[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <eb38a7d139a9c0854e2ed7122ee5ea5153227b41.camel@debian.org>
Date: Mon, 09 Jun 2025 12:14:51 +0100
From: Luca Boccassi <bluca@...ian.org>
To: Kuniyuki Iwashima <kuniyu@...zon.com>, "David S. Miller"
<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski
<kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Willem de Bruijn
<willemb@...gle.com>
Cc: Simon Horman <horms@...nel.org>, Christian Brauner <brauner@...nel.org>,
Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v5 net-next 5/9] net: Restrict SO_PASS{CRED,PIDFD,SEC}
to AF_{UNIX,NETLINK,BLUETOOTH}.
On Mon, 2025-05-19 at 13:57 -0700, Kuniyuki Iwashima wrote:
> SCM_CREDENTIALS and SCM_SECURITY can be recv()ed by calling
> scm_recv() or scm_recv_unix(), and SCM_PIDFD is only used by
> scm_recv_unix().
>
> scm_recv() is called from AF_NETLINK and AF_BLUETOOTH.
>
> scm_recv_unix() is literally called from AF_UNIX.
>
> Let's restrict SO_PASSCRED and SO_PASSSEC to such sockets and
> SO_PASSPIDFD to AF_UNIX only.
>
> Later, SOCK_PASS{CRED,PIDFD,SEC} will be moved to struct sock
> and united with another field.
>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> Reviewed-by: Willem de Bruijn <willemb@...gle.com>
> ---
> v3:
> * Return -EOPNOTSUPP in getsockopt() too
> * Add CONFIG_SECURITY_NETWORK check for SO_PASSSEC
>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index d7d6d3a8efe5..fd5f9d3873c1 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1221,12 +1221,21 @@ int sk_setsockopt(struct sock *sk, int level,
> int optname,
> }
> return -EPERM;
> case SO_PASSSEC:
> + if (!IS_ENABLED(CONFIG_SECURITY_NETWORK) ||
> sk_may_scm_recv(sk))
> + return -EOPNOTSUPP;
Hi,
Was this one meant to be !sk_may_scm_recv(sk) like in getsockopt below
by any chance?
We have a report that this is breaking AF_UNIX sockets with 6.16~rc1:
[ 1.763019] systemd[1]: systemd-journald-dev-log.socket: SO_PASSSEC
failed: Operation not supported
[ 1.763102] systemd[1]: systemd-journald.socket: SO_PASSSEC failed:
Operation not supported
[ 1.763121] systemd[1]: systemd-journald.socket: SO_PASSSEC failed:
Operation not supported
https://github.com/systemd/systemd/issues/37783
> @@ -1956,6 +1971,9 @@ int sk_getsockopt(struct sock *sk, int level,
> int optname,
> break;
>
> case SO_PASSSEC:
> + if (!IS_ENABLED(CONFIG_SECURITY_NETWORK) ||
> !sk_may_scm_recv(sk))
> + return -EOPNOTSUPP;
> +
> v.val = !!test_bit(SOCK_PASSSEC, &sock->flags);
> break;
>
Powered by blists - more mailing lists