apparmor: mediate the implicit connect of TCP fast open sendmsg

author Bryam Vargas <hexlabsecurity@proton.me>

Mon, 22 Jun 2026 20:57:38 +0000 (15:57 -0500)

committer John Johansen <john.johansen@canonical.com>

Tue, 23 Jun 2026 07:16:59 +0000 (00:16 -0700)
author Bryam Vargas <hexlabsecurity@proton.me>
Mon, 22 Jun 2026 20:57:38 +0000 (15:57 -0500)
committer John Johansen <john.johansen@canonical.com>
Tue, 23 Jun 2026 07:16:59 +0000 (00:16 -0700)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c

index 7457067e8192276b424448d1faf3feadd650d2e9..88d12e89d115dd10c1d8ebb3d74731e1174bedae 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1422,7 +1422,21 @@ static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
  static int apparmor_socket_sendmsg(struct socket *sock,
                                    struct msghdr *msg, int size)
  {
-       return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
+       int error = aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
+
+       if (error)
+               return error;
+
+       /* TCP fast open carries connect() semantics in sendmsg(); mediate
+        * the implicit connect so it cannot bypass the connect permission.
+        */
+       if ((msg->msg_flags & MSG_FASTOPEN) && msg->msg_name &&
+           (sk_is_tcp(sock->sk) ||
+            (sk_is_inet(sock->sk) && sock->sk->sk_type == SOCK_STREAM &&
+             sock->sk->sk_protocol == IPPROTO_MPTCP)))
+               error = aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk);
+
+       return error;
  }
  
  static int apparmor_socket_recvmsg(struct socket *sock,
author	Bryam Vargas <hexlabsecurity@proton.me>
	Mon, 22 Jun 2026 20:57:38 +0000 (15:57 -0500)
committer	John Johansen <john.johansen@canonical.com>
	Tue, 23 Jun 2026 07:16:59 +0000 (00:16 -0700)