO: Add socket operation restriction support.")
using the socket_connect() LSM hook.
However, the MSG_FASTOPEN sendmsg() flag was added in 2012 to allow
combining connect() and the first sendmsg(). Tomoyo was not updated to
take this into account in its send hook.
This resulted in a TCP connect policy bypass similar to that reported in
Landlock in 2024 (see Link below), with the difference that Tomoyo was
fine when originally merged, and the problem got introduced when adding
fastopen support, possibly due to lack of synchronization between lsm
and netdev worlds.
Add MSG_FASTOPEN handling in Tomoyo's existing send hook.
Link: https://github.com/landlock-lsm/linux/issues/41
Link: https://lore.kernel.org/all/20260616201615.275032-1-hexlabsecurity@proton.me/
Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Cc: stable at kernel.org
Signed-off-by: Matthieu Buffet <matthieu at buffet.re>
---
security/tomoyo/network.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/security/tomoyo/network.c b/security/tomoyo/network.c
index cfc2a019de1e..7d9ba7268dc2 100644
--- a/security/tomoyo/network.c
+++ b/security/tomoyo/network.c
@@ -764,11 +764,25 @@ int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
struct tomoyo_addr_info address;
const u8 family = tomoyo_sock_family(sock->sk);
const unsigned int type = sock->type;
+ int ret;
+ address.protocol = type;
+
+ if ((msg->msg_flags & MSG_FASTOPEN) != 0 && msg->msg_name != NULL &&
+ (sk_is_tcp(sock->sk) ||
+ (sk_is_inet(sock->sk) && type == SOCK_STREAM &&
+ sock->sk->sk_protocol == IPPROTO_MPTCP))) {
+ address.operation = TOMOYO_NETWORK_CONNECT;
+ ret = tomoyo_check_inet_address(
+ (struct sockaddr *)msg->msg_name, msg->msg_namelen,
+ sock->sk->sk_protocol, &address);
+ if (ret != 0)
+ return ret;
+ }
if (!msg->msg_name || !family ||
(type != SOCK_DGRAM && type != SOCK_RAW))
return 0;
- address.protocol = type;
+
address.operation = TOMOYO_NETWORK_SEND;
if (family == PF_UNIX)
return tomoyo_check_unix_address((struct sockaddr *)
--
2.47.3
More information about the Linux-security-module-archive
mailing list