| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhRWi5QdRgU-Eko4XZ9A2W2o3uhVAagVkhu1eT18qAWdkg@mail.gmail.com>
Date: Wed, 18 Jun 2025 23:23:31 -0400
From: Paul Moore <paul@...l-moore.com>
To: Kuniyuki Iwashima <kuni1840@...il.com>
Cc: andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
casey@...aufler-ca.com, daniel@...earbox.net, eddyz87@...il.com,
gnoack@...gle.com, haoluo@...gle.com, jmorris@...ei.org,
john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org,
kuniyu@...gle.com, linux-security-module@...r.kernel.org,
martin.lau@...ux.dev, memxor@...il.com, mic@...ikod.net,
netdev@...r.kernel.org, omosnace@...hat.com, sdf@...ichev.me,
selinux@...r.kernel.org, serge@...lyn.com, song@...nel.org,
stephen.smalley.work@...il.com, yonghong.song@...ux.dev
Subject: Re: [PATCH v2 bpf-next 0/4] af_unix: Allow BPF LSM to filter
SCM_RIGHTS at sendmsg().
On Sat, Jun 14, 2025 at 4:40 PM Kuniyuki Iwashima <kuni1840@...il.com> wrote:
> From: Paul Moore <paul@...l-moore.com>
> Date: Sat, 14 Jun 2025 07:43:46 -0400
> > On June 13, 2025 6:24:15 PM Kuniyuki Iwashima <kuni1840@...il.com> wrote:
> > > From: Kuniyuki Iwashima <kuniyu@...gle.com>
> > >
> > > Since commit 77cbe1a6d873 ("af_unix: Introduce SO_PASSRIGHTS."),
> > > we can disable SCM_RIGHTS per socket, but it's not flexible.
> > >
> > > This series allows us to implement more fine-grained filtering for
> > > SCM_RIGHTS with BPF LSM.
> >
> > My ability to review this over the weekend is limited due to device and
> > network access, but I'll take a look next week.
> >
> > That said, it would be good if you could clarify the "filtering" aspect of
> > your comments; it may be obvious when I'm able to look at the full patchset
>
> I meant to mention that just below the quoted part :)
>
> ---8<---
> Changes:
> v2: Remove SCM_RIGHTS fd scrubbing functionality
> ---8<---
Thanks :)
While looking at your patches tonight, I was wondering if you had ever
considered adding a new LSM hook to __scm_send() that specifically
targets SCM_RIGHTS? I was thinking of something like this:
diff --git a/net/core/scm.c b/net/core/scm.c
index 0225bd94170f..5fec8abc99f5 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -173,6 +173,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, stru
ct scm_cookie *p)
case SCM_RIGHTS:
if (!ops || ops->family != PF_UNIX)
goto error;
+ err = security_sock_scm_rights(sock);
+ if (err<0)
+ goto error;
err=scm_fp_copy(cmsg, &p->fp);
if (err<0)
goto error;
... if I'm correct in my understanding of what you are trying to
accomplish, I believe this should allow you to meet your goals with a
much simpler and targeted approach. Or am I thinking about this
wrong?
--
paul-moore.com
Powered by blists - more mailing lists