| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250619040127.1122427-1-kuni1840@gmail.com>
Date: Wed, 18 Jun 2025 21:00:29 -0700
From: Kuniyuki Iwashima <kuni1840@...il.com>
To: paul@...l-moore.com
Cc: andrii@...nel.org,
ast@...nel.org,
bpf@...r.kernel.org,
casey@...aufler-ca.com,
daniel@...earbox.net,
eddyz87@...il.com,
gnoack@...gle.com,
haoluo@...gle.com,
jmorris@...ei.org,
john.fastabend@...il.com,
jolsa@...nel.org,
kpsingh@...nel.org,
kuni1840@...il.com,
kuniyu@...gle.com,
linux-security-module@...r.kernel.org,
martin.lau@...ux.dev,
memxor@...il.com,
mic@...ikod.net,
netdev@...r.kernel.org,
omosnace@...hat.com,
sdf@...ichev.me,
selinux@...r.kernel.org,
serge@...lyn.com,
song@...nel.org,
stephen.smalley.work@...il.com,
yonghong.song@...ux.dev
Subject: Re: [PATCH v2 bpf-next 0/4] af_unix: Allow BPF LSM to filter SCM_RIGHTS at sendmsg().
From: Paul Moore <paul@...l-moore.com>
Date: Wed, 18 Jun 2025 23:23:31 -0400
> On Sat, Jun 14, 2025 at 4:40 PM Kuniyuki Iwashima <kuni1840@...il.com> wrote:
> > From: Paul Moore <paul@...l-moore.com>
> > Date: Sat, 14 Jun 2025 07:43:46 -0400
> > > On June 13, 2025 6:24:15 PM Kuniyuki Iwashima <kuni1840@...il.com> wrote:
> > > > From: Kuniyuki Iwashima <kuniyu@...gle.com>
> > > >
> > > > Since commit 77cbe1a6d873 ("af_unix: Introduce SO_PASSRIGHTS."),
> > > > we can disable SCM_RIGHTS per socket, but it's not flexible.
> > > >
> > > > This series allows us to implement more fine-grained filtering for
> > > > SCM_RIGHTS with BPF LSM.
> > >
> > > My ability to review this over the weekend is limited due to device and
> > > network access, but I'll take a look next week.
> > >
> > > That said, it would be good if you could clarify the "filtering" aspect of
> > > your comments; it may be obvious when I'm able to look at the full patchset
> >
> > I meant to mention that just below the quoted part :)
> >
> > ---8<---
> > Changes:
> > v2: Remove SCM_RIGHTS fd scrubbing functionality
> > ---8<---
>
> Thanks :)
>
> While looking at your patches tonight, I was wondering if you had ever
> considered adding a new LSM hook to __scm_send() that specifically
> targets SCM_RIGHTS? I was thinking of something like this:
>
> diff --git a/net/core/scm.c b/net/core/scm.c
> index 0225bd94170f..5fec8abc99f5 100644
> --- a/net/core/scm.c
> +++ b/net/core/scm.c
> @@ -173,6 +173,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, stru
> ct scm_cookie *p)
> case SCM_RIGHTS:
> if (!ops || ops->family != PF_UNIX)
> goto error;
> + err = security_sock_scm_rights(sock);
> + if (err<0)
> + goto error;
> err=scm_fp_copy(cmsg, &p->fp);
> if (err<0)
> goto error;
>
> ... if I'm correct in my understanding of what you are trying to
> accomplish, I believe this should allow you to meet your goals with a
> much simpler and targeted approach. Or am I thinking about this
> wrong?
As BPF LSM is just a hook point and not tied to a specific socket,
we cannot know who will receive the message in __scm_send().
Also, the hook must be after scm_fp_copy(), otherwise struct file
is not yet available there.
Another way I thought of was to reuse LSM hook in sk_filter()
(SOCK_STREAM needs to add it), but it returns 0 even when we drop
skb, which will be less preferable.
BTW, I was about to send v3, what target tree should be specified in
subject, bpf-next or something else ?
Powered by blists - more mailing lists