Re: [RFC PATCH 1/2] landlock: fix TCP Fast Open connection bypass
From: Bryam Vargas <hidden>
Date: 2026-06-18 01:25:49
Also in:
linux-security-module, lkml
Thanks Matthieu, your #41, so no competing patch from me. I built your v0 (Landlock + MPTCP) and ran an A/B: without it, a confined task with CONNECT_TCP denied still reaches the port via sendto(MSG_FASTOPEN); with it, that path is now denied too, on IPv4 and IPv6.

Tested-by: Bryam Vargas <redacted>

One scope note, since you mention MPTCP: an MPTCP socket isn't covered. sk_is_tcp() is false for the mptcp parent (sk_protocol is IPPROTO_MPTCP), so neither the new sendmsg hook nor the existing socket_connect one mediates it. On the patched kernel my MPTCP arm still reaches the blocked port via both connect() and MSG_FASTOPEN. If MPTCP is meant to be in scope for CONNECT_TCP, the guard wants `|| sk->sk_protocol == IPPROTO_MPTCP` (not sk_is_mptcp(), which is the subflow flag).

Bryam
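The A/B check described in the reply above, as an added userspace probe that is not part of the patch or of this thread: it confines the calling task with a Landlock ruleset that handles CONNECT_TCP and allows no port, then reports whether sendto(MSG_FASTOPEN) to 127.0.0.1 is denied with EACCES like connect() is. It assumes Landlock ABI >= 4 (network rules), the Landlock syscall numbers 444/446 and the ruleset attribute layout declared locally below (so it builds against older headers); the port 4242 is a constructed value and nothing needs to listen on it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/time.h>

/* Assumed ABI values, declared locally instead of <linux/landlock.h>. */
#define LL_NET_CONNECT_TCP (1ULL << 1)  /* LANDLOCK_ACCESS_NET_CONNECT_TCP */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net; };

/* Try the TFO path: returns 0 on success, else the errno from sendto(). */
static int probe_tfo(uint16_t port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct timeval tv = { .tv_sec = 2 };  /* bound the SYN wait */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
    ssize_t r = sendto(fd, "x", 1, MSG_FASTOPEN, (struct sockaddr *)&sa, sizeof sa);
    int e = r < 0 ? errno : 0;
    close(fd);
    return e;
}

/* Confine this task: CONNECT_TCP handled, no port allowed. -1 if unavailable. */
static int deny_connect_tcp(void) {
    struct ll_ruleset_attr attr = { .handled_access_net = LL_NET_CONNECT_TCP };
    int rs = syscall(444, &attr, sizeof attr, 0);        /* landlock_create_ruleset */
    if (rs < 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(446, rs, 0)) { close(rs); return -1; }   /* landlock_restrict_self */
    close(rs);
    return 0;
}

/* "fixed": TFO path denied with EACCES; "bypass": same outcome as unconfined;
 * "unavailable": Landlock network rules (or sockets) not usable here. */
const char *tfo_ab_test(uint16_t port) {
    int before = probe_tfo(port);
    if (before == EACCES || deny_connect_tcp()) return "unavailable";
    int after = probe_tfo(port);
    return after == EACCES ? "fixed" : after == before ? "bypass" : "other";
}

int main(void) {
    printf("MSG_FASTOPEN with CONNECT_TCP denied: %s\n", tfo_ab_test(4242));
    return 0;
}
```

Run it unconfined once without the patch and once with it; the confining step is irreversible for the process, so each run makes exactly one A/B comparison.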