
Commit c5a48c4

poettering authored and bluca committed
wishlist: add item about SCM_RIGHTS/SELinux nastiness
1 parent a4e9e02 commit c5a48c4


1 file changed

+37
-0
lines changed


README.md

Lines changed: 37 additions & 0 deletions
@@ -772,6 +772,43 @@ to thread-group leader pidfd.
772772
a PID namespace corresponds to in the caller's PID namespace. For example, to
773773
figure out what the PID of PID 1 inside of a given PID namespace is.
774774

775+
### Useful handling of LSM denials on SCM_RIGHTS
776+
777+
Right now if some LSM such as SELinux denies an `AF_UNIX` socket peer
778+
to receive an `SCM_RIGHTS` fd the `SCM_RIGHTS` fd array will be cut
779+
short at that point, and `MSG_CTRUNC` is set on return of
780+
`recvmsg()`. This is highly problematic behaviour, because it leaves
781+
the receiver wondering what happened. As per man page `MSG_CTRUNC` is
782+
supposed to indicate that the control buffer was sized too short, but
783+
suddenly a permission error might result in the exact same flag being
784+
set. Moreover, the receiver has no chance to determine how many fds
785+
got originally sent and how many were suppressed.
786+
787+
Ideas how to improve things:
788+
789+
1. Maybe introduce a new flag `MSG_RIGHTS_DENIAL` or so which is set
790+
on `recvmsg()` return, which tells us that fds where dropped from
791+
the `SCM_RIGHTS` array because of an LSM error. This new flag could
792+
be set in addition to `CMSG_CTRUNC`, for compatibility.
793+
794+
2. Maybe, define a new flag `MSG_RIGHTS_FILTER` or so which when
795+
passed to `recvmsg()` will ensure that the `SCM_RIGHTS` fd array is
796+
always passed through in its full, original size. Entries for which
797+
an LSM says no are suppressed, and replaced by a special value, for
798+
example `-EPERM`.
799+
800+
3. It would be good if the relevant man page would at least document
801+
this pitfall, even if it right now cannot reasonably be handled.
802+
803+
Ideally both ideas would be implemented, but of course, strictly
804+
speaking the 2nd idea makes the 1st idea half-way redundant.
805+
806+
**Use-Case:** Any code that uses `SCM_RIGHTS` generically (D-Bus and
807+
so on) needs this, so that it can reasonably handle SELinux AVC errors
808+
on received messages.
809+
810+
---
811+
775812
## Finished Items
776813

777814
### Unmounting of obstructed mounts
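Review bot: In numbered idea 1 of the new section the sentence "This new flag could be set in addition to `CMSG_CTRUNC`, for compatibility." names a flag that does not exist; the flag returned in `msg_flags` by `recvmsg()`, and the one this same section names at its start, is `MSG_CTRUNC`, so change it to "be set in addition to `MSG_CTRUNC`, for compatibility." Two smaller points in the same hunk: "which tells us that fds where dropped from" should read "fds were dropped from", and the closing line "Ideally both ideas would be implemented, but of course, strictly speaking the 2nd idea makes the 1st idea half-way redundant." follows three numbered ideas, so say "both the 1st and the 2nd idea" (the man page item being orthogonal) rather than "both ideas", which leaves the reader to work out which two are meant.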

0 commit comments
