From: Mike Yuan <me@yhndnzj.com>
Date: Fri, 6 Jun 2025 19:01:33 +0000 (+0200)
Subject: core/socket: introduce AcceptFileDescriptors=
X-Git-Tag: v258-rc1~301^2~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5c12797fc3dc2dac37ef2c7873e59cbb6da19daf;p=thirdparty%2Fsystemd.git

core/socket: introduce AcceptFileDescriptors=

This controls the new SO_PASSRIGHTS socket option in kernel v6.16.
Note that I intentionally choose a different naming scheme than
Pass*=, since all other Pass*= options controls whether some extra
bits are attached to the message, while this one's about denying
file descriptor transfer and it feels more explicit this way.
And diverging from underlying socket option name is precedented
by Timestamping=. But happy to change it to just say PassRights=
if people disagree.
---

diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index 814400ad43e..237394b1faa 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -4913,6 +4913,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b PassPacketInfo = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly b AcceptFileDescriptors = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly s Timestamping = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b RemoveOnStop = ...;
@@ -5584,6 +5586,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property PassPacketInfo is not documented!-->
 
+    <!--property AcceptFileDescriptors is not documented!-->
+
     <!--property Timestamping is not documented!-->
 
     <!--property RemoveOnStop is not documented!-->
@@ -6188,6 +6192,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="PassPacketInfo"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="AcceptFileDescriptors"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Timestamping"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="RemoveOnStop"/>
@@ -12099,6 +12105,7 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>PrivatePIDs</varname> were added in version 257.</para>
       <para><varname>ProtectHostnameEx</varname>,
       <varname>PassPIDFD</varname>,
+      <varname>AcceptFileDescriptors</varname>,
       <varname>DelegateNamespaces</varname>, and
       <function>RemoveSubgroup()</function> were added in version 258.</para>
     </refsect2>
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index b43f8e685bf..91552d691f9 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -771,6 +771,17 @@
         <xi:include href="version-info.xml" xpointer="v246"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>AcceptFileDescriptors=</varname></term>
+
+        <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSRIGHTS</constant> socket
+        option, which when disabled prohibits the peer from sending <constant>SCM_RIGHTS</constant>
+        ancillary messages (aka file descriptors) via <constant>AF_UNIX</constant> sockets. Defaults to
+        <option>true</option>.</para>
+
+        <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>Timestamping=</varname></term>
         <listitem><para>Takes one of <literal>off</literal>, <literal>us</literal> (alias:
diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c
index b07b3c93c53..de96f00a158 100644
--- a/src/core/dbus-socket.c
+++ b/src/core/dbus-socket.c
@@ -89,6 +89,7 @@ const sd_bus_vtable bus_socket_vtable[] = {
         SD_BUS_PROPERTY("PassPIDFD", "b", bus_property_get_bool, offsetof(Socket, pass_pidfd), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PassSecurity", "b", bus_property_get_bool, offsetof(Socket, pass_sec), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PassPacketInfo", "b", bus_property_get_bool, offsetof(Socket, pass_pktinfo), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("AcceptFileDescriptors", "b", bus_property_get_bool, offsetof(Socket, pass_rights), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("Timestamping", "s", property_get_timestamping, offsetof(Socket, timestamping), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("RemoveOnStop", "b", bus_property_get_bool, offsetof(Socket, remove_on_stop), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("Listen", "a(ss)", property_get_listen, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@@ -201,6 +202,9 @@ static int bus_socket_set_transient_property(
         if (streq(name, "PassPacketInfo"))
                 return bus_set_transient_bool(u, name, &s->pass_pktinfo, message, flags, error);
 
+        if (streq(name, "AcceptFileDescriptors"))
+                return bus_set_transient_bool(u, name, &s->pass_rights, message, flags, error);
+
         if (streq(name, "Timestamping"))
                 return bus_set_transient_socket_timestamping(u, name, &s->timestamping, message, flags, error);
 
diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in
index e3c23337319..918228fea16 100644
--- a/src/core/load-fragment-gperf.gperf.in
+++ b/src/core/load-fragment-gperf.gperf.in
@@ -513,6 +513,7 @@ Socket.PassCredentials,                       config_parse_bool,
 Socket.PassPIDFD,                             config_parse_bool,                                  0,                                  offsetof(Socket, pass_pidfd)
 Socket.PassSecurity,                          config_parse_bool,                                  0,                                  offsetof(Socket, pass_sec)
 Socket.PassPacketInfo,                        config_parse_bool,                                  0,                                  offsetof(Socket, pass_pktinfo)
+Socket.AcceptFileDescriptors,                 config_parse_bool,                                  0,                                  offsetof(Socket, pass_rights)
 Socket.Timestamping,                          config_parse_socket_timestamping,                   0,                                  offsetof(Socket, timestamping)
 Socket.TCPCongestion,                         config_parse_string,                                0,                                  offsetof(Socket, tcp_congestion)
 Socket.ReusePort,                             config_parse_bool,                                  0,                                  offsetof(Socket, reuse_port)
diff --git a/src/core/socket.c b/src/core/socket.c
index 6d69d6cb425..e5cff0de761 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -129,6 +129,7 @@ static void socket_init(Unit *u) {
 
         s->max_connections = 64;
 
+        s->pass_rights = true; /* defaults to enabled in kernel */
         s->priority = -1;
         s->ip_tos = -1;
         s->ip_ttl = -1;
@@ -613,6 +614,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sPassPIDFD: %s\n"
                 "%sPassSecurity: %s\n"
                 "%sPassPacketInfo: %s\n"
+                "%sAcceptFileDescriptors: %s\n"
                 "%sTCPCongestion: %s\n"
                 "%sRemoveOnStop: %s\n"
                 "%sWritable: %s\n"
@@ -635,6 +637,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 prefix, yes_no(s->pass_pidfd),
                 prefix, yes_no(s->pass_sec),
                 prefix, yes_no(s->pass_pktinfo),
+                prefix, yes_no(s->pass_rights),
                 prefix, strna(s->tcp_congestion),
                 prefix, yes_no(s->remove_on_stop),
                 prefix, yes_no(s->writable),
@@ -1098,6 +1101,13 @@ static void socket_apply_socket_options(Socket *s, SocketPort *p, int fd) {
                         log_unit_warning_errno(UNIT(s), r, SOCKET_OPTION_WARNING_FORMAT_STR, "packet info");
         }
 
+        if (!s->pass_rights) {
+                r = setsockopt_int(fd, SOL_SOCKET, SO_PASSRIGHTS, false);
+                if (r < 0)
+                        log_unit_full_errno(UNIT(s), ERRNO_IS_NEG_NOT_SUPPORTED(r) ? LOG_DEBUG : LOG_WARNING, r,
+                                            SOCKET_OPTION_WARNING_FORMAT_STR, "SO_PASSRIGHTS");
+        }
+
         if (s->timestamping != SOCKET_TIMESTAMPING_OFF) {
                 r = setsockopt_int(fd, SOL_SOCKET,
                                    s->timestamping == SOCKET_TIMESTAMPING_NS ? SO_TIMESTAMPNS : SO_TIMESTAMP,
diff --git a/src/core/socket.h b/src/core/socket.h
index 99fcc0cbe65..70291fb0d26 100644
--- a/src/core/socket.h
+++ b/src/core/socket.h
@@ -134,6 +134,7 @@ typedef struct Socket {
         bool pass_pidfd;
         bool pass_sec;
         bool pass_pktinfo;
+        bool pass_rights;
         SocketTimestamping timestamping;
 
         /* Only for INET6 sockets: issue IPV6_V6ONLY sockopt */
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index aebeaa15ced..ce56defeacc 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -2586,6 +2586,7 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons
                               "PassPIDFD",
                               "PassSecurity",
                               "PassPacketInfo",
+                              "AcceptFileDescriptors",
                               "ReusePort",
                               "RemoveOnStop",
                               "PassFileDescriptorsToExec",