Netdev List
 help / color / mirror / Atom feed
From: Jori Koolstra <jkoolstra@xs4all.nl>
To: Christian Brauner <brauner@kernel.org>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v3 3/5] net: af_unix: useful handling of LSM denials on SCM_RIGHTS
Date: Tue, 30 Jun 2026 14:17:14 +0200 (CEST)	[thread overview]
Message-ID: <158151977.3525022.1782821834050@kpc.webmail.kpnmail.nl> (raw)
In-Reply-To: <20260630-getoppt-granit-gekrochen-78244e8979d9@brauner>


> Op 30-06-2026 11:58 CEST schreef Christian Brauner <brauner@kernel.org>:
> 
>  
> > Right now if some LSM such as Smack denies an AF_UNIX socket peer to
> > receive an SCM_RIGHTS fd, the SCM_RIGHTS fd array will be cut short at
> > that point, and MSG_CTRUNC is set on return of recvmsg(). This is
> > highly problematic behaviour, because it leaves the receiver
> > wondering what happened. As per man page MSG_CTRUNC is supposed to
> > indicate that the control buffer was sized too short, but suddenly
> > a permission error might result in the exact same flag being set.
> > Moreover, the receiver has no chance to determine how many fds got
> > originally sent and how many were suppressed.[1]
> > 
> > Add a SO_RIGHTS_NOTRUNC option to UNIX sockets to enable more useful
> > handling of LSM denials when receiving SCM_RIGHTS messages: instead of
> > truncating the message at the first blocked fd, keep every fd slot
> > and store the LSM errno in the blocked slot.
> > 
> > [1]: https://github.com/uapi-group/kernel-features#useful-handling-of-lsm-denials-on-scm_rights
> > 
> > Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
> >
> > diff --git a/include/net/af_unix.h b/include/net/af_unix.h
> > index 34f53dde65ce..bb1b3dee02e8 100644
> > --- a/include/net/af_unix.h
> > +++ b/include/net/af_unix.h
> > @@ -49,6 +49,7 @@ struct unix_sock {
> >  	struct scm_stat		scm_stat;
> >  	int			inq_len;
> >  	bool			recvmsg_inq;
> > +	bool			scm_rights_notrunc;
> >  #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
> >  	struct sk_buff		*oob_skb;
> >  #endif
> > diff --git a/include/net/scm.h b/include/net/scm.h
> > index c52519669349..761cda0803fb 100644
> > --- a/include/net/scm.h
> > +++ b/include/net/scm.h
> > @@ -50,8 +50,8 @@ struct scm_cookie {
> >  #endif
> >  };
> >  
> > -void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm);
> > -void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm);
> > +void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm, bool notrunc);
> > +void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm, bool notrunc);
> >  int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm);
> >  void __scm_destroy(struct scm_cookie *scm);
> >  struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
> > @@ -108,11 +108,18 @@ void scm_recv_unix(struct socket *sock, struct msghdr *msg,
> >  		   struct scm_cookie *scm, int flags);
> >  
> >  static inline int scm_recv_one_fd(struct file *f, int __user *ufd,
> > -				  unsigned int flags)
> > +				  unsigned int flags, bool notrunc)
> >  {
> > +	bool filtered;
> > +	int error;
> > +
> >  	if (!ufd)
> >  		return -EFAULT;
> > -	return receive_fd(f, ufd, flags);
> > +
> > +	error = receive_fd_filtered(f, ufd, flags, &filtered);
> > +	if (filtered && notrunc)
> > +		return put_user(error, ufd);
> 
> This helper makes no sense to me. The boolean return argument is just
> really nasty and you need an additional put_user() as well. At this
> point, just drop receive_fd() and open-code it instead of using another
> custom helper. Something like the completely untested:
> 

It's not very pretty no. I thought about several different options but they
all kinda suck.

You could override the error returned from the LSM to -EACCES. Since nothing
else in receive_fd() produces this, if you get it you can be sure that you had
an LSM fd block. However, this masks the real returned error and is also a bit
fragile if receive_fd() does ever return -EACCES in another path (unlikely but still).
You can also signal blocking by setting the ufd to the security_file_receive() error
no matter the socket option. But this does change userspace.

But open-coding might be a better idea.

I also choose to not put -EPERM as sentinel as suggested first, but use the
actual LSM error. Agreed?


> diff --git a/include/net/scm.h b/include/net/scm.h
> index 761cda0803fb..171b5ccd0b77 100644
> --- a/include/net/scm.h
> +++ b/include/net/scm.h
> @@ -116,10 +116,22 @@ static inline int scm_recv_one_fd(struct file *f, int __user *ufd,
>         if (!ufd)
>                 return -EFAULT;
> 
> -       error = receive_fd_filtered(f, ufd, flags, &filtered);
> -       if (filtered && notrunc)
> -               return put_user(error, ufd);
> -       return error;
> +       error = security_file_receive(file);
> +       if (error)
> +               return notrunc ? put_user(error, ufd) : error;
> +
> +       FD_PREPARE(fdf, flags, f);
> +       if (fdf.err)
> +               return fdf.err;
> +       get_file(f);
> +
> +       error = put_user(fd_prepare_fd(fdf), ufd);
> +       if (error)
> +               return error;
> +
> +       __receive_sock(f);
> +       return fd_publish(fdf);
>  }
> 
> -- 
> Christian Brauner <brauner@kernel.org>

  reply	other threads:[~2026-06-30 12:17 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 19:43 [PATCH net-next v3 0/5] af_unix: useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-06-29 19:43 ` [PATCH net-next v3 1/5] net: scm: move scm_detach_fds() from common path to scm_recv_unix() Jori Koolstra
2026-06-29 19:43 ` [PATCH net-next v3 2/5] vfs: add function receive_fd_filtered() that makes LSM filtering explicit Jori Koolstra
2026-06-29 19:43 ` [PATCH net-next v3 3/5] net: af_unix: useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-06-30  9:58   ` Christian Brauner
2026-06-30 12:17     ` Jori Koolstra [this message]
2026-07-01  7:44       ` Christian Brauner
2026-06-30 16:43   ` Kuniyuki Iwashima
2026-06-29 19:43 ` [PATCH net-next v3 4/5] net: af_unix: replace copy_from_sockptr() with copy_safe_from_sockptr() Jori Koolstra
2026-06-30 16:18   ` Kuniyuki Iwashima
2026-06-29 19:43 ` [PATCH net-next v3 5/5] selftest: Add tests for useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-06-30 14:17   ` Jakub Kicinski
2026-06-30 14:35     ` Jori Koolstra
2026-06-30 16:23       ` Kuniyuki Iwashima
2026-07-01  7:38       ` Christian Brauner
2026-07-01  9:31         ` Jori Koolstra

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=158151977.3525022.1782821834050@kpc.webmail.kpnmail.nl \
    --to=jkoolstra@xs4all.nl \
    --cc=brauner@kernel.org \
    --cc=cyphar@cyphar.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=kuniyu@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox