Thread (14 messages) 14 messages, 3 authors, 2d ago

Re: [RFC PATCH 1/2] landlock: fix TCP Fast Open connection bypass

From: Matthieu Buffet <hidden>
Date: 2026-06-19 00:33:48
Also in: lkml, netdev

Hi Bryam,

On 6/18/2026 3:25 AM, Bryam Vargas wrote:
One scope note, since you mention MPTCP: an MPTCP socket isn't covered.
sk_is_tcp() is false for the mptcp parent (sk_protocol is IPPROTO_MPTCP), so
neither the new sendmsg hook nor the existing socket_connect one mediates it. On
the patched kernel my MPTCP arm still reaches the blocked port via both connect()
and MSG_FASTOPEN. If MPTCP is meant to be in scope for CONNECT_TCP, the guard
wants `|| sk->sk_protocol == IPPROTO_MPTCP` (not sk_is_mptcp(), which is the
subflow flag).
Indeed, the patch does not try to filter MPTCP: it is not meant to be in 
the scope of LANDLOCK_ACCESS_NET_*_TCP rights.
It used to be, but it was a bug, see:
https://lore.kernel.org/all/20250205093651.1424339-2-ivanov.mikhail1@huawei-partners.com/ (local)

Have a nice day!

-- 
Matthieu
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help