Landlock currently does not have handling of O_PATH fds. Now that they
are being passed to the file_open hook, explicitly skip mediation of
them until we can handle them.

Signed-off-by: Ryan Lee <ryan....@canonical.com>
---
 security/landlock/fs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 0804f76a67be..37b2167bf4c6 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1522,6 +1522,14 @@ static int hook_file_open(struct file *const file)
        if (!dom)
                return 0;
 
+       /*
+        * Preserve the behavior of O_PATH fd creation not being mediated, for
+        * now.  Remove this when the comment below about handling O_PATH fds
+        * is resolved.
+        */
+       if (file->f_flags & O_PATH)
+               return 0;
+
        /*
         * Because a file may be opened with O_PATH, 
get_required_file_open_access()
         * may return 0.  This case will be handled with a future Landlock
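Review bot: the early return on `file->f_flags & O_PATH` leaves the existing comment directly below it out of date, because an O_PATH file now returns before reaching the code that comment describes. Consider updating that comment in this patch, or folding the two comments into one, so the function has a single place that explains how O_PATH is treated. The new comment would also be more durable if it said that the rest of hook_file_open() is skipped for these files, rather than pointing at "the comment below", which is easy to lose track of when either comment is edited later.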
-- 
2.43.0

base-kernel: v6.14-rc6
