• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* scm.c - Socket level control messages processing.
2  *
3  * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
4  *              Alignment and value checking mods by Craig Metz
5  *
6  *		This program is free software; you can redistribute it and/or
7  *		modify it under the terms of the GNU General Public License
8  *		as published by the Free Software Foundation; either version
9  *		2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/signal.h>
14 #include <linux/capability.h>
15 #include <linux/errno.h>
16 #include <linux/sched.h>
17 #include <linux/mm.h>
18 #include <linux/kernel.h>
19 #include <linux/stat.h>
20 #include <linux/socket.h>
21 #include <linux/file.h>
22 #include <linux/fcntl.h>
23 #include <linux/net.h>
24 #include <linux/interrupt.h>
25 #include <linux/netdevice.h>
26 #include <linux/security.h>
27 #include <linux/pid_namespace.h>
28 #include <linux/pid.h>
29 #include <linux/nsproxy.h>
30 #include <linux/slab.h>
31 
32 #include <asm/uaccess.h>
33 
34 #include <net/protocol.h>
35 #include <linux/skbuff.h>
36 #include <net/sock.h>
37 #include <net/compat.h>
38 #include <net/scm.h>
39 #include <net/cls_cgroup.h>
40 
41 
42 /*
43  *	Only allow a user to send credentials, that they could set with
44  *	setu(g)id.
45  */
46 
scm_check_creds(struct ucred * creds)47 static __inline__ int scm_check_creds(struct ucred *creds)
48 {
49 	const struct cred *cred = current_cred();
50 	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
51 	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
52 
53 	if (!uid_valid(uid) || !gid_valid(gid))
54 		return -EINVAL;
55 
56 	if ((creds->pid == task_tgid_vnr(current) ||
57 	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
58 	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
59 	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
60 	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
61 	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
62 	       return 0;
63 	}
64 	return -EPERM;
65 }
66 
scm_fp_copy(struct cmsghdr * cmsg,struct scm_fp_list ** fplp)67 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
68 {
69 	int *fdp = (int*)CMSG_DATA(cmsg);
70 	struct scm_fp_list *fpl = *fplp;
71 	struct file **fpp;
72 	int i, num;
73 
74 	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
75 
76 	if (num <= 0)
77 		return 0;
78 
79 	if (num > SCM_MAX_FD)
80 		return -EINVAL;
81 
82 	if (!fpl)
83 	{
84 		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
85 		if (!fpl)
86 			return -ENOMEM;
87 		*fplp = fpl;
88 		fpl->count = 0;
89 		fpl->max = SCM_MAX_FD;
90 		fpl->user = NULL;
91 	}
92 	fpp = &fpl->fp[fpl->count];
93 
94 	if (fpl->count + num > fpl->max)
95 		return -EINVAL;
96 
97 	/*
98 	 *	Verify the descriptors and increment the usage count.
99 	 */
100 
101 	for (i=0; i< num; i++)
102 	{
103 		int fd = fdp[i];
104 		struct file *file;
105 
106 		if (fd < 0 || !(file = fget_raw(fd)))
107 			return -EBADF;
108 		*fpp++ = file;
109 		fpl->count++;
110 	}
111 
112 	if (!fpl->user)
113 		fpl->user = get_uid(current_user());
114 
115 	return num;
116 }
117 
__scm_destroy(struct scm_cookie * scm)118 void __scm_destroy(struct scm_cookie *scm)
119 {
120 	struct scm_fp_list *fpl = scm->fp;
121 	int i;
122 
123 	if (fpl) {
124 		scm->fp = NULL;
125 		for (i=fpl->count-1; i>=0; i--)
126 			fput(fpl->fp[i]);
127 		free_uid(fpl->user);
128 		kfree(fpl);
129 	}
130 }
131 EXPORT_SYMBOL(__scm_destroy);
132 
__scm_send(struct socket * sock,struct msghdr * msg,struct scm_cookie * p)133 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
134 {
135 	struct cmsghdr *cmsg;
136 	int err;
137 
138 	for_each_cmsghdr(cmsg, msg) {
139 		err = -EINVAL;
140 
141 		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
142 		/* The first check was omitted in <= 2.2.5. The reasoning was
143 		   that parser checks cmsg_len in any case, so that
144 		   additional check would be work duplication.
145 		   But if cmsg_level is not SOL_SOCKET, we do not check
146 		   for too short ancillary data object at all! Oops.
147 		   OK, let's add it...
148 		 */
149 		if (!CMSG_OK(msg, cmsg))
150 			goto error;
151 
152 		if (cmsg->cmsg_level != SOL_SOCKET)
153 			continue;
154 
155 		switch (cmsg->cmsg_type)
156 		{
157 		case SCM_RIGHTS:
158 			if (!sock->ops || sock->ops->family != PF_UNIX)
159 				goto error;
160 			err=scm_fp_copy(cmsg, &p->fp);
161 			if (err<0)
162 				goto error;
163 			break;
164 		case SCM_CREDENTIALS:
165 		{
166 			struct ucred creds;
167 			kuid_t uid;
168 			kgid_t gid;
169 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
170 				goto error;
171 			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
172 			err = scm_check_creds(&creds);
173 			if (err)
174 				goto error;
175 
176 			p->creds.pid = creds.pid;
177 			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
178 				struct pid *pid;
179 				err = -ESRCH;
180 				pid = find_get_pid(creds.pid);
181 				if (!pid)
182 					goto error;
183 				put_pid(p->pid);
184 				p->pid = pid;
185 			}
186 
187 			err = -EINVAL;
188 			uid = make_kuid(current_user_ns(), creds.uid);
189 			gid = make_kgid(current_user_ns(), creds.gid);
190 			if (!uid_valid(uid) || !gid_valid(gid))
191 				goto error;
192 
193 			p->creds.uid = uid;
194 			p->creds.gid = gid;
195 			break;
196 		}
197 		default:
198 			goto error;
199 		}
200 	}
201 
202 	if (p->fp && !p->fp->count)
203 	{
204 		kfree(p->fp);
205 		p->fp = NULL;
206 	}
207 	return 0;
208 
209 error:
210 	scm_destroy(p);
211 	return err;
212 }
213 EXPORT_SYMBOL(__scm_send);
214 
put_cmsg(struct msghdr * msg,int level,int type,int len,void * data)215 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
216 {
217 	struct cmsghdr __user *cm
218 		= (__force struct cmsghdr __user *)msg->msg_control;
219 	struct cmsghdr cmhdr;
220 	int cmlen = CMSG_LEN(len);
221 	int err;
222 
223 	if (MSG_CMSG_COMPAT & msg->msg_flags)
224 		return put_cmsg_compat(msg, level, type, len, data);
225 
226 	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
227 		msg->msg_flags |= MSG_CTRUNC;
228 		return 0; /* XXX: return error? check spec. */
229 	}
230 	if (msg->msg_controllen < cmlen) {
231 		msg->msg_flags |= MSG_CTRUNC;
232 		cmlen = msg->msg_controllen;
233 	}
234 	cmhdr.cmsg_level = level;
235 	cmhdr.cmsg_type = type;
236 	cmhdr.cmsg_len = cmlen;
237 
238 	err = -EFAULT;
239 	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
240 		goto out;
241 	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
242 		goto out;
243 	cmlen = CMSG_SPACE(len);
244 	if (msg->msg_controllen < cmlen)
245 		cmlen = msg->msg_controllen;
246 	msg->msg_control += cmlen;
247 	msg->msg_controllen -= cmlen;
248 	err = 0;
249 out:
250 	return err;
251 }
252 EXPORT_SYMBOL(put_cmsg);
253 
scm_detach_fds(struct msghdr * msg,struct scm_cookie * scm)254 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
255 {
256 	struct cmsghdr __user *cm
257 		= (__force struct cmsghdr __user*)msg->msg_control;
258 
259 	int fdmax = 0;
260 	int fdnum = scm->fp->count;
261 	struct file **fp = scm->fp->fp;
262 	int __user *cmfptr;
263 	int err = 0, i;
264 
265 	if (MSG_CMSG_COMPAT & msg->msg_flags) {
266 		scm_detach_fds_compat(msg, scm);
267 		return;
268 	}
269 
270 	if (msg->msg_controllen > sizeof(struct cmsghdr))
271 		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
272 			 / sizeof(int));
273 
274 	if (fdnum < fdmax)
275 		fdmax = fdnum;
276 
277 	for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
278 	     i++, cmfptr++)
279 	{
280 		struct socket *sock;
281 		int new_fd;
282 		err = security_file_receive(fp[i]);
283 		if (err)
284 			break;
285 		err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
286 					  ? O_CLOEXEC : 0);
287 		if (err < 0)
288 			break;
289 		new_fd = err;
290 		err = put_user(new_fd, cmfptr);
291 		if (err) {
292 			put_unused_fd(new_fd);
293 			break;
294 		}
295 		/* Bump the usage count and install the file. */
296 		sock = sock_from_file(fp[i], &err);
297 		if (sock) {
298 			sock_update_netprioidx(&sock->sk->sk_cgrp_data);
299 			sock_update_classid(&sock->sk->sk_cgrp_data);
300 		}
301 		fd_install(new_fd, get_file(fp[i]));
302 	}
303 
304 	if (i > 0)
305 	{
306 		int cmlen = CMSG_LEN(i*sizeof(int));
307 		err = put_user(SOL_SOCKET, &cm->cmsg_level);
308 		if (!err)
309 			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
310 		if (!err)
311 			err = put_user(cmlen, &cm->cmsg_len);
312 		if (!err) {
313 			cmlen = CMSG_SPACE(i*sizeof(int));
314 			if (msg->msg_controllen < cmlen)
315 				cmlen = msg->msg_controllen;
316 			msg->msg_control += cmlen;
317 			msg->msg_controllen -= cmlen;
318 		}
319 	}
320 	if (i < fdnum || (fdnum && fdmax <= 0))
321 		msg->msg_flags |= MSG_CTRUNC;
322 
323 	/*
324 	 * All of the files that fit in the message have had their
325 	 * usage counts incremented, so we just free the list.
326 	 */
327 	__scm_destroy(scm);
328 }
329 EXPORT_SYMBOL(scm_detach_fds);
330 
scm_fp_dup(struct scm_fp_list * fpl)331 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
332 {
333 	struct scm_fp_list *new_fpl;
334 	int i;
335 
336 	if (!fpl)
337 		return NULL;
338 
339 	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
340 			  GFP_KERNEL);
341 	if (new_fpl) {
342 		for (i = 0; i < fpl->count; i++)
343 			get_file(fpl->fp[i]);
344 		new_fpl->max = new_fpl->count;
345 		new_fpl->user = get_uid(fpl->user);
346 	}
347 	return new_fpl;
348 }
349 EXPORT_SYMBOL(scm_fp_dup);
350