[PATCH v6 3/9] landlock: Control pathname UNIX domain socket resolution by path

Justin Suess utilityemal77 at gmail.com
Wed Mar 18 14:14:52 UTC 2026


On Wed, Mar 18, 2026 at 12:15:07PM +0100, Sebastian Andrzej Siewior wrote:
> On 2026-03-15 23:21:44 [+0100], Günther Noack wrote:
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
>> > @@ -1557,6 +1560,110 @@ static int hook_path_truncate(const struct path *const path)
>> > +static int hook_unix_find(const struct path *const path, struct sock *other,
> > +			  int flags)
> > +{
>> > +	/* Checks the layers in which we are connecting within the same domain. */
> > +	unix_state_lock(other);
> > +	if (unlikely(sock_flag(other, SOCK_DEAD) || !other->sk_socket ||
> > +		     !other->sk_socket->file)) {
> > +		unix_state_unlock(other);
> > +		return 0;
> > +	}
> > +	dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
> > +	unix_state_unlock(other);
> > +
> > +	unmask_scoped_access(subject->domain, dom_other, &layer_masks,
> > +			     fs_resolve_unix.fs);
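Review bot: dom_other is read from other->sk_socket->file->f_cred->domain under unix_state_lock() but is only consumed by unmask_scoped_access() after unix_state_unlock(), and nothing in this hunk takes a reference on the domain or shows an RCU read-side section around the use; once the lock is dropped the peer's fd can be closed and its cred released, so dom_other stays valid only as long as whatever else still holds a reference on that domain. Either move the unmask_scoped_access() call before unix_state_unlock(), or take a reference on the domain while the lock is held and drop it after the call, and say in the comment which of the two keeps dom_other alive. The comment "Checks the layers in which we are connecting within the same domain." also sits above the lock/dead-socket check rather than above the unmask_scoped_access() call it describes.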
> 
> This might be obvious but in case it is not: You obtain the domain
> pointer from f_cred->security. Within the unix_state_lock() block the fd
> can not be closed. Once you drop the lock, the fd can be closed. What
> guarantees that the domain/dom_other pointer remains valid between
> unix_state_unlock() and after unmask_scoped_access()?
Sebastian,

In short: dom_other is a pointer to a landlock-owned refcounted struct.

There are two cases, one where there is a corresponding landlock domain
with the other socket, and one where there is not.

We lookup the domain under lock:

    dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;

The '->domain' part is important.

Thus dom_other isn't a pointer to the actual task's credentials,
it's a pointer to a landlock controlled/refcounted domain.

This is the function which returns a pointer to the creds.

    static inline struct landlock_cred_security *
    landlock_cred(const struct cred *cred)
    {
    	return cred->security + landlock_blob_sizes.lbs_cred;
    }

If we were storing the landlock_cred_security, that could potentially
be a problem.

But we copy the domain pointer, which points to a landlock allocated
and controlled object.

If it is a domain, dom_other points to a landlock controlled, refcounted
struct landlock_ruleset object. So even if the f_cred is freed
afterwards, that object is still valid.

Justin
> Is this invoked within a RCU section which would delay put_cred_rcu() or
> is there other magic involved?
>
> Sebastian

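The exchange above turns on what a refcount does and does not guarantee for a pointer copied out from under a lock. The following is an added user-space model, not Landlock or kernel code: a "cred" owns one reference on a refcounted "domain", a "peer" stands in for the other socket's file->f_cred, and the two resolve functions show the pattern from the hunk (copy the raw pointer, drop the lock, use it) beside the pinned variant (take a reference on the domain while the lock is held). The struct and function names (domain_get/domain_put, close_peer_fd, run_scenario) are assumptions made for the demo; the freed flag replaces a real kfree() so the use-after-free can be detected instead of being undefined behaviour.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted object; stands in for a landlock ruleset/domain. (Model, not kernel code.) */
struct domain {
	int refcount;
	int layers;   /* stand-in for the ruleset contents */
	bool freed;   /* set when the last reference is dropped; real code would free the memory */
};

/* Stand-in for a cred: holds exactly one reference on its domain. */
struct cred {
	struct domain *domain;
};

/* Stand-in for the peer socket: its file->f_cred, NULL once the fd is closed. */
struct peer {
	bool locked;
	struct cred *f_cred;
};

static struct domain *domain_create(int layers)
{
	struct domain *d = calloc(1, sizeof(*d));
	d->refcount = 1;
	d->layers = layers;
	return d;
}

static void domain_get(struct domain *d)
{
	assert(!d->freed);   /* taking a reference on a freed object is itself a bug */
	d->refcount++;
}

static void domain_put(struct domain *d)
{
	if (--d->refcount == 0)
		d->freed = true;   /* models kfree()/RCU free; memory kept so the demo can detect misuse */
}

static struct cred *cred_create(struct domain *d)
{
	struct cred *c = calloc(1, sizeof(*c));
	domain_get(d);
	c->domain = d;
	return c;
}

static void cred_put(struct cred *c)
{
	domain_put(c->domain);   /* the cred's reference goes away with the cred */
	free(c);
}

static void peer_lock(struct peer *p) { p->locked = true; }
static void peer_unlock(struct peer *p) { p->locked = false; }

/* Models close(fd) -> fput() -> put_cred(): the peer's cred, and its reference, are gone. */
static void close_peer_fd(struct peer *p)
{
	if (p->f_cred) {
		cred_put(p->f_cred);
		p->f_cred = NULL;
	}
}

static void no_race(struct peer *p) { (void)p; }

/* Pattern from the hunk: copy the pointer under the lock, unlock, then use it.
 * Returns the layer count read, or -1 if the domain was already freed (use-after-free). */
static int resolve_unpinned(struct peer *p, void (*race)(struct peer *))
{
	peer_lock(p);
	struct domain *dom_other = p->f_cred->domain;
	peer_unlock(p);
	race(p);   /* window in which the peer may close its fd and drop the cred */
	return dom_other->freed ? -1 : dom_other->layers;
}

/* Pinned variant: take our own reference while the lock is held, drop it after use. */
static int resolve_pinned(struct peer *p, void (*race)(struct peer *))
{
	peer_lock(p);
	struct domain *dom_other = p->f_cred->domain;
	domain_get(dom_other);
	peer_unlock(p);
	race(p);
	int layers = dom_other->freed ? -1 : dom_other->layers;
	domain_put(dom_other);
	return layers;
}

/* Builds a peer whose cred holds the only reference on a 3-layer domain, runs one resolve. */
static int run_scenario(bool pinned, bool close_during)
{
	struct domain *d = domain_create(3);
	struct cred *c = cred_create(d);
	domain_put(d);   /* creator's reference dropped: the cred now holds the only one */
	struct peer p = { .locked = false, .f_cred = c };
	void (*race)(struct peer *) = close_during ? close_peer_fd : no_race;
	int r = pinned ? resolve_pinned(&p, race) : resolve_unpinned(&p, race);
	close_peer_fd(&p);   /* cleanup if the fd is still open */
	free(d);
	return r;
}

int main(void)
{
	printf("unpinned, no close:     %d\n", run_scenario(false, false));
	printf("unpinned, close in gap: %d\n", run_scenario(false, true));
	printf("pinned,   close in gap: %d\n", run_scenario(true, true));
	return 0;
}
```

The refcount only helps if some holder of a reference outlives the use: in the unpinned pattern the cred's reference is the only one, so closing the fd in the gap frees the domain and the later read is a use-after-free, while the pinned pattern survives because the caller's own reference keeps the object alive until its domain_put(). An RCU read-side section spanning the use, which Sebastian also asks about, is the other way to close the gap and is not modelled here.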


More information about the Linux-security-module-archive mailing list