/* scm.c - Socket level control messages processing.
 *
 * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
 * Alignment and value checking mods by Craig Metz
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/signal.h>
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <linux/sched/user.h>
#include <linux/mm.h>
#include <linux/kernel.h>
#include <linux/stat.h>
#include <linux/socket.h>
#include <linux/file.h>
#include <linux/fcntl.h>
#include <linux/net.h>
#include <linux/interrupt.h>
#include <linux/netdevice.h>
#include <linux/security.h>
#include <linux/pid_namespace.h>
#include <linux/pid.h>
#include <linux/nsproxy.h>
#include <linux/slab.h>
#include <linux/errqueue.h>

#include <linux/uaccess.h>

#include <net/protocol.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <net/compat.h>
#include <net/scm.h>
#include <net/cls_cgroup.h>


/*
 * Only allow a user to send credentials, that they could set with
 * setu(g)id.
 *
 * scm_check_creds() validates a user-supplied SCM_CREDENTIALS payload
 * against the sender's own credentials (current_cred()):
 *  - creds->uid / creds->gid are mapped into the sender's user namespace
 *    (cred->user_ns); values that do not map there fail with -EINVAL
 *    rather than -EPERM;
 *  - the pid must be the sender's own thread-group id as seen from its
 *    pid namespace, unless the sender holds CAP_SYS_ADMIN in the user
 *    namespace that owns its active pid namespace;
 *  - the uid must equal the sender's real, effective or saved uid, unless
 *    it holds CAP_SETUID in its user namespace; the gid likewise against
 *    gid/egid/sgid or CAP_SETGID.
 * Returns 0 when the credentials are acceptable, otherwise -EPERM.
 */

static __inline__ int scm_check_creds(struct ucred *creds)
{
	const struct cred *cred = current_cred();
	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
	kgid_t gid = make_kgid(cred->user_ns, creds->gid);

	/* Unmappable ids are a malformed request, not a permission failure. */
	if (!uid_valid(uid) || !gid_valid(gid))
		return -EINVAL;

	if ((creds->pid == task_tgid_vnr(current) ||
	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
		return 0;
	}
	return -EPERM;
}

/*
 * Copy the file descriptors carried by one SCM_RIGHTS cmsg into *fplp,
 * allocating the list on first use.
 *
 * @cmsg: an SCM_RIGHTS control message whose length has already passed
 *        CMSG_OK() in __scm_send(), so cmsg_len >= sizeof(struct cmsghdr);
 * @fplp: in/out pointer to the descriptor list; set when allocated here.
 *
 * Returns the number of descriptors appended, 0 if the cmsg carried none,
 * -EINVAL if the cmsg carries more than SCM_MAX_FD or the list would exceed
 * its max, -ENOMEM on allocation failure, or -EBADF if any fd is negative
 * or not open.  On -EBADF the descriptors fetched before the bad one stay
 * in the list with their references held (fpl->count was already bumped);
 * the caller must release them -- __scm_send() does so via scm_destroy().
 */
static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
{
	int *fdp = (int*)CMSG_DATA(cmsg);
	struct scm_fp_list *fpl = *fplp;
	struct file **fpp;
	int i, num;

	/* Number of whole ints in the payload; a trailing partial int is ignored. */
	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);

	if (num <= 0)
		return 0;

	if (num > SCM_MAX_FD)
		return -EINVAL;

	if (!fpl)
	{
		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
		if (!fpl)
			return -ENOMEM;
		/* Publish the list before it is filled so an error path can free it. */
		*fplp = fpl;
		fpl->count = 0;
		fpl->max = SCM_MAX_FD;
		fpl->user = NULL;
	}
	fpp = &fpl->fp[fpl->count];

	/* Several SCM_RIGHTS cmsgs in one message share the same SCM_MAX_FD budget. */
	if (fpl->count + num > fpl->max)
		return -EINVAL;

	/*
	 * Verify the descriptors and increment the usage count.
	 */

	for (i=0; i< num; i++)
	{
		int fd = fdp[i];
		struct file *file;

		/*
		 * NOTE(review): fget_raw() is used rather than fget(), so
		 * O_PATH descriptors are presumably accepted here -- confirm
		 * against fget_raw() if that matters to the caller.
		 */
		if (fd < 0 || !(file = fget_raw(fd)))
			return -EBADF;
		*fpp++ = file;
		fpl->count++;
	}

	/* Pin the sending user; taken only once every descriptor was fetched. */
	if (!fpl->user)
		fpl->user = get_uid(current_user());

	return num;
}

/**
 * __scm_destroy - release the file list attached to a scm_cookie
 * @scm: cookie whose ->fp list is dropped
 *
 * Detaches scm->fp first, then puts each file in reverse order of
 * attachment, drops the user reference taken in scm_fp_copy() and frees
 * the list.  A cookie with no list attached is left untouched.
 */
void __scm_destroy(struct scm_cookie *scm)
{
	struct scm_fp_list *fpl = scm->fp;
	int i;

	if (fpl) {
		scm->fp = NULL;
		for (i=fpl->count-1; i>=0; i--)
			fput(fpl->fp[i]);
		free_uid(fpl->user);
		kfree(fpl);
	}
}
EXPORT_SYMBOL(__scm_destroy);

/**
 * __scm_send - parse the SOL_SOCKET control messages of a sendmsg() call
 * @sock: sending socket; SCM_RIGHTS is only honoured for PF_UNIX sockets
 * @msg:  message whose control area is walked with for_each_cmsghdr()
 * @p:    cookie that receives the parsed descriptors (p->fp), pid and
 *        credentials
 *
 * Every cmsg, whatever its level, must pass CMSG_OK(); cmsgs at a level
 * other than SOL_SOCKET are then skipped here.  Unknown SOL_SOCKET types
 * fail with -EINVAL.  On any error the cookie is torn down with
 * scm_destroy() (declared in net/scm.h, not in this file) and the error
 * is returned, so partially parsed descriptors are not leaked.
 * Returns 0 on success or a negative errno.
 */
int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
{
	struct cmsghdr *cmsg;
	int err;

	for_each_cmsghdr(cmsg, msg) {
		err = -EINVAL;

		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
		/* The first check was omitted in <= 2.2.5. The reasoning was
		   that parser checks cmsg_len in any case, so that
		   additional check would be work duplication.
		   But if cmsg_level is not SOL_SOCKET, we do not check
		   for too short ancillary data object at all! Oops.
		   OK, let's add it...
		 */
		if (!CMSG_OK(msg, cmsg))
			goto error;

		if (cmsg->cmsg_level != SOL_SOCKET)
			continue;

		switch (cmsg->cmsg_type)
		{
		case SCM_RIGHTS:
			/* Descriptor passing is an AF_UNIX-only facility. */
			if (!sock->ops || sock->ops->family != PF_UNIX)
				goto error;
			err=scm_fp_copy(cmsg, &p->fp);
			if (err<0)
				goto error;
			break;
		case SCM_CREDENTIALS:
		{
			struct ucred creds;
			kuid_t uid;
			kgid_t gid;
			/* The payload must be exactly one struct ucred: no short or padded forms. */
			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
				goto error;
			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
			err = scm_check_creds(&creds);
			if (err)
				goto error;

			p->creds.pid = creds.pid;
			/*
			 * Reuse the pid reference already in the cookie when it
			 * names the same pid; otherwise resolve creds.pid with
			 * find_get_pid() and swap the reference.
			 */
			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
				struct pid *pid;
				err = -ESRCH;
				pid = find_get_pid(creds.pid);
				if (!pid)
					goto error;
				put_pid(p->pid);
				p->pid = pid;
			}

			/*
			 * scm_check_creds() validated the ids but did not hand
			 * back the kernel-internal values, so map them again here.
			 */
			err = -EINVAL;
			uid = make_kuid(current_user_ns(), creds.uid);
			gid = make_kgid(current_user_ns(), creds.gid);
			if (!uid_valid(uid) || !gid_valid(gid))
				goto error;

			p->creds.uid = uid;
			p->creds.gid = gid;
			break;
		}
		default:
			goto error;
		}
	}

	/* Drop a descriptor list that ended up empty. */
	if (p->fp && !p->fp->count)
	{
		kfree(p->fp);
		p->fp = NULL;
	}
	return 0;

error:
	scm_destroy(p);
	return err;
}
EXPORT_SYMBOL(__scm_send);

/**
 * put_cmsg - append one control message to the user's msg_control area
 * @msg:   receiving message; msg_control/msg_controllen are advanced past
 *         the written cmsg
 * @level: cmsg_level to store
 * @type:  cmsg_type to store
 * @len:   payload length in bytes
 * @data:  kernel payload to copy out
 *
 * Compat callers (MSG_CMSG_COMPAT) are delegated to put_cmsg_compat().
 * When the control buffer has no room for even a header, MSG_CTRUNC is
 * set and 0 is returned.  When it holds the header but not the whole
 * payload, the payload is cut to fit and MSG_CTRUNC is set.
 * Returns 0 on success and -EFAULT if copying to user space fails.
 */
int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
	struct cmsghdr __user *cm
		= (__force struct cmsghdr __user *)msg->msg_control;
	struct cmsghdr cmhdr;
	int cmlen = CMSG_LEN(len);
	int err;

	if (MSG_CMSG_COMPAT & msg->msg_flags)
		return put_cmsg_compat(msg, level, type, len, data);

	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
		msg->msg_flags |= MSG_CTRUNC;
		return 0; /* XXX: return error? check spec. */
	}
	if (msg->msg_controllen < cmlen) {
		msg->msg_flags |= MSG_CTRUNC;
		cmlen = msg->msg_controllen;
	}
	/* cmsg_len records the (possibly truncated) length actually written. */
	cmhdr.cmsg_level = level;
	cmhdr.cmsg_type = type;
	cmhdr.cmsg_len = cmlen;

	err = -EFAULT;
	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
		goto out;
	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
		goto out;
	/* Advance by the aligned CMSG_SPACE(), clamped to what is left. */
	cmlen = CMSG_SPACE(len);
	if (msg->msg_controllen < cmlen)
		cmlen = msg->msg_controllen;
	msg->msg_control += cmlen;
	msg->msg_controllen -= cmlen;
	err = 0;
out:
	return err;
}
EXPORT_SYMBOL(put_cmsg);

/**
 * put_cmsg_scm_timestamping64 - emit an SO_TIMESTAMPING_NEW cmsg
 * @msg:          receiving message
 * @tss_internal: kernel-internal timestamps to copy out field by field
 *
 * The return value of put_cmsg() is not checked; a control buffer that
 * is too small only shows up to the caller as MSG_CTRUNC.
 */
void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
{
	struct scm_timestamping64 tss;
	int i;

	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
	}

	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
}
EXPORT_SYMBOL(put_cmsg_scm_timestamping64);

/**
 * put_cmsg_scm_timestamping - emit an SO_TIMESTAMPING_OLD cmsg
 * @msg:          receiving message
 * @tss_internal: kernel-internal timestamps, converted with
 *                timespec64_to_timespec() for the legacy layout
 *
 * As with the 64-bit variant, the put_cmsg() result is not checked.
 */
void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
{
	struct scm_timestamping tss;
	int i;

	for (i = 0; i < ARRAY_SIZE(tss.ts); i++)
		tss.ts[i] = timespec64_to_timespec(tss_internal->ts[i]);

	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
}
EXPORT_SYMBOL(put_cmsg_scm_timestamping);

/**
 * scm_detach_fds - install received SCM_RIGHTS files into the caller's fd table
 * @msg: receiving message; the new fd numbers are written into the cmsg
 *       data area of msg->msg_control and the cmsg header is filled in
 *       afterwards
 * @scm: cookie holding the file list; it is always released here via
 *       __scm_destroy(), whether or not every file was installed
 *
 * Only as many files as fit in msg_controllen are installed (fdmax);
 * MSG_CTRUNC is set if any were dropped, or if the list is non-empty but
 * not even one descriptor fits.  Each file must pass
 * security_file_receive(); a refusal stops the loop.  Descriptors are
 * allocated with O_CLOEXEC when MSG_CMSG_CLOEXEC is set.
 *
 * Note that err is never returned: if put_user() of the header fails,
 * the descriptors installed by the loop stay in the caller's table but
 * the control area holds no valid header describing them.
 */
void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
{
	struct cmsghdr __user *cm
		= (__force struct cmsghdr __user*)msg->msg_control;

	int fdmax = 0;
	int fdnum = scm->fp->count;
	struct file **fp = scm->fp->fp;
	int __user *cmfptr;
	int err = 0, i;

	if (MSG_CMSG_COMPAT & msg->msg_flags) {
		scm_detach_fds_compat(msg, scm);
		return;
	}

	/* How many fds fit in the data area after one cmsghdr. */
	if (msg->msg_controllen > sizeof(struct cmsghdr))
		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
			 / sizeof(int));

	if (fdnum < fdmax)
		fdmax = fdnum;

	for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
	     i++, cmfptr++)
	{
		struct socket *sock;
		int new_fd;
		err = security_file_receive(fp[i]);
		if (err)
			break;
		err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
					  ? O_CLOEXEC : 0);
		if (err < 0)
			break;
		new_fd = err;
		/*
		 * The number is written to user space before the file is
		 * installed, so a failed write only has to release the
		 * reserved number.
		 */
		err = put_user(new_fd, cmfptr);
		if (err) {
			put_unused_fd(new_fd);
			break;
		}
		/* Bump the usage count and install the file. */
		sock = sock_from_file(fp[i], &err);
		if (sock) {
			/* Refresh cgroup-derived socket data for the receiving task. */
			sock_update_netprioidx(&sock->sk->sk_cgrp_data);
			sock_update_classid(&sock->sk->sk_cgrp_data);
		}
		fd_install(new_fd, get_file(fp[i]));
	}

	/* Describe the i descriptors actually installed. */
	if (i > 0)
	{
		int cmlen = CMSG_LEN(i*sizeof(int));
		err = put_user(SOL_SOCKET, &cm->cmsg_level);
		if (!err)
			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
		if (!err)
			err = put_user(cmlen, &cm->cmsg_len);
		if (!err) {
			cmlen = CMSG_SPACE(i*sizeof(int));
			if (msg->msg_controllen < cmlen)
				cmlen = msg->msg_controllen;
			msg->msg_control += cmlen;
			msg->msg_controllen -= cmlen;
		}
	}
	if (i < fdnum || (fdnum && fdmax <= 0))
		msg->msg_flags |= MSG_CTRUNC;

	/*
	 * All of the files that fit in the message have had their
	 * usage counts incremented, so we just free the list.
	 */
	__scm_destroy(scm);
}
EXPORT_SYMBOL(scm_detach_fds);

/**
 * scm_fp_dup - duplicate a descriptor list, taking a reference on each file
 * @fpl: list to copy, may be NULL
 *
 * Only the used part of the array (fpl->count entries) is copied, so the
 * copy's max is set to its count and scm_fp_copy() will refuse to grow it.
 * A reference on fpl->user is taken for the copy.  Returns NULL for a
 * NULL input or on allocation failure.
 */
struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
{
	struct scm_fp_list *new_fpl;
	int i;

	if (!fpl)
		return NULL;

	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
			  GFP_KERNEL);
	if (new_fpl) {
		for (i = 0; i < fpl->count; i++)
			get_file(fpl->fp[i]);
		new_fpl->max = new_fpl->count;
		new_fpl->user = get_uid(fpl->user);
	}
	return new_fpl;
}
EXPORT_SYMBOL(scm_fp_dup);