Landlock Unix Connect Control
Goal: β Linux 7.1
π bug #36 πΎ github π¬ old hook patch πΎ V1 V2 V3 V4 V5 V6 V7 V8
π‘ TL;DR: A Landlock control for restricting the connect(2) operation on UnixDomainSockets.
Server-side can already be restricted through LANDLOCK_ACCESS_FS_MAKE_SOCK,
a filesystem access right which is required to create the socket file.
Overall TODOs
- Review from AppArmor folks for hook is still missing (blocked on AppArmor)
- Georgia Garcia has replied π§
- John Johansen (still pending)
Work in Progress on πΎ github
V8 (tag unix-connect-v8)
- for nicety, revise the order of
- use the current month as reference point when updating the documentation date
- fix the m68k GCC 15 bug (hopefully)
V7 (tag unix-connect-v7)
Collected TODOs from V6 review:
- 1/9: Hook needs another revision based on Paul’s (revised) feedback and on MickaΓ«l’s feedback (β‘οΈ Justin)
- 2/9: Capitalize subject line
- 3/9: What guarantees that the
dom_otherstays valid afterunix_state_unlock? (Maybe just keep it a bit longer) - 3/9: Various comments (π§)
- commit msg: explain the
u16 access_mask_ttou32change -
Open question: What is(Partially postponed for V8, because it’s somewhat of an independent concern)BUILD_BUG_ON()good for indomain_is_scoped()?
- commit msg: explain the
- 5/9: Subject line (
selftests/landlock) - 6/9: Rename
access_fs_16(in a separate commit) - 7/9: Commit message typos
- 9/9: Commit message lacks description
- 9/9: We are missing to handle case 6 in a switch statement?
- all: Run
check-linux.sh.- It flags that we should use
BIT(n)instead of1 << n, but that does not exist in tests. - It complains about the Documentation date in the main patch set, but that feels like a very minor update.
- It flags that we should use
V6
Collect TODOs from π§ V5 review once the discussion has settled:
- selftests: check path length when populating
sun_path - Docs: squash design decisions update into the main implementation commit and cross-reference it
- LSM hook: Move LSM hook call below socket type check (V6)
- LSM hook: Mention that hook gets called without any locks held
- Impl: Unify
domain_is_scopedwithunmask_scoped_access? (π§)- Decision: Better to not unify
- PENDING: Some open questions about
unmask_scoped_access()logic (π§) - Impl: Locking and
SOCK_DEAD(π§)- Decision: Check
SOCK_DEADand lock usingunix_state_lock()
- Decision: Check
- https://lore.kernel.org/all/20260218.ohth8theu8Yi@digikod.net/ (set EUID for coredump test)
- https://lore.kernel.org/all/20260218.AXoosuwo8aen@digikod.net/ (Inline code in docs)
- https://lore.kernel.org/all/20260308.zie6thaiP0aj@digikod.net/
Then:
- Fix up cover letter and send
Appropriate locking for accessing other’s creds
- Do we have to double check that the socket is not dead (c.f.
sock_orphan())? - Locking maybe comparable to
sk_user_ns(code, refs)?
V5 (sent)
- Fix up cover letter
- test that coredump sockets stay unaffected (π§)
- follow Tingmao’s approach to test the scope (π§)
- Tingmao’s patch set: https://lore.kernel.org/all/cover.1767115163.git.m@maowtm.org/
- Use Tahera’s
scoped_base_variants.h - Does that mean that we can remove the old test? – YES
- Simplify
fs_test.c - Add missing audit test to
fs_test.c.
Notes
Before sending out patches, remember to run the checks:
just landlock-check-linux
git rebase -i --exec "just landlock-check-linux" mic-next
Sending a new patch version:
git format-patch --cover-letter -v8 --range-diff=unix-connect-v7 base-commit
just send-email v8-*.patch # accumulate recipient lists in the configuration