/* scm.c - Socket level control messages processing.
 *
 * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
 *              Alignment and value checking mods by Craig Metz
 *
 *		This program is free software; you can redistribute it and/or
 *		modify it under the terms of the GNU General Public License
 *		as published by the Free Software Foundation; either version
 *		2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/signal.h>
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/kernel.h>
#include <linux/stat.h>
#include <linux/socket.h>
#include <linux/file.h>
#include <linux/fcntl.h>
#include <linux/net.h>
#include <linux/interrupt.h>
#include <linux/netdevice.h>
#include <linux/security.h>
#include <linux/pid.h>
#include <linux/nsproxy.h>
#include <linux/slab.h>

#include <asm/system.h>
#include <asm/uaccess.h>

#include <net/protocol.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <net/compat.h>
#include <net/scm.h>


/*
 *	Only allow a user to send credentials, that they could set with
 *	setu(g)id.
 */

static __inline__ int scm_check_creds(struct ucred *creds)
{
	/*
	 * Validate a sender-supplied pid/uid/gid triple against the calling
	 * task.  Returns 0 when every field is acceptable and -EPERM as soon
	 * as one of them is not.
	 *
	 * A field passes either because it matches the caller's own identity
	 * or because the caller holds the overriding capability.  capable()
	 * is consulted only after the plain comparison has failed, and the
	 * fields are tested in pid, uid, gid order.
	 */
	const struct cred *self = current_cred();

	/* pid: the caller's own thread-group id, unless CAP_SYS_ADMIN. */
	if (creds->pid != task_tgid_vnr(current) && !capable(CAP_SYS_ADMIN))
		return -EPERM;

	/* uid: one of the caller's real/effective/saved ids, unless CAP_SETUID. */
	if (creds->uid != self->uid && creds->uid != self->euid &&
	    creds->uid != self->suid && !capable(CAP_SETUID))
		return -EPERM;

	/* gid: one of the caller's real/effective/saved ids, unless CAP_SETGID. */
	if (creds->gid != self->gid && creds->gid != self->egid &&
	    creds->gid != self->sgid && !capable(CAP_SETGID))
		return -EPERM;

	return 0;
}

/*
 * scm_fp_copy - take references on the descriptors carried by one
 * SCM_RIGHTS control message and append them to *fplp.
 * @cmsg: control message whose payload is an array of int descriptors
 * @fplp: in/out list pointer; a list is allocated here when *fplp is NULL
 *
 * Returns the number of descriptors appended, 0 when the message carries
 * none, -EINVAL when the message or the resulting list would exceed its
 * limit, -ENOMEM when the list cannot be allocated and -EBADF for a
 * negative or unresolvable descriptor.
 *
 * On -EBADF the files resolved before the bad entry stay in the list with
 * their references held and count already bumped, and a list allocated here
 * has already been published through *fplp.  The caller therefore has to
 * tear the list down on error; __scm_send() does so via scm_destroy().
 */
static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
{
	int *fds = (int *)CMSG_DATA(cmsg);
	struct scm_fp_list *list = *fplp;
	int idx, nfds;

	/* Payload bytes after the aligned header, in units of int. */
	nfds = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);

	if (nfds <= 0)
		return 0;

	/* Per-message cap, checked before anything is allocated. */
	if (nfds > SCM_MAX_FD)
		return -EINVAL;

	if (!list) {
		/*
		 * kmalloc() does not zero the block: only count and max are
		 * initialised, so fp[] slots at or beyond count hold no valid
		 * pointers and every consumer has to stay below count.
		 */
		list = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
		if (!list)
			return -ENOMEM;
		*fplp = list;
		list->count = 0;
		list->max = SCM_MAX_FD;
	}

	/* Cumulative cap across all SCM_RIGHTS messages feeding this list. */
	if (list->count + nfds > list->max)
		return -EINVAL;

	/*
	 *	Verify the descriptors and increment the usage count.
	 */
	for (idx = 0; idx < nfds; idx++) {
		int fd = fds[idx];
		struct file *file;

		if (fd < 0)
			return -EBADF;
		file = fget_raw(fd);
		if (!file)
			return -EBADF;

		/* Store first, then count: count always covers valid slots only. */
		list->fp[list->count] = file;
		list->count++;
	}
	return nfds;
}

/*
 * __scm_destroy - drop the file references held by @scm and free its list.
 * @scm: cookie whose descriptor list (scm->fp) is to be released
 *
 * Does nothing when no list is attached.  The list is detached from the
 * cookie before any reference is dropped, so a second call on the same
 * cookie finds scm->fp == NULL and returns without touching it again.
 *
 * Releasing is iterative rather than recursive: the outermost call installs
 * an on-stack work list in current->scm_work_list and drains it, while a
 * call made during that drain only queues its list on the existing work
 * list and returns.  NOTE(review): the nested call is presumably reached
 * through fput() releasing a socket that itself holds queued descriptors;
 * confirm against the AF_UNIX release path.
 */
void __scm_destroy(struct scm_cookie *scm)
{
	struct scm_fp_list *fpl = scm->fp;
	LIST_HEAD(pending);
	int idx;

	if (!fpl)
		return;

	scm->fp = NULL;

	/* Somebody further up this task's stack is draining: just queue. */
	if (current->scm_work_list) {
		list_add_tail(&fpl->list, current->scm_work_list);
		return;
	}

	current->scm_work_list = &pending;
	list_add(&fpl->list, &pending);

	while (!list_empty(&pending)) {
		fpl = list_first_entry(&pending, struct scm_fp_list, list);

		/* Unlink before the fput() calls, which may queue more lists. */
		list_del(&fpl->list);

		/* Drop references last-to-first, only for slots below count. */
		idx = fpl->count;
		while (idx-- > 0)
			fput(fpl->fp[idx]);
		kfree(fpl);
	}

	/* The on-stack head is about to go out of scope; unpublish it. */
	current->scm_work_list = NULL;
}
EXPORT_SYMBOL(__scm_destroy);

/*
 * __scm_send - parse the control messages of an outgoing message into @p.
 * @sock: sending socket; SCM_RIGHTS is accepted only when it is PF_UNIX
 * @msg:  message header whose control buffer is walked
 * @p:    cookie that collects the descriptor list, pid and credentials
 *
 * Returns 0 when every control message was accepted.  On the first
 * rejected message the cookie is released through scm_destroy() and a
 * negative errno is returned: -EINVAL for a malformed or unsupported
 * message, -EPERM for credentials the sender may not claim, -ESRCH or
 * -ENOMEM when the pid or cred object cannot be obtained, or the error
 * from scm_fp_copy().
 *
 * Everything read from the control buffer is sender-controlled.  Messages
 * whose level is not SOL_SOCKET get the length check only and are then
 * skipped; SOL_SOCKET messages of an unknown type are rejected.
 */
int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
{
	struct cmsghdr *cmsg;
	int err;

	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
		/* Result of every "goto error" that does not set its own. */
		err = -EINVAL;

		/*
		 * Verify that cmsg_len is at least sizeof(struct cmsghdr).
		 * Kernels up to 2.2.5 left this check to the per-type parser,
		 * which meant a too-short object was never caught when
		 * cmsg_level was not SOL_SOCKET.  Hence the check comes first.
		 */
		if (!CMSG_OK(msg, cmsg))
			goto error;

		if (cmsg->cmsg_level != SOL_SOCKET)
			continue;

		switch (cmsg->cmsg_type) {
		case SCM_RIGHTS:
			/* Descriptor passing is refused on anything but PF_UNIX. */
			if (!sock->ops || sock->ops->family != PF_UNIX)
				goto error;
			err = scm_fp_copy(cmsg, &p->fp);
			if (err < 0)
				goto error;
			break;

		case SCM_CREDENTIALS:
			/* Exact size only: neither short nor padded payloads. */
			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
				goto error;

			/*
			 * p->creds is overwritten before it is validated; a
			 * failed check leaves via the error path below.
			 */
			memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
			err = scm_check_creds(&p->creds);
			if (err)
				goto error;

			/* Re-point the cookie at the pid that was claimed. */
			if (p->creds.pid != pid_vnr(p->pid)) {
				struct pid *new_pid = find_get_pid(p->creds.pid);

				if (!new_pid) {
					err = -ESRCH;
					goto error;
				}
				put_pid(p->pid);
				p->pid = new_pid;
			}

			/*
			 * Likewise for uid/gid: build a fresh cred carrying the
			 * claimed ids and swap it in for the cookie's old one.
			 */
			if (p->cred->euid != p->creds.uid ||
			    p->cred->egid != p->creds.gid) {
				struct cred *new_cred = prepare_creds();

				if (!new_cred) {
					err = -ENOMEM;
					goto error;
				}
				new_cred->euid = p->creds.uid;
				new_cred->uid = p->creds.uid;
				new_cred->egid = p->creds.gid;
				new_cred->gid = p->creds.gid;
				put_cred(p->cred);
				p->cred = new_cred;
			}
			break;

		default:
			goto error;
		}
	}

	/* A list that ended up empty is not handed on to the caller. */
	if (p->fp && !p->fp->count) {
		kfree(p->fp);
		p->fp = NULL;
	}
	return 0;

error:
	/* scm_destroy() is not defined in this file. */
	scm_destroy(p);
	return err;
}
EXPORT_SYMBOL(__scm_send);

/*
 * put_cmsg - append one control message to the user buffer behind @msg.
 * @msg:   message header; msg_control and msg_controllen are advanced past
 *         the record on success, MSG_CTRUNC is set in msg_flags on truncation
 * @level: value stored in cmsg_level
 * @type:  value stored in cmsg_type
 * @len:   payload length in bytes
 * @data:  kernel buffer holding the payload
 *
 * Returns 0 on success, which includes both truncation cases, and -EFAULT
 * when a copy to user space fails.  With MSG_CMSG_COMPAT set the whole job
 * is handed to put_cmsg_compat().
 *
 * Truncation is reported through MSG_CTRUNC only: when there is no room
 * for even a header nothing is written, and when the payload does not fit
 * it is clipped and cmsg_len reflects the clipped size.
 *
 * NOTE(review): the bytes at @data are copied to user space as they are, so
 * callers are responsible for passing a fully initialised buffer of at
 * least @len bytes, padding included.
 * NOTE(review): @len is not range-checked here; callers are assumed to pass
 * a non-negative length - confirm.
 */
int put_cmsg(struct msghdr *msg, int level, int type, int len, void *data)
{
	struct cmsghdr __user *ucm
		= (__force struct cmsghdr __user *)msg->msg_control;
	struct cmsghdr hdr;
	int used = CMSG_LEN(len);

	if (msg->msg_flags & MSG_CMSG_COMPAT)
		return put_cmsg_compat(msg, level, type, len, data);

	/* No buffer, or not even room for a header: flag it and stop. */
	if (ucm == NULL || msg->msg_controllen < sizeof(*ucm)) {
		msg->msg_flags |= MSG_CTRUNC;
		return 0; /* XXX: return error? check spec. */
	}

	/* Header fits but the record does not: clip to what is left. */
	if (msg->msg_controllen < used) {
		msg->msg_flags |= MSG_CTRUNC;
		used = msg->msg_controllen;
	}

	hdr.cmsg_level = level;
	hdr.cmsg_type = type;
	hdr.cmsg_len = used;

	if (copy_to_user(ucm, &hdr, sizeof hdr))
		return -EFAULT;

	/* 'used' was clipped above, so the write stays inside the buffer. */
	if (copy_to_user(CMSG_DATA(ucm), data, used - sizeof(struct cmsghdr)))
		return -EFAULT;

	/* Advance by the aligned record size, but never past the buffer end. */
	used = CMSG_SPACE(len);
	if (msg->msg_controllen < used)
		used = msg->msg_controllen;
	msg->msg_control += used;
	msg->msg_controllen -= used;
	return 0;
}
EXPORT_SYMBOL(put_cmsg);

/*
 * scm_detach_fds - install the files queued in @scm into the receiving
 * task and describe them in an SCM_RIGHTS record in the user buffer.
 * @msg: message header describing the receiver's control buffer
 * @scm: cookie holding the descriptor list; scm->fp is dereferenced
 *       without a NULL check, so callers must only call this with a list
 *       attached
 *
 * With MSG_CMSG_COMPAT set the work is handed to scm_detach_fds_compat().
 * Otherwise as many files are installed as fit in the control buffer.
 * Nothing is returned: a failure part-way through shows up to the receiver
 * only as MSG_CTRUNC.  The list is released through __scm_destroy() in
 * every non-compat case.
 *
 * Per file, the LSM hook, descriptor allocation and the write of the
 * descriptor number to user space all come before fd_install(); the only
 * undo in the loop is put_unused_fd() for a reserved number that could not
 * be reported.
 *
 * NOTE(review): when writing the record header fails after the loop, the
 * descriptors installed by the loop stay installed; nothing here rolls
 * them back and the control pointer is simply not advanced.
 */
void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
{
	struct cmsghdr __user *cm
		= (__force struct cmsghdr __user *)msg->msg_control;
	int room = 0;
	int queued = scm->fp->count;
	struct file **files = scm->fp->fp;
	int __user *slot;
	int fd_flags;
	int err = 0, i;

	if (msg->msg_flags & MSG_CMSG_COMPAT) {
		scm_detach_fds_compat(msg, scm);
		return;
	}

	/* How many int slots fit behind a header in the user buffer. */
	if (msg->msg_controllen > sizeof(struct cmsghdr))
		room = ((msg->msg_controllen - sizeof(struct cmsghdr))
			/ sizeof(int));

	if (queued < room)
		room = queued;

	/* Close-on-exec is applied to every descriptor when requested. */
	fd_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;

	slot = (__force int __user *)CMSG_DATA(cm);
	for (i = 0; i < room; i++, slot++) {
		int fd;

		/* Let the security module veto this particular file. */
		err = security_file_receive(files[i]);
		if (err)
			break;

		err = get_unused_fd_flags(fd_flags);
		if (err < 0)
			break;
		fd = err;

		/* Report the number first; give the slot back if that fails. */
		err = put_user(fd, slot);
		if (err) {
			put_unused_fd(fd);
			break;
		}

		/* Bump the usage count and install the file. */
		get_file(files[i]);
		fd_install(fd, files[i]);
	}

	/* i is the number of descriptors actually installed. */
	if (i > 0) {
		int cmlen = CMSG_LEN(i*sizeof(int));

		if (!put_user(SOL_SOCKET, &cm->cmsg_level) &&
		    !put_user(SCM_RIGHTS, &cm->cmsg_type) &&
		    !put_user(cmlen, &cm->cmsg_len)) {
			cmlen = CMSG_SPACE(i*sizeof(int));
			msg->msg_control += cmlen;
			msg->msg_controllen -= cmlen;
		}
	}

	/* Fewer installed than queued, or no room at all: tell the receiver. */
	if (i < queued || (queued && room <= 0))
		msg->msg_flags |= MSG_CTRUNC;

	/*
	 * All of the files that fit in the message have had their
	 * usage counts incremented, so we just free the list.
	 */
	__scm_destroy(scm);
}
EXPORT_SYMBOL(scm_detach_fds);

/*
 * scm_fp_dup - duplicate a descriptor list, taking one more reference on
 * every file it holds.
 * @fpl: list to duplicate; may be NULL
 *
 * Returns the new list, or NULL when @fpl is NULL or the allocation fails.
 * The two cases are not distinguishable from the return value alone.
 */
struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
{
	struct scm_fp_list *copy;
	int idx;

	if (!fpl)
		return NULL;

	/* Copy the header plus only the fpl->count slots that are in use. */
	copy = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
		       GFP_KERNEL);
	if (!copy)
		return NULL;

	/* The copy shares the file pointers, so each needs its own reference. */
	for (idx = 0; idx < fpl->count; idx++)
		get_file(fpl->fp[idx]);

	/*
	 * The allocation ends right after the last used slot, so max is
	 * capped at count: scm_fp_copy() refuses to grow a list beyond max
	 * and therefore cannot write past the end of this copy.
	 */
	copy->max = copy->count;
	return copy;
}
EXPORT_SYMBOL(scm_fp_dup);