scm.c 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342
  1. /* scm.c - Socket level control messages processing.
  2. *
  3. * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
  4. * Alignment and value checking mods by Craig Metz
  5. *
  6. * This program is free software; you can redistribute it and/or
  7. * modify it under the terms of the GNU General Public License
  8. * as published by the Free Software Foundation; either version
  9. * 2 of the License, or (at your option) any later version.
  10. */
  11. #include <linux/module.h>
  12. #include <linux/signal.h>
  13. #include <linux/capability.h>
  14. #include <linux/errno.h>
  15. #include <linux/sched.h>
  16. #include <linux/mm.h>
  17. #include <linux/kernel.h>
  18. #include <linux/stat.h>
  19. #include <linux/socket.h>
  20. #include <linux/file.h>
  21. #include <linux/fcntl.h>
  22. #include <linux/net.h>
  23. #include <linux/interrupt.h>
  24. #include <linux/netdevice.h>
  25. #include <linux/security.h>
  26. #include <linux/pid_namespace.h>
  27. #include <linux/pid.h>
  28. #include <linux/nsproxy.h>
  29. #include <linux/slab.h>
  30. #include <asm/uaccess.h>
  31. #include <net/protocol.h>
  32. #include <linux/skbuff.h>
  33. #include <net/sock.h>
  34. #include <net/compat.h>
  35. #include <net/scm.h>
  36. #include <net/cls_cgroup.h>
  37. /*
  38. * Only allow a user to send credentials, that they could set with
  39. * setu(g)id.
  40. */
  41. static __inline__ int scm_check_creds(struct ucred *creds)
  42. {
  43. const struct cred *cred = current_cred();
  44. kuid_t uid = make_kuid(cred->user_ns, creds->uid);
  45. kgid_t gid = make_kgid(cred->user_ns, creds->gid);
  46. if (!uid_valid(uid) || !gid_valid(gid))
  47. return -EINVAL;
  48. if ((creds->pid == task_tgid_vnr(current) ||
  49. ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
  50. ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
  51. uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
  52. ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
  53. gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
  54. return 0;
  55. }
  56. return -EPERM;
  57. }
  58. static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
  59. {
  60. int *fdp = (int*)CMSG_DATA(cmsg);
  61. struct scm_fp_list *fpl = *fplp;
  62. struct file **fpp;
  63. int i, num;
  64. num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
  65. if (num <= 0)
  66. return 0;
  67. if (num > SCM_MAX_FD)
  68. return -EINVAL;
  69. if (!fpl)
  70. {
  71. fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
  72. if (!fpl)
  73. return -ENOMEM;
  74. *fplp = fpl;
  75. fpl->count = 0;
  76. fpl->max = SCM_MAX_FD;
  77. }
  78. fpp = &fpl->fp[fpl->count];
  79. if (fpl->count + num > fpl->max)
  80. return -EINVAL;
  81. /*
  82. * Verify the descriptors and increment the usage count.
  83. */
  84. for (i=0; i< num; i++)
  85. {
  86. int fd = fdp[i];
  87. struct file *file;
  88. if (fd < 0 || !(file = fget_raw(fd)))
  89. return -EBADF;
  90. *fpp++ = file;
  91. fpl->count++;
  92. }
  93. return num;
  94. }
  95. void __scm_destroy(struct scm_cookie *scm)
  96. {
  97. struct scm_fp_list *fpl = scm->fp;
  98. int i;
  99. if (fpl) {
  100. scm->fp = NULL;
  101. for (i=fpl->count-1; i>=0; i--)
  102. fput(fpl->fp[i]);
  103. kfree(fpl);
  104. }
  105. }
  106. EXPORT_SYMBOL(__scm_destroy);
  107. int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
  108. {
  109. struct cmsghdr *cmsg;
  110. int err;
  111. for_each_cmsghdr(cmsg, msg) {
  112. err = -EINVAL;
  113. /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
  114. /* The first check was omitted in <= 2.2.5. The reasoning was
  115. that parser checks cmsg_len in any case, so that
  116. additional check would be work duplication.
  117. But if cmsg_level is not SOL_SOCKET, we do not check
  118. for too short ancillary data object at all! Oops.
  119. OK, let's add it...
  120. */
  121. if (!CMSG_OK(msg, cmsg))
  122. goto error;
  123. if (cmsg->cmsg_level != SOL_SOCKET)
  124. continue;
  125. switch (cmsg->cmsg_type)
  126. {
  127. case SCM_RIGHTS:
  128. if (!sock->ops || sock->ops->family != PF_UNIX)
  129. goto error;
  130. err=scm_fp_copy(cmsg, &p->fp);
  131. if (err<0)
  132. goto error;
  133. break;
  134. case SCM_CREDENTIALS:
  135. {
  136. struct ucred creds;
  137. kuid_t uid;
  138. kgid_t gid;
  139. if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
  140. goto error;
  141. memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
  142. err = scm_check_creds(&creds);
  143. if (err)
  144. goto error;
  145. p->creds.pid = creds.pid;
  146. if (!p->pid || pid_vnr(p->pid) != creds.pid) {
  147. struct pid *pid;
  148. err = -ESRCH;
  149. pid = find_get_pid(creds.pid);
  150. if (!pid)
  151. goto error;
  152. put_pid(p->pid);
  153. p->pid = pid;
  154. }
  155. err = -EINVAL;
  156. uid = make_kuid(current_user_ns(), creds.uid);
  157. gid = make_kgid(current_user_ns(), creds.gid);
  158. if (!uid_valid(uid) || !gid_valid(gid))
  159. goto error;
  160. p->creds.uid = uid;
  161. p->creds.gid = gid;
  162. break;
  163. }
  164. default:
  165. goto error;
  166. }
  167. }
  168. if (p->fp && !p->fp->count)
  169. {
  170. kfree(p->fp);
  171. p->fp = NULL;
  172. }
  173. return 0;
  174. error:
  175. scm_destroy(p);
  176. return err;
  177. }
  178. EXPORT_SYMBOL(__scm_send);
  179. int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
  180. {
  181. struct cmsghdr __user *cm
  182. = (__force struct cmsghdr __user *)msg->msg_control;
  183. struct cmsghdr cmhdr;
  184. int cmlen = CMSG_LEN(len);
  185. int err;
  186. if (MSG_CMSG_COMPAT & msg->msg_flags)
  187. return put_cmsg_compat(msg, level, type, len, data);
  188. if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
  189. msg->msg_flags |= MSG_CTRUNC;
  190. return 0; /* XXX: return error? check spec. */
  191. }
  192. if (msg->msg_controllen < cmlen) {
  193. msg->msg_flags |= MSG_CTRUNC;
  194. cmlen = msg->msg_controllen;
  195. }
  196. cmhdr.cmsg_level = level;
  197. cmhdr.cmsg_type = type;
  198. cmhdr.cmsg_len = cmlen;
  199. err = -EFAULT;
  200. if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
  201. goto out;
  202. if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
  203. goto out;
  204. cmlen = CMSG_SPACE(len);
  205. if (msg->msg_controllen < cmlen)
  206. cmlen = msg->msg_controllen;
  207. msg->msg_control += cmlen;
  208. msg->msg_controllen -= cmlen;
  209. err = 0;
  210. out:
  211. return err;
  212. }
  213. EXPORT_SYMBOL(put_cmsg);
  214. void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
  215. {
  216. struct cmsghdr __user *cm
  217. = (__force struct cmsghdr __user*)msg->msg_control;
  218. int fdmax = 0;
  219. int fdnum = scm->fp->count;
  220. struct file **fp = scm->fp->fp;
  221. int __user *cmfptr;
  222. int err = 0, i;
  223. if (MSG_CMSG_COMPAT & msg->msg_flags) {
  224. scm_detach_fds_compat(msg, scm);
  225. return;
  226. }
  227. if (msg->msg_controllen > sizeof(struct cmsghdr))
  228. fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
  229. / sizeof(int));
  230. if (fdnum < fdmax)
  231. fdmax = fdnum;
  232. for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
  233. i++, cmfptr++)
  234. {
  235. struct socket *sock;
  236. int new_fd;
  237. err = security_file_receive(fp[i]);
  238. if (err)
  239. break;
  240. err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
  241. ? O_CLOEXEC : 0);
  242. if (err < 0)
  243. break;
  244. new_fd = err;
  245. err = put_user(new_fd, cmfptr);
  246. if (err) {
  247. put_unused_fd(new_fd);
  248. break;
  249. }
  250. /* Bump the usage count and install the file. */
  251. sock = sock_from_file(fp[i], &err);
  252. if (sock) {
  253. sock_update_netprioidx(&sock->sk->sk_cgrp_data);
  254. sock_update_classid(&sock->sk->sk_cgrp_data);
  255. }
  256. fd_install(new_fd, get_file(fp[i]));
  257. }
  258. if (i > 0)
  259. {
  260. int cmlen = CMSG_LEN(i*sizeof(int));
  261. err = put_user(SOL_SOCKET, &cm->cmsg_level);
  262. if (!err)
  263. err = put_user(SCM_RIGHTS, &cm->cmsg_type);
  264. if (!err)
  265. err = put_user(cmlen, &cm->cmsg_len);
  266. if (!err) {
  267. cmlen = CMSG_SPACE(i*sizeof(int));
  268. if (msg->msg_controllen < cmlen)
  269. cmlen = msg->msg_controllen;
  270. msg->msg_control += cmlen;
  271. msg->msg_controllen -= cmlen;
  272. }
  273. }
  274. if (i < fdnum || (fdnum && fdmax <= 0))
  275. msg->msg_flags |= MSG_CTRUNC;
  276. /*
  277. * All of the files that fit in the message have had their
  278. * usage counts incremented, so we just free the list.
  279. */
  280. __scm_destroy(scm);
  281. }
  282. EXPORT_SYMBOL(scm_detach_fds);
  283. struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
  284. {
  285. struct scm_fp_list *new_fpl;
  286. int i;
  287. if (!fpl)
  288. return NULL;
  289. new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
  290. GFP_KERNEL);
  291. if (new_fpl) {
  292. for (i = 0; i < fpl->count; i++)
  293. get_file(fpl->fp[i]);
  294. new_fpl->max = new_fpl->count;
  295. }
  296. return new_fpl;
  297. }
  298. EXPORT_SYMBOL(scm_fp_dup);