Linux Audio

Check our new training course

Loading...
v3.15
  1/* scm.c - Socket level control messages processing.
  2 *
  3 * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
  4 *              Alignment and value checking mods by Craig Metz
  5 *
  6 *		This program is free software; you can redistribute it and/or
  7 *		modify it under the terms of the GNU General Public License
  8 *		as published by the Free Software Foundation; either version
  9 *		2 of the License, or (at your option) any later version.
 10 */
 11
 12#include <linux/module.h>
 13#include <linux/signal.h>
 14#include <linux/capability.h>
 15#include <linux/errno.h>
 16#include <linux/sched.h>
 
 17#include <linux/mm.h>
 18#include <linux/kernel.h>
 19#include <linux/stat.h>
 20#include <linux/socket.h>
 21#include <linux/file.h>
 22#include <linux/fcntl.h>
 23#include <linux/net.h>
 24#include <linux/interrupt.h>
 25#include <linux/netdevice.h>
 26#include <linux/security.h>
 27#include <linux/pid_namespace.h>
 28#include <linux/pid.h>
 29#include <linux/nsproxy.h>
 30#include <linux/slab.h>
 31
 32#include <asm/uaccess.h>
 33
 34#include <net/protocol.h>
 35#include <linux/skbuff.h>
 36#include <net/sock.h>
 37#include <net/compat.h>
 38#include <net/scm.h>
 39#include <net/cls_cgroup.h>
 40
 41
 42/*
 43 *	Only allow a user to send credentials, that they could set with
 44 *	setu(g)id.
 45 */
 46
 47static __inline__ int scm_check_creds(struct ucred *creds)
 48{
 49	const struct cred *cred = current_cred();
 50	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
 51	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
 52
 53	if (!uid_valid(uid) || !gid_valid(gid))
 54		return -EINVAL;
 55
 56	if ((creds->pid == task_tgid_vnr(current) ||
 57	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
 58	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
 59	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
 60	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
 61	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
 62	       return 0;
 63	}
 64	return -EPERM;
 65}
 66
 67static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
 68{
 69	int *fdp = (int*)CMSG_DATA(cmsg);
 70	struct scm_fp_list *fpl = *fplp;
 71	struct file **fpp;
 72	int i, num;
 73
 74	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
 75
 76	if (num <= 0)
 77		return 0;
 78
 79	if (num > SCM_MAX_FD)
 80		return -EINVAL;
 81
 82	if (!fpl)
 83	{
 84		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
 85		if (!fpl)
 86			return -ENOMEM;
 87		*fplp = fpl;
 88		fpl->count = 0;
 89		fpl->max = SCM_MAX_FD;
 
 90	}
 91	fpp = &fpl->fp[fpl->count];
 92
 93	if (fpl->count + num > fpl->max)
 94		return -EINVAL;
 95
 96	/*
 97	 *	Verify the descriptors and increment the usage count.
 98	 */
 99
100	for (i=0; i< num; i++)
101	{
102		int fd = fdp[i];
103		struct file *file;
104
105		if (fd < 0 || !(file = fget_raw(fd)))
106			return -EBADF;
107		*fpp++ = file;
108		fpl->count++;
109	}
 
 
 
 
110	return num;
111}
112
113void __scm_destroy(struct scm_cookie *scm)
114{
115	struct scm_fp_list *fpl = scm->fp;
116	int i;
117
118	if (fpl) {
119		scm->fp = NULL;
120		for (i=fpl->count-1; i>=0; i--)
121			fput(fpl->fp[i]);
 
122		kfree(fpl);
123	}
124}
125EXPORT_SYMBOL(__scm_destroy);
126
127int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
128{
129	struct cmsghdr *cmsg;
130	int err;
131
132	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
133	{
134		err = -EINVAL;
135
136		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
137		/* The first check was omitted in <= 2.2.5. The reasoning was
138		   that parser checks cmsg_len in any case, so that
139		   additional check would be work duplication.
140		   But if cmsg_level is not SOL_SOCKET, we do not check
141		   for too short ancillary data object at all! Oops.
142		   OK, let's add it...
143		 */
144		if (!CMSG_OK(msg, cmsg))
145			goto error;
146
147		if (cmsg->cmsg_level != SOL_SOCKET)
148			continue;
149
150		switch (cmsg->cmsg_type)
151		{
152		case SCM_RIGHTS:
153			if (!sock->ops || sock->ops->family != PF_UNIX)
154				goto error;
155			err=scm_fp_copy(cmsg, &p->fp);
156			if (err<0)
157				goto error;
158			break;
159		case SCM_CREDENTIALS:
160		{
161			struct ucred creds;
162			kuid_t uid;
163			kgid_t gid;
164			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
165				goto error;
166			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
167			err = scm_check_creds(&creds);
168			if (err)
169				goto error;
170
171			p->creds.pid = creds.pid;
172			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
173				struct pid *pid;
174				err = -ESRCH;
175				pid = find_get_pid(creds.pid);
176				if (!pid)
177					goto error;
178				put_pid(p->pid);
179				p->pid = pid;
180			}
181
182			err = -EINVAL;
183			uid = make_kuid(current_user_ns(), creds.uid);
184			gid = make_kgid(current_user_ns(), creds.gid);
185			if (!uid_valid(uid) || !gid_valid(gid))
186				goto error;
187
188			p->creds.uid = uid;
189			p->creds.gid = gid;
190			break;
191		}
192		default:
193			goto error;
194		}
195	}
196
197	if (p->fp && !p->fp->count)
198	{
199		kfree(p->fp);
200		p->fp = NULL;
201	}
202	return 0;
203
204error:
205	scm_destroy(p);
206	return err;
207}
208EXPORT_SYMBOL(__scm_send);
209
210int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
211{
212	struct cmsghdr __user *cm
213		= (__force struct cmsghdr __user *)msg->msg_control;
214	struct cmsghdr cmhdr;
215	int cmlen = CMSG_LEN(len);
216	int err;
217
218	if (MSG_CMSG_COMPAT & msg->msg_flags)
219		return put_cmsg_compat(msg, level, type, len, data);
220
221	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
222		msg->msg_flags |= MSG_CTRUNC;
223		return 0; /* XXX: return error? check spec. */
224	}
225	if (msg->msg_controllen < cmlen) {
226		msg->msg_flags |= MSG_CTRUNC;
227		cmlen = msg->msg_controllen;
228	}
229	cmhdr.cmsg_level = level;
230	cmhdr.cmsg_type = type;
231	cmhdr.cmsg_len = cmlen;
232
233	err = -EFAULT;
234	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
235		goto out;
236	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
237		goto out;
238	cmlen = CMSG_SPACE(len);
239	if (msg->msg_controllen < cmlen)
240		cmlen = msg->msg_controllen;
241	msg->msg_control += cmlen;
242	msg->msg_controllen -= cmlen;
243	err = 0;
244out:
245	return err;
246}
247EXPORT_SYMBOL(put_cmsg);
248
249void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
250{
251	struct cmsghdr __user *cm
252		= (__force struct cmsghdr __user*)msg->msg_control;
253
254	int fdmax = 0;
255	int fdnum = scm->fp->count;
256	struct file **fp = scm->fp->fp;
257	int __user *cmfptr;
258	int err = 0, i;
259
260	if (MSG_CMSG_COMPAT & msg->msg_flags) {
261		scm_detach_fds_compat(msg, scm);
262		return;
263	}
264
265	if (msg->msg_controllen > sizeof(struct cmsghdr))
266		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
267			 / sizeof(int));
268
269	if (fdnum < fdmax)
270		fdmax = fdnum;
271
272	for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
273	     i++, cmfptr++)
274	{
275		struct socket *sock;
276		int new_fd;
277		err = security_file_receive(fp[i]);
278		if (err)
279			break;
280		err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
281					  ? O_CLOEXEC : 0);
282		if (err < 0)
283			break;
284		new_fd = err;
285		err = put_user(new_fd, cmfptr);
286		if (err) {
287			put_unused_fd(new_fd);
288			break;
289		}
290		/* Bump the usage count and install the file. */
291		sock = sock_from_file(fp[i], &err);
292		if (sock) {
293			sock_update_netprioidx(sock->sk);
294			sock_update_classid(sock->sk);
295		}
296		fd_install(new_fd, get_file(fp[i]));
297	}
298
299	if (i > 0)
300	{
301		int cmlen = CMSG_LEN(i*sizeof(int));
302		err = put_user(SOL_SOCKET, &cm->cmsg_level);
303		if (!err)
304			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
305		if (!err)
306			err = put_user(cmlen, &cm->cmsg_len);
307		if (!err) {
308			cmlen = CMSG_SPACE(i*sizeof(int));
 
 
309			msg->msg_control += cmlen;
310			msg->msg_controllen -= cmlen;
311		}
312	}
313	if (i < fdnum || (fdnum && fdmax <= 0))
314		msg->msg_flags |= MSG_CTRUNC;
315
316	/*
317	 * All of the files that fit in the message have had their
318	 * usage counts incremented, so we just free the list.
319	 */
320	__scm_destroy(scm);
321}
322EXPORT_SYMBOL(scm_detach_fds);
323
324struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
325{
326	struct scm_fp_list *new_fpl;
327	int i;
328
329	if (!fpl)
330		return NULL;
331
332	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
333			  GFP_KERNEL);
334	if (new_fpl) {
335		for (i = 0; i < fpl->count; i++)
336			get_file(fpl->fp[i]);
337		new_fpl->max = new_fpl->count;
 
338	}
339	return new_fpl;
340}
341EXPORT_SYMBOL(scm_fp_dup);
v4.17
  1/* scm.c - Socket level control messages processing.
  2 *
  3 * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
  4 *              Alignment and value checking mods by Craig Metz
  5 *
  6 *		This program is free software; you can redistribute it and/or
  7 *		modify it under the terms of the GNU General Public License
  8 *		as published by the Free Software Foundation; either version
  9 *		2 of the License, or (at your option) any later version.
 10 */
 11
 12#include <linux/module.h>
 13#include <linux/signal.h>
 14#include <linux/capability.h>
 15#include <linux/errno.h>
 16#include <linux/sched.h>
 17#include <linux/sched/user.h>
 18#include <linux/mm.h>
 19#include <linux/kernel.h>
 20#include <linux/stat.h>
 21#include <linux/socket.h>
 22#include <linux/file.h>
 23#include <linux/fcntl.h>
 24#include <linux/net.h>
 25#include <linux/interrupt.h>
 26#include <linux/netdevice.h>
 27#include <linux/security.h>
 28#include <linux/pid_namespace.h>
 29#include <linux/pid.h>
 30#include <linux/nsproxy.h>
 31#include <linux/slab.h>
 32
 33#include <linux/uaccess.h>
 34
 35#include <net/protocol.h>
 36#include <linux/skbuff.h>
 37#include <net/sock.h>
 38#include <net/compat.h>
 39#include <net/scm.h>
 40#include <net/cls_cgroup.h>
 41
 42
 43/*
 44 *	Only allow a user to send credentials, that they could set with
 45 *	setu(g)id.
 46 */
 47
 48static __inline__ int scm_check_creds(struct ucred *creds)
 49{
 50	const struct cred *cred = current_cred();
 51	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
 52	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
 53
 54	if (!uid_valid(uid) || !gid_valid(gid))
 55		return -EINVAL;
 56
 57	if ((creds->pid == task_tgid_vnr(current) ||
 58	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
 59	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
 60	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
 61	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
 62	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
 63	       return 0;
 64	}
 65	return -EPERM;
 66}
 67
 68static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
 69{
 70	int *fdp = (int*)CMSG_DATA(cmsg);
 71	struct scm_fp_list *fpl = *fplp;
 72	struct file **fpp;
 73	int i, num;
 74
 75	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
 76
 77	if (num <= 0)
 78		return 0;
 79
 80	if (num > SCM_MAX_FD)
 81		return -EINVAL;
 82
 83	if (!fpl)
 84	{
 85		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
 86		if (!fpl)
 87			return -ENOMEM;
 88		*fplp = fpl;
 89		fpl->count = 0;
 90		fpl->max = SCM_MAX_FD;
 91		fpl->user = NULL;
 92	}
 93	fpp = &fpl->fp[fpl->count];
 94
 95	if (fpl->count + num > fpl->max)
 96		return -EINVAL;
 97
 98	/*
 99	 *	Verify the descriptors and increment the usage count.
100	 */
101
102	for (i=0; i< num; i++)
103	{
104		int fd = fdp[i];
105		struct file *file;
106
107		if (fd < 0 || !(file = fget_raw(fd)))
108			return -EBADF;
109		*fpp++ = file;
110		fpl->count++;
111	}
112
113	if (!fpl->user)
114		fpl->user = get_uid(current_user());
115
116	return num;
117}
118
119void __scm_destroy(struct scm_cookie *scm)
120{
121	struct scm_fp_list *fpl = scm->fp;
122	int i;
123
124	if (fpl) {
125		scm->fp = NULL;
126		for (i=fpl->count-1; i>=0; i--)
127			fput(fpl->fp[i]);
128		free_uid(fpl->user);
129		kfree(fpl);
130	}
131}
132EXPORT_SYMBOL(__scm_destroy);
133
134int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
135{
136	struct cmsghdr *cmsg;
137	int err;
138
139	for_each_cmsghdr(cmsg, msg) {
 
140		err = -EINVAL;
141
142		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
143		/* The first check was omitted in <= 2.2.5. The reasoning was
144		   that parser checks cmsg_len in any case, so that
145		   additional check would be work duplication.
146		   But if cmsg_level is not SOL_SOCKET, we do not check
147		   for too short ancillary data object at all! Oops.
148		   OK, let's add it...
149		 */
150		if (!CMSG_OK(msg, cmsg))
151			goto error;
152
153		if (cmsg->cmsg_level != SOL_SOCKET)
154			continue;
155
156		switch (cmsg->cmsg_type)
157		{
158		case SCM_RIGHTS:
159			if (!sock->ops || sock->ops->family != PF_UNIX)
160				goto error;
161			err=scm_fp_copy(cmsg, &p->fp);
162			if (err<0)
163				goto error;
164			break;
165		case SCM_CREDENTIALS:
166		{
167			struct ucred creds;
168			kuid_t uid;
169			kgid_t gid;
170			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
171				goto error;
172			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
173			err = scm_check_creds(&creds);
174			if (err)
175				goto error;
176
177			p->creds.pid = creds.pid;
178			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
179				struct pid *pid;
180				err = -ESRCH;
181				pid = find_get_pid(creds.pid);
182				if (!pid)
183					goto error;
184				put_pid(p->pid);
185				p->pid = pid;
186			}
187
188			err = -EINVAL;
189			uid = make_kuid(current_user_ns(), creds.uid);
190			gid = make_kgid(current_user_ns(), creds.gid);
191			if (!uid_valid(uid) || !gid_valid(gid))
192				goto error;
193
194			p->creds.uid = uid;
195			p->creds.gid = gid;
196			break;
197		}
198		default:
199			goto error;
200		}
201	}
202
203	if (p->fp && !p->fp->count)
204	{
205		kfree(p->fp);
206		p->fp = NULL;
207	}
208	return 0;
209
210error:
211	scm_destroy(p);
212	return err;
213}
214EXPORT_SYMBOL(__scm_send);
215
216int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
217{
218	struct cmsghdr __user *cm
219		= (__force struct cmsghdr __user *)msg->msg_control;
220	struct cmsghdr cmhdr;
221	int cmlen = CMSG_LEN(len);
222	int err;
223
224	if (MSG_CMSG_COMPAT & msg->msg_flags)
225		return put_cmsg_compat(msg, level, type, len, data);
226
227	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
228		msg->msg_flags |= MSG_CTRUNC;
229		return 0; /* XXX: return error? check spec. */
230	}
231	if (msg->msg_controllen < cmlen) {
232		msg->msg_flags |= MSG_CTRUNC;
233		cmlen = msg->msg_controllen;
234	}
235	cmhdr.cmsg_level = level;
236	cmhdr.cmsg_type = type;
237	cmhdr.cmsg_len = cmlen;
238
239	err = -EFAULT;
240	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
241		goto out;
242	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
243		goto out;
244	cmlen = CMSG_SPACE(len);
245	if (msg->msg_controllen < cmlen)
246		cmlen = msg->msg_controllen;
247	msg->msg_control += cmlen;
248	msg->msg_controllen -= cmlen;
249	err = 0;
250out:
251	return err;
252}
253EXPORT_SYMBOL(put_cmsg);
254
255void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
256{
257	struct cmsghdr __user *cm
258		= (__force struct cmsghdr __user*)msg->msg_control;
259
260	int fdmax = 0;
261	int fdnum = scm->fp->count;
262	struct file **fp = scm->fp->fp;
263	int __user *cmfptr;
264	int err = 0, i;
265
266	if (MSG_CMSG_COMPAT & msg->msg_flags) {
267		scm_detach_fds_compat(msg, scm);
268		return;
269	}
270
271	if (msg->msg_controllen > sizeof(struct cmsghdr))
272		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
273			 / sizeof(int));
274
275	if (fdnum < fdmax)
276		fdmax = fdnum;
277
278	for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
279	     i++, cmfptr++)
280	{
281		struct socket *sock;
282		int new_fd;
283		err = security_file_receive(fp[i]);
284		if (err)
285			break;
286		err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
287					  ? O_CLOEXEC : 0);
288		if (err < 0)
289			break;
290		new_fd = err;
291		err = put_user(new_fd, cmfptr);
292		if (err) {
293			put_unused_fd(new_fd);
294			break;
295		}
296		/* Bump the usage count and install the file. */
297		sock = sock_from_file(fp[i], &err);
298		if (sock) {
299			sock_update_netprioidx(&sock->sk->sk_cgrp_data);
300			sock_update_classid(&sock->sk->sk_cgrp_data);
301		}
302		fd_install(new_fd, get_file(fp[i]));
303	}
304
305	if (i > 0)
306	{
307		int cmlen = CMSG_LEN(i*sizeof(int));
308		err = put_user(SOL_SOCKET, &cm->cmsg_level);
309		if (!err)
310			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
311		if (!err)
312			err = put_user(cmlen, &cm->cmsg_len);
313		if (!err) {
314			cmlen = CMSG_SPACE(i*sizeof(int));
315			if (msg->msg_controllen < cmlen)
316				cmlen = msg->msg_controllen;
317			msg->msg_control += cmlen;
318			msg->msg_controllen -= cmlen;
319		}
320	}
321	if (i < fdnum || (fdnum && fdmax <= 0))
322		msg->msg_flags |= MSG_CTRUNC;
323
324	/*
325	 * All of the files that fit in the message have had their
326	 * usage counts incremented, so we just free the list.
327	 */
328	__scm_destroy(scm);
329}
330EXPORT_SYMBOL(scm_detach_fds);
331
332struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
333{
334	struct scm_fp_list *new_fpl;
335	int i;
336
337	if (!fpl)
338		return NULL;
339
340	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
341			  GFP_KERNEL);
342	if (new_fpl) {
343		for (i = 0; i < fpl->count; i++)
344			get_file(fpl->fp[i]);
345		new_fpl->max = new_fpl->count;
346		new_fpl->user = get_uid(fpl->user);
347	}
348	return new_fpl;
349}
350EXPORT_SYMBOL(scm_fp_dup);