Re: [PATCH v5 net-next 5/9] net: Restrict SO_PASS{CRED,PIDFD,SEC} to AF_{UNIX,NETLINK,BLUETOOTH}.

[Kuniyuki Iwashima <kuni1840@gmail.com>]

From: Luca Boccassi <bluca@debian.org>
Date: Mon, 09 Jun 2025 12:14:51 +0100
> On Mon, 2025-05-19 at 13:57 -0700, Kuniyuki Iwashima wrote:
> > SCM_CREDENTIALS and SCM_SECURITY can be recv()ed by calling
> > scm_recv() or scm_recv_unix(), and SCM_PIDFD is only used by
> > scm_recv_unix().
> > 
> > scm_recv() is called from AF_NETLINK and AF_BLUETOOTH.
> > 
> > scm_recv_unix() is literally called from AF_UNIX.
> > 
> > Let's restrict SO_PASSCRED and SO_PASSSEC to such sockets and
> > SO_PASSPIDFD to AF_UNIX only.
> > 
> > Later, SOCK_PASS{CRED,PIDFD,SEC} will be moved to struct sock
> > and united with another field.
> > 
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> > Reviewed-by: Willem de Bruijn <willemb@google.com>
> > ---
> > v3:
> >   * Return -EOPNOTSUPP in getsockopt() too
> >   * Add CONFIG_SECURITY_NETWORK check for SO_PASSSEC
> > 
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index d7d6d3a8efe5..fd5f9d3873c1 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -1221,12 +1221,21 @@ int sk_setsockopt(struct sock *sk, int level,
> > int optname,
> >  		}
> >  		return -EPERM;
> >  	case SO_PASSSEC:
> > +		if (!IS_ENABLED(CONFIG_SECURITY_NETWORK) ||
> > sk_may_scm_recv(sk))
> > +			return -EOPNOTSUPP;
> 
> Hi,
> 
> Was this one meant to be !sk_may_scm_recv(sk) like in getsockopt below
> by any chance?

Oops, but the next patch happened to fix it.

Will try to reproduce it.

> 
> We have a report that this is breaking AF_UNIX sockets with 6.16~rc1:
> 
> [    1.763019] systemd[1]: systemd-journald-dev-log.socket: SO_PASSSEC
> failed: Operation not supported
> [    1.763102] systemd[1]: systemd-journald.socket: SO_PASSSEC failed:
> Operation not supported
> [    1.763121] systemd[1]: systemd-journald.socket: SO_PASSSEC failed:
> Operation not supported
> 
> https://github.com/systemd/systemd/issues/37783