lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250510015652.9931-6-kuniyu@amazon.com> Date: Fri, 9 May 2025 18:56:28 -0700 From: Kuniyuki Iwashima <kuniyu@...zon.com> To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Willem de Bruijn <willemb@...gle.com> CC: Simon Horman <horms@...nel.org>, Christian Brauner <brauner@...nel.org>, Kuniyuki Iwashima <kuniyu@...zon.com>, Kuniyuki Iwashima <kuni1840@...il.com>, <netdev@...r.kernel.org> Subject: [PATCH v2 net-next 5/9] net: Restrict SO_PASS{CRED,PIDFD,SEC} to AF_{UNIX,NETLINK,BLUETOOTH}. SCM_CREDENTIALS and SCM_SECURITY can be recv()ed by calling scm_recv() or scm_recv_unix(), and SCM_PIDFD is only used by scm_recv_unix(). scm_recv() is called from AF_NETLINK and AF_BLUETOOTH. scm_recv_unix() is literally called from AF_UNIX. Let's restrict SO_PASSCRED and SO_PASSSEC to such sockets and SO_PASSPIDFD to AF_UNIX only. Later, SOCK_PASS{CRED,PIDFD,SEC} will be moved to struct sock and united with another field, so we set 0 explicitly in getsockopt(). Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com> --- include/net/sock.h | 14 +++++++++++++- net/core/sock.c | 24 +++++++++++++++++++++--- 2 files changed, 34 insertions(+), 4 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index f0fabb9fd28a..af0719ba331f 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2772,9 +2772,14 @@ static inline bool sk_is_udp(const struct sock *sk) sk->sk_protocol == IPPROTO_UDP; } +static inline bool sk_is_unix(const struct sock *sk) +{ + return sk->sk_family == AF_UNIX; +} + static inline bool sk_is_stream_unix(const struct sock *sk) { - return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM; + return sk_is_unix(sk) && sk->sk_type == SOCK_STREAM; } static inline bool sk_is_vsock(const struct sock *sk) @@ -2782,6 +2787,13 @@ static inline bool sk_is_vsock(const struct sock *sk) return sk->sk_family == AF_VSOCK; } +static inline bool sk_may_scm_recv(const struct sock *sk) +{ + return (IS_ENABLED(CONFIG_UNIX) && sk->sk_family == AF_UNIX) || + sk->sk_family == AF_NETLINK || + (IS_ENABLED(CONFIG_BT) && sk->sk_family == AF_BLUETOOTH); +} + /** * sk_eat_skb - Release a skb if it is no longer needed * @sk: socket to eat this skb from diff --git a/net/core/sock.c b/net/core/sock.c index 5c84a608ddd7..1ab59efbafc5 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1221,12 +1221,21 @@ int sk_setsockopt(struct sock *sk, int level, int optname, } return -EPERM; case SO_PASSSEC: + if (!sk_may_scm_recv(sk)) + return -EOPNOTSUPP; + assign_bit(SOCK_PASSSEC, &sock->flags, valbool); return 0; case SO_PASSCRED: + if (!sk_may_scm_recv(sk)) + return -EOPNOTSUPP; + assign_bit(SOCK_PASSCRED, &sock->flags, valbool); return 0; case SO_PASSPIDFD: + if (!sk_is_unix(sk)) + return -EOPNOTSUPP; + assign_bit(SOCK_PASSPIDFD, &sock->flags, valbool); return 0; case SO_TYPE: @@ -1855,11 +1864,17 @@ int sk_getsockopt(struct sock *sk, int level, int optname, break; case SO_PASSCRED: - v.val = !!test_bit(SOCK_PASSCRED, &sock->flags); + if (sk_may_scm_recv(sk)) + v.val = !!test_bit(SOCK_PASSCRED, &sock->flags); + else + v.val = 0; break; case SO_PASSPIDFD: - v.val = !!test_bit(SOCK_PASSPIDFD, &sock->flags); + if (sk_is_unix(sk)) + v.val = !!test_bit(SOCK_PASSPIDFD, &sock->flags); + else + v.val = 0; break; case SO_PEERCRED: @@ -1956,7 +1971,10 @@ int sk_getsockopt(struct sock *sk, int level, int optname, break; case SO_PASSSEC: - v.val = !!test_bit(SOCK_PASSSEC, &sock->flags); + if (sk_may_scm_recv(sk)) + v.val = !!test_bit(SOCK_PASSSEC, &sock->flags); + else + v.val = 0; break; case SO_PEERSEC: -- 2.49.0
Powered by blists - more mailing lists