From: Christian Brauner <brauner@kernel.org>
To: Kuniyuki Iwashima <kuniyu@google.com>
Cc: Jori Koolstra <jkoolstra@xs4all.nl>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jan Kara <jack@suse.cz>, Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Willem de Bruijn <willemb@google.com>,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Jens Axboe <axboe@kernel.dk>,
Kees Cook <kees@kernel.org>, Simon Horman <horms@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>, Jeff Layton <jlayton@kernel.org>,
Oleg Nesterov <oleg@redhat.com>, Andrei Vagin <avagin@gmail.com>,
Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
Mateusz Guzik <mjguzik@gmail.com>,
Joel Granados <joel.granados@kernel.org>,
Charlie Mirabile <cmirabil@redhat.com>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, io-uring@vger.kernel.org
Subject: Re: [RFC PATCH 1/2] net: af_unix: Useful handling of LSM denials on SCM_RIGHTS
Date: Tue, 12 May 2026 15:06:14 +0200 [thread overview]
Message-ID: <20260512-sparflamme-themen-4f3f10225b2a@brauner> (raw)
In-Reply-To: <CAAVpQUBKeN2KtRkRAFr8sYJM1_-rbkdjsujau5fAyaiP_dO6FA@mail.gmail.com>
On Wed, Apr 29, 2026 at 07:04:25PM -0700, Kuniyuki Iwashima wrote:
> On Tue, Apr 28, 2026 at 10:51 AM Jori Koolstra <jkoolstra@xs4all.nl> wrote:
> >
> > Right now if some LSM such as Smack denies an AF_UNIX socket peer to
> > receive an SCM_RIGHTS fd the SCM_RIGHTS fd array will be cut short at
> > that point, and MSG_CTRUNC is set on return of recvmsg(). This is
> > highly problematic behaviour, because it leaves the receiver
> > wondering what happened. As per man page MSG_CTRUNC is supposed to
> > indicate that the control buffer was sized too short, but suddenly
> > a permission error might result in the exact same flag being set.
> > Moreover, the receiver has no chance to determine how many fds got
> > originally sent and how many were suppressed.[1]
> >
> > Add two MSG_* flags:
>
> Since we only have 5 bits remaining for future extension,
> we need to consider the use case a bit more carefully.
>
>
> > - MSG_RIGHTS_DENIAL is set whenever any file is rejected by the LSM
> > during recvmsg() of SCM_RIGHTS fds.
>
> Is this really needed ?
>
> Even if the fd array is truncated, the application will traverse
> the array anyway since it has some fds already installed (to
> clean up in case of MSG_CTRUNC ?).
The socket option suggested later: Wouldn't it be simpler to just add a
socket that instructs the scm layer to send all fds that were denied
with a -EPERM sentinel. Then systemd can:
* detect all fds that were denied simply by seeing they were -EPERM
* keep the count in tact
and - see below - get rid of the blatant layering violation in here...
> Then, it will find the -EPERM entry.
I assume we're talking about the same thing. All the complicated rest
should be dropped. There's a bunch of nonsense in that uapi entry -
quite a few items are merely drafts.
> > -int receive_fd(struct file *file, int __user *ufd, unsigned int o_flags)
> > +int receive_fd_msg(struct file *file, int __user *ufd, unsigned int o_flags,
> > + unsigned int *msg_flags)
> > {
> > int error;
> >
> > error = security_file_receive(file);
> > - if (error)
> > + if (error) {
> > + if (msg_flags)
> > + *msg_flags |= MSG_RIGHTS_DENIAL;
> > +
> > + if (ufd)
> > + put_user(-EPERM, ufd);
> > +
> > return error;
> > + }
I don't like this. It's bad enought that the generic file layer needs to
call into __receive_sock() I don't want it to poke into other subsystems
internals even more. That's just not appropriate. Get this out of the
VFS's way, please.
next prev parent reply other threads:[~2026-05-12 13:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 17:51 [RFC PATCH 0/2] net: af_unix: Useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-04-28 17:51 ` [RFC PATCH 1/2] " Jori Koolstra
2026-04-30 2:04 ` Kuniyuki Iwashima
2026-05-01 15:34 ` Jori Koolstra
2026-05-02 1:24 ` Kuniyuki Iwashima
2026-05-04 17:43 ` Jori Koolstra
2026-05-12 13:06 ` Christian Brauner [this message]
2026-04-28 17:51 ` [RFC PATCH 2/2] selftest: Add tests for useful " Jori Koolstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512-sparflamme-themen-4f3f10225b2a@brauner \
--to=brauner@kernel.org \
--cc=avagin@gmail.com \
--cc=axboe@kernel.dk \
--cc=cmirabil@redhat.com \
--cc=cyphar@cyphar.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=io-uring@vger.kernel.org \
--cc=jack@suse.cz \
--cc=jkoolstra@xs4all.nl \
--cc=jlayton@kernel.org \
--cc=joel.granados@kernel.org \
--cc=kees@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mjguzik@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=pabeni@redhat.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox