From: Paul Moore <paul@xxxxxxxxxxxxxx>
Date: Wed, 18 Jun 2025 23:23:31 -0400

> On Sat, Jun 14, 2025 at 4:40 PM Kuniyuki Iwashima <kuni1840@xxxxxxxxx> wrote:
> > From: Paul Moore <paul@xxxxxxxxxxxxxx>
> > Date: Sat, 14 Jun 2025 07:43:46 -0400
> > > On June 13, 2025 6:24:15 PM Kuniyuki Iwashima <kuni1840@xxxxxxxxx> wrote:
> > > > From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> > > >
> > > > Since commit 77cbe1a6d873 ("af_unix: Introduce SO_PASSRIGHTS."),
> > > > we can disable SCM_RIGHTS per socket, but it's not flexible.
> > > >
> > > > This series allows us to implement more fine-grained filtering for
> > > > SCM_RIGHTS with BPF LSM.
> > >
> > > My ability to review this over the weekend is limited due to device and
> > > network access, but I'll take a look next week.
> > >
> > > That said, it would be good if you could clarify the "filtering" aspect of
> > > your comments; it may be obvious when I'm able to look at the full patchset
> >
> > I meant to mention that just below the quoted part :)
> >
> > ---8<---
> > Changes:
> > v2: Remove SCM_RIGHTS fd scrubbing functionality
> > ---8<---
>
> Thanks :)
>
> While looking at your patches tonight, I was wondering if you had ever
> considered adding a new LSM hook to __scm_send() that specifically
> targets SCM_RIGHTS? I was thinking of something like this:
>
> diff --git a/net/core/scm.c b/net/core/scm.c
> index 0225bd94170f..5fec8abc99f5 100644
> --- a/net/core/scm.c
> +++ b/net/core/scm.c
> @@ -173,6 +173,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
>  		case SCM_RIGHTS:
>  			if (!ops || ops->family != PF_UNIX)
>  				goto error;
> +			err = security_sock_scm_rights(sock);
> +			if (err<0)
> +				goto error;
>  			err=scm_fp_copy(cmsg, &p->fp);
>  			if (err<0)
>  				goto error;
>
> ... if I'm correct in my understanding of what you are trying to
> accomplish, I believe this should allow you to meet your goals with a
> much simpler and targeted approach. Or am I thinking about this
> wrong?

As BPF LSM is just a hook point and not tied to a specific socket, we
cannot know who will receive the message in __scm_send().

Also, the hook must be after scm_fp_copy(), otherwise struct file is
not yet available there.

Another way I thought of was to reuse the LSM hook in sk_filter()
(SOCK_STREAM needs to add it), but it returns 0 even when we drop skb,
which will be less preferable.

BTW, I was about to send v3, what target tree should be specified in
the subject, bpf-next or something else?
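Review bot: the new security_sock_scm_rights(sock) call is placed before scm_fp_copy(cmsg, &p->fp), so the hook is given only the sending socket and nothing about the descriptors being passed; a policy that needs to inspect the struct file objects would have to run after scm_fp_copy() succeeds, and then the error path would also need to release whatever scm_fp_copy() attached to p->fp before jumping to the error label. The hunk shows only the call site: the declaration and default implementation of security_sock_scm_rights() are not part of this diff, so as posted it would not build on its own. Minor: `if (err<0)` on the added line copies the spacing of the existing `if (err<0)` below it, but new lines should use kernel style, `if (err < 0)`.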