diff options
| author | Kuniyuki Iwashima <kuniyu@amazon.com> | 2025-05-19 23:57:59 +0300 | 
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2025-05-23 12:24:18 +0300 | 
| commit | 77cbe1a6d8730a07f99f9263c2d5f2304cf5e830 (patch) | |
| tree | e23b2ab882f74ca8ec3865a433111eadb7ba6b32 /net/unix/af_unix.c | |
| parent | 3f84d577b79d2fce8221244f2509734940609ca6 (diff) | |
| download | linux-77cbe1a6d8730a07f99f9263c2d5f2304cf5e830.tar.xz | |
af_unix: Introduce SO_PASSRIGHTS.
As long as recvmsg() or recvmmsg() is used with cmsg, it is not
possible to avoid receiving file descriptors via SCM_RIGHTS.
This behaviour has occasionally been flagged as problematic, as
it can be (ab)used to trigger DoS during close(), for example, by
passing a FUSE-controlled fd or a hung NFS fd.
For instance, as noted on the uAPI Group page [0], an untrusted peer
could send a file descriptor pointing to a hung NFS mount and then
close it.  Once the receiver calls recvmsg() with msg_control, the
descriptor is automatically installed, and then the responsibility
for the final close() now falls on the receiver, which may result
in blocking the process for a long time.
Regarding this, systemd calls cmsg_close_all() [1] after each
recvmsg() to close() unwanted file descriptors sent via SCM_RIGHTS.
However, this cannot work around the issue at all, because the final
fput() may still occur on the receiver's side once sendmsg() with
SCM_RIGHTS succeeds.  Also, even filtering by LSM at recvmsg() does
not work for the same reason.
Thus, we need a better way to refuse SCM_RIGHTS at sendmsg().
Let's introduce SO_PASSRIGHTS to disable SCM_RIGHTS.
Note that this option is enabled by default for backward
compatibility.
Link: https://uapi-group.org/kernel-features/#disabling-reception-of-scm_rights-for-af_unix-sockets #[0]
Link: https://github.com/systemd/systemd/blob/v257.5/src/basic/fd-util.c#L612-L628 #[1]
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/unix/af_unix.c')
| -rw-r--r-- | net/unix/af_unix.c | 22 | 
1 files changed, 20 insertions, 2 deletions
| diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 900bad88fbd2..bd507f74e35e 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1015,6 +1015,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern,  	sock_init_data(sock, sk); +	sk->sk_scm_rights	= 1;  	sk->sk_hash		= unix_unbound_hash(sk);  	sk->sk_allocation	= GFP_KERNEL_ACCOUNT;  	sk->sk_write_space	= unix_write_space; @@ -2073,6 +2074,11 @@ restart_locked:  		goto out_unlock;  	} +	if (UNIXCB(skb).fp && !other->sk_scm_rights) { +		err = -EPERM; +		goto out_unlock; +	} +  	if (sk->sk_type != SOCK_SEQPACKET) {  		err = security_unix_may_send(sk->sk_socket, other->sk_socket);  		if (err) @@ -2174,9 +2180,13 @@ static int queue_oob(struct sock *sk, struct msghdr *msg, struct sock *other,  	if (sock_flag(other, SOCK_DEAD) ||  	    (other->sk_shutdown & RCV_SHUTDOWN)) { -		unix_state_unlock(other);  		err = -EPIPE; -		goto out; +		goto out_unlock; +	} + +	if (UNIXCB(skb).fp && !other->sk_scm_rights) { +		err = -EPERM; +		goto out_unlock;  	}  	unix_maybe_add_creds(skb, sk, other); @@ -2192,6 +2202,8 @@ static int queue_oob(struct sock *sk, struct msghdr *msg, struct sock *other,  	other->sk_data_ready(other);  	return 0; +out_unlock: +	unix_state_unlock(other);  out:  	consume_skb(skb);  	return err; @@ -2295,6 +2307,12 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,  		    (other->sk_shutdown & RCV_SHUTDOWN))  			goto out_pipe_unlock; +		if (UNIXCB(skb).fp && !other->sk_scm_rights) { +			unix_state_unlock(other); +			err = -EPERM; +			goto out_free; +		} +  		unix_maybe_add_creds(skb, sk, other);  		scm_stat_add(other, skb);  		skb_queue_tail(&other->sk_receive_queue, skb); | 
