Landlock Socket Type Control

💾 Patch Set V3 (V2) (Mikhail Ivanov) | 🐞 Bugtracker

Warning: The LandlockSocketTypeControl feature for restricting the use of socket(2) is not stable yet (as of October 2024).

This work-in-progress patch set restricts invocations of socket(2) to specific combinations of a socket’s protocol family and socket type.

API

struct landlock_ruleset_attr is extended by the new field:

__u64 handled_access_socket

with the possible access right:

LANDLOCK_ACCESS_SOCKET_CREATE

When this access right is passed in handled_access_socket during ruleset creation, the creation of new sockets through socket(2) will be forbidden by default when the ruleset is enforced.

To add an exception for a specific combination of a socket’s protocol family and socket type, fill the struct:

struct landlock_socket_attr {
	__u64 allowed_access;
	int family;
	int type;
};

and add it as an exception to the ruleset using landlock_add_rule(2):

landlock_add_rule(ruleset_fd, LANDLOCK_RULE_SOCKET, &attr, 0);
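
The calls above put together in one sequence, as an added example that is not code from this page or from the patch set. It assumes <linux/landlock.h> comes from a tree with the patch set applied; allow_only_socket() is a hypothetical helper name, and without the patched header it compiles to a fallback that fails with ENOSYS.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <sys/prctl.h>
#include <sys/socket.h> /* AF_* and SOCK_* for callers */
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__has_include)
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#endif
#endif

/* Hypothetical helper: allow socket(2) only for one (family, type) pair.
 * Returns 0 once the caller is restricted, -1 with errno set otherwise. */
int allow_only_socket(int family, int type)
{
#ifdef LANDLOCK_ACCESS_SOCKET_CREATE /* assumed: only in the patched header */
	struct landlock_ruleset_attr ruleset_attr = {
		.handled_access_socket = LANDLOCK_ACCESS_SOCKET_CREATE,
	};
	struct landlock_socket_attr attr = {
		.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
		.family = family,
		.type = type,
	};
	int ret = -1, saved;
	int ruleset_fd = syscall(__NR_landlock_create_ruleset, &ruleset_attr,
				 sizeof(ruleset_attr), 0);

	if (ruleset_fd < 0)
		return -1; /* kernel without Landlock or without this feature */
	/* Add the exception, then enforce; no_new_privs is required
	 * for unprivileged callers of landlock_restrict_self(2). */
	if (!syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_SOCKET,
		     &attr, 0) &&
	    !prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) &&
	    !syscall(__NR_landlock_restrict_self, ruleset_fd, 0))
		ret = 0;
	saved = errno; /* close(2) may overwrite errno */
	close(ruleset_fd);
	errno = saved;
	return ret;
#else
	(void)family;
	(void)type;
	errno = ENOSYS; /* built against headers without the patch set */
	return -1;
#endif
}
```

A caller that must not run unsandboxed should treat a -1 return as fatal instead of continuing without the restriction.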

Example

See LandlockTcpServerExample.