xref: /openbmc/linux/net/core/scm.c (revision c75c5ab575af7db707689cdbb5a5c458e9a034bb) 
1 /* scm.c - Socket level control messages processing.
2  *
3  * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
4  *              Alignment and value checking mods by Craig Metz
5  *
6  *		This program is free software; you can redistribute it and/or
7  *		modify it under the terms of the GNU General Public License
8  *		as published by the Free Software Foundation; either version
9  *		2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/signal.h>
14 #include <linux/capability.h>
15 #include <linux/errno.h>
16 #include <linux/sched.h>
17 #include <linux/mm.h>
18 #include <linux/kernel.h>
19 #include <linux/stat.h>
20 #include <linux/socket.h>
21 #include <linux/file.h>
22 #include <linux/fcntl.h>
23 #include <linux/net.h>
24 #include <linux/interrupt.h>
25 #include <linux/netdevice.h>
26 #include <linux/security.h>
27 #include <linux/pid_namespace.h>
28 #include <linux/pid.h>
29 #include <linux/nsproxy.h>
30 #include <linux/slab.h>
31 
32 #include <asm/uaccess.h>
33 
34 #include <net/protocol.h>
35 #include <linux/skbuff.h>
36 #include <net/sock.h>
37 #include <net/compat.h>
38 #include <net/scm.h>
39 #include <net/cls_cgroup.h>
40 
41 
42 /*
43  *	Only allow a user to send credentials, that they could set with
44  *	setu(g)id.
45  */
46 
47 static __inline__ int scm_check_creds(struct ucred *creds)
48 {
49 	const struct cred *cred = current_cred();
50 	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
51 	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
52 
53 	if (!uid_valid(uid) || !gid_valid(gid))
54 		return -EINVAL;
55 
56 	if ((creds->pid == task_tgid_vnr(current) ||
57 	     ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
58 	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
59 	      uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
60 	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
61 	      gid_eq(gid, cred->sgid)) || nsown_capable(CAP_SETGID))) {
62 	       return 0;
63 	}
64 	return -EPERM;
65 }
66 
67 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
68 {
69 	int *fdp = (int*)CMSG_DATA(cmsg);
70 	struct scm_fp_list *fpl = *fplp;
71 	struct file **fpp;
72 	int i, num;
73 
74 	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
75 
76 	if (num <= 0)
77 		return 0;
78 
79 	if (num > SCM_MAX_FD)
80 		return -EINVAL;
81 
82 	if (!fpl)
83 	{
84 		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
85 		if (!fpl)
86 			return -ENOMEM;
87 		*fplp = fpl;
88 		fpl->count = 0;
89 		fpl->max = SCM_MAX_FD;
90 	}
91 	fpp = &fpl->fp[fpl->count];
92 
93 	if (fpl->count + num > fpl->max)
94 		return -EINVAL;
95 
96 	/*
97 	 *	Verify the descriptors and increment the usage count.
98 	 */
99 
100 	for (i=0; i< num; i++)
101 	{
102 		int fd = fdp[i];
103 		struct file *file;
104 
105 		if (fd < 0 || !(file = fget_raw(fd)))
106 			return -EBADF;
107 		*fpp++ = file;
108 		fpl->count++;
109 	}
110 	return num;
111 }
112 
113 void __scm_destroy(struct scm_cookie *scm)
114 {
115 	struct scm_fp_list *fpl = scm->fp;
116 	int i;
117 
118 	if (fpl) {
119 		scm->fp = NULL;
120 		for (i=fpl->count-1; i>=0; i--)
121 			fput(fpl->fp[i]);
122 		kfree(fpl);
123 	}
124 }
125 EXPORT_SYMBOL(__scm_destroy);
126 
127 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
128 {
129 	struct cmsghdr *cmsg;
130 	int err;
131 
132 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
133 	{
134 		err = -EINVAL;
135 
136 		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
137 		/* The first check was omitted in <= 2.2.5. The reasoning was
138 		   that parser checks cmsg_len in any case, so that
139 		   additional check would be work duplication.
140 		   But if cmsg_level is not SOL_SOCKET, we do not check
141 		   for too short ancillary data object at all! Oops.
142 		   OK, let's add it...
143 		 */
144 		if (!CMSG_OK(msg, cmsg))
145 			goto error;
146 
147 		if (cmsg->cmsg_level != SOL_SOCKET)
148 			continue;
149 
150 		switch (cmsg->cmsg_type)
151 		{
152 		case SCM_RIGHTS:
153 			if (!sock->ops || sock->ops->family != PF_UNIX)
154 				goto error;
155 			err=scm_fp_copy(cmsg, &p->fp);
156 			if (err<0)
157 				goto error;
158 			break;
159 		case SCM_CREDENTIALS:
160 		{
161 			struct ucred creds;
162 			kuid_t uid;
163 			kgid_t gid;
164 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
165 				goto error;
166 			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
167 			err = scm_check_creds(&creds);
168 			if (err)
169 				goto error;
170 
171 			p->creds.pid = creds.pid;
172 			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
173 				struct pid *pid;
174 				err = -ESRCH;
175 				pid = find_get_pid(creds.pid);
176 				if (!pid)
177 					goto error;
178 				put_pid(p->pid);
179 				p->pid = pid;
180 			}
181 
182 			err = -EINVAL;
183 			uid = make_kuid(current_user_ns(), creds.uid);
184 			gid = make_kgid(current_user_ns(), creds.gid);
185 			if (!uid_valid(uid) || !gid_valid(gid))
186 				goto error;
187 
188 			p->creds.uid = uid;
189 			p->creds.gid = gid;
190 
191 			if (!p->cred ||
192 			    !uid_eq(p->cred->euid, uid) ||
193 			    !gid_eq(p->cred->egid, gid)) {
194 				struct cred *cred;
195 				err = -ENOMEM;
196 				cred = prepare_creds();
197 				if (!cred)
198 					goto error;
199 
200 				cred->uid = cred->euid = uid;
201 				cred->gid = cred->egid = gid;
202 				if (p->cred)
203 					put_cred(p->cred);
204 				p->cred = cred;
205 			}
206 			break;
207 		}
208 		default:
209 			goto error;
210 		}
211 	}
212 
213 	if (p->fp && !p->fp->count)
214 	{
215 		kfree(p->fp);
216 		p->fp = NULL;
217 	}
218 	return 0;
219 
220 error:
221 	scm_destroy(p);
222 	return err;
223 }
224 EXPORT_SYMBOL(__scm_send);
225 
226 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
227 {
228 	struct cmsghdr __user *cm
229 		= (__force struct cmsghdr __user *)msg->msg_control;
230 	struct cmsghdr cmhdr;
231 	int cmlen = CMSG_LEN(len);
232 	int err;
233 
234 	if (MSG_CMSG_COMPAT & msg->msg_flags)
235 		return put_cmsg_compat(msg, level, type, len, data);
236 
237 	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
238 		msg->msg_flags |= MSG_CTRUNC;
239 		return 0; /* XXX: return error? check spec. */
240 	}
241 	if (msg->msg_controllen < cmlen) {
242 		msg->msg_flags |= MSG_CTRUNC;
243 		cmlen = msg->msg_controllen;
244 	}
245 	cmhdr.cmsg_level = level;
246 	cmhdr.cmsg_type = type;
247 	cmhdr.cmsg_len = cmlen;
248 
249 	err = -EFAULT;
250 	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
251 		goto out;
252 	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
253 		goto out;
254 	cmlen = CMSG_SPACE(len);
255 	if (msg->msg_controllen < cmlen)
256 		cmlen = msg->msg_controllen;
257 	msg->msg_control += cmlen;
258 	msg->msg_controllen -= cmlen;
259 	err = 0;
260 out:
261 	return err;
262 }
263 EXPORT_SYMBOL(put_cmsg);
264 
265 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
266 {
267 	struct cmsghdr __user *cm
268 		= (__force struct cmsghdr __user*)msg->msg_control;
269 
270 	int fdmax = 0;
271 	int fdnum = scm->fp->count;
272 	struct file **fp = scm->fp->fp;
273 	int __user *cmfptr;
274 	int err = 0, i;
275 
276 	if (MSG_CMSG_COMPAT & msg->msg_flags) {
277 		scm_detach_fds_compat(msg, scm);
278 		return;
279 	}
280 
281 	if (msg->msg_controllen > sizeof(struct cmsghdr))
282 		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
283 			 / sizeof(int));
284 
285 	if (fdnum < fdmax)
286 		fdmax = fdnum;
287 
288 	for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
289 	     i++, cmfptr++)
290 	{
291 		struct socket *sock;
292 		int new_fd;
293 		err = security_file_receive(fp[i]);
294 		if (err)
295 			break;
296 		err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
297 					  ? O_CLOEXEC : 0);
298 		if (err < 0)
299 			break;
300 		new_fd = err;
301 		err = put_user(new_fd, cmfptr);
302 		if (err) {
303 			put_unused_fd(new_fd);
304 			break;
305 		}
306 		/* Bump the usage count and install the file. */
307 		sock = sock_from_file(fp[i], &err);
308 		if (sock) {
309 			sock_update_netprioidx(sock->sk, current);
310 			sock_update_classid(sock->sk, current);
311 		}
312 		fd_install(new_fd, get_file(fp[i]));
313 	}
314 
315 	if (i > 0)
316 	{
317 		int cmlen = CMSG_LEN(i*sizeof(int));
318 		err = put_user(SOL_SOCKET, &cm->cmsg_level);
319 		if (!err)
320 			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
321 		if (!err)
322 			err = put_user(cmlen, &cm->cmsg_len);
323 		if (!err) {
324 			cmlen = CMSG_SPACE(i*sizeof(int));
325 			msg->msg_control += cmlen;
326 			msg->msg_controllen -= cmlen;
327 		}
328 	}
329 	if (i < fdnum || (fdnum && fdmax <= 0))
330 		msg->msg_flags |= MSG_CTRUNC;
331 
332 	/*
333 	 * All of the files that fit in the message have had their
334 	 * usage counts incremented, so we just free the list.
335 	 */
336 	__scm_destroy(scm);
337 }
338 EXPORT_SYMBOL(scm_detach_fds);
339 
340 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
341 {
342 	struct scm_fp_list *new_fpl;
343 	int i;
344 
345 	if (!fpl)
346 		return NULL;
347 
348 	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
349 			  GFP_KERNEL);
350 	if (new_fpl) {
351 		for (i = 0; i < fpl->count; i++)
352 			get_file(fpl->fp[i]);
353 		new_fpl->max = new_fpl->count;
354 	}
355 	return new_fpl;
356 }
357 EXPORT_SYMBOL(scm_fp_dup);
358