Re: [RFC PATCH 1/2] landlock: fix TCP Fast Open connection bypass
From: Matthieu Buffet <hidden>
Date: 2026-06-19 00:33:48
Also in:
lkml, netdev
Hi Bryam,

On 6/18/2026 3:25 AM, Bryam Vargas wrote:
> One scope note, since you mention MPTCP: an MPTCP socket isn't covered. sk_is_tcp() is false for the mptcp parent (sk_protocol is IPPROTO_MPTCP), so neither the new sendmsg hook nor the existing socket_connect one mediates it. On the patched kernel my MPTCP arm still reaches the blocked port via both connect() and MSG_FASTOPEN. If MPTCP is meant to be in scope for CONNECT_TCP, the guard wants `|| sk->sk_protocol == IPPROTO_MPTCP` (not sk_is_mptcp(), which is the subflow flag).

Indeed, the patch does not try to filter MPTCP: it is not meant to be in the scope of LANDLOCK_ACCESS_NET_*_TCP rights. It used to be, but it was a bug, see:
https://lore.kernel.org/all/20250205093651.1424339-2-ivanov.mikhail1@huawei-partners.com/

Have a nice day!

-- 
Matthieu