[PATCH v8 01/12] lsm: Add LSM hook security_unix_find

Mickaël Salaün mic at digikod.net
Mon Mar 30 16:02:05 UTC 2026


On Fri, Mar 27, 2026 at 01:55:58PM -0400, Paul Moore wrote:
> On Fri, Mar 27, 2026 at 12:49 PM Günther Noack <gnoack3000 at gmail.com> wrote:
> >
> > From: Justin Suess <utilityemal77 at gmail.com>
> >
> > Add an LSM hook security_unix_find.
> >
> > This hook is called to check the path of a named UNIX socket before a
> > connection is initiated. The peer socket may be inspected as well.
> >
> > Why existing hooks are unsuitable:
> >
> > Existing socket hooks, security_unix_stream_connect(),
> > security_unix_may_send(), and security_socket_connect() don't provide
> > TOCTOU-free / namespace-independent access to the paths of sockets.
> >
> > (1) We cannot resolve the path from the struct sockaddr in existing hooks.
> > This requires another path lookup. A change in the path between the
> > two lookups will cause a TOCTOU bug.
> >
> > (2) We cannot use the struct path from the listening socket, because it
> > may be bound to a path in a different namespace than the caller,
> > resulting in a path that cannot be referenced at policy creation time.
> >
> > Consumers of the hook wishing to reference @other are responsible
> > for acquiring the unix_state_lock and checking for the SOCK_DEAD flag
> > therein, ensuring the socket hasn't died since lookup.
> >
> > Cc: Günther Noack <gnoack3000 at gmail.com>
> > Cc: Tingmao Wang <m at maowtm.org>
> > Cc: Mickaël Salaün <mic at digikod.net>
> > Cc: Paul Moore <paul at paul-moore.com>
> > Signed-off-by: Justin Suess <utilityemal77 at gmail.com>
> > Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> > ---
> >  include/linux/lsm_hook_defs.h |  5 +++++
> >  include/linux/security.h      | 11 +++++++++++
> >  net/unix/af_unix.c            | 10 +++++++---
> >  security/security.c           | 20 ++++++++++++++++++++
> >  4 files changed, 43 insertions(+), 3 deletions(-)
> 
> This patch doesn't look like it changed significantly in this
> revision, is there a reason you dropped the tags from Georgia and me?

You're right, the patch didn't change at all. I added Georgia's tag in my
-next branch for the previous version, I guess Günther forgot to add it
for this version, but I updated my branch with the same tag, so it's
still there.  Thank you both BTW!

I just included a one-line fix because of the m68k warning, we'll see if
it works as expected, and we should be good to go.  It would be nice to
have John's feedback though.