Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
landlock: Refactor TCP socket type check

Move the socket type check earlier, so that we will later be able to add
elseifs for other types. Ordering of checks (socket is of a type we
enforce restrictions on) / (current creds have Landlock restrictions)
should not change anything.

Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251212163704.142301-3-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>

Authored by Matthieu Buffet and committed by Mickaël Salaün
d90ba69e bbb6f53e

+16 -5
security/landlock/net.c
··· 62 62 if (!subject) 63 63 return 0; 64 64 65 - if (!sk_is_tcp(sock->sk)) 66 - return 0; 67 - 68 65 /* Checks for minimal header length to safely read sa_family. */ 69 66 if (addrlen < offsetofend(typeof(*address), sa_family)) 70 67 return -EINVAL; ··· 211 214 static int hook_socket_bind(struct socket *const sock, 212 215 struct sockaddr *const address, const int addrlen) 213 216 { 217 + access_mask_t access_request; 218 + 219 + if (sk_is_tcp(sock->sk)) 220 + access_request = LANDLOCK_ACCESS_NET_BIND_TCP; 221 + else 222 + return 0; 223 + 214 224 return current_check_access_socket(sock, address, addrlen, 215 - LANDLOCK_ACCESS_NET_BIND_TCP); 225 + access_request); 216 226 } 217 227 218 228 static int hook_socket_connect(struct socket *const sock, 219 229 struct sockaddr *const address, 220 230 const int addrlen) 221 231 { 232 + access_mask_t access_request; 233 + 234 + if (sk_is_tcp(sock->sk)) 235 + access_request = LANDLOCK_ACCESS_NET_CONNECT_TCP; 236 + else 237 + return 0; 238 + 222 239 return current_check_access_socket(sock, address, addrlen, 223 - LANDLOCK_ACCESS_NET_CONNECT_TCP); 240 + access_request); 224 241 } 225 242 226 243 static struct security_hook_list landlock_hooks[] __ro_after_init = {
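Review bot: In the first hunk, dropping `if (!sk_is_tcp(sock->sk)) return 0;` from the helper means nothing in its visible body rejects a socket type it was not written for; the filtering now rests entirely on each caller. A sentence in the helper's header comment, or just above the `addrlen` check, saying that callers must already have matched the socket type to the `access_request` they pass would make that contract explicit for the branches the commit message says are coming.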
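Review bot: In the second hunk, `access_request` in `hook_socket_bind()` and `hook_socket_connect()` is declared without an initializer and is only ever defined because the trailing `else return 0;` catches every socket type that did not match. That is correct as written, but once further `else if` branches are added the trailing `else` is the only thing preventing an uninitialized mask from reaching `current_check_access_socket()`, so a one-line comment on it (unhandled socket types are left unrestricted) would help keep it in place. The socket type test also now runs before the helper's `if (!subject) return 0;`, so it is evaluated for tasks with no Landlock restrictions as well; the commit message covers this, and a brief comment at the call sites would save the next reader from checking.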