Commit | Line | Data |
---|---|---|
2874c5fd | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
1da177e4 LT |
2 | /* scm.c - Socket level control messages processing. |
3 | * | |
4 | * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> | |
5 | * Alignment and value checking mods by Craig Metz | |
1da177e4 LT |
6 | */ |
7 | ||
8 | #include <linux/module.h> | |
9 | #include <linux/signal.h> | |
4fc268d2 | 10 | #include <linux/capability.h> |
1da177e4 LT |
11 | #include <linux/errno.h> |
12 | #include <linux/sched.h> | |
8703e8a4 | 13 | #include <linux/sched/user.h> |
1da177e4 LT |
14 | #include <linux/mm.h> |
15 | #include <linux/kernel.h> | |
1da177e4 LT |
16 | #include <linux/stat.h> |
17 | #include <linux/socket.h> | |
18 | #include <linux/file.h> | |
19 | #include <linux/fcntl.h> | |
20 | #include <linux/net.h> | |
21 | #include <linux/interrupt.h> | |
22 | #include <linux/netdevice.h> | |
23 | #include <linux/security.h> | |
92f28d97 | 24 | #include <linux/pid_namespace.h> |
b488893a PE |
25 | #include <linux/pid.h> |
26 | #include <linux/nsproxy.h> | |
5a0e3ad6 | 27 | #include <linux/slab.h> |
9718475e | 28 | #include <linux/errqueue.h> |
705318a9 | 29 | #include <linux/io_uring.h> |
1da177e4 | 30 | |
7c0f6ba6 | 31 | #include <linux/uaccess.h> |
1da177e4 LT |
32 | |
33 | #include <net/protocol.h> | |
34 | #include <linux/skbuff.h> | |
35 | #include <net/sock.h> | |
36 | #include <net/compat.h> | |
37 | #include <net/scm.h> | |
d8429506 | 38 | #include <net/cls_cgroup.h> |
1da177e4 LT |
39 | |
40 | ||
41 | /* | |
4ec93edb | 42 | * Only allow a user to send credentials, that they could set with |
1da177e4 LT |
43 | * setu(g)id. |
44 | */ | |
45 | ||
46 | static __inline__ int scm_check_creds(struct ucred *creds) | |
47 | { | |
86a264ab | 48 | const struct cred *cred = current_cred(); |
b2e4f544 EB |
49 | kuid_t uid = make_kuid(cred->user_ns, creds->uid); |
50 | kgid_t gid = make_kgid(cred->user_ns, creds->gid); | |
51 | ||
52 | if (!uid_valid(uid) || !gid_valid(gid)) | |
53 | return -EINVAL; | |
b6dff3ec | 54 | |
92f28d97 | 55 | if ((creds->pid == task_tgid_vnr(current) || |
d661684c | 56 | ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) && |
b2e4f544 | 57 | ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) || |
c7b96acf | 58 | uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) && |
b2e4f544 | 59 | ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) || |
c7b96acf | 60 | gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) { |
1da177e4 LT |
61 | return 0; |
62 | } | |
63 | return -EPERM; | |
64 | } | |
65 | ||
66 | static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) | |
67 | { | |
68 | int *fdp = (int*)CMSG_DATA(cmsg); | |
69 | struct scm_fp_list *fpl = *fplp; | |
70 | struct file **fpp; | |
71 | int i, num; | |
72 | ||
1ff8cebf | 73 | num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int); |
1da177e4 LT |
74 | |
75 | if (num <= 0) | |
76 | return 0; | |
77 | ||
78 | if (num > SCM_MAX_FD) | |
79 | return -EINVAL; | |
80 | ||
81 | if (!fpl) | |
82 | { | |
2c6ad20b | 83 | fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT); |
1da177e4 LT |
84 | if (!fpl) |
85 | return -ENOMEM; | |
86 | *fplp = fpl; | |
87 | fpl->count = 0; | |
bba14de9 | 88 | fpl->max = SCM_MAX_FD; |
415e3d3e | 89 | fpl->user = NULL; |
1da177e4 LT |
90 | } |
91 | fpp = &fpl->fp[fpl->count]; | |
92 | ||
bba14de9 | 93 | if (fpl->count + num > fpl->max) |
1da177e4 | 94 | return -EINVAL; |
4ec93edb | 95 | |
1da177e4 LT |
96 | /* |
97 | * Verify the descriptors and increment the usage count. | |
98 | */ | |
4ec93edb | 99 | |
1da177e4 LT |
100 | for (i=0; i< num; i++) |
101 | { | |
102 | int fd = fdp[i]; | |
103 | struct file *file; | |
104 | ||
326be7b4 | 105 | if (fd < 0 || !(file = fget_raw(fd))) |
1da177e4 | 106 | return -EBADF; |
705318a9 | 107 | /* don't allow io_uring files */ |
a4104821 | 108 | if (io_is_uring_fops(file)) { |
705318a9 PB |
109 | fput(file); |
110 | return -EINVAL; | |
111 | } | |
1da177e4 LT |
112 | *fpp++ = file; |
113 | fpl->count++; | |
114 | } | |
415e3d3e HFS |
115 | |
116 | if (!fpl->user) | |
117 | fpl->user = get_uid(current_user()); | |
118 | ||
1da177e4 LT |
119 | return num; |
120 | } | |
121 | ||
122 | void __scm_destroy(struct scm_cookie *scm) | |
123 | { | |
124 | struct scm_fp_list *fpl = scm->fp; | |
125 | int i; | |
126 | ||
127 | if (fpl) { | |
128 | scm->fp = NULL; | |
6120d3db AV |
129 | for (i=fpl->count-1; i>=0; i--) |
130 | fput(fpl->fp[i]); | |
415e3d3e | 131 | free_uid(fpl->user); |
6120d3db | 132 | kfree(fpl); |
1da177e4 LT |
133 | } |
134 | } | |
9e34a5b5 | 135 | EXPORT_SYMBOL(__scm_destroy); |
1da177e4 LT |
136 | |
137 | int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p) | |
138 | { | |
1ded5e5a | 139 | const struct proto_ops *ops = READ_ONCE(sock->ops); |
1da177e4 LT |
140 | struct cmsghdr *cmsg; |
141 | int err; | |
142 | ||
f95b414e | 143 | for_each_cmsghdr(cmsg, msg) { |
1da177e4 LT |
144 | err = -EINVAL; |
145 | ||
146 | /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */ | |
147 | /* The first check was omitted in <= 2.2.5. The reasoning was | |
148 | that parser checks cmsg_len in any case, so that | |
149 | additional check would be work duplication. | |
4ec93edb | 150 | But if cmsg_level is not SOL_SOCKET, we do not check |
1da177e4 LT |
151 | for too short ancillary data object at all! Oops. |
152 | OK, let's add it... | |
153 | */ | |
154 | if (!CMSG_OK(msg, cmsg)) | |
155 | goto error; | |
156 | ||
157 | if (cmsg->cmsg_level != SOL_SOCKET) | |
158 | continue; | |
159 | ||
160 | switch (cmsg->cmsg_type) | |
161 | { | |
162 | case SCM_RIGHTS: | |
1ded5e5a | 163 | if (!ops || ops->family != PF_UNIX) |
76dadd76 | 164 | goto error; |
1da177e4 LT |
165 | err=scm_fp_copy(cmsg, &p->fp); |
166 | if (err<0) | |
167 | goto error; | |
168 | break; | |
169 | case SCM_CREDENTIALS: | |
b2e4f544 | 170 | { |
dbe9a417 | 171 | struct ucred creds; |
b2e4f544 EB |
172 | kuid_t uid; |
173 | kgid_t gid; | |
1da177e4 LT |
174 | if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred))) |
175 | goto error; | |
dbe9a417 EB |
176 | memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred)); |
177 | err = scm_check_creds(&creds); | |
1da177e4 LT |
178 | if (err) |
179 | goto error; | |
257b5358 | 180 | |
dbe9a417 EB |
181 | p->creds.pid = creds.pid; |
182 | if (!p->pid || pid_vnr(p->pid) != creds.pid) { | |
257b5358 EB |
183 | struct pid *pid; |
184 | err = -ESRCH; | |
dbe9a417 | 185 | pid = find_get_pid(creds.pid); |
257b5358 EB |
186 | if (!pid) |
187 | goto error; | |
188 | put_pid(p->pid); | |
189 | p->pid = pid; | |
190 | } | |
191 | ||
b2e4f544 | 192 | err = -EINVAL; |
dbe9a417 EB |
193 | uid = make_kuid(current_user_ns(), creds.uid); |
194 | gid = make_kgid(current_user_ns(), creds.gid); | |
b2e4f544 EB |
195 | if (!uid_valid(uid) || !gid_valid(gid)) |
196 | goto error; | |
197 | ||
dbe9a417 EB |
198 | p->creds.uid = uid; |
199 | p->creds.gid = gid; | |
1da177e4 | 200 | break; |
b2e4f544 | 201 | } |
1da177e4 LT |
202 | default: |
203 | goto error; | |
204 | } | |
205 | } | |
206 | ||
207 | if (p->fp && !p->fp->count) | |
208 | { | |
209 | kfree(p->fp); | |
210 | p->fp = NULL; | |
211 | } | |
212 | return 0; | |
4ec93edb | 213 | |
1da177e4 LT |
214 | error: |
215 | scm_destroy(p); | |
216 | return err; | |
217 | } | |
9e34a5b5 | 218 | EXPORT_SYMBOL(__scm_send); |
1da177e4 LT |
219 | |
220 | int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) | |
221 | { | |
1da177e4 | 222 | int cmlen = CMSG_LEN(len); |
1da177e4 | 223 | |
1f466e1f | 224 | if (msg->msg_flags & MSG_CMSG_COMPAT) |
1da177e4 LT |
225 | return put_cmsg_compat(msg, level, type, len, data); |
226 | ||
1f466e1f | 227 | if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) { |
1da177e4 LT |
228 | msg->msg_flags |= MSG_CTRUNC; |
229 | return 0; /* XXX: return error? check spec. */ | |
230 | } | |
231 | if (msg->msg_controllen < cmlen) { | |
232 | msg->msg_flags |= MSG_CTRUNC; | |
233 | cmlen = msg->msg_controllen; | |
234 | } | |
1f466e1f CH |
235 | |
236 | if (msg->msg_control_is_user) { | |
237 | struct cmsghdr __user *cm = msg->msg_control_user; | |
38ebcf50 | 238 | |
5f1eb1ff ED |
239 | check_object_size(data, cmlen - sizeof(*cm), true); |
240 | ||
38ebcf50 ED |
241 | if (!user_write_access_begin(cm, cmlen)) |
242 | goto efault; | |
243 | ||
e7ad33fa | 244 | unsafe_put_user(cmlen, &cm->cmsg_len, efault_end); |
38ebcf50 ED |
245 | unsafe_put_user(level, &cm->cmsg_level, efault_end); |
246 | unsafe_put_user(type, &cm->cmsg_type, efault_end); | |
247 | unsafe_copy_to_user(CMSG_USER_DATA(cm), data, | |
248 | cmlen - sizeof(*cm), efault_end); | |
249 | user_write_access_end(); | |
1f466e1f CH |
250 | } else { |
251 | struct cmsghdr *cm = msg->msg_control; | |
252 | ||
253 | cm->cmsg_level = level; | |
254 | cm->cmsg_type = type; | |
255 | cm->cmsg_len = cmlen; | |
256 | memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm)); | |
257 | } | |
258 | ||
259 | cmlen = min(CMSG_SPACE(len), msg->msg_controllen); | |
c39ef213 KB |
260 | if (msg->msg_control_is_user) |
261 | msg->msg_control_user += cmlen; | |
262 | else | |
263 | msg->msg_control += cmlen; | |
1da177e4 | 264 | msg->msg_controllen -= cmlen; |
1f466e1f | 265 | return 0; |
38ebcf50 ED |
266 | |
267 | efault_end: | |
268 | user_write_access_end(); | |
269 | efault: | |
270 | return -EFAULT; | |
1da177e4 | 271 | } |
9e34a5b5 | 272 | EXPORT_SYMBOL(put_cmsg); |
1da177e4 | 273 | |
9718475e DD |
274 | void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal) |
275 | { | |
276 | struct scm_timestamping64 tss; | |
277 | int i; | |
278 | ||
279 | for (i = 0; i < ARRAY_SIZE(tss.ts); i++) { | |
280 | tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec; | |
281 | tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec; | |
282 | } | |
283 | ||
284 | put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss); | |
285 | } | |
286 | EXPORT_SYMBOL(put_cmsg_scm_timestamping64); | |
287 | ||
288 | void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal) | |
289 | { | |
290 | struct scm_timestamping tss; | |
291 | int i; | |
292 | ||
0309f98f AB |
293 | for (i = 0; i < ARRAY_SIZE(tss.ts); i++) { |
294 | tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec; | |
295 | tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec; | |
296 | } | |
9718475e DD |
297 | |
298 | put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss); | |
299 | } | |
300 | EXPORT_SYMBOL(put_cmsg_scm_timestamping); | |
301 | ||
2618d530 CH |
302 | static int scm_max_fds(struct msghdr *msg) |
303 | { | |
304 | if (msg->msg_controllen <= sizeof(struct cmsghdr)) | |
305 | return 0; | |
306 | return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int); | |
307 | } | |
308 | ||
1da177e4 LT |
309 | void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) |
310 | { | |
c0029de5 | 311 | struct cmsghdr __user *cm = |
c39ef213 | 312 | (__force struct cmsghdr __user *)msg->msg_control_user; |
c0029de5 | 313 | unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; |
2618d530 CH |
314 | int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count); |
315 | int __user *cmsg_data = CMSG_USER_DATA(cm); | |
1da177e4 LT |
316 | int err = 0, i; |
317 | ||
c0029de5 KC |
318 | /* no use for FD passing from kernel space callers */ |
319 | if (WARN_ON_ONCE(!msg->msg_control_is_user)) | |
320 | return; | |
321 | ||
2618d530 | 322 | if (msg->msg_flags & MSG_CMSG_COMPAT) { |
1da177e4 LT |
323 | scm_detach_fds_compat(msg, scm); |
324 | return; | |
325 | } | |
326 | ||
2618d530 | 327 | for (i = 0; i < fdmax; i++) { |
eac9189c | 328 | err = scm_recv_one_fd(scm->fp->fp[i], cmsg_data + i, o_flags); |
deefa7f3 | 329 | if (err < 0) |
1da177e4 | 330 | break; |
1da177e4 LT |
331 | } |
332 | ||
c0029de5 | 333 | if (i > 0) { |
2618d530 CH |
334 | int cmlen = CMSG_LEN(i * sizeof(int)); |
335 | ||
effee6a0 | 336 | err = put_user(SOL_SOCKET, &cm->cmsg_level); |
1da177e4 LT |
337 | if (!err) |
338 | err = put_user(SCM_RIGHTS, &cm->cmsg_type); | |
339 | if (!err) | |
340 | err = put_user(cmlen, &cm->cmsg_len); | |
341 | if (!err) { | |
2618d530 | 342 | cmlen = CMSG_SPACE(i * sizeof(int)); |
6900317f DB |
343 | if (msg->msg_controllen < cmlen) |
344 | cmlen = msg->msg_controllen; | |
c39ef213 | 345 | msg->msg_control_user += cmlen; |
1da177e4 LT |
346 | msg->msg_controllen -= cmlen; |
347 | } | |
348 | } | |
2618d530 CH |
349 | |
350 | if (i < scm->fp->count || (scm->fp->count && fdmax <= 0)) | |
1da177e4 LT |
351 | msg->msg_flags |= MSG_CTRUNC; |
352 | ||
353 | /* | |
2618d530 CH |
354 | * All of the files that fit in the message have had their usage counts |
355 | * incremented, so we just free the list. | |
1da177e4 LT |
356 | */ |
357 | __scm_destroy(scm); | |
358 | } | |
9e34a5b5 | 359 | EXPORT_SYMBOL(scm_detach_fds); |
1da177e4 LT |
360 | |
361 | struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) | |
362 | { | |
363 | struct scm_fp_list *new_fpl; | |
364 | int i; | |
365 | ||
366 | if (!fpl) | |
367 | return NULL; | |
368 | ||
bba14de9 | 369 | new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]), |
2c6ad20b | 370 | GFP_KERNEL_ACCOUNT); |
1da177e4 | 371 | if (new_fpl) { |
bba14de9 | 372 | for (i = 0; i < fpl->count; i++) |
1da177e4 | 373 | get_file(fpl->fp[i]); |
bba14de9 | 374 | new_fpl->max = new_fpl->count; |
415e3d3e | 375 | new_fpl->user = get_uid(fpl->user); |
1da177e4 LT |
376 | } |
377 | return new_fpl; | |
378 | } | |
1da177e4 | 379 | EXPORT_SYMBOL(scm_fp_dup); |