landlock: Fix non-TCP sockets restriction

Do not check TCP access right if socket protocol is not IPPROTO_TCP. LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP should not restrict bind(2) and connect(2) for non-TCP protocols (SCTP, MPTCP, SMC). sk_is_tcp() is used for this to check address family of the socket before doing INET-specific address length validation. This is required for error consistency. Closes: landlock-lsm#40 Fixes: fff69fb ("landlock: Support network rules with TCP bind and connect") Signed-off-by: Mikhail Ivanov <[email protected]>
intel-lab-lkp · Oct 17, 2024 · dad5495 · dad5495
1 parent fe76bd1
commit dad5495
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/security/landlock/net.c b/security/landlock/net.c
@@ -66,8 +66,8 @@ static int current_check_access_socket(struct socket *const sock,
 	if (WARN_ON_ONCE(dom->num_layers < 1))
 		return -EACCES;
 
-	/* Checks if it's a (potential) TCP socket. */
-	if (sock->type != SOCK_STREAM)
+	/* Do not restrict non-TCP sockets. */
+	if (!sk_is_tcp(sock->sk))
 		return 0;
 
 	/* Checks for minimal header length to safely read sa_family. */