On Sat, Jun 14, 2025 at 4:40 PM Kuniyuki Iwashima [off-list ref] wrote:

From: Paul Moore <paul@paul-moore.com>
Date: Sat, 14 Jun 2025 07:43:46 -0400

quoted

On June 13, 2025 6:24:15 PM Kuniyuki Iwashima [off-list ref] wrote:

quoted

From: Kuniyuki Iwashima <kuniyu@google.com>

Since commit 77cbe1a6d873 ("af_unix: Introduce SO_PASSRIGHTS."),
we can disable SCM_RIGHTS per socket, but it's not flexible.

This series allows us to implement more fine-grained filtering for
SCM_RIGHTS with BPF LSM.

My ability to review this over the weekend is limited due to device and
network access, but I'll take a look next week.

That said, it would be good if you could clarify the "filtering" aspect of
your comments; it may be obvious when I'm able to look at the full patchset

I meant to mention that just below the quoted part :)

---8<---
Changes:
  v2: Remove SCM_RIGHTS fd scrubbing functionality
---8<---

Thanks :)

While looking at your patches tonight, I was wondering if you had ever
considered adding a new LSM hook to __scm_send() that specifically
targets SCM_RIGHTS?  I was thinking of something like this:

diff --git a/net/core/scm.c b/net/core/scm.c
index 0225bd94170f..5fec8abc99f5 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c

@@ -173,6 +173,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, stru

ct scm_cookie *p)
               case SCM_RIGHTS:
                       if (!ops || ops->family != PF_UNIX)
                               goto error;
+                       err = security_sock_scm_rights(sock);
+                       if (err<0)
+                               goto error;
                       err=scm_fp_copy(cmsg, &p->fp);
                       if (err<0)
                               goto error;

... if I'm correct in my understanding of what you are trying to
accomplish, I believe this should allow you to meet your goals with a
much simpler and targeted approach.  Or am I thinking about this
wrong?

-- 
paul-moore.com