[PATCH v1 bpf-next 4/5] bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send().
Christian Brauner
brauner at kernel.org
Tue May 6 08:56:23 UTC 2025
On Mon, May 05, 2025 at 05:56:49PM -0700, Alexei Starovoitov wrote:
> On Mon, May 5, 2025 at 5:46 PM Kuniyuki Iwashima <kuniyu at amazon.com> wrote:
> >
> > From: Alexei Starovoitov <alexei.starovoitov at gmail.com>
> > Date: Mon, 5 May 2025 17:13:32 -0700
> > > On Mon, May 5, 2025 at 3:00 PM Kuniyuki Iwashima <kuniyu at amazon.com> wrote:
> > > >
> > > > As Christian Brauner said [0], systemd calls cmsg_close_all() [1] after
> > > > each recvmsg() to close() unwanted file descriptors sent via SCM_RIGHTS.
> > > >
> > > > However, this cannot work around the issue that close() for unwanted file
> > > > descriptors could block longer because the last fput() could occur on
> > > > the receiver side once sendmsg() with SCM_RIGHTS succeeds.
> > > >
> > > > Also, even filtering by LSM at recvmsg() does not work for the same reason.
> > > >
> > > > Thus, we need a better way to filter SCM_RIGHTS on the sender side.
> > > >
> > > > Let's add a new kfunc to scrub all file descriptors from skb in
> > > > sendmsg().
> > > >
> > > > This allows the receiver to keep recv()ing the bare data and disallows
> > > > the sender to impose the potential slowness of the last fput().
> > > >
> > > > If necessary, we can add more granular filtering per file descriptor
> > > > after refactoring GC code and adding some fd-to-file helpers for BPF.
> > > >
> > > > Sample:
> > > >
> > > > SEC("lsm/unix_may_send")
> > > > int BPF_PROG(unix_scrub_scm_rights,
> > > > 	     struct socket *sock, struct socket *other, struct sk_buff *skb)
> > > > {
> > > > 	struct unix_skb_parms *cb;
> > > >
> > > > 	if (skb && bpf_unix_scrub_fds(skb))
> > > > 		return -EPERM;
> > > >
> > > > 	return 0;
> > > > }
> > >
> > > Any other programmability do you need there?
> >
> > This is kind of PoC, and as Kumar mentioned, per-fd scrubbing
> > is ideal to cover the real use cases.
> >
> > https://lore.kernel.org/netdev/CAP01T77STmncrPt=BsFfEY6SX1+oYNXhPeZ1HC9J=S2jhOwQoQ@mail.gmail.com/
> >
> > for example:
> > https://uapi-group.org/kernel-features/#filtering-on-received-file-descriptors
>
> Fair enough.
> Would be great to have them as selftests to make sure that advanced
> use cases are actually working.
I think we should do both a socket option and the bpf fd filtering. They
can complement each other. We should not force the use of bpf for this.
This is a very basic security guarantee we want that shouldn't require
the involvement of any LSM whatsoever.
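The receiver-side scrub the thread refers to (systemd closing every SCM_RIGHTS fd after recvmsg()), written out as an added example that is neither the thread's nor systemd's code; it passes a pipe over a socketpair() as constructed input so it runs stand-alone on Linux, and shows that the receiver's close() is where the last fput() can land, which is the cost the sender-side kfunc is meant to avoid.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Receiver-side scrub in the style of systemd's cmsg_close_all(): close every
 * fd carried in SCM_RIGHTS cmsgs of a received message and return how many.
 * If the sender already dropped its reference, close() here is the last fput(). */
int cmsg_close_all(struct msghdr *mh)
{
	int closed = 0;
	for (struct cmsghdr *c = CMSG_FIRSTHDR(mh); c; c = CMSG_NXTHDR(mh, c)) {
		if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
			continue;
		size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
		for (size_t i = 0; i < n; i++) {
			int fd;
			memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof(fd));
			if (close(fd) == 0)
				closed++;
		}
	}
	return closed;
}

/* Constructed demo: send both ends of a pipe plus one payload byte over a
 * socketpair(), receive, scrub. Returns fds closed (2), or -1 on failure. */
int demo_scrub(void)
{
	int sv[2], p[2], closed;
	char byte = 'x', sbuf[CMSG_SPACE(sizeof(int) * 2)] = {0};
	char rbuf[CMSG_SPACE(sizeof(int) * 8)];	/* room for more than we expect */
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
			     .msg_control = sbuf, .msg_controllen = sizeof(sbuf) };
	struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
		return -1;
	c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
	c->cmsg_len = CMSG_LEN(sizeof(int) * 2);
	memcpy(CMSG_DATA(c), p, sizeof(int) * 2);
	if (sendmsg(sv[0], &mh, 0) != 1)
		return -1;
	/* Reuse the header for the receive side, pointing at the larger buffer. */
	mh.msg_control = rbuf; mh.msg_controllen = sizeof(rbuf);
	if (recvmsg(sv[1], &mh, MSG_CMSG_CLOEXEC) != 1)
		return -1;
	closed = cmsg_close_all(&mh);
	close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
	return closed;
}
```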