/* scm.c - Socket level control messages processing.
 *
 * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
 *              Alignment and value checking mods by Craig Metz
 *
 *		This program is free software; you can redistribute it and/or
 *		modify it under the terms of the GNU General Public License
 *		as published by the Free Software Foundation; either version
 *		2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/signal.h>
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/kernel.h>
#include <linux/stat.h>
#include <linux/socket.h>
#include <linux/file.h>
#include <linux/fcntl.h>
#include <linux/net.h>
#include <linux/interrupt.h>
#include <linux/netdevice.h>
#include <linux/security.h>
#include <linux/pid.h>
#include <linux/nsproxy.h>
#include <linux/slab.h>

#include <asm/uaccess.h>

#include <net/protocol.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <net/compat.h>
#include <net/scm.h>


/*
 *	Only allow a user to send credentials that they could set with
 *	setu(g)id.
 *
 *	@creds: the pid/uid/gid triple claimed in an SCM_CREDENTIALS
 *		control message.
 *
 *	Each claimed value must either match the calling task (its tgid;
 *	its real, effective or saved uid; its real, effective or saved
 *	gid) or be covered by the matching capability: CAP_SYS_ADMIN for
 *	the pid, CAP_SETUID for the uid, CAP_SETGID for the gid.
 *
 *	Returns 0 when all three claims are acceptable, -EPERM otherwise.
 */

static __inline__ int scm_check_creds(struct ucred *creds)
{
	const struct cred *self = current_cred();

	/*
	 * The checks run in pid, uid, gid order and capable() is consulted
	 * only when the claimed value does not match, exactly as a single
	 * short-circuit expression would evaluate them.
	 */
	if (creds->pid != task_tgid_vnr(current) && !capable(CAP_SYS_ADMIN))
		return -EPERM;

	if (creds->uid != self->uid && creds->uid != self->euid &&
	    creds->uid != self->suid && !capable(CAP_SETUID))
		return -EPERM;

	if (creds->gid != self->gid && creds->gid != self->egid &&
	    creds->gid != self->sgid && !capable(CAP_SETGID))
		return -EPERM;

	return 0;
}

/*
 * Take a reference on every descriptor carried by an SCM_RIGHTS control
 * message and append the resulting file pointers to *fplp.
 *
 * @cmsg: control message whose payload is an array of int descriptors.
 * @fplp: in/out list pointer; a list is allocated here on first use and
 *        published through *fplp before any descriptor is looked up.
 *
 * Returns the number of descriptors taken, 0 when the payload holds no
 * complete int, -EINVAL when the message or the accumulated list would
 * exceed its limit, -ENOMEM on allocation failure, and -EBADF for a
 * negative or unresolvable descriptor.
 *
 * On -EBADF the files referenced so far stay in the list with count
 * already updated, so the owner of *fplp has to release them; the error
 * path of __scm_send() calls scm_destroy() for that purpose.
 *
 * NOTE(review): the payload length is computed in the type of cmsg_len
 * and only then narrowed to int; this relies on the caller having
 * validated cmsg_len (CMSG_OK() in __scm_send()) - confirm for any new
 * caller.
 */
static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
{
	int *fds = (int *)CMSG_DATA(cmsg);
	struct scm_fp_list *list = *fplp;
	int idx, num;

	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
	if (num <= 0)
		return 0;

	/* Per-message cap, checked before anything is allocated. */
	if (num > SCM_MAX_FD)
		return -EINVAL;

	if (!list) {
		list = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
		if (!list)
			return -ENOMEM;
		*fplp = list;
		list->count = 0;
		list->max = SCM_MAX_FD;
	}

	/* Cap across all SCM_RIGHTS messages gathered into this list. */
	if (list->count + num > list->max)
		return -EINVAL;

	/*
	 * Verify the descriptors and increment the usage count.  count is
	 * bumped per entry so a partial failure leaves a consistent list.
	 */
	for (idx = 0; idx < num; idx++) {
		int fd = fds[idx];
		struct file *file;

		if (fd < 0)
			return -EBADF;
		file = fget_raw(fd);
		if (!file)
			return -EBADF;
		list->fp[list->count++] = file;
	}
	return num;
}

/*
 * Drop every file reference held by the cookie's descriptor list and
 * free the list.  A cookie without a list is left untouched.
 *
 * @scm: cookie whose ->fp list is released; ->fp is NULL on return.
 */
void __scm_destroy(struct scm_cookie *scm)
{
	struct scm_fp_list *list = scm->fp;
	int idx;

	if (!list)
		return;

	/*
	 * Detach the list from the cookie before dropping references;
	 * presumably so that nothing reached from fput() can find and
	 * release the same list again - confirm against callers.
	 */
	scm->fp = NULL;

	/* Release in reverse order of insertion. */
	idx = list->count;
	while (--idx >= 0)
		fput(list->fp[idx]);

	kfree(list);
}
EXPORT_SYMBOL(__scm_destroy);

/*
 * Parse the sender's control messages into the scm cookie.
 *
 * @sock: socket the message is sent on; SCM_RIGHTS is accepted only
 *        when its ops family is PF_UNIX.
 * @msg:  message header whose control buffer is walked.
 * @p:    cookie that collects passed files, claimed credentials and the
 *        pid/cred references that go with them.
 *
 * Every control message must pass CMSG_OK().  Messages whose level is
 * not SOL_SOCKET are then skipped; at SOL_SOCKET level only SCM_RIGHTS
 * and SCM_CREDENTIALS are accepted and any other type is an error.
 *
 * Returns 0 on success.  On failure the cookie is handed to
 * scm_destroy() and a negative errno is returned: -EINVAL for a
 * malformed or unsupported message, -EPERM for credentials the sender
 * may not claim, -ESRCH when the claimed pid cannot be found, -ENOMEM
 * on allocation failure, or the error from scm_fp_copy().
 */
int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
{
	struct cmsghdr *hdr;
	int ret;

	for (hdr = CMSG_FIRSTHDR(msg); hdr; hdr = CMSG_NXTHDR(msg, hdr)) {
		ret = -EINVAL;

		/*
		 * Verify that cmsg_len is at least sizeof(struct cmsghdr).
		 * This check was omitted in <= 2.2.5 on the grounds that
		 * the parser checks cmsg_len anyway; but for levels other
		 * than SOL_SOCKET nothing else rejects a too-short
		 * ancillary data object, so it is done here for all.
		 */
		if (!CMSG_OK(msg, hdr))
			goto error;

		if (cmsg_level_is_foreign(hdr))
			continue;

		switch (hdr->cmsg_type) {
		case SCM_RIGHTS:
			/* Descriptor passing is a PF_UNIX-only feature. */
			if (!sock->ops || sock->ops->family != PF_UNIX)
				goto error;
			ret = scm_fp_copy(hdr, &p->fp);
			if (ret < 0)
				goto error;
			break;

		case SCM_CREDENTIALS:
			/* Exact size only: no short or padded ucred. */
			if (hdr->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
				goto error;
			memcpy(&p->creds, CMSG_DATA(hdr), sizeof(struct ucred));

			/* Permission check comes before any reference swap. */
			ret = scm_check_creds(&p->creds);
			if (ret)
				goto error;

			/* Make p->pid refer to the claimed pid. */
			if (!p->pid || pid_vnr(p->pid) != p->creds.pid) {
				struct pid *new_pid;

				ret = -ESRCH;
				new_pid = find_get_pid(p->creds.pid);
				if (!new_pid)
					goto error;
				put_pid(p->pid);
				p->pid = new_pid;
			}

			/* Make p->cred carry the claimed uid and gid. */
			if (!p->cred ||
			    (p->cred->euid != p->creds.uid) ||
			    (p->cred->egid != p->creds.gid)) {
				struct cred *new_cred;

				ret = -ENOMEM;
				new_cred = prepare_creds();
				if (!new_cred)
					goto error;

				new_cred->uid = new_cred->euid = p->creds.uid;
				new_cred->gid = new_cred->egid = p->creds.gid;
				if (p->cred)
					put_cred(p->cred);
				p->cred = new_cred;
			}
			break;

		default:
			goto error;
		}
	}

	/* An allocated but empty descriptor list is not kept. */
	if (p->fp && !p->fp->count) {
		kfree(p->fp);
		p->fp = NULL;
	}
	return 0;

error:
	scm_destroy(p);
	return ret;
}
EXPORT_SYMBOL(__scm_send);

/*
 * Append one control message to the receiver's user-space control
 * buffer and advance msg_control/msg_controllen past it.
 *
 * @msg:   message header describing the user control buffer.
 * @level: value stored in cmsg_level.
 * @type:  value stored in cmsg_type.
 * @len:   payload length in bytes.
 * @data:  kernel buffer holding the payload.
 *
 * Compat callers (MSG_CMSG_COMPAT) are handed to put_cmsg_compat().
 * When the buffer is missing or cannot hold a header, MSG_CTRUNC is set
 * and 0 is returned without writing.  When the header fits but the
 * payload does not, the payload is cut to the space left, cmsg_len
 * reflects the cut length and MSG_CTRUNC is set.
 *
 * Returns 0 on success or truncation, -EFAULT if a user copy fails.
 *
 * NOTE(review): @len is a signed int and is not range-checked here; the
 * copy length is derived from it, so callers are trusted to pass a
 * non-negative value - confirm for any new caller.
 */
int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
	struct cmsghdr __user *ucm
		= (__force struct cmsghdr __user *)msg->msg_control;
	struct cmsghdr hdr;
	int total = CMSG_LEN(len);

	if (MSG_CMSG_COMPAT & msg->msg_flags)
		return put_cmsg_compat(msg, level, type, len, data);

	if (ucm == NULL || msg->msg_controllen < sizeof(*ucm)) {
		msg->msg_flags |= MSG_CTRUNC;
		return 0; /* XXX: return error? check spec. */
	}

	/* Clamp to the remaining space; at least a header fits here. */
	if (msg->msg_controllen < total) {
		msg->msg_flags |= MSG_CTRUNC;
		total = msg->msg_controllen;
	}

	hdr.cmsg_level = level;
	hdr.cmsg_type = type;
	hdr.cmsg_len = total;

	if (copy_to_user(ucm, &hdr, sizeof hdr))
		return -EFAULT;
	if (copy_to_user(CMSG_DATA(ucm), data, total - sizeof(struct cmsghdr)))
		return -EFAULT;

	/* Advance by the aligned size, but never past the buffer end. */
	total = CMSG_SPACE(len);
	if (msg->msg_controllen < total)
		total = msg->msg_controllen;
	msg->msg_control += total;
	msg->msg_controllen -= total;

	return 0;
}
EXPORT_SYMBOL(put_cmsg);

/*
 * Install the files carried by the cookie into the receiving task's
 * descriptor table and report the new descriptor numbers to user space
 * as one SCM_RIGHTS control message.
 *
 * @msg: receiver's message header; its control buffer gets the message.
 * @scm: cookie holding the passed files.  scm->fp is dereferenced
 *       unconditionally, so it must be non-NULL (callers are expected
 *       to check - confirm).
 *
 * Compat receivers (MSG_CMSG_COMPAT) go to scm_detach_fds_compat().
 * At most as many files are installed as int slots fit behind a header
 * in the control buffer.  MSG_CTRUNC is set when not every file was
 * delivered.  The cookie's list is always released on the way out.
 */
void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
{
	struct cmsghdr __user *ucm
		= (__force struct cmsghdr __user*)msg->msg_control;

	int limit = 0;
	int total = scm->fp->count;
	struct file **files = scm->fp->fp;
	int __user *ufds;
	int fd_flags;
	int err = 0, i;

	if (MSG_CMSG_COMPAT & msg->msg_flags) {
		scm_detach_fds_compat(msg, scm);
		return;
	}

	/* How many descriptors fit after the header in the user buffer. */
	if (msg->msg_controllen > sizeof(struct cmsghdr))
		limit = ((msg->msg_controllen - sizeof(struct cmsghdr))
			 / sizeof(int));

	if (total < limit)
		limit = total;

	/* The receiver may ask for close-on-exec on the new descriptors. */
	fd_flags = (MSG_CMSG_CLOEXEC & msg->msg_flags) ? O_CLOEXEC : 0;
	ufds = (__force int __user *)CMSG_DATA(ucm);

	for (i = 0; i < limit; i++) {
		int new_fd;

		/* LSM gets to veto each file before an fd is reserved. */
		err = security_file_receive(files[i]);
		if (err)
			break;

		err = get_unused_fd_flags(fd_flags);
		if (err < 0)
			break;
		new_fd = err;

		/*
		 * Tell user space the number first; if that faults the
		 * reserved slot is given back and nothing was installed.
		 */
		err = put_user(new_fd, &ufds[i]);
		if (err) {
			put_unused_fd(new_fd);
			break;
		}

		/* Bump the usage count and install the file. */
		get_file(files[i]);
		fd_install(new_fd, files[i]);
	}

	if (i > 0) {
		int cmlen = CMSG_LEN(i*sizeof(int));

		/*
		 * The header is written after the descriptors are already
		 * installed; if one of these writes faults, the control
		 * pointer is simply not advanced and the installed
		 * descriptors stay in the receiver's table.
		 */
		err = put_user(SOL_SOCKET, &ucm->cmsg_level);
		if (!err)
			err = put_user(SCM_RIGHTS, &ucm->cmsg_type);
		if (!err)
			err = put_user(cmlen, &ucm->cmsg_len);
		if (!err) {
			cmlen = CMSG_SPACE(i*sizeof(int));
			msg->msg_control += cmlen;
			msg->msg_controllen -= cmlen;
		}
	}

	if (i < total || (total && limit <= 0))
		msg->msg_flags |= MSG_CTRUNC;

	/*
	 * All of the files that fit in the message have had their
	 * usage counts incremented, so we just free the list.
	 */
	__scm_destroy(scm);
}
EXPORT_SYMBOL(scm_detach_fds);

/*
 * Duplicate a descriptor list, taking one extra reference on every file
 * it holds.
 *
 * @fpl: list to copy; may be NULL.
 *
 * Returns the new list, or NULL when @fpl is NULL or the allocation
 * fails.  The caller owns the copy and its file references.
 */
struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
{
	struct scm_fp_list *copy;
	int idx;

	if (!fpl)
		return NULL;

	/* Only the used part of the fp[] array is allocated and copied. */
	copy = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
		       GFP_KERNEL);
	if (!copy)
		return NULL;

	for (idx = 0; idx < fpl->count; idx++)
		get_file(fpl->fp[idx]);

	/*
	 * The copy has no spare slots, so its capacity equals its count;
	 * a bounds check against ->max then rejects any append.
	 */
	copy->max = copy->count;

	return copy;
}
EXPORT_SYMBOL(scm_fp_dup);