Re: [PATCH v5 1/9] lsm: Add LSM hook security_unix_find
From: Mickaël Salaün <mic@digikod.net>
Date: 2026-02-18 09:43:07
Also in:
linux-security-module
On Sun, Feb 15, 2026 at 11:51:49AM +0100, Günther Noack wrote:
quoted hunk ↗ jump to hunk
From: Justin Suess <redacted> Add a LSM hook security_unix_find. This hook is called to check the path of a named unix socket before a connection is initiated. The peer socket may be inspected as well. Why existing hooks are unsuitable: Existing socket hooks, security_unix_stream_connect(), security_unix_may_send(), and security_socket_connect() don't provide TOCTOU-free / namespace independent access to the paths of sockets. (1) We cannot resolve the path from the struct sockaddr in existing hooks. This requires another path lookup. A change in the path between the two lookups will cause a TOCTOU bug. (2) We cannot use the struct path from the listening socket, because it may be bound to a path in a different namespace than the caller, resulting in a path that cannot be referenced at policy creation time. Cc: Günther Noack <redacted> Cc: Tingmao Wang <redacted> Signed-off-by: Justin Suess <redacted> --- include/linux/lsm_hook_defs.h | 5 +++++ include/linux/security.h | 11 +++++++++++ net/unix/af_unix.c | 8 ++++++++ security/security.c | 20 ++++++++++++++++++++ 4 files changed, 44 insertions(+)diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 8c42b4bde09c..7a0fd3dbfa29 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h@@ -317,6 +317,11 @@ LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, LSM_HOOK(int, 0, watch_key, struct key *key) #endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */ +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH) +LSM_HOOK(int, 0, unix_find, const struct path *path, struct sock *other, + int flags) +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ + #ifdef CONFIG_SECURITY_NETWORK LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other, struct sock *newsk)diff --git a/include/linux/security.h b/include/linux/security.h index 83a646d72f6f..99a33d8eb28d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h@@ -1931,6 +1931,17 @@ static inline int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) } #endif /* CONFIG_SECURITY_NETWORK */ +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH) + +int security_unix_find(const struct path *path, struct sock *other, int flags); + +#else /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ +static inline int security_unix_find(const struct path *path, struct sock *other, int flags) +{ + return 0; +} +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ + #ifdef CONFIG_SECURITY_INFINIBAND int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey); int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index d0511225799b..369812b79dd8 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c@@ -1230,6 +1230,14 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len, if (!sk) goto path_put; + /* + * We call the hook because we know that the inode is a socket and we + * hold a valid reference to it via the path. + */ + err = security_unix_find(&path, sk, flags); + if (err) + goto sock_put; + err = -EPROTOTYPE; if (sk->sk_type == type)
I think this hook call should be moved here, just before the touch_atime() call for consistency with the socket type check, and to avoid doing useless check in the hook.
quoted hunk ↗ jump to hunk
touch_atime(&path);diff --git a/security/security.c b/security/security.c index 67af9228c4e9..c73196b8db4b 100644 --- a/security/security.c +++ b/security/security.c@@ -4731,6 +4731,26 @@ int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) #endif /* CONFIG_SECURITY_NETWORK */ +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_SECURITY_PATH) +/** + * security_unix_find() - Check if a named AF_UNIX socket can connect + * @path: path of the socket being connected to + * @other: peer sock + * @flags: flags associated with the socket + * + * This hook is called to check permissions before connecting to a named + * AF_UNIX socket. + * + * Return: Returns 0 if permission is granted. + */ +int security_unix_find(const struct path *path, struct sock *other, int flags) +{ + return call_int_hook(unix_find, path, other, flags); +} +EXPORT_SYMBOL(security_unix_find); + +#endif /* CONFIG_SECURITY_NETWORK && CONFIG_SECURITY_PATH */ + #ifdef CONFIG_SECURITY_INFINIBAND /** * security_ib_pkey_access() - Check if access to an IB pkey is allowed-- 2.52.0