Message-ID: <CAHC9VhQOQ096WEZPLo4-57cYkM8c38qzE-F8L3f_cSSB4WadGg@mail.gmail.com>
Date: Tue, 13 Jan 2026 18:27:15 -0500
From: Paul Moore <paul@...l-moore.com>
To: Christian Brauner <brauner@...nel.org>
Cc: Günther Noack <gnoack3000@...il.com>,
Mickaël Salaün <mic@...ikod.net>,
James Morris <jmorris@...ei.org>, "Serge E . Hallyn" <serge@...lyn.com>,
Justin Suess <utilityemal77@...il.com>, linux-security-module@...r.kernel.org,
Tingmao Wang <m@...wtm.org>, Samasth Norway Ananda <samasth.norway.ananda@...cle.com>,
Matthieu Buffet <matthieu@...fet.re>, Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>,
konstantin.meskhidze@...wei.com, Demi Marie Obenour <demiobenour@...il.com>,
Alyssa Ross <hi@...ssa.is>, Jann Horn <jannh@...gle.com>, Tahera Fahimi <fahimitahera@...il.com>,
Simon Horman <horms@...nel.org>, netdev@...r.kernel.org,
Alexander Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH v2 1/5] lsm: Add hook unix_path_connect

On Tue, Jan 13, 2026 at 4:34 AM Christian Brauner <brauner@...nel.org> wrote:
> On Sat, Jan 10, 2026 at 03:32:57PM +0100, Günther Noack wrote:
> > From: Justin Suess <utilityemal77@...il.com>
> >
> > Adds an LSM hook unix_path_connect.
> >
> > This hook is called to check the path of a named unix socket before a
> > connection is initiated.
> >
> > Cc: Günther Noack <gnoack3000@...il.com>
> > Signed-off-by: Justin Suess <utilityemal77@...il.com>
> > ---
> > include/linux/lsm_hook_defs.h | 4 ++++
> > include/linux/security.h | 11 +++++++++++
> > net/unix/af_unix.c | 9 +++++++++
> > security/security.c | 20 ++++++++++++++++++++
> > 4 files changed, 44 insertions(+)
...
> > diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> > index 55cdebfa0da0..3aabe2d489ae 100644
> > --- a/net/unix/af_unix.c
> > +++ b/net/unix/af_unix.c
> > @@ -1226,6 +1226,15 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
> > if (!S_ISSOCK(inode->i_mode))
> > goto path_put;
> >
> > + /*
> > + * We call the hook because we know that the inode is a socket
> > + * and we hold a valid reference to it via the path.
> > + */
> > + err = security_unix_path_connect(&path, type, flags);
> > + if (err)
> > + goto path_put;
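Review bot: the comment added above the security_unix_path_connect() call explains why the inode reference is valid, but not what the hook is asked to decide, and `type` and `flags` are passed without any word on what they mean to an LSM. The call sits in unix_find_bsd(), which per this thread is on the lookup path for both the datagram and the stream cases, so the comment (and the commit message's "before a connection is initiated") should say which socket types and operations reach the hook, and that a non-zero return leaves through the path_put exit.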
>
> Couldn't we try reflowing the code here so the path is passed ...

It would be good if you could be a bit more specific about your
desires here. Are you talking about changing the
unix_find_other()/unix_find_bsd() code path such that the path is
available to unix_find_other() callers and not limited to the
unix_find_bsd() scope?

> ... to
> security_unix_stream_connect() and security_unix_may_send() so that all
> LSMs get the same data and we don't have to have different LSMs hooks
> into different callpaths that effectively do the same thing.
>
> I mean the objects are even in two completely different states between
> those hooks. Even what type of sockets get a call to the LSM is
> different between those two hooks.

I'm working on the assumption that you are talking about changing the
UNIX socket code so that the path info is available to the existing
_may_send() and _stream_connect() hooks. If that isn't the case, and
you're thinking of something different, disregard my comments below.

In both the unix_dgram_{connect(),sendmsg()}, aka
security_unix_may_send(), cases and the unix_stream_connect(), aka
security_unix_stream_connect(), case the call to unix_find_other() is
done to look up the other end of the communication channel, which does
seem reasonably consistent to me. Yes, of course, once you start
getting into the specifics of the UNIX socket handling the unix_dgram_
and unix_stream_ cases are very different, including their
corresponding existing LSM hooks, but that doesn't mean in the context
of unix_find_bsd() that security_unix_path_connect() doesn't have
value.

The alternative would be some rather serious surgery in af_unix.c to
persist the path struct from unix_find_bsd() until the later LSM hooks
are executed. It's certainly not impossible, but I'm not sure it is
necessary or desirable at this point in time. LSMs that wish to
connect the information from _unix_path_connect() to either
_unix_stream_connect() or _unix_may_send() can do so today without
needing to substantially change af_unix.c.

--
paul-moore.com