landlock: Refactor TCP socket type check

Move the socket type check earlier, so that we will later be able to add elseifs for other types. Ordering of checks (socket is of a type we enforce restrictions on) / (current creds have Landlock restrictions) should not change anything. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://lore.kernel.org/r/20251212163704.142301-3-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-03-08 01:04:41 +01:00 · 2025-12-12 17:36:58 +01:00 · 2025-12-12 17:36:58 +01:00 · d90ba69e33
commit d90ba69e33
parent bbb6f53e90
1 changed files with 16 additions and 5 deletions
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@ -62,9 +62,6 @@ static int current_check_access_socket(struct socket *const sock,
 	if (!subject)
 		return 0;

-	if (!sk_is_tcp(sock->sk))
-		return 0;
-
 	/* Checks for minimal header length to safely read sa_family. */
 	if (addrlen < offsetofend(typeof(*address), sa_family))
 		return -EINVAL;
@ -214,16 +211,30 @@ static int current_check_access_socket(struct socket *const sock,
 static int hook_socket_bind(struct socket *const sock,
 			    struct sockaddr *const address, const int addrlen)
 {
+	access_mask_t access_request;
+
+	if (sk_is_tcp(sock->sk))
+		access_request = LANDLOCK_ACCESS_NET_BIND_TCP;
+	else
+		return 0;
+
 	return current_check_access_socket(sock, address, addrlen,
-					   LANDLOCK_ACCESS_NET_BIND_TCP);
+					   access_request);
 }

 static int hook_socket_connect(struct socket *const sock,
 			       struct sockaddr *const address,
 			       const int addrlen)
 {
+	access_mask_t access_request;
+
+	if (sk_is_tcp(sock->sk))
+		access_request = LANDLOCK_ACCESS_NET_CONNECT_TCP;
+	else
+		return 0;
+
 	return current_check_access_socket(sock, address, addrlen,
-					   LANDLOCK_ACCESS_NET_CONNECT_TCP);
+					   access_request);
 }

 static struct security_hook_list landlock_hooks[] __ro_after_init = {