[PATCH v6 3/9] landlock: Control pathname UNIX domain socket resolution by path

Sebastian Andrzej Siewior bigeasy at linutronix.de
Wed Mar 18 11:15:07 UTC 2026


On 2026-03-15 23:21:44 [+0100], Günther Noack wrote:
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
…
> @@ -1557,6 +1560,110 @@ static int hook_path_truncate(const struct path *const path)
…
> +static int hook_unix_find(const struct path *const path, struct sock *other,
> +			  int flags)
> +{
…
> +	/* Checks the layers in which we are connecting within the same domain. */
> +	unix_state_lock(other);
> +	if (unlikely(sock_flag(other, SOCK_DEAD) || !other->sk_socket ||
> +		     !other->sk_socket->file)) {
> +		unix_state_unlock(other);
> +		return 0;
> +	}
> +	dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
> +	unix_state_unlock(other);
> +
> +	unmask_scoped_access(subject->domain, dom_other, &layer_masks,
> +			     fs_resolve_unix.fs);
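
Review bot: dom_other is read from other->sk_socket->file->f_cred while unix_state_lock(other) is held, but it is dereferenced by unmask_scoped_access() only after unix_state_unlock(other), and nothing in the visible lines takes a reference on the domain or enters an RCU read-side section to keep it alive across that gap. Either keep the unmask_scoped_access() call inside the locked region, pin the domain before unlocking, or add a comment next to the unlock naming the mechanism that keeps the pointer valid. Separately, the early "return 0" in the SOCK_DEAD / !sk_socket / !file branch allows the lookup without consulting the peer's domain; a one-line comment stating why allowing is correct in that case would help the next reader.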

This might be obvious but in case it is not: You obtain the domain
pointer from f_cred->security. Within the unix_state_lock() block the fd
cannot be closed. Once you drop the lock, the fd can be closed. What
guarantees that the domain/dom_other pointer remains valid between
unix_state_unlock() and after unmask_scoped_access()?
Is this invoked within an RCU section which would delay put_cred_rcu() or
is there other magic involved?

Sebastian


