Landlock currently does not have handling of O_PATH fds. Now that they are being passed to the file_open hook, explicitly skip mediation of them until we can handle them. Signed-off-by: Ryan Lee <ryan.lee@xxxxxxxxxxxxx> --- security/landlock/fs.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 0804f76a67be..37b2167bf4c6 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -1522,6 +1522,14 @@ static int hook_file_open(struct file *const file) if (!dom) return 0; + /* + * Preserve the behavior of O_PATH fd creation not being mediated, for + * now. Remove this when the comment below about handling O_PATH fds + * is resolved. + */ + if (file->f_flags & O_PATH) + return 0; + /* * Because a file may be opened with O_PATH, get_required_file_open_access() * may return 0. This case will be handled with a future Landlock -- 2.43.0 base-kernel: v6.14-rc6
