From 08b197bbc1e2ae2ac06c312dfbe9ddc5c704f6d5 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Tue, 9 Sep 2025 10:21:38 +0200
Subject: [PATCH] vmm: fix vsock with landlock

Without write access to the directory the socket will go in, it's not possible to create the socket.

I've tested outgoing connections from the VM, and they don't seem to need read permissions on that directory to connect to a socket on the host.

Fixes: b3e5738b4 ("vmm: Introduce ApplyLandlock trait")
Signed-off-by: Alyssa Ross
---
 vmm/src/vm_config.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/vmm/src/vm_config.rs b/vmm/src/vm_config.rs
index 38c0a0ba4..aff0d95f3 100644
--- a/vmm/src/vm_config.rs
+++ b/vmm/src/vm_config.rs
@@ -647,7 +647,12 @@ pub struct VsockConfig {
 impl ApplyLandlock for VsockConfig {
 fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
+ if let Some(parent) = self.socket.parent() {
+ landlock.add_rule_with_access(parent, "w")?;
+ }
+ landlock.add_rule_with_access(&self.socket, "rw")?; + Ok(())
 }
 }
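Review bot: `self.socket.parent()` returns `Some("")` for a bare relative path such as `vsock.sock`, so the new `if let` then passes an empty path to `landlock.add_rule_with_access`; whether that fails the whole `apply_landlock` call or is silently skipped depends on `add_rule_with_access`, which is not visible in this hunk, so the guard should exclude it explicitly: `if let Some(parent) = self.socket.parent().filter(|p| !p.as_os_str().is_empty()) {`. The `"w"` rule also grants write access on the entire parent directory rather than on the socket entry alone, which widens what the sandboxed process may create or remove there when the socket lives in a shared directory; since the rights the `"w"` string maps to are defined outside this hunk, the new line deserves a comment such as `// Creating the socket needs write access on its directory; keep the socket in a dedicated directory to limit what this grants.` The whole of `apply_landlock` is contained in the hunk.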