Thread (9 messages) 9 messages, 3 authors, 2026-06-02

Re: [RFC PATCH 1/2] net: af_unix: Useful handling of LSM denials on SCM_RIGHTS

From: Jori Koolstra <jkoolstra@xs4all.nl>
Date: 2026-05-01 15:35:50
Also in: io-uring, linux-fsdevel, lkml

Op 30-04-2026 04:04 CEST schreef Kuniyuki Iwashima [off-list ref]:

 
On Tue, Apr 28, 2026 at 10:51 AM Jori Koolstra [off-list ref] wrote:
quoted
Right now if some LSM such as Smack denies an AF_UNIX socket peer to
receive an SCM_RIGHTS fd the SCM_RIGHTS fd array will be cut short at
that point, and MSG_CTRUNC is set on return of recvmsg(). This is
highly problematic behaviour, because it leaves the receiver
wondering what happened. As per man page MSG_CTRUNC is supposed to
indicate that the control buffer was sized too short, but suddenly
a permission error might result in the exact same flag being set.
Moreover, the receiver has no chance to determine how many fds got
originally sent and how many were suppressed.[1]

Add two MSG_* flags:
Since we only have 5 bits remaining for future extension,
we need to consider the use case a bit more carefully.
Right. Since it wasn't a lot of work I implemented it exactly as the request
was made from userspace, and then discuss it from there. By the way, I suppose
nothing can be done about that small flag space?
quoted
 - MSG_RIGHTS_DENIAL is set whenever any file is rejected by the LSM
   during recvmsg() of SCM_RIGHTS fds.
Is this really needed ?

Even if the fd array is truncated, the application will traverse
the array anyway since it has some fds already installed (to
clean up in case of MSG_CTRUNC ?).

Then, it will find the -EPERM entry.

I assume no one uses MSG_RIGHTS_DENIAL without
MSG_RIGHTS_FILTER.
I guess that is a fair assumption to make. We can certainly do without
MSG_RIGHTS_DENIAL if saving flags is important. I also suggested that
we may see whether we can make MSG_RIGHTS_FILTER the default behavior.
In the mean time I've found grep.app, and it turns out the answer is no.
Apparently almost no one checks even for the truncation flag (mostly 1 fd
is passed and then it is check the cmsg lenght). But cpython has this for
instance:

    /* Close all descriptors coming from SCM_RIGHTS, so they don't leak. */
    for (cmsgh = ((msg.msg_controllen > 0) ? CMSG_FIRSTHDR(&msg) : NULL);
         cmsgh != NULL; cmsgh = CMSG_NXTHDR(&msg, cmsgh)) {
        cmsg_status = get_cmsg_data_len(&msg, cmsgh, &cmsgdatalen);
        if (cmsg_status < 0)
            break;
        if (cmsgh->cmsg_level == SOL_SOCKET &&
            cmsgh->cmsg_type == SCM_RIGHTS) {
            size_t numfds;
            int *fdp;
            numfds = cmsgdatalen / sizeof(int);
            fdp = (int *)CMSG_DATA(cmsgh);
            while (numfds-- > 0)
                close(*fdp++);
        }
        if (cmsg_status != 0)
            break;
    }
quoted
 - If MSG_RIGHTS_FILTER is passed as a flag to recvmsg(), the SCM_RIGHTS
Does this flag need per-recvmsg() granularity ?
Perhaps not. What would be the alternative? A fcntl option for the socket fd?
If the application does not welcome the truncated fd array,
it would have passed MSG_RIGHTS_FILTER to every
recvmsg(), no ?
Correct.


Thanks,
Jori.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help