Re: [PATCH] selinux: check connect-related permissions on TCP Fast Open
From: Bryam Vargas
Date: Wed Jun 24 2026 - 21:51:32 EST
Tested this on x86-64. I built mainline with and without the patch and ran it
under a SELinux domain (enforcing) that lacks the tcp_socket connect permission.
Unpatched, connect(2) is denied but sendto(MSG_FASTOPEN) still reaches the
listener. With the patch the fastopen send is denied too, and the AVC shows the
connect check firing on the sendmsg path. Same for TCP, TCP6 and MPTCP. The
TCP_FASTOPEN_CONNECT path was already mediated at connect(2), and a domain that
allows connect is unaffected.
A/B logs on request.
Tested-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>