[RFC PATCH 1/2] landlock: fix TCP Fast Open connection bypass
Matthieu Buffet
matthieu at buffet.re
Fri Jun 19 00:34:10 UTC 2026
Hi Bryam,
On 6/18/2026 3:25 AM, Bryam Vargas wrote:
> One scope note, since you mention MPTCP: an MPTCP socket isn't covered.
> sk_is_tcp() is false for the mptcp parent (sk_protocol is IPPROTO_MPTCP), so
> neither the new sendmsg hook nor the existing socket_connect one mediates it. On
> the patched kernel my MPTCP arm still reaches the blocked port via both connect()
> and MSG_FASTOPEN. If MPTCP is meant to be in scope for CONNECT_TCP, the guard
> wants `|| sk->sk_protocol == IPPROTO_MPTCP` (not sk_is_mptcp(), which is the
> subflow flag).
Indeed, the patch does not try to filter MPTCP: it is not meant to be in
the scope of LANDLOCK_ACCESS_NET_*_TCP rights.
It used to be, but it was a bug, see:
https://lore.kernel.org/all/20250205093651.1424339-2-ivanov.mikhail1@huawei-partners.com/
Have a nice day!
--
Matthieu
More information about the Linux-security-module-archive
mailing list