1 /* scm.c - Socket level control messages processing. 2 * 3 * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> 4 * Alignment and value checking mods by Craig Metz 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/signal.h> 14 #include <linux/capability.h> 15 #include <linux/errno.h> 16 #include <linux/sched.h> 17 #include <linux/mm.h> 18 #include <linux/kernel.h> 19 #include <linux/stat.h> 20 #include <linux/socket.h> 21 #include <linux/file.h> 22 #include <linux/fcntl.h> 23 #include <linux/net.h> 24 #include <linux/interrupt.h> 25 #include <linux/netdevice.h> 26 #include <linux/security.h> 27 #include <linux/pid.h> 28 #include <linux/nsproxy.h> 29 #include <linux/slab.h> 30 31 #include <asm/uaccess.h> 32 33 #include <net/protocol.h> 34 #include <linux/skbuff.h> 35 #include <net/sock.h> 36 #include <net/compat.h> 37 #include <net/scm.h> 38 39 40 /* 41 * Only allow a user to send credentials, that they could set with 42 * setu(g)id. 43 */ 44 45 static __inline__ int scm_check_creds(struct ucred *creds) 46 { 47 const struct cred *cred = current_cred(); 48 49 if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) && 50 ((creds->uid == cred->uid || creds->uid == cred->euid || 51 creds->uid == cred->suid) || capable(CAP_SETUID)) && 52 ((creds->gid == cred->gid || creds->gid == cred->egid || 53 creds->gid == cred->sgid) || capable(CAP_SETGID))) { 54 return 0; 55 } 56 return -EPERM; 57 } 58 59 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) 60 { 61 int *fdp = (int*)CMSG_DATA(cmsg); 62 struct scm_fp_list *fpl = *fplp; 63 struct file **fpp; 64 int i, num; 65 66 num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int); 67 68 if (num <= 0) 69 return 0; 70 71 if (num > SCM_MAX_FD) 72 return -EINVAL; 73 74 if (!fpl) 75 { 76 fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL); 77 if (!fpl) 78 return -ENOMEM; 79 *fplp = fpl; 80 fpl->count = 0; 81 fpl->max = SCM_MAX_FD; 82 } 83 fpp = &fpl->fp[fpl->count]; 84 85 if (fpl->count + num > fpl->max) 86 return -EINVAL; 87 88 /* 89 * Verify the descriptors and increment the usage count. 90 */ 91 92 for (i=0; i< num; i++) 93 { 94 int fd = fdp[i]; 95 struct file *file; 96 97 if (fd < 0 || !(file = fget_raw(fd))) 98 return -EBADF; 99 *fpp++ = file; 100 fpl->count++; 101 } 102 return num; 103 } 104 105 void __scm_destroy(struct scm_cookie *scm) 106 { 107 struct scm_fp_list *fpl = scm->fp; 108 int i; 109 110 if (fpl) { 111 scm->fp = NULL; 112 for (i=fpl->count-1; i>=0; i--) 113 fput(fpl->fp[i]); 114 kfree(fpl); 115 } 116 } 117 EXPORT_SYMBOL(__scm_destroy); 118 119 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p) 120 { 121 struct cmsghdr *cmsg; 122 int err; 123 124 for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) 125 { 126 err = -EINVAL; 127 128 /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */ 129 /* The first check was omitted in <= 2.2.5. The reasoning was 130 that parser checks cmsg_len in any case, so that 131 additional check would be work duplication. 132 But if cmsg_level is not SOL_SOCKET, we do not check 133 for too short ancillary data object at all! Oops. 134 OK, let's add it... 135 */ 136 if (!CMSG_OK(msg, cmsg)) 137 goto error; 138 139 if (cmsg->cmsg_level != SOL_SOCKET) 140 continue; 141 142 switch (cmsg->cmsg_type) 143 { 144 case SCM_RIGHTS: 145 if (!sock->ops || sock->ops->family != PF_UNIX) 146 goto error; 147 err=scm_fp_copy(cmsg, &p->fp); 148 if (err<0) 149 goto error; 150 break; 151 case SCM_CREDENTIALS: 152 if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred))) 153 goto error; 154 memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred)); 155 err = scm_check_creds(&p->creds); 156 if (err) 157 goto error; 158 159 if (!p->pid || pid_vnr(p->pid) != p->creds.pid) { 160 struct pid *pid; 161 err = -ESRCH; 162 pid = find_get_pid(p->creds.pid); 163 if (!pid) 164 goto error; 165 put_pid(p->pid); 166 p->pid = pid; 167 } 168 169 if (!p->cred || 170 (p->cred->euid != p->creds.uid) || 171 (p->cred->egid != p->creds.gid)) { 172 struct cred *cred; 173 err = -ENOMEM; 174 cred = prepare_creds(); 175 if (!cred) 176 goto error; 177 178 cred->uid = cred->euid = p->creds.uid; 179 cred->gid = cred->egid = p->creds.gid; 180 if (p->cred) 181 put_cred(p->cred); 182 p->cred = cred; 183 } 184 break; 185 default: 186 goto error; 187 } 188 } 189 190 if (p->fp && !p->fp->count) 191 { 192 kfree(p->fp); 193 p->fp = NULL; 194 } 195 return 0; 196 197 error: 198 scm_destroy(p); 199 return err; 200 } 201 EXPORT_SYMBOL(__scm_send); 202 203 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) 204 { 205 struct cmsghdr __user *cm 206 = (__force struct cmsghdr __user *)msg->msg_control; 207 struct cmsghdr cmhdr; 208 int cmlen = CMSG_LEN(len); 209 int err; 210 211 if (MSG_CMSG_COMPAT & msg->msg_flags) 212 return put_cmsg_compat(msg, level, type, len, data); 213 214 if (cm==NULL || msg->msg_controllen < sizeof(*cm)) { 215 msg->msg_flags |= MSG_CTRUNC; 216 return 0; /* XXX: return error? check spec. */ 217 } 218 if (msg->msg_controllen < cmlen) { 219 msg->msg_flags |= MSG_CTRUNC; 220 cmlen = msg->msg_controllen; 221 } 222 cmhdr.cmsg_level = level; 223 cmhdr.cmsg_type = type; 224 cmhdr.cmsg_len = cmlen; 225 226 err = -EFAULT; 227 if (copy_to_user(cm, &cmhdr, sizeof cmhdr)) 228 goto out; 229 if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr))) 230 goto out; 231 cmlen = CMSG_SPACE(len); 232 if (msg->msg_controllen < cmlen) 233 cmlen = msg->msg_controllen; 234 msg->msg_control += cmlen; 235 msg->msg_controllen -= cmlen; 236 err = 0; 237 out: 238 return err; 239 } 240 EXPORT_SYMBOL(put_cmsg); 241 242 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) 243 { 244 struct cmsghdr __user *cm 245 = (__force struct cmsghdr __user*)msg->msg_control; 246 247 int fdmax = 0; 248 int fdnum = scm->fp->count; 249 struct file **fp = scm->fp->fp; 250 int __user *cmfptr; 251 int err = 0, i; 252 253 if (MSG_CMSG_COMPAT & msg->msg_flags) { 254 scm_detach_fds_compat(msg, scm); 255 return; 256 } 257 258 if (msg->msg_controllen > sizeof(struct cmsghdr)) 259 fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr)) 260 / sizeof(int)); 261 262 if (fdnum < fdmax) 263 fdmax = fdnum; 264 265 for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax; 266 i++, cmfptr++) 267 { 268 int new_fd; 269 err = security_file_receive(fp[i]); 270 if (err) 271 break; 272 err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags 273 ? O_CLOEXEC : 0); 274 if (err < 0) 275 break; 276 new_fd = err; 277 err = put_user(new_fd, cmfptr); 278 if (err) { 279 put_unused_fd(new_fd); 280 break; 281 } 282 /* Bump the usage count and install the file. */ 283 get_file(fp[i]); 284 fd_install(new_fd, fp[i]); 285 } 286 287 if (i > 0) 288 { 289 int cmlen = CMSG_LEN(i*sizeof(int)); 290 err = put_user(SOL_SOCKET, &cm->cmsg_level); 291 if (!err) 292 err = put_user(SCM_RIGHTS, &cm->cmsg_type); 293 if (!err) 294 err = put_user(cmlen, &cm->cmsg_len); 295 if (!err) { 296 cmlen = CMSG_SPACE(i*sizeof(int)); 297 msg->msg_control += cmlen; 298 msg->msg_controllen -= cmlen; 299 } 300 } 301 if (i < fdnum || (fdnum && fdmax <= 0)) 302 msg->msg_flags |= MSG_CTRUNC; 303 304 /* 305 * All of the files that fit in the message have had their 306 * usage counts incremented, so we just free the list. 307 */ 308 __scm_destroy(scm); 309 } 310 EXPORT_SYMBOL(scm_detach_fds); 311 312 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) 313 { 314 struct scm_fp_list *new_fpl; 315 int i; 316 317 if (!fpl) 318 return NULL; 319 320 new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]), 321 GFP_KERNEL); 322 if (new_fpl) { 323 for (i = 0; i < fpl->count; i++) 324 get_file(fpl->fp[i]); 325 new_fpl->max = new_fpl->count; 326 } 327 return new_fpl; 328 } 329 EXPORT_SYMBOL(scm_fp_dup); 330