From: Christian Brauner <brauner@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "Kuniyuki Iwashima" <kuniyu@amazon.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>, bpf <bpf@vger.kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
Eduard <eddyz87@gmail.com>, "Günther Noack" <gnoack@google.com>,
"Hao Luo" <haoluo@google.com>, "James Morris" <jmorris@namei.org>,
"John Fastabend" <john.fastabend@gmail.com>,
"Jiri Olsa" <jolsa@kernel.org>, "KP Singh" <kpsingh@kernel.org>,
"Kuniyuki Iwashima" <kuni1840@gmail.com>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Mickaël Salaün" <mic@digikod.net>,
"Network Development" <netdev@vger.kernel.org>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
selinux@vger.kernel.org, "Serge E . Hallyn" <serge@hallyn.com>,
"Song Liu" <song@kernel.org>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Yonghong Song" <yonghong.song@linux.dev>
Subject: Re: [PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send().
Date: Tue, 6 May 2025 10:56:23 +0200 [thread overview]
Message-ID: <20250506-gehirn-festplatten-6ee995a756b7@brauner> (raw)
In-Reply-To: <CAADnVQ+bk8Qt=Zo4S2MZxB+O4G4q_EXB4P0BtJ3LjgbJuY_9_w@mail.gmail.com>
On Mon, May 05, 2025 at 05:56:49PM -0700, Alexei Starovoitov wrote:
> On Mon, May 5, 2025 at 5:46 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> >
> > From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> > Date: Mon, 5 May 2025 17:13:32 -0700
> > > On Mon, May 5, 2025 at 3:00 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> > > >
> > > > As Christian Brauner said [0], systemd calls cmsg_close_all() [1] after
> > > > each recvmsg() to close() unwanted file descriptors sent via SCM_RIGHTS.
> > > >
> > > > However, this cannot work around the issue that close() for unwanted file
> > > > descriptors could block longer because the last fput() could occur on
> > > > the receiver side once sendmsg() with SCM_RIGHTS succeeds.
> > > >
> > > > Also, even filtering by LSM at recvmsg() does not work for the same reason.
> > > >
> > > > Thus, we need a better way to filter SCM_RIGHTS on the sender side.
> > > >
> > > > Let's add a new kfunc to scrub all file descriptors from skb in
> > > > sendmsg().
> > > >
> > > > This allows the receiver to keep recv()ing the bare data and disallows
> > > > the sender to impose the potential slowness of the last fput().
> > > >
> > > > If necessary, we can add more granular filtering per file descriptor
> > > > after refactoring GC code and adding some fd-to-file helpers for BPF.
> > > >
> > > > Sample:
> > > >
> > > > SEC("lsm/unix_may_send")
> > > > int BPF_PROG(unix_scrub_scm_rights,
> > > > struct socket *sock, struct socket *other, struct sk_buff *skb)
> > > > {
> > > > struct unix_skb_parms *cb;
> > > >
> > > > if (skb && bpf_unix_scrub_fds(skb))
> > > > return -EPERM;
> > > >
> > > > return 0;
> > > > }
> > >
> > > Any other programmability do you need there?
> >
> > This is kind of PoC, and as Kumar mentioned, per-fd scrubbing
> > is ideal to cover the real use cases.
> >
> > https://lore.kernel.org/netdev/CAP01T77STmncrPt=BsFfEY6SX1+oYNXhPeZ1HC9J=S2jhOwQoQ@mail.gmail.com/
> >
> > for example:
> > https://uapi-group.org/kernel-features/#filtering-on-received-file-descriptors
>
> Fair enough.
> Would be great to have them as selftests to make sure that advanced
> use cases are actually working.
I think we should do both a socket option and the bpf fd filtering. They
can compliment each other. We should not force the use of bpf for this.
This is a very basic security guarantee we want that shouldn't require
the involvement of any LSM whatsoever.
next prev parent reply other threads:[~2025-05-06 8:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAADnVQK1t3ZqERODdHJM_HaZDMm+JH4OFvwTsLNqZG0=4SQQcA@mail.gmail.com.txt>
2025-05-06 0:44 ` [PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send() Kuniyuki Iwashima
2025-05-06 0:56 ` Alexei Starovoitov
2025-05-06 8:56 ` Christian Brauner [this message]
2025-05-05 21:56 [PATCH v1 bpf-next 0/5] af_unix: Allow BPF LSM to scrub SCM_RIGHTS at sendmsg() Kuniyuki Iwashima
2025-05-05 21:56 ` [PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send() Kuniyuki Iwashima
2025-05-06 0:13 ` Alexei Starovoitov
2025-05-06 8:25 ` Mickaël Salaün
2025-05-09 15:06 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250506-gehirn-festplatten-6ee995a756b7@brauner \
--to=brauner@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=gnoack@google.com \
--cc=haoluo@google.com \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuni1840@gmail.com \
--cc=kuniyu@amazon.com \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sdf@fomichev.me \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox