landlock: Fix non-TCP sockets restriction
Do not check TCP access right if socket protocol is not IPPROTO_TCP.
LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP
should not restrict bind(2) and connect(2) for non-TCP protocols
(SCTP, MPTCP, SMC).

Closes: landlock-lsm#40
Fixes: fff69fb ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Mikhail Ivanov <[email protected]>
sm1ling-knight authored and intel-lab-lkp committed Oct 3, 2024
1 parent af3319b commit cec023f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion security/landlock/net.c
Expand Up @@ -68,7 +68,7 @@ static int current_check_access_socket(struct socket *const sock,
return -EACCES;

/* Checks if it's a (potential) TCP socket. */
if (sock->type != SOCK_STREAM)
if (sock->type != SOCK_STREAM || sock->sk->sk_protocol != IPPROTO_TCP)
return 0;

/* Checks for minimal header length to safely read sa_family. */
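Review bot: The comment above the changed condition in current_check_access_socket() still reads "Checks if it's a (potential) TCP socket." although the condition now also tests sock->sk->sk_protocol against IPPROTO_TCP, so the word "potential" no longer matches what the early return does; please update the comment to say that both the socket type and the protocol are checked, and name the protocols the commit message lists (SCTP, MPTCP, SMC) as the case being excluded. Also, the protocol comparison sits before the step that reads sa_family, so it runs on stream sockets of every address family; it is worth confirming that no non-inet family uses a protocol number equal to IPPROTO_TCP, or moving the test after the family is known. The commit touches only security/landlock/net.c, so a selftest that binds and connects a non-TCP stream socket under a ruleset handling LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP would keep this from regressing.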