Discovered because Go defaults its "listening" function (socket+bind+listen) to Multipath-TCP now:
landlock-lsm/go-landlock#50
When you create a socket with protocol MPTCP, this socket can be used to talk to single-path TCP endpoints as well, bypassing the intent of Landlock's TCP connect and bind restrictions.
Multipath TCP was excluded from Landlock's TCP access rights after the fact, in https://lore.kernel.org/all/20250205093651.1424339-1-ivanov.mikhail1@huawei-partners.com/ and in #40.
```c
#include <err.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
	int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP); /* Multipass^H^Hth */
	if (sock < 0)
		err(1, "socket");

	struct sockaddr_in addr = {
		.sin_family = AF_INET,
		.sin_port = htons(4444),
		.sin_addr.s_addr = inet_addr("127.0.0.1"),
	};
	/* if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, */
	if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
		err(1, "bind");
	puts("done");
}
```
We should make that restrictable for multipath TCP (and maybe also for SCTP, as suggested in #40 (comment)).
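Until the kernel side can restrict MPTCP, a Go service can close the gap from its own side. The following is an added example (not code from this issue, from the kernel, or from go-landlock): it pins the listener to plain TCP with `net.ListenConfig.SetMultipathTCP(false)`, so the bound socket is `IPPROTO_TCP` and stays governed by Landlock's TCP bind rule, then self-checks over loopback that an accepted connection really is plain TCP. It assumes the caller has already enforced its Landlock ruleset (for instance with go-landlock) before listening.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// tcpOnlyListenConfig disables Multipath TCP explicitly, so the listening
// socket is created with IPPROTO_TCP (covered by Landlock's TCP bind right)
// instead of IPPROTO_MPTCP (not covered). Do not rely on the Go default.
func tcpOnlyListenConfig() net.ListenConfig {
	var lc net.ListenConfig
	lc.SetMultipathTCP(false)
	return lc
}

// selfCheckPlainTCP listens on addr with the hardened config, connects to
// itself over loopback and reports whether the accepted connection is plain
// TCP (true) rather than an MPTCP subflow (false). Assumption: the caller
// has already enforced its Landlock ruleset (e.g. with go-landlock).
func selfCheckPlainTCP(addr string) (bool, error) {
	lc := tcpOnlyListenConfig()
	ln, err := lc.Listen(context.Background(), "tcp", addr)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	// Loopback handshake completes into the backlog before Accept runs.
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer c.Close()
	srv, err := ln.Accept()
	if err != nil {
		return false, err
	}
	defer srv.Close()
	tc, ok := srv.(*net.TCPConn)
	if !ok {
		return false, fmt.Errorf("accepted %T, want *net.TCPConn", srv)
	}
	mptcp, err := tc.MultipathTCP()
	return !mptcp, err
}

func main() {
	plain, err := selfCheckPlainTCP("127.0.0.1:0")
	fmt.Println("listener is plain TCP:", plain, "error:", err)
}
```

`net.Dialer` has the matching `SetMultipathTCP(false)` for the connect side, which the same bypass affects.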