Landlock Unix Connect Control

Goal: Linux 7.1

🐞 bug #36 💾 github 📬 old hook patch 💾 V1 💾 V2 💾 V3 💾 V4 💾 V5

💡 TL;DR: A Landlock control for restricting the connect(2) operation on UnixDomainSockets.

Server-side can already be restricted through LANDLOCK_ACCESS_FS_MAKE_SOCK, a filesystem access right which is required to create the socket file.

V6 TODOs

Collect TODOs from 📧 V5 review once the discussion has settled:

• selftests: check path length when populating sun_path
• Docs: squash design decisions update into the main implementation commit and cross-reference it
• LSM hook: Move LSM hook call below socket type check (V6)
• LSM hook: Mention that hook gets called without any locks held
• Impl: Unify domain_is_scoped with unmask_scoped_access (📧) - PENDING DISCUSSION
• Impl: Locking and SOCK_DEAD (📧) - PENDING DISCUSSION
• https://lore.kernel.org/all/20260218.ohth8theu8Yi@digikod.net/ (set EUID for coredump test)
• https://lore.kernel.org/all/20260218.AXoosuwo8aen@digikod.net/ (Inline code in docs)

Then:

• Fix up cover letter and send

Work in Progress on 💾 github

Appropriate locking for accessing other’s creds

• Do we have to double check that the socket is not dead (c.f. sock_orphan())?
• Locking maybe comparable to sk_user_ns (code, refs)?

V5 (sent)

• Fix up cover letter
• test that coredump sockets stay unaffected (📧)
• follow Tingmao’s approach to test the scope (📧)
  • Tingmao’s patch set: https://lore.kernel.org/all/cover.1767115163.git.m@maowtm.org/
  • Use Tahera’s scoped_base_variants.h
  • Does that mean that we can remove the old test? – YES
• Simplify fs_test.c
• Add missing audit test to fs_test.c.