Netdev List
* [PATCH net-next v3 0/5] af_unix: useful handling of LSM denials on SCM_RIGHTS
@ 2026-06-29 19:43 Jori Koolstra
  2026-06-29 19:43 ` [PATCH net-next v3 1/5] net: scm: move scm_detach_fds() from common path to scm_recv_unix() Jori Koolstra
                   ` (4 more replies)
  0 siblings, 5 replies; 16+ messages in thread
From: Jori Koolstra @ 2026-06-29 19:43 UTC (permalink / raw)
  To: Christian Brauner, Aleksa Sarai, Kuniyuki Iwashima,
	David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman
  Cc: netdev, linux-fsdevel, linux-kernel, Jori Koolstra

Right now if some LSM such as Smack denies an AF_UNIX socket peer to
receive an SCM_RIGHTS fd, the SCM_RIGHTS fd array will be cut short at
that point, and MSG_CTRUNC is set on return of recvmsg(2). This is
highly problematic behaviour, because it leaves the receiver
wondering what happened. As per man page MSG_CTRUNC is supposed to
indicate that the control buffer was sized too short, but suddenly
a permission error might result in the exact same flag being set.
Moreover, the receiver has no chance to determine how many fds got
originally sent and how many were suppressed.[1]

Add a SO_RIGHTS_NOTRUNC option to UNIX sockets to enable more useful
handling of LSM denials when receiving SCM_RIGHTS messages: instead of
truncating the message at the first blocked fd, keep every fd slot
and store the LSM errno in the blocked slot.

[1]: https://github.com/uapi-group/kernel-features#useful-handling-of-lsm-denials-on-scm_rights

Changes:
v3:
  - Separated net and vfs changes.
  - Use kselftest_harness.h and system() to call the test script.
v2: https://lore.kernel.org/netdev/20260616143020.3458085-2-jkoolstra@xs4all.nl/
  - Reimplemented as a UNIX socket option instead of a per recvmsg(2) flag.
v1: https://lore.kernel.org/netdev/20260428175125.2705296-1-jkoolstra@xs4all.nl/

Jori Koolstra (5):
  net: scm: move scm_detach_fds() from common path to scm_recv_unix()
  vfs: add function receive_fd_filtered() that makes LSM filtering
    explicit
  net: af_unix: useful handling of LSM denials on SCM_RIGHTS
  net: af_unix: replace copy_from_sockptr() with
    copy_safe_from_sockptr()
  selftest: Add tests for useful handling of LSM denials on SCM_RIGHTS

 fs/file.c                                     |  48 +++--
 include/linux/file.h                          |   2 +
 include/net/af_unix.h                         |   1 +
 include/net/scm.h                             |  15 +-
 include/uapi/asm-generic/socket.h             |   3 +
 net/compat.c                                  |   4 +-
 net/core/scm.c                                |  18 +-
 net/unix/af_unix.c                            |  18 +-
 .../testing/selftests/net/af_unix/.gitignore  |   3 +
 tools/testing/selftests/net/af_unix/Makefile  |   4 +
 .../selftests/net/af_unix/scm_rights_denial.c |  20 ++
 .../selftests/net/af_unix/scm_rights_denial.h |  38 ++++
 .../net/af_unix/scm_rights_denial.sh          | 174 ++++++++++++++++
 .../net/af_unix/scm_rights_denial_receiver.c  | 195 ++++++++++++++++++
 .../net/af_unix/scm_rights_denial_sender.c    | 126 +++++++++++
 15 files changed, 636 insertions(+), 33 deletions(-)
 create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial.c
 create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial.h
 create mode 100755 tools/testing/selftests/net/af_unix/scm_rights_denial.sh
 create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial_receiver.c
 create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial_sender.c

-- 
2.54.0
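
What a receiver observes today when the SCM_RIGHTS array comes back short, as an added example that is not part of the original message or the patch series: it forces the buffer-too-small case over a socketpair, where the only signals are a shorter fd array and MSG_CTRUNC, the same signals the cover letter says an LSM denial produces. `recv_fds`, `demo`, `ctrl_t` and `MAX_FDS` are names made up for this sketch, and Linux is assumed.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FDS 8
typedef union { struct cmsghdr hdr; char buf[CMSG_SPACE(MAX_FDS * sizeof(int))]; } ctrl_t;
static char byte = 'x';
static struct iovec iov = { &byte, 1 };   /* one data byte carries the cmsg */

/* Receive with room for exactly `room` fds; returns fds received, sets *ctrunc. */
static int recv_fds(int sock, int room, int *ctrunc)
{
    ctrl_t u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
                          .msg_controllen = CMSG_LEN(room * sizeof(int)) };
    int got = 0, fd;
    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    *ctrunc = !!(msg.msg_flags & MSG_CTRUNC);
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
            continue;
        for (size_t i = 0; i < (c->cmsg_len - CMSG_LEN(0)) / sizeof(fd); i++, got++) {
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(fd), sizeof(fd));
            close(fd);   /* the demo only counts; never leak received fds */
        }
    }
    return got;
}

/* Constructed scenario: pass `sent` (<= MAX_FDS) fds, receive with room for `room`. */
int demo(int sent, int room, int *ctrunc)
{
    ctrl_t u = { { 0 } };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
                          .msg_controllen = CMSG_SPACE(sent * sizeof(int)) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    int sv[2], got = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sent * sizeof(int));
    for (int i = 0; i < sent; i++)   /* pass the peer socket `sent` times */
        memcpy(CMSG_DATA(c) + i * sizeof(int), &sv[1], sizeof(int));
    if (sendmsg(sv[0], &msg, 0) == 1)
        got = recv_fds(sv[1], room, ctrunc);
    close(sv[0]); close(sv[1]);
    return got;
}
```

`demo(3, 3, &t)` returns 3 with `t == 0`, while `demo(3, 1, &t)` returns 1 with `t == 1`; nothing in the second result tells the receiver how many fds were dropped or why.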



Thread overview: 16+ messages
2026-06-29 19:43 [PATCH net-next v3 0/5] af_unix: useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-06-29 19:43 ` [PATCH net-next v3 1/5] net: scm: move scm_detach_fds() from common path to scm_recv_unix() Jori Koolstra
2026-06-29 19:43 ` [PATCH net-next v3 2/5] vfs: add function receive_fd_filtered() that makes LSM filtering explicit Jori Koolstra
2026-06-29 19:43 ` [PATCH net-next v3 3/5] net: af_unix: useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-06-30  9:58   ` Christian Brauner
2026-06-30 12:17     ` Jori Koolstra
2026-07-01  7:44       ` Christian Brauner
2026-06-30 16:43   ` Kuniyuki Iwashima
2026-06-29 19:43 ` [PATCH net-next v3 4/5] net: af_unix: replace copy_from_sockptr() with copy_safe_from_sockptr() Jori Koolstra
2026-06-30 16:18   ` Kuniyuki Iwashima
2026-06-29 19:43 ` [PATCH net-next v3 5/5] selftest: Add tests for useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-06-30 14:17   ` Jakub Kicinski
2026-06-30 14:35     ` Jori Koolstra
2026-06-30 16:23       ` Kuniyuki Iwashima
2026-07-01  7:38       ` Christian Brauner
2026-07-01  9:31         ` Jori Koolstra
