[PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send().

[Alexei Starovoitov]

On Mon, May 5, 2025 at 3:00 PM Kuniyuki Iwashima <kuniyu at amazon.com> wrote:
>
> As Christian Brauner said [0], systemd calls cmsg_close_all() [1] after
> each recvmsg() to close() unwanted file descriptors sent via SCM_RIGHTS.
>
> However, this cannot work around the issue that close() for unwanted file
> descriptors could block longer because the last fput() could occur on
> the receiver side once sendmsg() with SCM_RIGHTS succeeds.
>
> Also, even filtering by LSM at recvmsg() does not work for the same reason.
>
> Thus, we need a better way to filter SCM_RIGHTS on the sender side.
>
> Let's add a new kfunc to scrub all file descriptors from skb in
> sendmsg().
>
> This allows the receiver to keep recv()ing the bare data and disallows
> the sender to impose the potential slowness of the last fput().
>
> If necessary, we can add more granular filtering per file descriptor
> after refactoring GC code and adding some fd-to-file helpers for BPF.
>
> Sample:
>
> SEC("lsm/unix_may_send")
> int BPF_PROG(unix_scrub_scm_rights,
>              struct socket *sock, struct socket *other, struct sk_buff *skb)
> {
>         struct unix_skb_parms *cb;
>
>         if (skb && bpf_unix_scrub_fds(skb))
>                 return -EPERM;
>
>         return 0;
> }

Any other programmability do you need there?

If not and above is all that is needed then what Jann proposed
sounds like better path to me:
"
I think the thorough fix would probably be to introduce a socket
option (controlled via setsockopt()) that already blocks the peer's
sendmsg().
"

Easier to operate and upriv process can use such setsockopt() too.