1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* scm.c - Socket level control messages processing.
3 *
4 * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
5 * Alignment and value checking mods by Craig Metz
6 */
7
8 #include <linux/module.h>
9 #include <linux/signal.h>
10 #include <linux/capability.h>
11 #include <linux/errno.h>
12 #include <linux/sched.h>
13 #include <linux/sched/user.h>
14 #include <linux/mm.h>
15 #include <linux/kernel.h>
16 #include <linux/stat.h>
17 #include <linux/socket.h>
18 #include <linux/file.h>
19 #include <linux/fcntl.h>
20 #include <linux/net.h>
21 #include <linux/interrupt.h>
22 #include <linux/netdevice.h>
23 #include <linux/security.h>
24 #include <linux/pid_namespace.h>
25 #include <linux/pid.h>
26 #include <linux/nsproxy.h>
27 #include <linux/slab.h>
28 #include <linux/errqueue.h>
29 #ifndef __GENKSYMS__
30 #include <linux/io_uring.h>
31 #endif
32
33 #include <linux/uaccess.h>
34
35 #include <net/protocol.h>
36 #include <linux/skbuff.h>
37 #include <net/sock.h>
38 #include <net/compat.h>
39 #include <net/scm.h>
40 #include <net/cls_cgroup.h>
41
42
43 /*
44 * Only allow a user to send credentials, that they could set with
45 * setu(g)id.
46 */
47
scm_check_creds(struct ucred * creds)48 static __inline__ int scm_check_creds(struct ucred *creds)
49 {
50 const struct cred *cred = current_cred();
51 kuid_t uid = make_kuid(cred->user_ns, creds->uid);
52 kgid_t gid = make_kgid(cred->user_ns, creds->gid);
53
54 if (!uid_valid(uid) || !gid_valid(gid))
55 return -EINVAL;
56
57 if ((creds->pid == task_tgid_vnr(current) ||
58 ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
59 ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
60 uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
61 ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
62 gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
63 return 0;
64 }
65 return -EPERM;
66 }
67
scm_fp_copy(struct cmsghdr * cmsg,struct scm_fp_list ** fplp)68 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
69 {
70 int *fdp = (int*)CMSG_DATA(cmsg);
71 struct scm_fp_list *fpl = *fplp;
72 struct file **fpp;
73 int i, num;
74
75 num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
76
77 if (num <= 0)
78 return 0;
79
80 if (num > SCM_MAX_FD)
81 return -EINVAL;
82
83 if (!fpl)
84 {
85 fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
86 if (!fpl)
87 return -ENOMEM;
88 *fplp = fpl;
89 fpl->count = 0;
90 fpl->max = SCM_MAX_FD;
91 fpl->user = NULL;
92 }
93 fpp = &fpl->fp[fpl->count];
94
95 if (fpl->count + num > fpl->max)
96 return -EINVAL;
97
98 /*
99 * Verify the descriptors and increment the usage count.
100 */
101
102 for (i=0; i< num; i++)
103 {
104 int fd = fdp[i];
105 struct file *file;
106
107 if (fd < 0 || !(file = fget_raw(fd)))
108 return -EBADF;
109 /* don't allow io_uring files */
110 if (io_uring_get_socket(file)) {
111 fput(file);
112 return -EINVAL;
113 }
114 *fpp++ = file;
115 fpl->count++;
116 }
117
118 if (!fpl->user)
119 fpl->user = get_uid(current_user());
120
121 return num;
122 }
123
__scm_destroy(struct scm_cookie * scm)124 void __scm_destroy(struct scm_cookie *scm)
125 {
126 struct scm_fp_list *fpl = scm->fp;
127 int i;
128
129 if (fpl) {
130 scm->fp = NULL;
131 for (i=fpl->count-1; i>=0; i--)
132 fput(fpl->fp[i]);
133 free_uid(fpl->user);
134 kfree(fpl);
135 }
136 }
137 EXPORT_SYMBOL(__scm_destroy);
138
__scm_send(struct socket * sock,struct msghdr * msg,struct scm_cookie * p)139 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
140 {
141 struct cmsghdr *cmsg;
142 int err;
143
144 for_each_cmsghdr(cmsg, msg) {
145 err = -EINVAL;
146
147 /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
148 /* The first check was omitted in <= 2.2.5. The reasoning was
149 that parser checks cmsg_len in any case, so that
150 additional check would be work duplication.
151 But if cmsg_level is not SOL_SOCKET, we do not check
152 for too short ancillary data object at all! Oops.
153 OK, let's add it...
154 */
155 if (!CMSG_OK(msg, cmsg))
156 goto error;
157
158 if (cmsg->cmsg_level != SOL_SOCKET)
159 continue;
160
161 switch (cmsg->cmsg_type)
162 {
163 case SCM_RIGHTS:
164 if (!sock->ops || sock->ops->family != PF_UNIX)
165 goto error;
166 err=scm_fp_copy(cmsg, &p->fp);
167 if (err<0)
168 goto error;
169 break;
170 case SCM_CREDENTIALS:
171 {
172 struct ucred creds;
173 kuid_t uid;
174 kgid_t gid;
175 if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
176 goto error;
177 memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
178 err = scm_check_creds(&creds);
179 if (err)
180 goto error;
181
182 p->creds.pid = creds.pid;
183 if (!p->pid || pid_vnr(p->pid) != creds.pid) {
184 struct pid *pid;
185 err = -ESRCH;
186 pid = find_get_pid(creds.pid);
187 if (!pid)
188 goto error;
189 put_pid(p->pid);
190 p->pid = pid;
191 }
192
193 err = -EINVAL;
194 uid = make_kuid(current_user_ns(), creds.uid);
195 gid = make_kgid(current_user_ns(), creds.gid);
196 if (!uid_valid(uid) || !gid_valid(gid))
197 goto error;
198
199 p->creds.uid = uid;
200 p->creds.gid = gid;
201 break;
202 }
203 default:
204 goto error;
205 }
206 }
207
208 if (p->fp && !p->fp->count)
209 {
210 kfree(p->fp);
211 p->fp = NULL;
212 }
213 return 0;
214
215 error:
216 scm_destroy(p);
217 return err;
218 }
219 EXPORT_SYMBOL(__scm_send);
220
put_cmsg(struct msghdr * msg,int level,int type,int len,void * data)221 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
222 {
223 int cmlen = CMSG_LEN(len);
224
225 if (msg->msg_flags & MSG_CMSG_COMPAT)
226 return put_cmsg_compat(msg, level, type, len, data);
227
228 if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
229 msg->msg_flags |= MSG_CTRUNC;
230 return 0; /* XXX: return error? check spec. */
231 }
232 if (msg->msg_controllen < cmlen) {
233 msg->msg_flags |= MSG_CTRUNC;
234 cmlen = msg->msg_controllen;
235 }
236
237 if (msg->msg_control_is_user) {
238 struct cmsghdr __user *cm = msg->msg_control_user;
239
240 check_object_size(data, cmlen - sizeof(*cm), true);
241
242 if (!user_write_access_begin(cm, cmlen))
243 goto efault;
244
245 unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
246 unsafe_put_user(level, &cm->cmsg_level, efault_end);
247 unsafe_put_user(type, &cm->cmsg_type, efault_end);
248 unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
249 cmlen - sizeof(*cm), efault_end);
250 user_write_access_end();
251 } else {
252 struct cmsghdr *cm = msg->msg_control;
253
254 cm->cmsg_level = level;
255 cm->cmsg_type = type;
256 cm->cmsg_len = cmlen;
257 memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
258 }
259
260 cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
261 msg->msg_control += cmlen;
262 msg->msg_controllen -= cmlen;
263 return 0;
264
265 efault_end:
266 user_write_access_end();
267 efault:
268 return -EFAULT;
269 }
270 EXPORT_SYMBOL(put_cmsg);
271
put_cmsg_scm_timestamping64(struct msghdr * msg,struct scm_timestamping_internal * tss_internal)272 void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
273 {
274 struct scm_timestamping64 tss;
275 int i;
276
277 for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
278 tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
279 tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
280 }
281
282 put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
283 }
284 EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
285
put_cmsg_scm_timestamping(struct msghdr * msg,struct scm_timestamping_internal * tss_internal)286 void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
287 {
288 struct scm_timestamping tss;
289 int i;
290
291 for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
292 tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
293 tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
294 }
295
296 put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
297 }
298 EXPORT_SYMBOL(put_cmsg_scm_timestamping);
299
scm_max_fds(struct msghdr * msg)300 static int scm_max_fds(struct msghdr *msg)
301 {
302 if (msg->msg_controllen <= sizeof(struct cmsghdr))
303 return 0;
304 return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
305 }
306
scm_detach_fds(struct msghdr * msg,struct scm_cookie * scm)307 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
308 {
309 struct cmsghdr __user *cm =
310 (__force struct cmsghdr __user *)msg->msg_control;
311 unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
312 int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
313 int __user *cmsg_data = CMSG_USER_DATA(cm);
314 int err = 0, i;
315
316 /* no use for FD passing from kernel space callers */
317 if (WARN_ON_ONCE(!msg->msg_control_is_user))
318 return;
319
320 if (msg->msg_flags & MSG_CMSG_COMPAT) {
321 scm_detach_fds_compat(msg, scm);
322 return;
323 }
324
325 for (i = 0; i < fdmax; i++) {
326 err = receive_fd_user(scm->fp->fp[i], cmsg_data + i, o_flags);
327 if (err < 0)
328 break;
329 }
330
331 if (i > 0) {
332 int cmlen = CMSG_LEN(i * sizeof(int));
333
334 err = put_user(SOL_SOCKET, &cm->cmsg_level);
335 if (!err)
336 err = put_user(SCM_RIGHTS, &cm->cmsg_type);
337 if (!err)
338 err = put_user(cmlen, &cm->cmsg_len);
339 if (!err) {
340 cmlen = CMSG_SPACE(i * sizeof(int));
341 if (msg->msg_controllen < cmlen)
342 cmlen = msg->msg_controllen;
343 msg->msg_control += cmlen;
344 msg->msg_controllen -= cmlen;
345 }
346 }
347
348 if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
349 msg->msg_flags |= MSG_CTRUNC;
350
351 /*
352 * All of the files that fit in the message have had their usage counts
353 * incremented, so we just free the list.
354 */
355 __scm_destroy(scm);
356 }
357 EXPORT_SYMBOL(scm_detach_fds);
358
scm_fp_dup(struct scm_fp_list * fpl)359 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
360 {
361 struct scm_fp_list *new_fpl;
362 int i;
363
364 if (!fpl)
365 return NULL;
366
367 new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
368 GFP_KERNEL_ACCOUNT);
369 if (new_fpl) {
370 for (i = 0; i < fpl->count; i++)
371 get_file(fpl->fp[i]);
372 new_fpl->max = new_fpl->count;
373 new_fpl->user = get_uid(fpl->user);
374 }
375 return new_fpl;
376 }
377 EXPORT_SYMBOL(scm_fp_dup);
378