[PATCH v1 bpf-next 0/5] af_unix: Allow BPF LSM to scrub SCM_RIGHTS at sendmsg().
Kuniyuki Iwashima
kuniyu at amazon.com
Mon May 5 21:56:45 UTC 2025

As long as recvmsg() or recvmmsg() is used with cmsg, it is not
possible to avoid receiving file descriptors via SCM_RIGHTS.

This behaviour has occasionally been flagged as problematic.

For instance, as noted on the uAPI Group page [0], an untrusted peer
could send a file descriptor pointing to a hung NFS mount and then
close it. Once the receiver calls recvmsg() with msg_control, the
descriptor is automatically installed, and then the responsibility
for the final close() now falls on the receiver, which may result
in blocking the process for a long time.

systemd calls cmsg_close_all() [1] after each recvmsg() to close()
unwanted file descriptors sent via SCM_RIGHTS.

However, this cannot work around the issue because the last fput()
could occur on the receiver side once sendmsg() with SCM_RIGHTS
succeeds. Also, even filtering by LSM at recvmsg() does not work
for the same reason.

Thus, we need a better way to filter SCM_RIGHTS on the sender side.

This series allows BPF LSM to inspect skb at sendmsg() and scrub
SCM_RIGHTS fds by kfunc.

Link: https://uapi-group.org/kernel-features/#disabling-reception-of-scm_rights-for-af_unix-sockets #[0]
Link: https://github.com/systemd/systemd/blob/v257.5/src/basic/fd-util.c#L612-L628 #[1]

Kuniyuki Iwashima (5):
  af_unix: Call security_unix_may_send() in sendmsg() for all socket
    types
  af_unix: Pass skb to security_unix_may_send().
  af_unix: Remove redundant scm->fp check in __scm_destroy().
  bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send().
  selftest: bpf: Add test for bpf_unix_scrub_fds().

 include/linux/lsm_hook_defs.h                 |   3 +-
 include/linux/security.h                      |   5 +-
 include/net/af_unix.h                         |   1 +
 include/net/scm.h                             |   5 +-
 net/compat.c                                  |   2 +-
 net/core/filter.c                             |  19 ++-
 net/core/scm.c                                |  19 +--
 net/unix/af_unix.c                            |  48 ++++--
 security/landlock/task.c                      |   6 +-
 security/security.c                           |   5 +-
 security/selinux/hooks.c                      |   6 +-
 security/smack/smack_lsm.c                    |   6 +-
 .../bpf/prog_tests/lsm_unix_may_send.c        | 160 ++++++++++++++++++
 .../selftests/bpf/progs/lsm_unix_may_send.c   |  30 ++++
 14 files changed, 282 insertions(+), 33 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_unix_may_send.c
 create mode 100644 tools/testing/selftests/bpf/progs/lsm_unix_may_send.c

--
2.49.0
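
The receive-side behaviour described in the cover letter, as an added example that is not part of the original message or of the patch series: a sender passes a pipe's write end via SCM_RIGHTS and closes its own copy, and the receiver's recvmsg() with msg_control installs the descriptor, so the receiver's close() becomes the final one. The helper names (`send_fd`, `recv_and_close_fds`, `last_ref_demo`) are hypothetical, and the close loop only mirrors what the letter says cmsg_close_all() does; it is not systemd's code.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

union cbuf { char buf[CMSG_SPACE(8 * sizeof(int))]; struct cmsghdr align; };

/* Sender: one fd as SCM_RIGHTS plus a 1-byte payload; returns 0 on success. */
static int send_fd(int sock, int fd) {
    union cbuf u = { .align = { .cmsg_len = CMSG_LEN(sizeof(int)),
                                .cmsg_level = SOL_SOCKET, .cmsg_type = SCM_RIGHTS } };
    struct iovec iov = { .iov_base = "x", .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
                          .msg_controllen = CMSG_SPACE(sizeof(int)) };
    memcpy(CMSG_DATA(CMSG_FIRSTHDR(&msg)), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver: recvmsg() with msg_control installs the fds; close each, return the count. */
static int recv_and_close_fds(int sock) {
    char byte;
    union cbuf u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
                          .msg_controllen = sizeof(u.buf) };
    int fd, closed = 0;
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
            continue;
        for (size_t i = 0, n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int); i < n; i++) {
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof(int));
            closed += close(fd) == 0;
        }
    }
    return closed;
}

/* Constructed demo: 0 if the write end stays open while queued and dies at the receiver. */
int last_ref_demo(void) {
    int sv[2], p[2], before, closed, after;
    char b;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) || pipe(p) || send_fd(sv[0], p[1])) return -1;
    fcntl(p[0], F_SETFL, O_NONBLOCK);
    close(p[1]);                         /* sender drops its own reference */
    before = read(p[0], &b, 1);          /* -1 (EAGAIN): queued skb keeps the writer open */
    closed = recv_and_close_fds(sv[1]);  /* fd installed in the receiver, then closed */
    after = read(p[0], &b, 1);           /* 0 (EOF): that close() was the final one */
    return (before == -1 && closed == 1 && after == 0) ? 0 : 1;
}
```

The pipe stands in for any file whose release is expensive: the cost of the final close() lands in the receiving process even though it closes the descriptor immediately.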