Re: Landlock: LANDLOCK_ACCESS_NET_CONNECT_TCP bypass via TCP Fast Open
From: Matthieu Buffet <hidden>
Date: 2026-06-17 18:05:24
Also in:
linux-security-module, lkml
From: Matthieu Buffet <hidden>
Date: 2026-06-17 18:05:24
Also in:
linux-security-module, lkml
Hi, On 6/17/2026 4:22 PM, Mickaël Salaün wrote:
Thanks for the report. This was previously identified by Mikhail and Matthieu, see the related issue: https://github.com/landlock-lsm/linux/issues/41
(I worked on a v0 patch for that issue after I first reported it to Mickaël, missing the fact that it was already documented as a github issue. Then tried a more generic approach that failed. Here's the v0, rebased on the beggining of -next to ease backporting, it might be a good start. For instance, someone with more performance/benchmarking background might want to add an unlikely() around the MSG_FASTOPEN condition in the hot code path?) Have a nice day! Matthieu Buffet (2): landlock: fix TCP Fast Open connection bypass selftests/landlock: Add test for TCP fast open security/landlock/net.c | 17 +++ tools/testing/selftests/landlock/net_test.c | 155 ++++++++++++++++++++ 2 files changed, 172 insertions(+) base-commit: 0ce4243509d1580349dd0d50624036d6b097e958 -- 2.47.3