[PATCH net-next v3 0/5] af_unix: useful handling of LSM denials on SCM_RIGHTS
From: Jori Koolstra
Date: Mon Jun 29 2026 - 15:42:39 EST
Right now if some LSM such as Smack denies an AF_UNIX socket peer to
receive an SCM_RIGHTS fd, the SCM_RIGHTS fd array will be cut short at
that point, and MSG_CTRUNC is set on return of recvmsg(2). This is
highly problematic behaviour, because it leaves the receiver
wondering what happened. As per man page MSG_CTRUNC is supposed to
indicate that the control buffer was sized too short, but suddenly
a permission error might result in the exact same flag being set.
Moreover, the receiver has no chance to determine how many fds got
originally sent and how many were suppressed.[1]
Add a SO_RIGHTS_NOTRUNC option to UNIX sockets to enable more useful
handling of LSM denials when receiving SCM_RIGHTS messages: instead of
truncating the message at the first blocked fd, keep every fd slot
and store the LSM errno in the blocked slot.
[1]: https://github.com/uapi-group/kernel-features#useful-handling-of-lsm-denials-on-scm_rights
Changes:
v3:
- Separated net and vfs changes.
- Use kselftest_harness.h and system() to call the test script.
v2: https://lore.kernel.org/netdev/20260616143020.3458085-2-jkoolstra@xxxxxxxxx/
- Reimplemented as a UNIX socket option instead of a per recvmsg(2) flag.
v1: https://lore.kernel.org/netdev/20260428175125.2705296-1-jkoolstra@xxxxxxxxx/
Jori Koolstra (5):
net: scm: move scm_detach_fds() from common path to scm_recv_unix()
vfs: add function receive_fd_filtered() that makes LSM filtering
explicit
net: af_unix: useful handling of LSM denials on SCM_RIGHTS
net: af_unix: replace copy_from_sockptr() with
copy_safe_from_sockptr()
selftest: Add tests for useful handling of LSM denials on SCM_RIGHTS
fs/file.c | 48 +++--
include/linux/file.h | 2 +
include/net/af_unix.h | 1 +
include/net/scm.h | 15 +-
include/uapi/asm-generic/socket.h | 3 +
net/compat.c | 4 +-
net/core/scm.c | 18 +-
net/unix/af_unix.c | 18 +-
.../testing/selftests/net/af_unix/.gitignore | 3 +
tools/testing/selftests/net/af_unix/Makefile | 4 +
.../selftests/net/af_unix/scm_rights_denial.c | 20 ++
.../selftests/net/af_unix/scm_rights_denial.h | 38 ++++
.../net/af_unix/scm_rights_denial.sh | 174 ++++++++++++++++
.../net/af_unix/scm_rights_denial_receiver.c | 195 ++++++++++++++++++
.../net/af_unix/scm_rights_denial_sender.c | 126 +++++++++++
15 files changed, 636 insertions(+), 33 deletions(-)
create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial.c
create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial.h
create mode 100755 tools/testing/selftests/net/af_unix/scm_rights_denial.sh
create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial_receiver.c
create mode 100644 tools/testing/selftests/net/af_unix/scm_rights_denial_sender.c
--
2.54.0