Re: [RFC PATCH 1/2] net: af_unix: Useful handling of LSM denials on SCM_RIGHTS
From: Jori Koolstra <jkoolstra@xs4all.nl>
Date: 2026-05-01 15:35:50
Also in:
io-uring, linux-fsdevel, lkml
Op 30-04-2026 04:04 CEST schreef Kuniyuki Iwashima [off-list ref]: On Tue, Apr 28, 2026 at 10:51 AM Jori Koolstra [off-list ref] wrote:quoted
Right now if some LSM such as Smack denies an AF_UNIX socket peer to receive an SCM_RIGHTS fd the SCM_RIGHTS fd array will be cut short at that point, and MSG_CTRUNC is set on return of recvmsg(). This is highly problematic behaviour, because it leaves the receiver wondering what happened. As per man page MSG_CTRUNC is supposed to indicate that the control buffer was sized too short, but suddenly a permission error might result in the exact same flag being set. Moreover, the receiver has no chance to determine how many fds got originally sent and how many were suppressed.[1] Add two MSG_* flags:Since we only have 5 bits remaining for future extension, we need to consider the use case a bit more carefully.
Right. Since it wasn't a lot of work I implemented it exactly as the request was made from userspace, and then discuss it from there. By the way, I suppose nothing can be done about that small flag space?
quoted
- MSG_RIGHTS_DENIAL is set whenever any file is rejected by the LSM during recvmsg() of SCM_RIGHTS fds.Is this really needed ? Even if the fd array is truncated, the application will traverse the array anyway since it has some fds already installed (to clean up in case of MSG_CTRUNC ?). Then, it will find the -EPERM entry. I assume no one uses MSG_RIGHTS_DENIAL without MSG_RIGHTS_FILTER.
I guess that is a fair assumption to make. We can certainly do without
MSG_RIGHTS_DENIAL if saving flags is important. I also suggested that
we may see whether we can make MSG_RIGHTS_FILTER the default behavior.
In the mean time I've found grep.app, and it turns out the answer is no.
Apparently almost no one checks even for the truncation flag (mostly 1 fd
is passed and then it is check the cmsg lenght). But cpython has this for
instance:
/* Close all descriptors coming from SCM_RIGHTS, so they don't leak. */
for (cmsgh = ((msg.msg_controllen > 0) ? CMSG_FIRSTHDR(&msg) : NULL);
cmsgh != NULL; cmsgh = CMSG_NXTHDR(&msg, cmsgh)) {
cmsg_status = get_cmsg_data_len(&msg, cmsgh, &cmsgdatalen);
if (cmsg_status < 0)
break;
if (cmsgh->cmsg_level == SOL_SOCKET &&
cmsgh->cmsg_type == SCM_RIGHTS) {
size_t numfds;
int *fdp;
numfds = cmsgdatalen / sizeof(int);
fdp = (int *)CMSG_DATA(cmsgh);
while (numfds-- > 0)
close(*fdp++);
}
if (cmsg_status != 0)
break;
}
quoted
- If MSG_RIGHTS_FILTER is passed as a flag to recvmsg(), the SCM_RIGHTSDoes this flag need per-recvmsg() granularity ?
Perhaps not. What would be the alternative? A fcntl option for the socket fd?
If the application does not welcome the truncated fd array, it would have passed MSG_RIGHTS_FILTER to every recvmsg(), no ?
Correct. Thanks, Jori.