Thread: 3 messages, 3 authors, 2025-05-06

Re: [PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send().

From: Alexei Starovoitov <hidden>
Date: 2025-05-06 00:57:01
Also in: bpf, netdev, selinux


On Mon, May 5, 2025 at 5:46 PM Kuniyuki Iwashima [off-list ref] wrote:
> From: Alexei Starovoitov <redacted>
> Date: Mon, 5 May 2025 17:13:32 -0700
> > On Mon, May 5, 2025 at 3:00 PM Kuniyuki Iwashima [off-list ref] wrote:
> > > As Christian Brauner said [0], systemd calls cmsg_close_all() [1] after
> > > each recvmsg() to close() unwanted file descriptors sent via SCM_RIGHTS.
> > >
> > > However, this cannot work around the issue that close() for unwanted file
> > > descriptors could block longer because the last fput() could occur on
> > > the receiver side once sendmsg() with SCM_RIGHTS succeeds.
> > >
> > > Also, even filtering by LSM at recvmsg() does not work for the same reason.
> > >
> > > Thus, we need a better way to filter SCM_RIGHTS on the sender side.
> > >
> > > Let's add a new kfunc to scrub all file descriptors from skb in
> > > sendmsg().
> > >
> > > This allows the receiver to keep recv()ing the bare data and does not
> > > allow the sender to impose the potential slowness of the last fput().
> > >
> > > If necessary, we can add more granular filtering per file descriptor
> > > after refactoring GC code and adding some fd-to-file helpers for BPF.
> > >
> > > Sample:
> > >
> > > #include "vmlinux.h"
> > > #include <bpf/bpf_helpers.h>
> > > #include <bpf/bpf_tracing.h>
> > > #include <errno.h>
> > >
> > > /* kfunc added by this series; prototype assumed from the call below */
> > > extern int bpf_unix_scrub_fds(struct sk_buff *skb) __ksym;
> > >
> > > char LICENSE[] SEC("license") = "GPL";
> > >
> > > SEC("lsm/unix_may_send")
> > > int BPF_PROG(unix_scrub_scm_rights,
> > >              struct socket *sock, struct socket *other, struct sk_buff *skb)
> > > {
> > >         /* Drop every SCM_RIGHTS fd attached to the skb before delivery;
> > >          * the data payload still reaches the receiver. */
> > >         if (skb && bpf_unix_scrub_fds(skb))
> > >                 return -EPERM;
> > >
> > >         return 0;
> > > }
> >
> > Any other programmability do you need there?
>
> This is kind of a PoC, and as Kumar mentioned, per-fd scrubbing
> is ideal to cover the real use cases.
>
> https://lore.kernel.org/netdev/CAP01T77STmncrPt=BsFfEY6SX1+oYNXhPeZ1HC9J=S2jhOwQoQ@mail.gmail.com/
>
> for example:
> https://uapi-group.org/kernel-features/#filtering-on-received-file-descriptors

Fair enough.
Would be great to have them as selftests to make sure that advanced
use cases are actually working.
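The situation the commit message describes, as an added userspace example that is not part of the patch or of this thread: once sendmsg() with SCM_RIGHTS has succeeded and the sender has closed its own copy, the receiver ends up holding the last reference, so a cmsg_close_all()-style close() on the receiver performs the final fput(). The example passes a pipe's write end, because the read end only reports hangup after the last writer reference is gone, which makes the lifetime observable without kernel instrumentation. It assumes Linux (MSG_CMSG_CLOEXEC); the helper names send_with_fds, recv_with_fds, close_received and pipe_writers_gone are this example's own.

```c
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FDS 16

/* Send a payload plus nfds descriptors as one SCM_RIGHTS message; 0 on success. */
static int send_with_fds(int sock, const void *msg, size_t len, const int *fds, int nfds)
{
	char cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS)] = { 0 };
	struct iovec iov = { .iov_base = (void *)msg, .iov_len = len };
	struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf };
	struct cmsghdr *cm;

	if (nfds < 1 || nfds > MAX_FDS)
		return -1;
	mh.msg_controllen = CMSG_SPACE(sizeof(int) * nfds);
	cm = CMSG_FIRSTHDR(&mh);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int) * nfds);
	memcpy(CMSG_DATA(cm), fds, sizeof(int) * nfds);
	return sendmsg(sock, &mh, 0) < 0 ? -1 : 0;
}

/* Receive one message: payload into data, SCM_RIGHTS fds into fds[]; returns payload length or -1. */
static ssize_t recv_with_fds(int sock, void *data, size_t len, int *fds, int *nfds)
{
	char cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
	struct iovec iov = { .iov_base = data, .iov_len = len };
	struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
			     .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *cm;
	/* MSG_CMSG_CLOEXEC (Linux): descriptors installed here must not leak across exec(). */
	ssize_t n = recvmsg(sock, &mh, MSG_CMSG_CLOEXEC);

	*nfds = 0;
	if (n < 0)
		return -1;
	for (cm = CMSG_FIRSTHDR(&mh); cm; cm = CMSG_NXTHDR(&mh, cm)) {
		if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
			continue;
		int cnt = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);

		memcpy(fds + *nfds, CMSG_DATA(cm), sizeof(int) * cnt); /* cbuf bounds cnt to MAX_FDS */
		*nfds += cnt;
	}
	return n;
}

/* Receiver-side scrub in the style of systemd's cmsg_close_all(). Once the
 * sender has dropped its copy, this close() is the last fput() on the file. */
static void close_received(const int *fds, int nfds)
{
	for (int i = 0; i < nfds; i++)
		close(fds[i]);
}

/* 1 if the pipe read end reports hangup (no writers left) within timeout_ms. */
static int pipe_writers_gone(int rfd, int timeout_ms)
{
	struct pollfd p = { .fd = rfd, .events = POLLIN };
	return poll(&p, 1, timeout_ms) > 0 && (p.revents & POLLHUP);
}

/* Sender passes a pipe's write end and closes its own copy; the file stays alive in the
 * in-flight skb, then in the receiver's fd table, until the receiver closes it.
 * Returns 0 if every step behaves that way, otherwise the number of the failing step. */
int demo_receiver_holds_last_ref(void)
{
	int sv[2], pfd[2], rcvd[MAX_FDS], nrcvd;
	char data[8];

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0)
		return 1;
	if (send_with_fds(sv[0], "x", 1, &pfd[1], 1) < 0)
		return 2;
	close(pfd[1]);				/* sender drops its copy */
	if (pipe_writers_gone(pfd[0], 50))	/* in-flight reference keeps it open */
		return 3;
	if (recv_with_fds(sv[1], data, sizeof(data), rcvd, &nrcvd) != 1 ||
	    nrcvd != 1 || data[0] != 'x')
		return 4;
	if (pipe_writers_gone(pfd[0], 50))	/* now held by the receiver's fd table */
		return 5;
	close_received(rcvd, nrcvd);		/* last fput() happens here */
	if (!pipe_writers_gone(pfd[0], 1000))
		return 6;
	close(pfd[0]); close(sv[0]); close(sv[1]);
	return 0;
}

int main(void)
{
	return demo_receiver_holds_last_ref();	/* exit status 0 when all steps behave as described */
}
```

The step that matters for the patch is the one between returns 4 and 6: the receiver is already holding the bare payload, yet the file is not released until the receiver's own close(). With the series' sample program attached to unix_may_send, the commit message says the receiver would still read the payload but would see no descriptors, so the reference dropped by the scrub is released on the sender side instead.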