1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/ipc/util.c 4 * Copyright (C) 1992 Krishna Balasubramanian 5 * 6 * Sep 1997 - Call suser() last after "normal" permission checks so we 7 * get BSD style process accounting right. 8 * Occurs in several places in the IPC code. 9 * Chris Evans, <chris@ferret.lmh.ox.ac.uk> 10 * Nov 1999 - ipc helper functions, unified SMP locking 11 * Manfred Spraul <manfred@colorfullife.com> 12 * Oct 2002 - One lock per IPC id. RCU ipc_free for lock-free grow_ary(). 13 * Mingming Cao <cmm@us.ibm.com> 14 * Mar 2006 - support for audit of ipc object properties 15 * Dustin Kirkland <dustin.kirkland@us.ibm.com> 16 * Jun 2006 - namespaces ssupport 17 * OpenVZ, SWsoft Inc. 18 * Pavel Emelianov <xemul@openvz.org> 19 * 20 * General sysv ipc locking scheme: 21 * rcu_read_lock() 22 * obtain the ipc object (kern_ipc_perm) by looking up the id in an idr 23 * tree. 24 * - perform initial checks (capabilities, auditing and permission, 25 * etc). 26 * - perform read-only operations, such as INFO command, that 27 * do not demand atomicity 28 * acquire the ipc lock (kern_ipc_perm.lock) through 29 * ipc_lock_object() 30 * - perform read-only operations that demand atomicity, 31 * such as STAT command. 32 * - perform data updates, such as SET, RMID commands and 33 * mechanism-specific operations (semop/semtimedop, 34 * msgsnd/msgrcv, shmat/shmdt). 35 * drop the ipc lock, through ipc_unlock_object(). 36 * rcu_read_unlock() 37 * 38 * The ids->rwsem must be taken when: 39 * - creating, removing and iterating the existing entries in ipc 40 * identifier sets. 41 * - iterating through files under /proc/sysvipc/ 42 * 43 * Note that sems have a special fast path that avoids kern_ipc_perm.lock - 44 * see sem_lock(). 45 */ 46 47 #include <linux/mm.h> 48 #include <linux/shm.h> 49 #include <linux/init.h> 50 #include <linux/msg.h> 51 #include <linux/vmalloc.h> 52 #include <linux/slab.h> 53 #include <linux/notifier.h> 54 #include <linux/capability.h> 55 #include <linux/highuid.h> 56 #include <linux/security.h> 57 #include <linux/rcupdate.h> 58 #include <linux/workqueue.h> 59 #include <linux/seq_file.h> 60 #include <linux/proc_fs.h> 61 #include <linux/audit.h> 62 #include <linux/nsproxy.h> 63 #include <linux/rwsem.h> 64 #include <linux/memory.h> 65 #include <linux/ipc_namespace.h> 66 #include <linux/rhashtable.h> 67 68 #include <asm/unistd.h> 69 70 #include "util.h" 71 72 struct ipc_proc_iface { 73 const char *path; 74 const char *header; 75 int ids; 76 int (*show)(struct seq_file *, void *); 77 }; 78 79 /** 80 * ipc_init - initialise ipc subsystem 81 * 82 * The various sysv ipc resources (semaphores, messages and shared 83 * memory) are initialised. 84 * 85 * A callback routine is registered into the memory hotplug notifier 86 * chain: since msgmni scales to lowmem this callback routine will be 87 * called upon successful memory add / remove to recompute msmgni. 88 */ 89 static int __init ipc_init(void) 90 { 91 int err_sem, err_msg; 92 93 proc_mkdir("sysvipc", NULL); 94 err_sem = sem_init(); 95 WARN(err_sem, "ipc: sysv sem_init failed: %d\n", err_sem); 96 err_msg = msg_init(); 97 WARN(err_msg, "ipc: sysv msg_init failed: %d\n", err_msg); 98 shm_init(); 99 100 return err_msg ? err_msg : err_sem; 101 } 102 device_initcall(ipc_init); 103 104 static const struct rhashtable_params ipc_kht_params = { 105 .head_offset = offsetof(struct kern_ipc_perm, khtnode), 106 .key_offset = offsetof(struct kern_ipc_perm, key), 107 .key_len = FIELD_SIZEOF(struct kern_ipc_perm, key), 108 .locks_mul = 1, 109 .automatic_shrinking = true, 110 }; 111 112 /** 113 * ipc_init_ids - initialise ipc identifiers 114 * @ids: ipc identifier set 115 * 116 * Set up the sequence range to use for the ipc identifier range (limited 117 * below IPCMNI) then initialise the keys hashtable and ids idr. 118 */ 119 int ipc_init_ids(struct ipc_ids *ids) 120 { 121 int err; 122 ids->in_use = 0; 123 ids->seq = 0; 124 init_rwsem(&ids->rwsem); 125 err = rhashtable_init(&ids->key_ht, &ipc_kht_params); 126 if (err) 127 return err; 128 idr_init(&ids->ipcs_idr); 129 ids->tables_initialized = true; 130 ids->max_id = -1; 131 #ifdef CONFIG_CHECKPOINT_RESTORE 132 ids->next_id = -1; 133 #endif 134 return 0; 135 } 136 137 #ifdef CONFIG_PROC_FS 138 static const struct file_operations sysvipc_proc_fops; 139 /** 140 * ipc_init_proc_interface - create a proc interface for sysipc types using a seq_file interface. 141 * @path: Path in procfs 142 * @header: Banner to be printed at the beginning of the file. 143 * @ids: ipc id table to iterate. 144 * @show: show routine. 145 */ 146 void __init ipc_init_proc_interface(const char *path, const char *header, 147 int ids, int (*show)(struct seq_file *, void *)) 148 { 149 struct proc_dir_entry *pde; 150 struct ipc_proc_iface *iface; 151 152 iface = kmalloc(sizeof(*iface), GFP_KERNEL); 153 if (!iface) 154 return; 155 iface->path = path; 156 iface->header = header; 157 iface->ids = ids; 158 iface->show = show; 159 160 pde = proc_create_data(path, 161 S_IRUGO, /* world readable */ 162 NULL, /* parent dir */ 163 &sysvipc_proc_fops, 164 iface); 165 if (!pde) 166 kfree(iface); 167 } 168 #endif 169 170 /** 171 * ipc_findkey - find a key in an ipc identifier set 172 * @ids: ipc identifier set 173 * @key: key to find 174 * 175 * Returns the locked pointer to the ipc structure if found or NULL 176 * otherwise. If key is found ipc points to the owning ipc structure 177 * 178 * Called with writer ipc_ids.rwsem held. 179 */ 180 static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key) 181 { 182 struct kern_ipc_perm *ipcp = NULL; 183 184 if (likely(ids->tables_initialized)) 185 ipcp = rhashtable_lookup_fast(&ids->key_ht, &key, 186 ipc_kht_params); 187 188 if (ipcp) { 189 rcu_read_lock(); 190 ipc_lock_object(ipcp); 191 return ipcp; 192 } 193 194 return NULL; 195 } 196 197 #ifdef CONFIG_CHECKPOINT_RESTORE 198 /* 199 * Specify desired id for next allocated IPC object. 200 */ 201 #define ipc_idr_alloc(ids, new) \ 202 idr_alloc(&(ids)->ipcs_idr, (new), \ 203 (ids)->next_id < 0 ? 0 : ipcid_to_idx((ids)->next_id),\ 204 0, GFP_NOWAIT) 205 206 static inline int ipc_buildid(int id, struct ipc_ids *ids, 207 struct kern_ipc_perm *new) 208 { 209 if (ids->next_id < 0) { /* default, behave as !CHECKPOINT_RESTORE */ 210 new->seq = ids->seq++; 211 if (ids->seq > IPCID_SEQ_MAX) 212 ids->seq = 0; 213 } else { 214 new->seq = ipcid_to_seqx(ids->next_id); 215 ids->next_id = -1; 216 } 217 218 return SEQ_MULTIPLIER * new->seq + id; 219 } 220 221 #else 222 #define ipc_idr_alloc(ids, new) \ 223 idr_alloc(&(ids)->ipcs_idr, (new), 0, 0, GFP_NOWAIT) 224 225 static inline int ipc_buildid(int id, struct ipc_ids *ids, 226 struct kern_ipc_perm *new) 227 { 228 new->seq = ids->seq++; 229 if (ids->seq > IPCID_SEQ_MAX) 230 ids->seq = 0; 231 232 return SEQ_MULTIPLIER * new->seq + id; 233 } 234 235 #endif /* CONFIG_CHECKPOINT_RESTORE */ 236 237 /** 238 * ipc_addid - add an ipc identifier 239 * @ids: ipc identifier set 240 * @new: new ipc permission set 241 * @limit: limit for the number of used ids 242 * 243 * Add an entry 'new' to the ipc ids idr. The permissions object is 244 * initialised and the first free entry is set up and the id assigned 245 * is returned. The 'new' entry is returned in a locked state on success. 246 * On failure the entry is not locked and a negative err-code is returned. 247 * 248 * Called with writer ipc_ids.rwsem held. 249 */ 250 int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int limit) 251 { 252 kuid_t euid; 253 kgid_t egid; 254 int id, err; 255 256 if (limit > IPCMNI) 257 limit = IPCMNI; 258 259 if (!ids->tables_initialized || ids->in_use >= limit) 260 return -ENOSPC; 261 262 idr_preload(GFP_KERNEL); 263 264 refcount_set(&new->refcount, 1); 265 spin_lock_init(&new->lock); 266 new->deleted = false; 267 rcu_read_lock(); 268 spin_lock(&new->lock); 269 270 current_euid_egid(&euid, &egid); 271 new->cuid = new->uid = euid; 272 new->gid = new->cgid = egid; 273 274 id = ipc_idr_alloc(ids, new); 275 idr_preload_end(); 276 277 if (id >= 0 && new->key != IPC_PRIVATE) { 278 err = rhashtable_insert_fast(&ids->key_ht, &new->khtnode, 279 ipc_kht_params); 280 if (err < 0) { 281 idr_remove(&ids->ipcs_idr, id); 282 id = err; 283 } 284 } 285 if (id < 0) { 286 spin_unlock(&new->lock); 287 rcu_read_unlock(); 288 return id; 289 } 290 291 ids->in_use++; 292 if (id > ids->max_id) 293 ids->max_id = id; 294 295 new->id = ipc_buildid(id, ids, new); 296 297 return id; 298 } 299 300 /** 301 * ipcget_new - create a new ipc object 302 * @ns: ipc namespace 303 * @ids: ipc identifier set 304 * @ops: the actual creation routine to call 305 * @params: its parameters 306 * 307 * This routine is called by sys_msgget, sys_semget() and sys_shmget() 308 * when the key is IPC_PRIVATE. 309 */ 310 static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids, 311 const struct ipc_ops *ops, struct ipc_params *params) 312 { 313 int err; 314 315 down_write(&ids->rwsem); 316 err = ops->getnew(ns, params); 317 up_write(&ids->rwsem); 318 return err; 319 } 320 321 /** 322 * ipc_check_perms - check security and permissions for an ipc object 323 * @ns: ipc namespace 324 * @ipcp: ipc permission set 325 * @ops: the actual security routine to call 326 * @params: its parameters 327 * 328 * This routine is called by sys_msgget(), sys_semget() and sys_shmget() 329 * when the key is not IPC_PRIVATE and that key already exists in the 330 * ds IDR. 331 * 332 * On success, the ipc id is returned. 333 * 334 * It is called with ipc_ids.rwsem and ipcp->lock held. 335 */ 336 static int ipc_check_perms(struct ipc_namespace *ns, 337 struct kern_ipc_perm *ipcp, 338 const struct ipc_ops *ops, 339 struct ipc_params *params) 340 { 341 int err; 342 343 if (ipcperms(ns, ipcp, params->flg)) 344 err = -EACCES; 345 else { 346 err = ops->associate(ipcp, params->flg); 347 if (!err) 348 err = ipcp->id; 349 } 350 351 return err; 352 } 353 354 /** 355 * ipcget_public - get an ipc object or create a new one 356 * @ns: ipc namespace 357 * @ids: ipc identifier set 358 * @ops: the actual creation routine to call 359 * @params: its parameters 360 * 361 * This routine is called by sys_msgget, sys_semget() and sys_shmget() 362 * when the key is not IPC_PRIVATE. 363 * It adds a new entry if the key is not found and does some permission 364 * / security checkings if the key is found. 365 * 366 * On success, the ipc id is returned. 367 */ 368 static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids, 369 const struct ipc_ops *ops, struct ipc_params *params) 370 { 371 struct kern_ipc_perm *ipcp; 372 int flg = params->flg; 373 int err; 374 375 /* 376 * Take the lock as a writer since we are potentially going to add 377 * a new entry + read locks are not "upgradable" 378 */ 379 down_write(&ids->rwsem); 380 ipcp = ipc_findkey(ids, params->key); 381 if (ipcp == NULL) { 382 /* key not used */ 383 if (!(flg & IPC_CREAT)) 384 err = -ENOENT; 385 else 386 err = ops->getnew(ns, params); 387 } else { 388 /* ipc object has been locked by ipc_findkey() */ 389 390 if (flg & IPC_CREAT && flg & IPC_EXCL) 391 err = -EEXIST; 392 else { 393 err = 0; 394 if (ops->more_checks) 395 err = ops->more_checks(ipcp, params); 396 if (!err) 397 /* 398 * ipc_check_perms returns the IPC id on 399 * success 400 */ 401 err = ipc_check_perms(ns, ipcp, ops, params); 402 } 403 ipc_unlock(ipcp); 404 } 405 up_write(&ids->rwsem); 406 407 return err; 408 } 409 410 /** 411 * ipc_kht_remove - remove an ipc from the key hashtable 412 * @ids: ipc identifier set 413 * @ipcp: ipc perm structure containing the key to remove 414 * 415 * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held 416 * before this function is called, and remain locked on the exit. 417 */ 418 static void ipc_kht_remove(struct ipc_ids *ids, struct kern_ipc_perm *ipcp) 419 { 420 if (ipcp->key != IPC_PRIVATE) 421 rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, 422 ipc_kht_params); 423 } 424 425 /** 426 * ipc_rmid - remove an ipc identifier 427 * @ids: ipc identifier set 428 * @ipcp: ipc perm structure containing the identifier to remove 429 * 430 * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held 431 * before this function is called, and remain locked on the exit. 432 */ 433 void ipc_rmid(struct ipc_ids *ids, struct kern_ipc_perm *ipcp) 434 { 435 int lid = ipcid_to_idx(ipcp->id); 436 437 idr_remove(&ids->ipcs_idr, lid); 438 ipc_kht_remove(ids, ipcp); 439 ids->in_use--; 440 ipcp->deleted = true; 441 442 if (unlikely(lid == ids->max_id)) { 443 do { 444 lid--; 445 if (lid == -1) 446 break; 447 } while (!idr_find(&ids->ipcs_idr, lid)); 448 ids->max_id = lid; 449 } 450 } 451 452 /** 453 * ipc_set_key_private - switch the key of an existing ipc to IPC_PRIVATE 454 * @ids: ipc identifier set 455 * @ipcp: ipc perm structure containing the key to modify 456 * 457 * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held 458 * before this function is called, and remain locked on the exit. 459 */ 460 void ipc_set_key_private(struct ipc_ids *ids, struct kern_ipc_perm *ipcp) 461 { 462 ipc_kht_remove(ids, ipcp); 463 ipcp->key = IPC_PRIVATE; 464 } 465 466 int ipc_rcu_getref(struct kern_ipc_perm *ptr) 467 { 468 return refcount_inc_not_zero(&ptr->refcount); 469 } 470 471 void ipc_rcu_putref(struct kern_ipc_perm *ptr, 472 void (*func)(struct rcu_head *head)) 473 { 474 if (!refcount_dec_and_test(&ptr->refcount)) 475 return; 476 477 call_rcu(&ptr->rcu, func); 478 } 479 480 /** 481 * ipcperms - check ipc permissions 482 * @ns: ipc namespace 483 * @ipcp: ipc permission set 484 * @flag: desired permission set 485 * 486 * Check user, group, other permissions for access 487 * to ipc resources. return 0 if allowed 488 * 489 * @flag will most probably be 0 or ``S_...UGO`` from <linux/stat.h> 490 */ 491 int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag) 492 { 493 kuid_t euid = current_euid(); 494 int requested_mode, granted_mode; 495 496 audit_ipc_obj(ipcp); 497 requested_mode = (flag >> 6) | (flag >> 3) | flag; 498 granted_mode = ipcp->mode; 499 if (uid_eq(euid, ipcp->cuid) || 500 uid_eq(euid, ipcp->uid)) 501 granted_mode >>= 6; 502 else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid)) 503 granted_mode >>= 3; 504 /* is there some bit set in requested_mode but not in granted_mode? */ 505 if ((requested_mode & ~granted_mode & 0007) && 506 !ns_capable(ns->user_ns, CAP_IPC_OWNER)) 507 return -1; 508 509 return security_ipc_permission(ipcp, flag); 510 } 511 512 /* 513 * Functions to convert between the kern_ipc_perm structure and the 514 * old/new ipc_perm structures 515 */ 516 517 /** 518 * kernel_to_ipc64_perm - convert kernel ipc permissions to user 519 * @in: kernel permissions 520 * @out: new style ipc permissions 521 * 522 * Turn the kernel object @in into a set of permissions descriptions 523 * for returning to userspace (@out). 524 */ 525 void kernel_to_ipc64_perm(struct kern_ipc_perm *in, struct ipc64_perm *out) 526 { 527 out->key = in->key; 528 out->uid = from_kuid_munged(current_user_ns(), in->uid); 529 out->gid = from_kgid_munged(current_user_ns(), in->gid); 530 out->cuid = from_kuid_munged(current_user_ns(), in->cuid); 531 out->cgid = from_kgid_munged(current_user_ns(), in->cgid); 532 out->mode = in->mode; 533 out->seq = in->seq; 534 } 535 536 /** 537 * ipc64_perm_to_ipc_perm - convert new ipc permissions to old 538 * @in: new style ipc permissions 539 * @out: old style ipc permissions 540 * 541 * Turn the new style permissions object @in into a compatibility 542 * object and store it into the @out pointer. 543 */ 544 void ipc64_perm_to_ipc_perm(struct ipc64_perm *in, struct ipc_perm *out) 545 { 546 out->key = in->key; 547 SET_UID(out->uid, in->uid); 548 SET_GID(out->gid, in->gid); 549 SET_UID(out->cuid, in->cuid); 550 SET_GID(out->cgid, in->cgid); 551 out->mode = in->mode; 552 out->seq = in->seq; 553 } 554 555 /** 556 * ipc_obtain_object_idr 557 * @ids: ipc identifier set 558 * @id: ipc id to look for 559 * 560 * Look for an id in the ipc ids idr and return associated ipc object. 561 * 562 * Call inside the RCU critical section. 563 * The ipc object is *not* locked on exit. 564 */ 565 struct kern_ipc_perm *ipc_obtain_object_idr(struct ipc_ids *ids, int id) 566 { 567 struct kern_ipc_perm *out; 568 int lid = ipcid_to_idx(id); 569 570 if (unlikely(!ids->tables_initialized)) 571 return ERR_PTR(-EINVAL); 572 573 out = idr_find(&ids->ipcs_idr, lid); 574 if (!out) 575 return ERR_PTR(-EINVAL); 576 577 return out; 578 } 579 580 /** 581 * ipc_lock - lock an ipc structure without rwsem held 582 * @ids: ipc identifier set 583 * @id: ipc id to look for 584 * 585 * Look for an id in the ipc ids idr and lock the associated ipc object. 586 * 587 * The ipc object is locked on successful exit. 588 */ 589 struct kern_ipc_perm *ipc_lock(struct ipc_ids *ids, int id) 590 { 591 struct kern_ipc_perm *out; 592 593 rcu_read_lock(); 594 out = ipc_obtain_object_idr(ids, id); 595 if (IS_ERR(out)) 596 goto err; 597 598 spin_lock(&out->lock); 599 600 /* 601 * ipc_rmid() may have already freed the ID while ipc_lock() 602 * was spinning: here verify that the structure is still valid. 603 * Upon races with RMID, return -EIDRM, thus indicating that 604 * the ID points to a removed identifier. 605 */ 606 if (ipc_valid_object(out)) 607 return out; 608 609 spin_unlock(&out->lock); 610 out = ERR_PTR(-EIDRM); 611 err: 612 rcu_read_unlock(); 613 return out; 614 } 615 616 /** 617 * ipc_obtain_object_check 618 * @ids: ipc identifier set 619 * @id: ipc id to look for 620 * 621 * Similar to ipc_obtain_object_idr() but also checks 622 * the ipc object reference counter. 623 * 624 * Call inside the RCU critical section. 625 * The ipc object is *not* locked on exit. 626 */ 627 struct kern_ipc_perm *ipc_obtain_object_check(struct ipc_ids *ids, int id) 628 { 629 struct kern_ipc_perm *out = ipc_obtain_object_idr(ids, id); 630 631 if (IS_ERR(out)) 632 goto out; 633 634 if (ipc_checkid(out, id)) 635 return ERR_PTR(-EINVAL); 636 out: 637 return out; 638 } 639 640 /** 641 * ipcget - Common sys_*get() code 642 * @ns: namespace 643 * @ids: ipc identifier set 644 * @ops: operations to be called on ipc object creation, permission checks 645 * and further checks 646 * @params: the parameters needed by the previous operations. 647 * 648 * Common routine called by sys_msgget(), sys_semget() and sys_shmget(). 649 */ 650 int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids, 651 const struct ipc_ops *ops, struct ipc_params *params) 652 { 653 if (params->key == IPC_PRIVATE) 654 return ipcget_new(ns, ids, ops, params); 655 else 656 return ipcget_public(ns, ids, ops, params); 657 } 658 659 /** 660 * ipc_update_perm - update the permissions of an ipc object 661 * @in: the permission given as input. 662 * @out: the permission of the ipc to set. 663 */ 664 int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out) 665 { 666 kuid_t uid = make_kuid(current_user_ns(), in->uid); 667 kgid_t gid = make_kgid(current_user_ns(), in->gid); 668 if (!uid_valid(uid) || !gid_valid(gid)) 669 return -EINVAL; 670 671 out->uid = uid; 672 out->gid = gid; 673 out->mode = (out->mode & ~S_IRWXUGO) 674 | (in->mode & S_IRWXUGO); 675 676 return 0; 677 } 678 679 /** 680 * ipcctl_pre_down_nolock - retrieve an ipc and check permissions for some IPC_XXX cmd 681 * @ns: ipc namespace 682 * @ids: the table of ids where to look for the ipc 683 * @id: the id of the ipc to retrieve 684 * @cmd: the cmd to check 685 * @perm: the permission to set 686 * @extra_perm: one extra permission parameter used by msq 687 * 688 * This function does some common audit and permissions check for some IPC_XXX 689 * cmd and is called from semctl_down, shmctl_down and msgctl_down. 690 * It must be called without any lock held and: 691 * 692 * - retrieves the ipc with the given id in the given table. 693 * - performs some audit and permission check, depending on the given cmd 694 * - returns a pointer to the ipc object or otherwise, the corresponding 695 * error. 696 * 697 * Call holding the both the rwsem and the rcu read lock. 698 */ 699 struct kern_ipc_perm *ipcctl_pre_down_nolock(struct ipc_namespace *ns, 700 struct ipc_ids *ids, int id, int cmd, 701 struct ipc64_perm *perm, int extra_perm) 702 { 703 kuid_t euid; 704 int err = -EPERM; 705 struct kern_ipc_perm *ipcp; 706 707 ipcp = ipc_obtain_object_check(ids, id); 708 if (IS_ERR(ipcp)) { 709 err = PTR_ERR(ipcp); 710 goto err; 711 } 712 713 audit_ipc_obj(ipcp); 714 if (cmd == IPC_SET) 715 audit_ipc_set_perm(extra_perm, perm->uid, 716 perm->gid, perm->mode); 717 718 euid = current_euid(); 719 if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid) || 720 ns_capable(ns->user_ns, CAP_SYS_ADMIN)) 721 return ipcp; /* successful lookup */ 722 err: 723 return ERR_PTR(err); 724 } 725 726 #ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION 727 728 729 /** 730 * ipc_parse_version - ipc call version 731 * @cmd: pointer to command 732 * 733 * Return IPC_64 for new style IPC and IPC_OLD for old style IPC. 734 * The @cmd value is turned from an encoding command and version into 735 * just the command code. 736 */ 737 int ipc_parse_version(int *cmd) 738 { 739 if (*cmd & IPC_64) { 740 *cmd ^= IPC_64; 741 return IPC_64; 742 } else { 743 return IPC_OLD; 744 } 745 } 746 747 #endif /* CONFIG_ARCH_WANT_IPC_PARSE_VERSION */ 748 749 #ifdef CONFIG_PROC_FS 750 struct ipc_proc_iter { 751 struct ipc_namespace *ns; 752 struct pid_namespace *pid_ns; 753 struct ipc_proc_iface *iface; 754 }; 755 756 struct pid_namespace *ipc_seq_pid_ns(struct seq_file *s) 757 { 758 struct ipc_proc_iter *iter = s->private; 759 return iter->pid_ns; 760 } 761 762 /* 763 * This routine locks the ipc structure found at least at position pos. 764 */ 765 static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos, 766 loff_t *new_pos) 767 { 768 struct kern_ipc_perm *ipc; 769 int total, id; 770 771 total = 0; 772 for (id = 0; id < pos && total < ids->in_use; id++) { 773 ipc = idr_find(&ids->ipcs_idr, id); 774 if (ipc != NULL) 775 total++; 776 } 777 778 if (total >= ids->in_use) 779 return NULL; 780 781 for (; pos < IPCMNI; pos++) { 782 ipc = idr_find(&ids->ipcs_idr, pos); 783 if (ipc != NULL) { 784 *new_pos = pos + 1; 785 rcu_read_lock(); 786 ipc_lock_object(ipc); 787 return ipc; 788 } 789 } 790 791 /* Out of range - return NULL to terminate iteration */ 792 return NULL; 793 } 794 795 static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos) 796 { 797 struct ipc_proc_iter *iter = s->private; 798 struct ipc_proc_iface *iface = iter->iface; 799 struct kern_ipc_perm *ipc = it; 800 801 /* If we had an ipc id locked before, unlock it */ 802 if (ipc && ipc != SEQ_START_TOKEN) 803 ipc_unlock(ipc); 804 805 return sysvipc_find_ipc(&iter->ns->ids[iface->ids], *pos, pos); 806 } 807 808 /* 809 * File positions: pos 0 -> header, pos n -> ipc id = n - 1. 810 * SeqFile iterator: iterator value locked ipc pointer or SEQ_TOKEN_START. 811 */ 812 static void *sysvipc_proc_start(struct seq_file *s, loff_t *pos) 813 { 814 struct ipc_proc_iter *iter = s->private; 815 struct ipc_proc_iface *iface = iter->iface; 816 struct ipc_ids *ids; 817 818 ids = &iter->ns->ids[iface->ids]; 819 820 /* 821 * Take the lock - this will be released by the corresponding 822 * call to stop(). 823 */ 824 down_read(&ids->rwsem); 825 826 /* pos < 0 is invalid */ 827 if (*pos < 0) 828 return NULL; 829 830 /* pos == 0 means header */ 831 if (*pos == 0) 832 return SEQ_START_TOKEN; 833 834 /* Find the (pos-1)th ipc */ 835 return sysvipc_find_ipc(ids, *pos - 1, pos); 836 } 837 838 static void sysvipc_proc_stop(struct seq_file *s, void *it) 839 { 840 struct kern_ipc_perm *ipc = it; 841 struct ipc_proc_iter *iter = s->private; 842 struct ipc_proc_iface *iface = iter->iface; 843 struct ipc_ids *ids; 844 845 /* If we had a locked structure, release it */ 846 if (ipc && ipc != SEQ_START_TOKEN) 847 ipc_unlock(ipc); 848 849 ids = &iter->ns->ids[iface->ids]; 850 /* Release the lock we took in start() */ 851 up_read(&ids->rwsem); 852 } 853 854 static int sysvipc_proc_show(struct seq_file *s, void *it) 855 { 856 struct ipc_proc_iter *iter = s->private; 857 struct ipc_proc_iface *iface = iter->iface; 858 859 if (it == SEQ_START_TOKEN) { 860 seq_puts(s, iface->header); 861 return 0; 862 } 863 864 return iface->show(s, it); 865 } 866 867 static const struct seq_operations sysvipc_proc_seqops = { 868 .start = sysvipc_proc_start, 869 .stop = sysvipc_proc_stop, 870 .next = sysvipc_proc_next, 871 .show = sysvipc_proc_show, 872 }; 873 874 static int sysvipc_proc_open(struct inode *inode, struct file *file) 875 { 876 struct ipc_proc_iter *iter; 877 878 iter = __seq_open_private(file, &sysvipc_proc_seqops, sizeof(*iter)); 879 if (!iter) 880 return -ENOMEM; 881 882 iter->iface = PDE_DATA(inode); 883 iter->ns = get_ipc_ns(current->nsproxy->ipc_ns); 884 iter->pid_ns = get_pid_ns(task_active_pid_ns(current)); 885 886 return 0; 887 } 888 889 static int sysvipc_proc_release(struct inode *inode, struct file *file) 890 { 891 struct seq_file *seq = file->private_data; 892 struct ipc_proc_iter *iter = seq->private; 893 put_ipc_ns(iter->ns); 894 put_pid_ns(iter->pid_ns); 895 return seq_release_private(inode, file); 896 } 897 898 static const struct file_operations sysvipc_proc_fops = { 899 .open = sysvipc_proc_open, 900 .read = seq_read, 901 .llseek = seq_lseek, 902 .release = sysvipc_proc_release, 903 }; 904 #endif /* CONFIG_PROC_FS */ 905