[PATCH v1 bpf-next 1/5] af_unix: Call security_unix_may_send() in sendmsg() for all socket types

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	"Alexei Starovoitov" <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>
Cc: "Eduard Zingerman" <eddyz87@gmail.com>,
	"Song Liu" <song@kernel.org>,
	"Yonghong Song" <yonghong.song@linux.dev>,
	"KP Singh" <kpsingh@kernel.org>,
	"Stanislav Fomichev" <sdf@fomichev.me>,
	"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Günther Noack" <gnoack@google.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Stephen Smalley" <stephen.smalley.work@gmail.com>,
	"Ondrej Mosnacek" <omosnace@redhat.com>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	"Christian Brauner" <brauner@kernel.org>,
	"Kuniyuki Iwashima" <kuniyu@amazon.com>,
	"Kuniyuki Iwashima" <kuni1840@gmail.com>,
	bpf@vger.kernel.org, netdev@vger.kernel.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v1 bpf-next 1/5] af_unix: Call security_unix_may_send() in sendmsg() for all socket types
Date: Mon, 5 May 2025 14:56:46 -0700	[thread overview]
Message-ID: <20250505215802.48449-2-kuniyu@amazon.com> (raw)
In-Reply-To: <20250505215802.48449-1-kuniyu@amazon.com>

Currently, security_unix_may_send() is invoked only for SOCK_DGRAM
sockets during connect() and sendmsg().

For SOCK_STREAM and SOCK_SEQPACKET sockets, an equivalent check
already occurs during connect(), making an additional hook in
sendmsg() unnecessary.

However, we want to leverage BPF LSM to inspect the skb during
sendmsg(), either to scrub file descriptors passed via SCM_RIGHTS
or to reject such an skb.

As a preparation, let's call security_unix_may_send() for SOCK_STREAM
and SOCK_SEQPACKET in sendmsg().

Note that SELinux, SMACK, and Landlock use security_unix_may_send().
To avoid unintentionally triggering the hook for SOCK_STREAM and
SOCK_SEQPACKET, an additional socket type check is added in each LSM.

Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/unix/af_unix.c         | 31 ++++++++++++++++++++++---------
 security/landlock/task.c   |  3 +++
 security/selinux/hooks.c   |  3 +++
 security/smack/smack_lsm.c |  3 +++
 4 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index f78a2492826f..769db3f8f41b 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2101,11 +2101,9 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
 		goto out_unlock;
 	}
 
-	if (sk->sk_type != SOCK_SEQPACKET) {
-		err = security_unix_may_send(sk->sk_socket, other->sk_socket);
-		if (err)
-			goto out_unlock;
-	}
+	err = security_unix_may_send(sk->sk_socket, other->sk_socket);
+	if (err)
+		goto out_unlock;
 
 	/* other == sk && unix_peer(other) != sk if
 	 * - unix_peer(sk) == NULL, destination address bound to sk
@@ -2201,9 +2199,14 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
 
 	if (sock_flag(other, SOCK_DEAD) ||
 	    (other->sk_shutdown & RCV_SHUTDOWN)) {
-		unix_state_unlock(other);
 		err = -EPIPE;
-		goto out;
+		goto out_unlock;
+	}
+
+	if (!fds_sent) {
+		err = security_unix_may_send(sock, other->sk_socket);
+		if (err)
+			goto out_unlock;
 	}
 
 	maybe_add_creds(skb, sock, other);
@@ -2219,6 +2222,8 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
 	other->sk_data_ready(other);
 
 	return 0;
+out_unlock:
+	unix_state_unlock(other);
 out:
 	consume_skb(skb);
 	return err;
@@ -2296,8 +2301,6 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
 		if (err < 0)
 			goto out_free;
 
-		fds_sent = true;
-
 		if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) {
 			skb->ip_summed = CHECKSUM_UNNECESSARY;
 			err = skb_splice_from_iter(skb, &msg->msg_iter, size,
@@ -2322,6 +2325,16 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
 		    (other->sk_shutdown & RCV_SHUTDOWN))
 			goto out_pipe_unlock;
 
+		if (!fds_sent) {
+			err = security_unix_may_send(sock, other->sk_socket);
+			if (err) {
+				unix_state_unlock(other);
+				goto out_free;
+			}
+		}
+
+		fds_sent = true;
+
 		maybe_add_creds(skb, sock, other);
 		scm_stat_add(other, skb);
 		skb_queue_tail(&other->sk_receive_queue, skb);
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 2385017418ca..f15e6b0c56f8 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -305,6 +305,9 @@ static int hook_unix_may_send(struct socket *const sock,
 	if (!subject)
 		return 0;
 
+	if (sock->sk->sk_type != SOCK_DGRAM)
+		return 0;
+
 	/*
 	 * Checks if this datagram socket was already allowed to be connected
 	 * to other.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e7a7dcab81db..9fb4cd442ffd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5106,6 +5106,9 @@ static int selinux_socket_unix_may_send(struct socket *sock,
 	struct common_audit_data ad;
 	struct lsm_network_audit net;
 
+	if (sock->sk->sk_type != SOCK_DGRAM)
+		return 0;
+
 	ad_net_init_from_sk(&ad, &net, other->sk);
 
 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 99833168604e..00aa1e7513c1 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3904,6 +3904,9 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
 	smk_ad_setfield_u_net_sk(&ad, other->sk);
 #endif
 
+	if (sock->sk->sk_type != SOCK_DGRAM)
+		return 0;
+
 	if (smack_privileged(CAP_MAC_OVERRIDE))
 		return 0;
 
-- 
2.49.0

next prev parent reply	other threads:[~2025-05-05 21:58 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-05 21:56 [PATCH v1 bpf-next 0/5] af_unix: Allow BPF LSM to scrub SCM_RIGHTS at sendmsg() Kuniyuki Iwashima
2025-05-05 21:56 ` Kuniyuki Iwashima [this message]
2025-05-05 21:56 ` [PATCH v1 bpf-next 2/5] af_unix: Pass skb to security_unix_may_send() Kuniyuki Iwashima
2025-05-05 21:56 ` [PATCH v1 bpf-next 3/5] af_unix: Remove redundant scm->fp check in __scm_destroy() Kuniyuki Iwashima
2025-05-09 14:13   ` kernel test robot
2025-05-05 21:56 ` [PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send() Kuniyuki Iwashima
2025-05-06  0:13   ` Alexei Starovoitov
2025-05-06  8:25     ` Mickaël Salaün
2025-05-09 15:06   ` kernel test robot
2025-05-05 21:56 ` [PATCH v1 bpf-next 5/5] selftest: bpf: Add test for bpf_unix_scrub_fds() Kuniyuki Iwashima
2025-05-05 22:49 ` [PATCH v1 bpf-next 0/5] af_unix: Allow BPF LSM to scrub SCM_RIGHTS at sendmsg() Kumar Kartikeya Dwivedi
2025-05-06  0:21   ` Kuniyuki Iwashima
2025-05-06 16:25     ` Kumar Kartikeya Dwivedi
2025-05-06 18:16       ` Kuniyuki Iwashima
2025-05-06  9:15   ` Christian Brauner
2025-05-06 16:08     ` Kumar Kartikeya Dwivedi
2025-05-06 18:14       ` Kuniyuki Iwashima
2025-05-05 23:21 ` Paul Moore
2025-05-06  0:35   ` Kuniyuki Iwashima
2025-05-06 14:57     ` Paul Moore
2025-05-06 12:17 ` Lennart Poettering
2025-05-06 18:19   ` Kuniyuki Iwashima

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f78a2492826 dfblob:769db3f8f41 dfblob:2385017418c
dfblob:f15e6b0c56f dfblob:e7a7dcab81d dfblob:9fb4cd442ff
dfblob:99833168604 dfblob:00aa1e7513c )
 OR (
bs:"[PATCH v1 bpf-next 1/5] af_unix: Call security_unix_may_send() in sendmsg() for all socket types" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250505215802.48449-2-kuniyu@amazon.com \
    --to=kuniyu@amazon.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=brauner@kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=gnoack@google.com \
    --cc=haoluo@google.com \
    --cc=jmorris@namei.org \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=kuni1840@gmail.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=mic@digikod.net \
    --cc=netdev@vger.kernel.org \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=sdf@fomichev.me \
    --cc=selinux@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=song@kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).