bpf: Add kfunc to scrub SCM_RIGHTS at security_unix_may_send().

As Christian Brauner said [0], systemd calls cmsg_close_all() [1] after
each recvmsg() to close() unwanted file descriptors sent via SCM_RIGHTS.

However, this cannot work around the issue that close() for unwanted file
descriptors could block longer because the last fput() could occur on
the receiver side once sendmsg() with SCM_RIGHTS succeeds.

Also, even filtering by LSM at recvmsg() does not work for the same reason.

Thus, we need a better way to filter SCM_RIGHTS on the sender side.

Let's add a new kfunc to scrub all file descriptors from skb in
sendmsg().

This allows the receiver to keep recv()ing the bare data and disallows
the sender to impose the potential slowness of the last fput().

If necessary, we can add more granular filtering per file descriptor
after refactoring GC code and adding some fd-to-file helpers for BPF.

Sample:

SEC("lsm/unix_may_send")
int BPF_PROG(unix_scrub_scm_rights,
             struct socket *sock, struct socket *other, struct sk_buff *skb)
{
        struct unix_skb_parms *cb;

        if (skb && bpf_unix_scrub_fds(skb))
                return -EPERM;

        return 0;
}

Link: https://lore.kernel.org/netdev/20250502-fanden-unbeschadet-89973225255f@brauner/ #[0]
Link: https://github.com/systemd/systemd/blob/v257.5/src/basic/fd-util.c#L612-L628 #[1]
Signed-off-by: Kuniyuki Iwashima <[email protected]>

Author: q2ven

include/net/af_unix.h

@@ -58,4 +58,5 @@ struct unix_sock {
 #define unix_state_lock(s)	spin_lock(&unix_sk(s)->lock)
 #define unix_state_unlock(s)	spin_unlock(&unix_sk(s)->lock)
 
+int unix_scrub_fds(struct sk_buff *skb);
 #endif

net/core/filter.c

@@ -82,7 +82,7 @@
 #include <net/mptcp.h>
 #include <net/netfilter/nf_conntrack_bpf.h>
 #include <net/netkit.h>
-#include <linux/un.h>
+#include <net/af_unix.h>
 #include <net/xdp_sock_drv.h>
 #include <net/inet_dscp.h>
 
@@ -12153,6 +12153,11 @@ __bpf_kfunc int bpf_sock_ops_enable_tx_tstamp(struct bpf_sock_ops_kern *skops,
 	return 0;
 }
 
+__bpf_kfunc int bpf_unix_scrub_fds(struct sk_buff *skb)
+{
+	return unix_scrub_fds(skb);
+}
+
 __bpf_kfunc_end_defs();
 
 int bpf_dynptr_from_skb_rdonly(struct __sk_buff *skb, u64 flags,
@@ -12190,6 +12195,10 @@ BTF_KFUNCS_START(bpf_kfunc_check_set_sock_ops)
 BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp, KF_TRUSTED_ARGS)
 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_ops)
 
+BTF_KFUNCS_START(bpf_kfunc_check_set_scm_rights)
+BTF_ID_FLAGS(func, bpf_unix_scrub_fds, KF_TRUSTED_ARGS)
+BTF_KFUNCS_END(bpf_kfunc_check_set_scm_rights)
+
 static const struct btf_kfunc_id_set bpf_kfunc_set_skb = {
 	.owner = THIS_MODULE,
 	.set = &bpf_kfunc_check_set_skb,
@@ -12215,6 +12224,11 @@ static const struct btf_kfunc_id_set bpf_kfunc_set_sock_ops = {
 	.set = &bpf_kfunc_check_set_sock_ops,
 };
 
+static const struct btf_kfunc_id_set bpf_kfunc_set_scm_rights = {
+	.owner = THIS_MODULE,
+	.set = &bpf_kfunc_check_set_scm_rights,
+};
+
 static int __init bpf_kfunc_init(void)
 {
 	int ret;
@@ -12234,7 +12248,8 @@ static int __init bpf_kfunc_init(void)
 	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
 					       &bpf_kfunc_set_sock_addr);
 	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SCHED_CLS, &bpf_kfunc_set_tcp_reqsk);
-	return ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SOCK_OPS, &bpf_kfunc_set_sock_ops);
+	ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SOCK_OPS, &bpf_kfunc_set_sock_ops);
+	return ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_kfunc_set_scm_rights);
 }
 late_initcall(bpf_kfunc_init);
 

net/unix/af_unix.c

@@ -1885,6 +1885,21 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen
 	return err;
 }
 
+int unix_scrub_fds(struct sk_buff *skb)
+{
+	struct scm_cookie scm = {};
+
+	if (skb->destructor != unix_destruct_scm)
+		return -EINVAL;
+
+	if (UNIXCB(skb).fp) {
+		unix_detach_fds(&scm, skb);
+		scm_fp_destroy(&scm);
+	}
+
+	return 0;
+}
+
 static bool unix_passcred_enabled(const struct socket *sock,
 				  const struct sock *other)
 {