On Sat, Jun 14, 2025 at 4:40 PM Kuniyuki Iwashima <kuni1840@xxxxxxxxx> wrote:
> From: Paul Moore <paul@xxxxxxxxxxxxxx>
> Date: Sat, 14 Jun 2025 07:43:46 -0400
> > On June 13, 2025 6:24:15 PM Kuniyuki Iwashima <kuni1840@xxxxxxxxx> wrote:
> > > From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> > >
> > > Since commit 77cbe1a6d873 ("af_unix: Introduce SO_PASSRIGHTS."),
> > > we can disable SCM_RIGHTS per socket, but it's not flexible.
> > >
> > > This series allows us to implement more fine-grained filtering for
> > > SCM_RIGHTS with BPF LSM.
> >
> > My ability to review this over the weekend is limited due to device and
> > network access, but I'll take a look next week.
> >
> > That said, it would be good if you could clarify the "filtering" aspect of
> > your comments; it may be obvious when I'm able to look at the full patchset
>
> I meant to mention that just below the quoted part :)
>
> ---8<---
> Changes:
> v2: Remove SCM_RIGHTS fd scrubbing functionality
> ---8<---
Thanks :)
While looking at your patches tonight, I was wondering if you had ever
considered adding a new LSM hook to __scm_send() that specifically
targets SCM_RIGHTS? I was thinking of something like this:
diff --git a/net/core/scm.c b/net/core/scm.c
index 0225bd94170f..5fec8abc99f5 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -173,6 +173,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, stru
ct scm_cookie *p)
case SCM_RIGHTS:
if (!ops || ops->family != PF_UNIX)
goto error;
+ err = security_sock_scm_rights(sock);
+ if (err<0)
+ goto error;
err=scm_fp_copy(cmsg, &p->fp);
if (err<0)
goto error;
... if I'm correct in my understanding of what you are trying to
accomplish, I believe this should allow you to meet your goals with a
much simpler and targeted approach. Or am I thinking about this
wrong?
--
paul-moore.com
