xref: /openbmc/linux/net/core/scm.c (revision d5cb9783536a41df9f9cba5b0a1d78047ed787f7)
1 /* scm.c - Socket level control messages processing.
2  *
3  * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
4  *              Alignment and value checking mods by Craig Metz
5  *
6  *		This program is free software; you can redistribute it and/or
7  *		modify it under the terms of the GNU General Public License
8  *		as published by the Free Software Foundation; either version
9  *		2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/signal.h>
14 #include <linux/errno.h>
15 #include <linux/sched.h>
16 #include <linux/mm.h>
17 #include <linux/kernel.h>
18 #include <linux/stat.h>
19 #include <linux/socket.h>
20 #include <linux/file.h>
21 #include <linux/fcntl.h>
22 #include <linux/net.h>
23 #include <linux/interrupt.h>
24 #include <linux/netdevice.h>
25 #include <linux/security.h>
26 
27 #include <asm/system.h>
28 #include <asm/uaccess.h>
29 
30 #include <net/protocol.h>
31 #include <linux/skbuff.h>
32 #include <net/sock.h>
33 #include <net/compat.h>
34 #include <net/scm.h>
35 
36 
37 /*
38  *	Only allow a user to send credentials, that they could set with
39  *	setu(g)id.
40  */
41 
42 static __inline__ int scm_check_creds(struct ucred *creds)
43 {
44 	if ((creds->pid == current->tgid || capable(CAP_SYS_ADMIN)) &&
45 	    ((creds->uid == current->uid || creds->uid == current->euid ||
46 	      creds->uid == current->suid) || capable(CAP_SETUID)) &&
47 	    ((creds->gid == current->gid || creds->gid == current->egid ||
48 	      creds->gid == current->sgid) || capable(CAP_SETGID))) {
49 	       return 0;
50 	}
51 	return -EPERM;
52 }
53 
54 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
55 {
56 	int *fdp = (int*)CMSG_DATA(cmsg);
57 	struct scm_fp_list *fpl = *fplp;
58 	struct file **fpp;
59 	int i, num;
60 
61 	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
62 
63 	if (num <= 0)
64 		return 0;
65 
66 	if (num > SCM_MAX_FD)
67 		return -EINVAL;
68 
69 	if (!fpl)
70 	{
71 		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
72 		if (!fpl)
73 			return -ENOMEM;
74 		*fplp = fpl;
75 		fpl->count = 0;
76 	}
77 	fpp = &fpl->fp[fpl->count];
78 
79 	if (fpl->count + num > SCM_MAX_FD)
80 		return -EINVAL;
81 
82 	/*
83 	 *	Verify the descriptors and increment the usage count.
84 	 */
85 
86 	for (i=0; i< num; i++)
87 	{
88 		int fd = fdp[i];
89 		struct file *file;
90 
91 		if (fd < 0 || !(file = fget(fd)))
92 			return -EBADF;
93 		*fpp++ = file;
94 		fpl->count++;
95 	}
96 	return num;
97 }
98 
99 void __scm_destroy(struct scm_cookie *scm)
100 {
101 	struct scm_fp_list *fpl = scm->fp;
102 	int i;
103 
104 	if (fpl) {
105 		scm->fp = NULL;
106 		for (i=fpl->count-1; i>=0; i--)
107 			fput(fpl->fp[i]);
108 		kfree(fpl);
109 	}
110 }
111 
112 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
113 {
114 	struct cmsghdr *cmsg;
115 	int err;
116 
117 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
118 	{
119 		err = -EINVAL;
120 
121 		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
122 		/* The first check was omitted in <= 2.2.5. The reasoning was
123 		   that parser checks cmsg_len in any case, so that
124 		   additional check would be work duplication.
125 		   But if cmsg_level is not SOL_SOCKET, we do not check
126 		   for too short ancillary data object at all! Oops.
127 		   OK, let's add it...
128 		 */
129 		if (!CMSG_OK(msg, cmsg))
130 			goto error;
131 
132 		if (cmsg->cmsg_level != SOL_SOCKET)
133 			continue;
134 
135 		switch (cmsg->cmsg_type)
136 		{
137 		case SCM_RIGHTS:
138 			err=scm_fp_copy(cmsg, &p->fp);
139 			if (err<0)
140 				goto error;
141 			break;
142 		case SCM_CREDENTIALS:
143 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
144 				goto error;
145 			memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
146 			err = scm_check_creds(&p->creds);
147 			if (err)
148 				goto error;
149 			break;
150 		default:
151 			goto error;
152 		}
153 	}
154 
155 	if (p->fp && !p->fp->count)
156 	{
157 		kfree(p->fp);
158 		p->fp = NULL;
159 	}
160 	return 0;
161 
162 error:
163 	scm_destroy(p);
164 	return err;
165 }
166 
167 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
168 {
169 	struct cmsghdr __user *cm = (struct cmsghdr __user *)msg->msg_control;
170 	struct cmsghdr cmhdr;
171 	int cmlen = CMSG_LEN(len);
172 	int err;
173 
174 	if (MSG_CMSG_COMPAT & msg->msg_flags)
175 		return put_cmsg_compat(msg, level, type, len, data);
176 
177 	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
178 		msg->msg_flags |= MSG_CTRUNC;
179 		return 0; /* XXX: return error? check spec. */
180 	}
181 	if (msg->msg_controllen < cmlen) {
182 		msg->msg_flags |= MSG_CTRUNC;
183 		cmlen = msg->msg_controllen;
184 	}
185 	cmhdr.cmsg_level = level;
186 	cmhdr.cmsg_type = type;
187 	cmhdr.cmsg_len = cmlen;
188 
189 	err = -EFAULT;
190 	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
191 		goto out;
192 	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
193 		goto out;
194 	cmlen = CMSG_SPACE(len);
195 	msg->msg_control += cmlen;
196 	msg->msg_controllen -= cmlen;
197 	err = 0;
198 out:
199 	return err;
200 }
201 
202 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
203 {
204 	struct cmsghdr __user *cm = (struct cmsghdr __user*)msg->msg_control;
205 
206 	int fdmax = 0;
207 	int fdnum = scm->fp->count;
208 	struct file **fp = scm->fp->fp;
209 	int __user *cmfptr;
210 	int err = 0, i;
211 
212 	if (MSG_CMSG_COMPAT & msg->msg_flags) {
213 		scm_detach_fds_compat(msg, scm);
214 		return;
215 	}
216 
217 	if (msg->msg_controllen > sizeof(struct cmsghdr))
218 		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
219 			 / sizeof(int));
220 
221 	if (fdnum < fdmax)
222 		fdmax = fdnum;
223 
224 	for (i=0, cmfptr=(int __user *)CMSG_DATA(cm); i<fdmax; i++, cmfptr++)
225 	{
226 		int new_fd;
227 		err = security_file_receive(fp[i]);
228 		if (err)
229 			break;
230 		err = get_unused_fd();
231 		if (err < 0)
232 			break;
233 		new_fd = err;
234 		err = put_user(new_fd, cmfptr);
235 		if (err) {
236 			put_unused_fd(new_fd);
237 			break;
238 		}
239 		/* Bump the usage count and install the file. */
240 		get_file(fp[i]);
241 		fd_install(new_fd, fp[i]);
242 	}
243 
244 	if (i > 0)
245 	{
246 		int cmlen = CMSG_LEN(i*sizeof(int));
247 		if (!err)
248 			err = put_user(SOL_SOCKET, &cm->cmsg_level);
249 		if (!err)
250 			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
251 		if (!err)
252 			err = put_user(cmlen, &cm->cmsg_len);
253 		if (!err) {
254 			cmlen = CMSG_SPACE(i*sizeof(int));
255 			msg->msg_control += cmlen;
256 			msg->msg_controllen -= cmlen;
257 		}
258 	}
259 	if (i < fdnum || (fdnum && fdmax <= 0))
260 		msg->msg_flags |= MSG_CTRUNC;
261 
262 	/*
263 	 * All of the files that fit in the message have had their
264 	 * usage counts incremented, so we just free the list.
265 	 */
266 	__scm_destroy(scm);
267 }
268 
269 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
270 {
271 	struct scm_fp_list *new_fpl;
272 	int i;
273 
274 	if (!fpl)
275 		return NULL;
276 
277 	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
278 	if (new_fpl) {
279 		for (i=fpl->count-1; i>=0; i--)
280 			get_file(fpl->fp[i]);
281 		memcpy(new_fpl, fpl, sizeof(*fpl));
282 	}
283 	return new_fpl;
284 }
285 
286 EXPORT_SYMBOL(__scm_destroy);
287 EXPORT_SYMBOL(__scm_send);
288 EXPORT_SYMBOL(put_cmsg);
289 EXPORT_SYMBOL(scm_detach_fds);
290 EXPORT_SYMBOL(scm_fp_dup);
291