Netdev List
 help / color / mirror / Atom feed
From: Christian Brauner <brauner@kernel.org>
To: Jori Koolstra <jkoolstra@xs4all.nl>
Cc: Christian Brauner <brauner@kernel.org>,
	 Aleksa Sarai <cyphar@cyphar.com>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	 "David S . Miller" <davem@davemloft.net>,
	 Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	 Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
	 netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	 linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v4 2/3] net: af_unix: useful handling of LSM denials on SCM_RIGHTS
Date: Tue, 07 Jul 2026 13:02:05 +0200	[thread overview]
Message-ID: <20260707-werkvertrag-walzen-anteil-4aef3ab6e47f@brauner> (raw)
In-Reply-To: <20260705123826.3818443-3-jkoolstra@xs4all.nl>

> Right now if some LSM such as Smack denies an AF_UNIX socket peer to
> receive an SCM_RIGHTS fd, the SCM_RIGHTS fd array will be cut short at
> that point, and MSG_CTRUNC is set on return of recvmsg(). This is
> highly problematic behaviour, because it leaves the receiver
> wondering what happened. As per man page MSG_CTRUNC is supposed to
> indicate that the control buffer was sized too short, but suddenly
> a permission error might result in the exact same flag being set.
> Moreover, the receiver has no chance to determine how many fds got
> originally sent and how many were suppressed.[1]
> 
> Add a SO_RIGHTS_NOTRUNC option to UNIX sockets to enable more useful
> handling of LSM denials when receiving SCM_RIGHTS messages: instead of
> truncating the message at the first blocked fd, keep every fd slot
> and store the LSM errno in the blocked slot.
> 
> [1]: https://github.com/uapi-group/kernel-features#useful-handling-of-lsm-denials-on-scm_rights
> 
> Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>

Reviewed-by: Christian Brauner (Amutable) <brauner@kernel.org>

> -void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
> +int scm_recv_one_fd(struct file *f, int __user *ufd, unsigned int flags,
> +		    bool notrunc)
> +{
> +	int error;
> +
> +	if (!ufd)
> +		return -EFAULT;
> +
> +	error = security_file_receive(f);
> +	if (error)
> +		return notrunc ? put_user(error, ufd) : error;
> +
> +	FD_PREPARE(fdf, flags, get_file(f));
> +	if (fdf.err)
> +		return fdf.err;
> +
> +	error = put_user(fd_prepare_fd(fdf), ufd);
> +	if (error)
> +		return error;
> +
> +	__receive_sock(fd_prepare_file(fdf));
> +	return fd_publish(fdf);
> +}

Seems good.

> +
> +void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm, bool notrunc)
>  {
>  	struct cmsghdr __user *cm =
>  		(__force struct cmsghdr __user *)msg->msg_control_user;
> @@ -365,12 +389,12 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
>  		return;
>  
>  	if (msg->msg_flags & MSG_CMSG_COMPAT) {
> -		scm_detach_fds_compat(msg, scm);
> +		scm_detach_fds_compat(msg, scm, notrunc);
>  		return;
>  	}
>  
>  	for (i = 0; i < fdmax; i++) {
> -		err = scm_recv_one_fd(scm->fp->fp[i], cmsg_data + i, o_flags);
> +		err = scm_recv_one_fd(scm->fp->fp[i], cmsg_data + i, o_flags, notrunc);
>  		if (err < 0)
>  			break;
>  	}
> @@ -542,8 +566,14 @@ void scm_recv_unix(struct socket *sock, struct msghdr *msg,
>  	if (!__scm_recv_common(sock->sk, msg, scm, flags))
>  		return;
>  
> -	if (scm->fp)
> -		scm_detach_fds(msg, scm);
> +	if (scm->fp) {
> +		struct unix_sock *u;
> +		bool notrunc;
> +
> +		u = unix_sk(sock->sk);
> +		notrunc = READ_ONCE(u->scm_rights_notrunc);
> +		scm_detach_fds(msg, scm, notrunc);

Minor nit: Really no need for the boolean. Would be enough to do:

scm_detach_fds(msg, scm, READ_ONCE(u->scm_rights_notrunc));

-- 
Christian Brauner <brauner@kernel.org>

  reply	other threads:[~2026-07-07 11:02 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 12:38 [PATCH net-next v4 0/3] net: af_unix: useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-07-05 12:38 ` [PATCH net-next v4 1/3] net: scm: move scm_detach_fds() from common path to scm_recv_unix() Jori Koolstra
2026-07-06 18:20   ` Kuniyuki Iwashima
2026-07-05 12:38 ` [PATCH net-next v4 2/3] net: af_unix: useful handling of LSM denials on SCM_RIGHTS Jori Koolstra
2026-07-07 11:02   ` Christian Brauner [this message]
2026-07-05 12:38 ` [PATCH net-next v4 3/3] selftest: Add tests for " Jori Koolstra
2026-07-06 23:17   ` Kuniyuki Iwashima
2026-07-07 11:02   ` Christian Brauner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707-werkvertrag-walzen-anteil-4aef3ab6e47f@brauner \
    --to=brauner@kernel.org \
    --cc=cyphar@cyphar.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jkoolstra@xs4all.nl \
    --cc=kuba@kernel.org \
    --cc=kuniyu@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox