| Message ID | 20230226201730.515449-1-aleksandr.mikhalitsyn@canonical.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2091084wrd;
Sun, 26 Feb 2023 12:40:37 -0800 (PST)
X-Google-Smtp-Source:
AK7set/tjW+dc+PXO85kEcrnONcPCAjpKqODidy4xnhMldMrXpw4M94Y9eYoLzMHRZqSbUN+Wmh2
X-Received: by 2002:a05:6a20:4428:b0:cd:2c0a:6ec0 with SMTP id
ce40-20020a056a20442800b000cd2c0a6ec0mr2388721pzb.3.1677444037003;
Sun, 26 Feb 2023 12:40:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1677444036; cv=none;
d=google.com; s=arc-20160816;
b=0OGEkqRfCI2To0gdUSs7XLX4cFBTmsZg9baLVOiYDDNbUREHpMq7y/qX2Oo9ZaWLrC
5D7lPS0PxXG1C3nCE723Z8U0X3MZ3tgf8kQlYU23qzEHrbcaJzNA+fZnt2p6MtL7W6zJ
7udFUwZSH9aPv+tacp6esYuI2FHFDwntKoqcK9iipq+vaA7FV8wrajByTYJh6i3WAtfa
Wf5kMu5uRt4/BOUtKwp9pCHihezYPs7/bOz2AHPE8TS5YF16Iyi4Qd5hGbSI/6oRFA77
4BIKrWAvL9gwiGTL6WsfuE4mzCHoC4IiRN8fMVZAF433yhr2+kbn1cBXOIM4rcbWuf9/
Ou4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=9/pq49ozwimVxEnGFYdfViP09nMRqPZhjqEhtsjGRMw=;
b=hSYKDacBPvxzSmtTEUXB9vwVm/Mtv/XZN61dnycfCN6/FwlEf5ARHF/QIjW3U6468l
og9wZAFD1N137zbrR5hPLkrFW47Zb4H+nNHDg4M27H6MG3LcFgTvK2q3z34oLc79qC+u
46O8SiNVELa4qzGG5o4jfZx36KZWMolq3/fLrmJKjMwVguwZ1bkhrtKwe2yotGTBMG1z
NRSoxpQCe4X29A9CJ+t/SlBxqk+YLgb+ZcWHFNVBpK2YI6RRoF116yIX5LNTt4AgnD0m
TH11b9koC82WQdlNPa8Pe8osoze9B0LuS/gMMYv1fuZdOPOr6w0QMMvWdBpu6OWk9j8v
MUwQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@canonical.com header.s=20210705 header.b=ZDIwedpX;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
s14-20020a63f04e000000b004fbbf27c7a4si5284241pgj.836.2023.02.26.12.40.24;
Sun, 26 Feb 2023 12:40:36 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@canonical.com header.s=20210705 header.b=ZDIwedpX;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229695AbjBZURr (ORCPT <rfc822;tertiaryakionsight@gmail.com>
+ 99 others); Sun, 26 Feb 2023 15:17:47 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59888 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229379AbjBZURp (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 26 Feb 2023 15:17:45 -0500
Received: from smtp-relay-internal-1.canonical.com
(smtp-relay-internal-1.canonical.com [185.125.188.123])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 114741689D
for <linux-kernel@vger.kernel.org>;
Sun, 26 Feb 2023 12:17:44 -0800 (PST)
Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com
[209.85.208.70])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256)
(No client certificate requested)
by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id
6CC553F72E
for <linux-kernel@vger.kernel.org>;
Sun, 26 Feb 2023 20:17:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
s=20210705; t=1677442661;
bh=9/pq49ozwimVxEnGFYdfViP09nMRqPZhjqEhtsjGRMw=;
h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
b=ZDIwedpX5ZaJXeTs9eW8U5dhmsOMmA6p/zpue3bonzhLk2isYJZygHA4pxj+/769I
fHmA13SJtmf2zAQTpy9vicNod27SWCe/pbcg3iMSmqiYUNsiboVy75xU0+9aof9+nI
z0BizynJbddGBYlp0o9bhsJ547GiVydZDjMeyDoXYigOngzq5Fx6+9SnBPKfLv/OOx
SjMIcuLCWN8YL7bJ8b4na8+1EzuzuzsCWMFtwLix75XF7/Iook8I/4XKeX9bcHUK/8
fLyUQQ2s5nqFNE7m+ND8r9eRR4H2vmH63jPuicGa/UqoABGCCGPf/LaKhV/xaQf9X6
BZ+cTM4N7HpYQ==
Received: by mail-ed1-f70.google.com with SMTP id
r6-20020aa7c146000000b004acd97105ffso5457521edp.19
for <linux-kernel@vger.kernel.org>;
Sun, 26 Feb 2023 12:17:41 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=9/pq49ozwimVxEnGFYdfViP09nMRqPZhjqEhtsjGRMw=;
b=GrmeRn7XNt+CzDvH6faYs8Z+krb42laqjrInGW9dfzOjXuIGzyQXqqTqLYIL52JKZ7
HxrA1vjdkOoCNwt9dPbhRpTK7BZzPIiq4Mh8D+0h8yagIvFiypK5rRN3+5muXFhtfVK5
JBs6BlUhWyc0w+YT5tIKH3EfMz8Bky7eOkOGXibghqCixcsq9Ov92fJ6UqHtZH/chw4y
ngMQiCldvxS/e11GthmUcWq92P8mpeEkz3pEEHKrWLUnR9J2jrjQ4Ze7acZfiJ9VYm0M
dtxy2T0BNe3JMX9LPcO72uVByKdOXDdnb2wpZRQuKzilDiBrvE+PiSw5UTbUVONykx8p
ebYw==
X-Gm-Message-State: AO0yUKWVomBD/AKwnvLbjl8bNVfcXLgX9exEz91vULPJd5PFvLprO1OZ
A0Zi/ox5evisONGQ1U84Bz7VuG4gEOO2iMEsDguzLa0C3N+nL6+yR7GqS32aZh/bi6rxIKs6SEw
vfIwk4FExXDORf+V+yoI/8SKDYwVJkk6XmPme1uoCW4x4zt8=
X-Received: by 2002:aa7:ccd5:0:b0:4ac:bd72:e7c5 with SMTP id
y21-20020aa7ccd5000000b004acbd72e7c5mr23012935edt.20.1677442660690;
Sun, 26 Feb 2023 12:17:40 -0800 (PST)
X-Received: by 2002:aa7:ccd5:0:b0:4ac:bd72:e7c5 with SMTP id
y21-20020aa7ccd5000000b004acbd72e7c5mr23012923edt.20.1677442660391;
Sun, 26 Feb 2023 12:17:40 -0800 (PST)
Received: from amikhalitsyn.. ([2a02:8109:bd40:1414:ea8f:7f5:4586:1075])
by smtp.gmail.com with ESMTPSA id
cm18-20020a0564020c9200b004af5968cb3bsm2284995edb.17.2023.02.26.12.17.39
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 26 Feb 2023 12:17:39 -0800 (PST)
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
To: davem@davemloft.net
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>
Subject: [PATCH net-next] scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
Date: Sun, 26 Feb 2023 21:17:30 +0100
Message-Id: <20230226201730.515449-1-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1758927558592229010?=
X-GMAIL-MSGID: =?utf-8?q?1758927558592229010?=
|
| Series |
[net-next] scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
|
|
Commit Message
Aleksandr Mikhalitsyn
Feb. 26, 2023, 8:17 p.m. UTC
Currently, we set MSG_CTRUNC flag is we have no
msg_control buffer provided and SO_PASSCRED is set
or if we have pending SCM_RIGHTS.
For some reason we have no corresponding check for
SO_PASSSEC.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---
include/net/scm.h | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
Comments
On Sun, Feb 26, 2023 at 09:17:30PM +0100, Alexander Mikhalitsyn wrote: > Currently, we set MSG_CTRUNC flag is we have no > msg_control buffer provided and SO_PASSCRED is set > or if we have pending SCM_RIGHTS. > > For some reason we have no corresponding check for > SO_PASSSEC. > > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> > --- > include/net/scm.h | 13 ++++++++++++- > 1 file changed, 12 insertions(+), 1 deletion(-) Is it a bugfix? If yes, it needs Fixes line. > > diff --git a/include/net/scm.h b/include/net/scm.h > index 1ce365f4c256..585adc1346bd 100644 > --- a/include/net/scm.h > +++ b/include/net/scm.h > @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > } > } > } > + > +static inline bool scm_has_secdata(struct socket *sock) > +{ > + return test_bit(SOCK_PASSSEC, &sock->flags); > +} > #else > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > { } > + > +static inline bool scm_has_secdata(struct socket *sock) > +{ > + return false; > +} > #endif /* CONFIG_SECURITY_NETWORK */ There is no need in this ifdef, just test bit directly. > > static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, > struct scm_cookie *scm, int flags) > { > if (!msg->msg_control) { > - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) > + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || > + scm_has_secdata(sock)) > msg->msg_flags |= MSG_CTRUNC; > scm_destroy(scm); > return; > -- > 2.34.1 >
On Mon, Feb 27, 2023 at 10:47 AM Leon Romanovsky <leon@kernel.org> wrote: > > On Sun, Feb 26, 2023 at 09:17:30PM +0100, Alexander Mikhalitsyn wrote: > > Currently, we set MSG_CTRUNC flag is we have no > > msg_control buffer provided and SO_PASSCRED is set > > or if we have pending SCM_RIGHTS. > > > > For some reason we have no corresponding check for > > SO_PASSSEC. > > > > Cc: "David S. Miller" <davem@davemloft.net> > > Cc: Eric Dumazet <edumazet@google.com> > > Cc: Jakub Kicinski <kuba@kernel.org> > > Cc: Paolo Abeni <pabeni@redhat.com> > > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> > > --- > > include/net/scm.h | 13 ++++++++++++- > > 1 file changed, 12 insertions(+), 1 deletion(-) > > Is it a bugfix? If yes, it needs Fixes line. It's from 1da177e4c3 ("Linux-2.6.12-rc2") times :) I wasn't sure that it's correct to put the "Fixes" tag on such an old and big commit. Will do. Thanks! > > > > > diff --git a/include/net/scm.h b/include/net/scm.h > > index 1ce365f4c256..585adc1346bd 100644 > > --- a/include/net/scm.h > > +++ b/include/net/scm.h > > @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > > } > > } > > } > > + > > +static inline bool scm_has_secdata(struct socket *sock) > > +{ > > + return test_bit(SOCK_PASSSEC, &sock->flags); > > +} > > #else > > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > > { } > > + > > +static inline bool scm_has_secdata(struct socket *sock) > > +{ > > + return false; > > +} > > #endif /* CONFIG_SECURITY_NETWORK */ > > There is no need in this ifdef, just test bit directly. The problem is that even if the kernel is compiled without CONFIG_SECURITY_NETWORK userspace can still set the SO_PASSSEC option. IMHO it's better not to set MSG_CTRUNC if CONFIG_SECURITY_NETWORK is disabled, msg_control is not set but SO_PASSSEC is enabled. Because in this case SCM_SECURITY will never be sent. Please correct me if I'm wrong. Kind regards, Alex > > > > > static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, > > struct scm_cookie *scm, int flags) > > { > > if (!msg->msg_control) { > > - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) > > + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || > > + scm_has_secdata(sock)) > > msg->msg_flags |= MSG_CTRUNC; > > scm_destroy(scm); > > return; > > -- > > 2.34.1 > >
On Sun, Feb 26, 2023 at 9:17 PM Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> wrote: > > Currently, we set MSG_CTRUNC flag is we have no > msg_control buffer provided and SO_PASSCRED is set > or if we have pending SCM_RIGHTS. > > For some reason we have no corresponding check for > SO_PASSSEC. Can you describe what side effects this patch has ? I think it could break some applications, who might not be able to recover from MSG_CTRUNC in this case. This should be documented, in order to avoid a future revert. In any case, net-next is currently closed.
On Mon, Feb 27, 2023 at 11:01 AM Eric Dumazet <edumazet@google.com> wrote: > > On Sun, Feb 26, 2023 at 9:17 PM Alexander Mikhalitsyn > <aleksandr.mikhalitsyn@canonical.com> wrote: > > > > Currently, we set MSG_CTRUNC flag is we have no > > msg_control buffer provided and SO_PASSCRED is set > > or if we have pending SCM_RIGHTS. > > > > For some reason we have no corresponding check for > > SO_PASSSEC. > Hi Eric, > Can you describe what side effects this patch has ? > > I think it could break some applications, who might not be able to > recover from MSG_CTRUNC in this case. > This should be documented, in order to avoid a future revert. Yes, it can break applications but only those who use SO_PASSSEC and not properly check MSG_CTRUNC. According to the recv(2) man: MSG_CTRUNC indicates that some control data was discarded due to lack of space in the buffer for ancillary data. So, there is no specification about a particular SCM type. It seems more correct to handle SCM_SECURITY the same way as SCM_RIGHTS / SCM_CREDENTIALS. > > In any case, net-next is currently closed. Oh, I'm sorry. Kind regards, Alex
On Mon, Feb 27, 2023 at 10:55:04AM +0100, Aleksandr Mikhalitsyn wrote: > On Mon, Feb 27, 2023 at 10:47 AM Leon Romanovsky <leon@kernel.org> wrote: > > > > On Sun, Feb 26, 2023 at 09:17:30PM +0100, Alexander Mikhalitsyn wrote: > > > Currently, we set MSG_CTRUNC flag is we have no > > > msg_control buffer provided and SO_PASSCRED is set > > > or if we have pending SCM_RIGHTS. > > > > > > For some reason we have no corresponding check for > > > SO_PASSSEC. > > > > > > Cc: "David S. Miller" <davem@davemloft.net> > > > Cc: Eric Dumazet <edumazet@google.com> > > > Cc: Jakub Kicinski <kuba@kernel.org> > > > Cc: Paolo Abeni <pabeni@redhat.com> > > > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> > > > --- > > > include/net/scm.h | 13 ++++++++++++- > > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > Is it a bugfix? If yes, it needs Fixes line. > > It's from 1da177e4c3 ("Linux-2.6.12-rc2") times :) > I wasn't sure that it's correct to put the "Fixes" tag on such an old > and big commit. Will do. Thanks! > > > > > > > > > diff --git a/include/net/scm.h b/include/net/scm.h > > > index 1ce365f4c256..585adc1346bd 100644 > > > --- a/include/net/scm.h > > > +++ b/include/net/scm.h > > > @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > > > } > > > } > > > } > > > + > > > +static inline bool scm_has_secdata(struct socket *sock) > > > +{ > > > + return test_bit(SOCK_PASSSEC, &sock->flags); > > > +} > > > #else > > > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > > > { } > > > + > > > +static inline bool scm_has_secdata(struct socket *sock) > > > +{ > > > + return false; > > > +} > > > #endif /* CONFIG_SECURITY_NETWORK */ > > > > There is no need in this ifdef, just test bit directly. > > The problem is that even if the kernel is compiled without > CONFIG_SECURITY_NETWORK > userspace can still set the SO_PASSSEC option. IMHO it's better not to > set MSG_CTRUNC > if CONFIG_SECURITY_NETWORK is disabled, msg_control is not set but > SO_PASSSEC is enabled. > Because in this case SCM_SECURITY will never be sent. Please correct > me if I'm wrong. I don't know enough in this area to say if it is wrong or not. My remark was due to the situation where user sets some bit which is going to be ignored silently. It will be much cleaner do not set it if CONFIG_SECURITY_NETWORK is disabled instead of masking its usage. Thanks > > Kind regards, > Alex > > > > > > > > > static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, > > > struct scm_cookie *scm, int flags) > > > { > > > if (!msg->msg_control) { > > > - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) > > > + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || > > > + scm_has_secdata(sock)) > > > msg->msg_flags |= MSG_CTRUNC; > > > scm_destroy(scm); > > > return; > > > -- > > > 2.34.1 > > >
On Mon, Feb 27, 2023 at 7:32 PM Leon Romanovsky <leon@kernel.org> wrote: > > On Mon, Feb 27, 2023 at 10:55:04AM +0100, Aleksandr Mikhalitsyn wrote: > > On Mon, Feb 27, 2023 at 10:47 AM Leon Romanovsky <leon@kernel.org> wrote: > > > > > > On Sun, Feb 26, 2023 at 09:17:30PM +0100, Alexander Mikhalitsyn wrote: > > > > Currently, we set MSG_CTRUNC flag is we have no > > > > msg_control buffer provided and SO_PASSCRED is set > > > > or if we have pending SCM_RIGHTS. > > > > > > > > For some reason we have no corresponding check for > > > > SO_PASSSEC. > > > > > > > > Cc: "David S. Miller" <davem@davemloft.net> > > > > Cc: Eric Dumazet <edumazet@google.com> > > > > Cc: Jakub Kicinski <kuba@kernel.org> > > > > Cc: Paolo Abeni <pabeni@redhat.com> > > > > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> > > > > --- > > > > include/net/scm.h | 13 ++++++++++++- > > > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > > > Is it a bugfix? If yes, it needs Fixes line. > > > > It's from 1da177e4c3 ("Linux-2.6.12-rc2") times :) > > I wasn't sure that it's correct to put the "Fixes" tag on such an old > > and big commit. Will do. Thanks! > > > > > > > > > > > > > diff --git a/include/net/scm.h b/include/net/scm.h > > > > index 1ce365f4c256..585adc1346bd 100644 > > > > --- a/include/net/scm.h > > > > +++ b/include/net/scm.h > > > > @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > > > > } > > > > } > > > > } > > > > + > > > > +static inline bool scm_has_secdata(struct socket *sock) > > > > +{ > > > > + return test_bit(SOCK_PASSSEC, &sock->flags); > > > > +} > > > > #else > > > > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > > > > { } > > > > + > > > > +static inline bool scm_has_secdata(struct socket *sock) > > > > +{ > > > > + return false; > > > > +} > > > > #endif /* CONFIG_SECURITY_NETWORK */ > > > > > > There is no need in this ifdef, just test bit directly. > > > > The problem is that even if the kernel is compiled without > > CONFIG_SECURITY_NETWORK > > userspace can still set the SO_PASSSEC option. IMHO it's better not to > > set MSG_CTRUNC > > if CONFIG_SECURITY_NETWORK is disabled, msg_control is not set but > > SO_PASSSEC is enabled. > > Because in this case SCM_SECURITY will never be sent. Please correct > > me if I'm wrong. > > I don't know enough in this area to say if it is wrong or not. > My remark was due to the situation where user sets some bit which is > going to be ignored silently. It will be much cleaner do not set it > if CONFIG_SECURITY_NETWORK is disabled instead of masking its usage. Hi Leon, I agree with you, but IMHO then it looks more correct to return -EOPNOTSUPP on setsockopt(fd, SO_PASSSEC, ...) if CONFIG_SECURITY_NETWORK is disabled. But such a change may break things. Okay, anyway I'll wait until net-next will be opened and present a patch with a more detailed description and Fixes tag. Speaking about this problem with CONFIG_SECURITY_NETWORK if you insist that it will be more correct then I'm ready to fix it too. Thanks, Alex > > Thanks > > > > > Kind regards, > > Alex > > > > > > > > > > > > > static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, > > > > struct scm_cookie *scm, int flags) > > > > { > > > > if (!msg->msg_control) { > > > > - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) > > > > + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || > > > > + scm_has_secdata(sock)) > > > > msg->msg_flags |= MSG_CTRUNC; > > > > scm_destroy(scm); > > > > return; > > > > -- > > > > 2.34.1 > > > >
On Tue, Feb 28, 2023 at 11:06:12AM +0100, Aleksandr Mikhalitsyn wrote: > On Mon, Feb 27, 2023 at 7:32 PM Leon Romanovsky <leon@kernel.org> wrote: > > > > On Mon, Feb 27, 2023 at 10:55:04AM +0100, Aleksandr Mikhalitsyn wrote: > > > On Mon, Feb 27, 2023 at 10:47 AM Leon Romanovsky <leon@kernel.org> wrote: > > > > > > > > On Sun, Feb 26, 2023 at 09:17:30PM +0100, Alexander Mikhalitsyn wrote: > > > > > Currently, we set MSG_CTRUNC flag is we have no > > > > > msg_control buffer provided and SO_PASSCRED is set > > > > > or if we have pending SCM_RIGHTS. > > > > > > > > > > For some reason we have no corresponding check for > > > > > SO_PASSSEC. > > > > > > > > > > Cc: "David S. Miller" <davem@davemloft.net> > > > > > Cc: Eric Dumazet <edumazet@google.com> > > > > > Cc: Jakub Kicinski <kuba@kernel.org> > > > > > Cc: Paolo Abeni <pabeni@redhat.com> > > > > > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> > > > > > --- > > > > > include/net/scm.h | 13 ++++++++++++- > > > > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > > > > > Is it a bugfix? If yes, it needs Fixes line. > > > > > > It's from 1da177e4c3 ("Linux-2.6.12-rc2") times :) > > > I wasn't sure that it's correct to put the "Fixes" tag on such an old > > > and big commit. Will do. Thanks! > > > > > > > > > > > > > > > > > diff --git a/include/net/scm.h b/include/net/scm.h > > > > > index 1ce365f4c256..585adc1346bd 100644 > > > > > --- a/include/net/scm.h > > > > > +++ b/include/net/scm.h > > > > > @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > > > > > } > > > > > } > > > > > } > > > > > + > > > > > +static inline bool scm_has_secdata(struct socket *sock) > > > > > +{ > > > > > + return test_bit(SOCK_PASSSEC, &sock->flags); > > > > > +} > > > > > #else > > > > > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > > > > > { } > > > > > + > > > > > +static inline bool scm_has_secdata(struct socket *sock) > > > > > +{ > > > > > + return false; > > > > > +} > > > > > #endif /* CONFIG_SECURITY_NETWORK */ > > > > > > > > There is no need in this ifdef, just test bit directly. > > > > > > The problem is that even if the kernel is compiled without > > > CONFIG_SECURITY_NETWORK > > > userspace can still set the SO_PASSSEC option. IMHO it's better not to > > > set MSG_CTRUNC > > > if CONFIG_SECURITY_NETWORK is disabled, msg_control is not set but > > > SO_PASSSEC is enabled. > > > Because in this case SCM_SECURITY will never be sent. Please correct > > > me if I'm wrong. > > > > I don't know enough in this area to say if it is wrong or not. > > My remark was due to the situation where user sets some bit which is > > going to be ignored silently. It will be much cleaner do not set it > > if CONFIG_SECURITY_NETWORK is disabled instead of masking its usage. > > Hi Leon, > > I agree with you, but IMHO then it looks more correct to return -EOPNOTSUPP on > setsockopt(fd, SO_PASSSEC, ...) if CONFIG_SECURITY_NETWORK is disabled. > But such a change may break things. > > Okay, anyway I'll wait until net-next will be opened and present a > patch with a more > detailed description and Fixes tag. Speaking about this problem with > CONFIG_SECURITY_NETWORK > if you insist that it will be more correct then I'm ready to fix it too. I won't insist on anything, most likely Eric will comment if you need to fix it. Thanks > > Thanks, > Alex > > > > > Thanks > > > > > > > > Kind regards, > > > Alex > > > > > > > > > > > > > > > > > static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, > > > > > struct scm_cookie *scm, int flags) > > > > > { > > > > > if (!msg->msg_control) { > > > > > - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) > > > > > + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || > > > > > + scm_has_secdata(sock)) > > > > > msg->msg_flags |= MSG_CTRUNC; > > > > > scm_destroy(scm); > > > > > return; > > > > > -- > > > > > 2.34.1 > > > > >
On Tue, Feb 28, 2023 at 3:45 PM Leon Romanovsky <leon@kernel.org> wrote: > > On Tue, Feb 28, 2023 at 11:06:12AM +0100, Aleksandr Mikhalitsyn wrote: > > On Mon, Feb 27, 2023 at 7:32 PM Leon Romanovsky <leon@kernel.org> wrote: > > > > > > On Mon, Feb 27, 2023 at 10:55:04AM +0100, Aleksandr Mikhalitsyn wrote: > > > > On Mon, Feb 27, 2023 at 10:47 AM Leon Romanovsky <leon@kernel.org> wrote: > > > > > > > > > > On Sun, Feb 26, 2023 at 09:17:30PM +0100, Alexander Mikhalitsyn wrote: > > > > > > Currently, we set MSG_CTRUNC flag is we have no > > > > > > msg_control buffer provided and SO_PASSCRED is set > > > > > > or if we have pending SCM_RIGHTS. > > > > > > > > > > > > For some reason we have no corresponding check for > > > > > > SO_PASSSEC. > > > > > > > > > > > > Cc: "David S. Miller" <davem@davemloft.net> > > > > > > Cc: Eric Dumazet <edumazet@google.com> > > > > > > Cc: Jakub Kicinski <kuba@kernel.org> > > > > > > Cc: Paolo Abeni <pabeni@redhat.com> > > > > > > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> > > > > > > --- > > > > > > include/net/scm.h | 13 ++++++++++++- > > > > > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > > > > > > > Is it a bugfix? If yes, it needs Fixes line. > > > > > > > > It's from 1da177e4c3 ("Linux-2.6.12-rc2") times :) > > > > I wasn't sure that it's correct to put the "Fixes" tag on such an old > > > > and big commit. Will do. Thanks! > > > > > > > > > > > > > > > > > > > > > diff --git a/include/net/scm.h b/include/net/scm.h > > > > > > index 1ce365f4c256..585adc1346bd 100644 > > > > > > --- a/include/net/scm.h > > > > > > +++ b/include/net/scm.h > > > > > > @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc > > > > > > } > > > > > > } > > > > > > } > > > > > > + > > > > > > +static inline bool scm_has_secdata(struct socket *sock) > > > > > > +{ > > > > > > + return test_bit(SOCK_PASSSEC, &sock->flags); > > > > > > +} > > > > > > #else > > > > > > static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) > > > > > > { } > > > > > > + > > > > > > +static inline bool scm_has_secdata(struct socket *sock) > > > > > > +{ > > > > > > + return false; > > > > > > +} > > > > > > #endif /* CONFIG_SECURITY_NETWORK */ > > > > > > > > > > There is no need in this ifdef, just test bit directly. > > > > > > > > The problem is that even if the kernel is compiled without > > > > CONFIG_SECURITY_NETWORK > > > > userspace can still set the SO_PASSSEC option. IMHO it's better not to > > > > set MSG_CTRUNC > > > > if CONFIG_SECURITY_NETWORK is disabled, msg_control is not set but > > > > SO_PASSSEC is enabled. > > > > Because in this case SCM_SECURITY will never be sent. Please correct > > > > me if I'm wrong. > > > > > > I don't know enough in this area to say if it is wrong or not. > > > My remark was due to the situation where user sets some bit which is > > > going to be ignored silently. It will be much cleaner do not set it > > > if CONFIG_SECURITY_NETWORK is disabled instead of masking its usage. > > > > Hi Leon, > > > > I agree with you, but IMHO then it looks more correct to return -EOPNOTSUPP on > > setsockopt(fd, SO_PASSSEC, ...) if CONFIG_SECURITY_NETWORK is disabled. > > But such a change may break things. > > > > Okay, anyway I'll wait until net-next will be opened and present a > > patch with a more > > detailed description and Fixes tag. Speaking about this problem with > > CONFIG_SECURITY_NETWORK > > if you insist that it will be more correct then I'm ready to fix it too. > > I won't insist on anything, most likely Eric will comment if you need to > fix it. Got it. Thanks a lot for your attention to the patch! Kind regards, Alex > > Thanks > > > > > Thanks, > > Alex > > > > > > > > Thanks > > > > > > > > > > > Kind regards, > > > > Alex > > > > > > > > > > > > > > > > > > > > > static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, > > > > > > struct scm_cookie *scm, int flags) > > > > > > { > > > > > > if (!msg->msg_control) { > > > > > > - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) > > > > > > + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || > > > > > > + scm_has_secdata(sock)) > > > > > > msg->msg_flags |= MSG_CTRUNC; > > > > > > scm_destroy(scm); > > > > > > return; > > > > > > -- > > > > > > 2.34.1 > > > > > >
diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..585adc1346bd 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -105,16 +105,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc } } } + +static inline bool scm_has_secdata(struct socket *sock) +{ + return test_bit(SOCK_PASSSEC, &sock->flags); +} #else static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { } + +static inline bool scm_has_secdata(struct socket *sock) +{ + return false; +} #endif /* CONFIG_SECURITY_NETWORK */ static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm, int flags) { if (!msg->msg_control) { - if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) + if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || + scm_has_secdata(sock)) msg->msg_flags |= MSG_CTRUNC; scm_destroy(scm); return;