[RFC PATCH 1/2] landlock: fix TCP Fast Open connection bypass
Bryam Vargas
hexlabsecurity at proton.me
Fri Jun 19 01:39:06 UTC 2026

Thanks, that settles it: MPTCP is out of scope by design, not a gap.

I read 854277e2cc8c ("landlock: Fix non-TCP sockets restriction"). It
changed the sock->type != SOCK_STREAM test to !sk_is_tcp(sock->sk),
dropping SMC/MPTCP/SCTP from the TCP rights on purpose, and 3d4033985ff5
pins that with a "MPTCP actions are not restricted" selftest. So my
"|| sk_protocol == IPPROTO_MPTCP" suggestion was wrong: it would revert
that decision and break the selftest. Please disregard it.

That leaves the series complete as-is on this axis. Keeping both the v0
guard and the 2/2 selftest sk_is_tcp()-only is correct, and the
Tested-by stands for the TCP and IPv6 fast-open path the patch fixes.

Bryam

More information about the Linux-security-module-archive mailing list