1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Copyright (C) 1991, 1992 Linus Torvalds |
4 | */ |
5 | |
6 | #include <linux/types.h> |
7 | #include <linux/errno.h> |
8 | #include <linux/signal.h> |
9 | #include <linux/sched/signal.h> |
10 | #include <linux/sched/task.h> |
11 | #include <linux/tty.h> |
12 | #include <linux/fcntl.h> |
13 | #include <linux/uaccess.h> |
14 | #include "tty.h" |
15 | |
16 | static int is_ignored(int sig) |
17 | { |
18 | return (sigismember(set: ¤t->blocked, sig: sig) || |
19 | current->sighand->action[sig-1].sa.sa_handler == SIG_IGN); |
20 | } |
21 | |
22 | /** |
23 | * __tty_check_change - check for POSIX terminal changes |
24 | * @tty: tty to check |
25 | * @sig: signal to send |
26 | * |
27 | * If we try to write to, or set the state of, a terminal and we're |
28 | * not in the foreground, send a SIGTTOU. If the signal is blocked or |
29 | * ignored, go ahead and perform the operation. (POSIX 7.2) |
30 | * |
31 | * Locking: ctrl.lock |
32 | */ |
33 | int __tty_check_change(struct tty_struct *tty, int sig) |
34 | { |
35 | unsigned long flags; |
36 | struct pid *pgrp, *tty_pgrp; |
37 | int ret = 0; |
38 | |
39 | if (current->signal->tty != tty) |
40 | return 0; |
41 | |
42 | rcu_read_lock(); |
43 | pgrp = task_pgrp(current); |
44 | |
45 | spin_lock_irqsave(&tty->ctrl.lock, flags); |
46 | tty_pgrp = tty->ctrl.pgrp; |
47 | spin_unlock_irqrestore(lock: &tty->ctrl.lock, flags); |
48 | |
49 | if (tty_pgrp && pgrp != tty_pgrp) { |
50 | if (is_ignored(sig)) { |
51 | if (sig == SIGTTIN) |
52 | ret = -EIO; |
53 | } else if (is_current_pgrp_orphaned()) |
54 | ret = -EIO; |
55 | else { |
56 | kill_pgrp(pid: pgrp, sig, priv: 1); |
57 | set_thread_flag(TIF_SIGPENDING); |
58 | ret = -ERESTARTSYS; |
59 | } |
60 | } |
61 | rcu_read_unlock(); |
62 | |
63 | if (!tty_pgrp) |
64 | tty_warn(tty, "sig=%d, tty->pgrp == NULL!\n" , sig); |
65 | |
66 | return ret; |
67 | } |
68 | |
69 | int tty_check_change(struct tty_struct *tty) |
70 | { |
71 | return __tty_check_change(tty, SIGTTOU); |
72 | } |
73 | EXPORT_SYMBOL(tty_check_change); |
74 | |
75 | void proc_clear_tty(struct task_struct *p) |
76 | { |
77 | unsigned long flags; |
78 | struct tty_struct *tty; |
79 | |
80 | spin_lock_irqsave(&p->sighand->siglock, flags); |
81 | tty = p->signal->tty; |
82 | p->signal->tty = NULL; |
83 | spin_unlock_irqrestore(lock: &p->sighand->siglock, flags); |
84 | tty_kref_put(tty); |
85 | } |
86 | |
87 | /** |
88 | * __proc_set_tty - set the controlling terminal |
89 | * @tty: tty structure |
90 | * |
91 | * Only callable by the session leader and only if it does not already have |
92 | * a controlling terminal. |
93 | * |
94 | * Caller must hold: tty_lock() |
95 | * a readlock on tasklist_lock |
96 | * sighand lock |
97 | */ |
98 | static void __proc_set_tty(struct tty_struct *tty) |
99 | { |
100 | unsigned long flags; |
101 | |
102 | spin_lock_irqsave(&tty->ctrl.lock, flags); |
103 | /* |
104 | * The session and fg pgrp references will be non-NULL if |
105 | * tiocsctty() is stealing the controlling tty |
106 | */ |
107 | put_pid(pid: tty->ctrl.session); |
108 | put_pid(pid: tty->ctrl.pgrp); |
109 | tty->ctrl.pgrp = get_pid(pid: task_pgrp(current)); |
110 | tty->ctrl.session = get_pid(pid: task_session(current)); |
111 | spin_unlock_irqrestore(lock: &tty->ctrl.lock, flags); |
112 | if (current->signal->tty) { |
113 | tty_debug(tty, "current tty %s not NULL!!\n" , |
114 | current->signal->tty->name); |
115 | tty_kref_put(current->signal->tty); |
116 | } |
117 | put_pid(current->signal->tty_old_pgrp); |
118 | current->signal->tty = tty_kref_get(tty); |
119 | current->signal->tty_old_pgrp = NULL; |
120 | } |
121 | |
122 | static void proc_set_tty(struct tty_struct *tty) |
123 | { |
124 | spin_lock_irq(lock: ¤t->sighand->siglock); |
125 | __proc_set_tty(tty); |
126 | spin_unlock_irq(lock: ¤t->sighand->siglock); |
127 | } |
128 | |
129 | /* |
130 | * Called by tty_open() to set the controlling tty if applicable. |
131 | */ |
132 | void tty_open_proc_set_tty(struct file *filp, struct tty_struct *tty) |
133 | { |
134 | read_lock(&tasklist_lock); |
135 | spin_lock_irq(lock: ¤t->sighand->siglock); |
136 | if (current->signal->leader && |
137 | !current->signal->tty && |
138 | tty->ctrl.session == NULL) { |
139 | /* |
140 | * Don't let a process that only has write access to the tty |
141 | * obtain the privileges associated with having a tty as |
142 | * controlling terminal (being able to reopen it with full |
143 | * access through /dev/tty, being able to perform pushback). |
144 | * Many distributions set the group of all ttys to "tty" and |
145 | * grant write-only access to all terminals for setgid tty |
146 | * binaries, which should not imply full privileges on all ttys. |
147 | * |
148 | * This could theoretically break old code that performs open() |
149 | * on a write-only file descriptor. In that case, it might be |
150 | * necessary to also permit this if |
151 | * inode_permission(inode, MAY_READ) == 0. |
152 | */ |
153 | if (filp->f_mode & FMODE_READ) |
154 | __proc_set_tty(tty); |
155 | } |
156 | spin_unlock_irq(lock: ¤t->sighand->siglock); |
157 | read_unlock(&tasklist_lock); |
158 | } |
159 | |
160 | struct tty_struct *get_current_tty(void) |
161 | { |
162 | struct tty_struct *tty; |
163 | unsigned long flags; |
164 | |
165 | spin_lock_irqsave(¤t->sighand->siglock, flags); |
166 | tty = tty_kref_get(current->signal->tty); |
167 | spin_unlock_irqrestore(lock: ¤t->sighand->siglock, flags); |
168 | return tty; |
169 | } |
170 | EXPORT_SYMBOL_GPL(get_current_tty); |
171 | |
172 | /* |
173 | * Called from tty_release(). |
174 | */ |
175 | void session_clear_tty(struct pid *session) |
176 | { |
177 | struct task_struct *p; |
178 | |
179 | do_each_pid_task(session, PIDTYPE_SID, p) { |
180 | proc_clear_tty(p); |
181 | } while_each_pid_task(session, PIDTYPE_SID, p); |
182 | } |
183 | |
184 | /** |
185 | * tty_signal_session_leader - sends SIGHUP to session leader |
186 | * @tty: controlling tty |
187 | * @exit_session: if non-zero, signal all foreground group processes |
188 | * |
189 | * Send SIGHUP and SIGCONT to the session leader and its process group. |
190 | * Optionally, signal all processes in the foreground process group. |
191 | * |
192 | * Returns the number of processes in the session with this tty |
193 | * as their controlling terminal. This value is used to drop |
194 | * tty references for those processes. |
195 | */ |
196 | int tty_signal_session_leader(struct tty_struct *tty, int exit_session) |
197 | { |
198 | struct task_struct *p; |
199 | int refs = 0; |
200 | struct pid *tty_pgrp = NULL; |
201 | |
202 | read_lock(&tasklist_lock); |
203 | if (tty->ctrl.session) { |
204 | do_each_pid_task(tty->ctrl.session, PIDTYPE_SID, p) { |
205 | spin_lock_irq(lock: &p->sighand->siglock); |
206 | if (p->signal->tty == tty) { |
207 | p->signal->tty = NULL; |
208 | /* |
209 | * We defer the dereferences outside of |
210 | * the tasklist lock. |
211 | */ |
212 | refs++; |
213 | } |
214 | if (!p->signal->leader) { |
215 | spin_unlock_irq(lock: &p->sighand->siglock); |
216 | continue; |
217 | } |
218 | send_signal_locked(SIGHUP, SEND_SIG_PRIV, p, type: PIDTYPE_TGID); |
219 | send_signal_locked(SIGCONT, SEND_SIG_PRIV, p, type: PIDTYPE_TGID); |
220 | put_pid(pid: p->signal->tty_old_pgrp); /* A noop */ |
221 | spin_lock(lock: &tty->ctrl.lock); |
222 | tty_pgrp = get_pid(pid: tty->ctrl.pgrp); |
223 | if (tty->ctrl.pgrp) |
224 | p->signal->tty_old_pgrp = |
225 | get_pid(pid: tty->ctrl.pgrp); |
226 | spin_unlock(lock: &tty->ctrl.lock); |
227 | spin_unlock_irq(lock: &p->sighand->siglock); |
228 | } while_each_pid_task(tty->ctrl.session, PIDTYPE_SID, p); |
229 | } |
230 | read_unlock(&tasklist_lock); |
231 | |
232 | if (tty_pgrp) { |
233 | if (exit_session) |
234 | kill_pgrp(pid: tty_pgrp, SIGHUP, priv: exit_session); |
235 | put_pid(pid: tty_pgrp); |
236 | } |
237 | |
238 | return refs; |
239 | } |
240 | |
241 | /** |
242 | * disassociate_ctty - disconnect controlling tty |
243 | * @on_exit: true if exiting so need to "hang up" the session |
244 | * |
245 | * This function is typically called only by the session leader, when |
246 | * it wants to disassociate itself from its controlling tty. |
247 | * |
248 | * It performs the following functions: |
249 | * (1) Sends a SIGHUP and SIGCONT to the foreground process group |
250 | * (2) Clears the tty from being controlling the session |
251 | * (3) Clears the controlling tty for all processes in the |
252 | * session group. |
253 | * |
254 | * The argument on_exit is set to 1 if called when a process is |
255 | * exiting; it is 0 if called by the ioctl TIOCNOTTY. |
256 | * |
257 | * Locking: |
258 | * BTM is taken for hysterical raisons, and held when |
259 | * called from no_tty(). |
260 | * tty_mutex is taken to protect tty |
261 | * ->siglock is taken to protect ->signal/->sighand |
262 | * tasklist_lock is taken to walk process list for sessions |
263 | * ->siglock is taken to protect ->signal/->sighand |
264 | */ |
265 | void disassociate_ctty(int on_exit) |
266 | { |
267 | struct tty_struct *tty; |
268 | |
269 | if (!current->signal->leader) |
270 | return; |
271 | |
272 | tty = get_current_tty(); |
273 | if (tty) { |
274 | if (on_exit && tty->driver->type != TTY_DRIVER_TYPE_PTY) { |
275 | tty_vhangup_session(tty); |
276 | } else { |
277 | struct pid *tty_pgrp = tty_get_pgrp(tty); |
278 | |
279 | if (tty_pgrp) { |
280 | kill_pgrp(pid: tty_pgrp, SIGHUP, priv: on_exit); |
281 | if (!on_exit) |
282 | kill_pgrp(pid: tty_pgrp, SIGCONT, priv: on_exit); |
283 | put_pid(pid: tty_pgrp); |
284 | } |
285 | } |
286 | tty_kref_put(tty); |
287 | |
288 | } else if (on_exit) { |
289 | struct pid *old_pgrp; |
290 | |
291 | spin_lock_irq(lock: ¤t->sighand->siglock); |
292 | old_pgrp = current->signal->tty_old_pgrp; |
293 | current->signal->tty_old_pgrp = NULL; |
294 | spin_unlock_irq(lock: ¤t->sighand->siglock); |
295 | if (old_pgrp) { |
296 | kill_pgrp(pid: old_pgrp, SIGHUP, priv: on_exit); |
297 | kill_pgrp(pid: old_pgrp, SIGCONT, priv: on_exit); |
298 | put_pid(pid: old_pgrp); |
299 | } |
300 | return; |
301 | } |
302 | |
303 | tty = get_current_tty(); |
304 | if (tty) { |
305 | unsigned long flags; |
306 | |
307 | tty_lock(tty); |
308 | spin_lock_irqsave(&tty->ctrl.lock, flags); |
309 | put_pid(pid: tty->ctrl.session); |
310 | put_pid(pid: tty->ctrl.pgrp); |
311 | tty->ctrl.session = NULL; |
312 | tty->ctrl.pgrp = NULL; |
313 | spin_unlock_irqrestore(lock: &tty->ctrl.lock, flags); |
314 | tty_unlock(tty); |
315 | tty_kref_put(tty); |
316 | } |
317 | |
318 | /* If tty->ctrl.pgrp is not NULL, it may be assigned to |
319 | * current->signal->tty_old_pgrp in a race condition, and |
320 | * cause pid memleak. Release current->signal->tty_old_pgrp |
321 | * after tty->ctrl.pgrp set to NULL. |
322 | */ |
323 | spin_lock_irq(lock: ¤t->sighand->siglock); |
324 | put_pid(current->signal->tty_old_pgrp); |
325 | current->signal->tty_old_pgrp = NULL; |
326 | spin_unlock_irq(lock: ¤t->sighand->siglock); |
327 | |
328 | /* Now clear signal->tty under the lock */ |
329 | read_lock(&tasklist_lock); |
330 | session_clear_tty(session: task_session(current)); |
331 | read_unlock(&tasklist_lock); |
332 | } |
333 | |
334 | /* |
335 | * |
336 | * no_tty - Ensure the current process does not have a controlling tty |
337 | */ |
338 | void no_tty(void) |
339 | { |
340 | /* |
341 | * FIXME: Review locking here. The tty_lock never covered any race |
342 | * between a new association and proc_clear_tty but possibly we need |
343 | * to protect against this anyway. |
344 | */ |
345 | struct task_struct *tsk = current; |
346 | |
347 | disassociate_ctty(on_exit: 0); |
348 | proc_clear_tty(p: tsk); |
349 | } |
350 | |
351 | /** |
352 | * tiocsctty - set controlling tty |
353 | * @tty: tty structure |
354 | * @file: file structure used to check permissions |
355 | * @arg: user argument |
356 | * |
357 | * This ioctl is used to manage job control. It permits a session |
358 | * leader to set this tty as the controlling tty for the session. |
359 | * |
360 | * Locking: |
361 | * Takes tty_lock() to serialize proc_set_tty() for this tty |
362 | * Takes tasklist_lock internally to walk sessions |
363 | * Takes ->siglock() when updating signal->tty |
364 | */ |
365 | static int tiocsctty(struct tty_struct *tty, struct file *file, int arg) |
366 | { |
367 | int ret = 0; |
368 | |
369 | tty_lock(tty); |
370 | read_lock(&tasklist_lock); |
371 | |
372 | if (current->signal->leader && |
373 | task_session(current) == tty->ctrl.session) |
374 | goto unlock; |
375 | |
376 | /* |
377 | * The process must be a session leader and |
378 | * not have a controlling tty already. |
379 | */ |
380 | if (!current->signal->leader || current->signal->tty) { |
381 | ret = -EPERM; |
382 | goto unlock; |
383 | } |
384 | |
385 | if (tty->ctrl.session) { |
386 | /* |
387 | * This tty is already the controlling |
388 | * tty for another session group! |
389 | */ |
390 | if (arg == 1 && capable(CAP_SYS_ADMIN)) { |
391 | /* |
392 | * Steal it away |
393 | */ |
394 | session_clear_tty(session: tty->ctrl.session); |
395 | } else { |
396 | ret = -EPERM; |
397 | goto unlock; |
398 | } |
399 | } |
400 | |
401 | /* See the comment in tty_open_proc_set_tty(). */ |
402 | if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) { |
403 | ret = -EPERM; |
404 | goto unlock; |
405 | } |
406 | |
407 | proc_set_tty(tty); |
408 | unlock: |
409 | read_unlock(&tasklist_lock); |
410 | tty_unlock(tty); |
411 | return ret; |
412 | } |
413 | |
414 | /** |
415 | * tty_get_pgrp - return a ref counted pgrp pid |
416 | * @tty: tty to read |
417 | * |
418 | * Returns a refcounted instance of the pid struct for the process |
419 | * group controlling the tty. |
420 | */ |
421 | struct pid *tty_get_pgrp(struct tty_struct *tty) |
422 | { |
423 | unsigned long flags; |
424 | struct pid *pgrp; |
425 | |
426 | spin_lock_irqsave(&tty->ctrl.lock, flags); |
427 | pgrp = get_pid(pid: tty->ctrl.pgrp); |
428 | spin_unlock_irqrestore(lock: &tty->ctrl.lock, flags); |
429 | |
430 | return pgrp; |
431 | } |
432 | EXPORT_SYMBOL_GPL(tty_get_pgrp); |
433 | |
434 | /* |
435 | * This checks not only the pgrp, but falls back on the pid if no |
436 | * satisfactory pgrp is found. I dunno - gdb doesn't work correctly |
437 | * without this... |
438 | * |
439 | * The caller must hold rcu lock or the tasklist lock. |
440 | */ |
441 | static struct pid *session_of_pgrp(struct pid *pgrp) |
442 | { |
443 | struct task_struct *p; |
444 | struct pid *sid = NULL; |
445 | |
446 | p = pid_task(pid: pgrp, PIDTYPE_PGID); |
447 | if (p == NULL) |
448 | p = pid_task(pid: pgrp, PIDTYPE_PID); |
449 | if (p != NULL) |
450 | sid = task_session(task: p); |
451 | |
452 | return sid; |
453 | } |
454 | |
455 | /** |
456 | * tiocgpgrp - get process group |
457 | * @tty: tty passed by user |
458 | * @real_tty: tty side of the tty passed by the user if a pty else the tty |
459 | * @p: returned pid |
460 | * |
461 | * Obtain the process group of the tty. If there is no process group |
462 | * return an error. |
463 | * |
464 | * Locking: none. Reference to current->signal->tty is safe. |
465 | */ |
466 | static int tiocgpgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p) |
467 | { |
468 | struct pid *pid; |
469 | int ret; |
470 | /* |
471 | * (tty == real_tty) is a cheap way of |
472 | * testing if the tty is NOT a master pty. |
473 | */ |
474 | if (tty == real_tty && current->signal->tty != real_tty) |
475 | return -ENOTTY; |
476 | pid = tty_get_pgrp(real_tty); |
477 | ret = put_user(pid_vnr(pid), p); |
478 | put_pid(pid); |
479 | return ret; |
480 | } |
481 | |
482 | /** |
483 | * tiocspgrp - attempt to set process group |
484 | * @tty: tty passed by user |
485 | * @real_tty: tty side device matching tty passed by user |
486 | * @p: pid pointer |
487 | * |
488 | * Set the process group of the tty to the session passed. Only |
489 | * permitted where the tty session is our session. |
490 | * |
491 | * Locking: RCU, ctrl lock |
492 | */ |
493 | static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p) |
494 | { |
495 | struct pid *pgrp; |
496 | pid_t pgrp_nr; |
497 | int retval = tty_check_change(real_tty); |
498 | |
499 | if (retval == -EIO) |
500 | return -ENOTTY; |
501 | if (retval) |
502 | return retval; |
503 | |
504 | if (get_user(pgrp_nr, p)) |
505 | return -EFAULT; |
506 | if (pgrp_nr < 0) |
507 | return -EINVAL; |
508 | |
509 | spin_lock_irq(lock: &real_tty->ctrl.lock); |
510 | if (!current->signal->tty || |
511 | (current->signal->tty != real_tty) || |
512 | (real_tty->ctrl.session != task_session(current))) { |
513 | retval = -ENOTTY; |
514 | goto out_unlock_ctrl; |
515 | } |
516 | rcu_read_lock(); |
517 | pgrp = find_vpid(nr: pgrp_nr); |
518 | retval = -ESRCH; |
519 | if (!pgrp) |
520 | goto out_unlock; |
521 | retval = -EPERM; |
522 | if (session_of_pgrp(pgrp) != task_session(current)) |
523 | goto out_unlock; |
524 | retval = 0; |
525 | put_pid(pid: real_tty->ctrl.pgrp); |
526 | real_tty->ctrl.pgrp = get_pid(pid: pgrp); |
527 | out_unlock: |
528 | rcu_read_unlock(); |
529 | out_unlock_ctrl: |
530 | spin_unlock_irq(lock: &real_tty->ctrl.lock); |
531 | return retval; |
532 | } |
533 | |
534 | /** |
535 | * tiocgsid - get session id |
536 | * @tty: tty passed by user |
537 | * @real_tty: tty side of the tty passed by the user if a pty else the tty |
538 | * @p: pointer to returned session id |
539 | * |
540 | * Obtain the session id of the tty. If there is no session |
541 | * return an error. |
542 | */ |
543 | static int tiocgsid(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p) |
544 | { |
545 | unsigned long flags; |
546 | pid_t sid; |
547 | |
548 | /* |
549 | * (tty == real_tty) is a cheap way of |
550 | * testing if the tty is NOT a master pty. |
551 | */ |
552 | if (tty == real_tty && current->signal->tty != real_tty) |
553 | return -ENOTTY; |
554 | |
555 | spin_lock_irqsave(&real_tty->ctrl.lock, flags); |
556 | if (!real_tty->ctrl.session) |
557 | goto err; |
558 | sid = pid_vnr(pid: real_tty->ctrl.session); |
559 | spin_unlock_irqrestore(lock: &real_tty->ctrl.lock, flags); |
560 | |
561 | return put_user(sid, p); |
562 | |
563 | err: |
564 | spin_unlock_irqrestore(lock: &real_tty->ctrl.lock, flags); |
565 | return -ENOTTY; |
566 | } |
567 | |
568 | /* |
569 | * Called from tty_ioctl(). If tty is a pty then real_tty is the slave side, |
570 | * if not then tty == real_tty. |
571 | */ |
572 | long tty_jobctrl_ioctl(struct tty_struct *tty, struct tty_struct *real_tty, |
573 | struct file *file, unsigned int cmd, unsigned long arg) |
574 | { |
575 | void __user *p = (void __user *)arg; |
576 | |
577 | switch (cmd) { |
578 | case TIOCNOTTY: |
579 | if (current->signal->tty != tty) |
580 | return -ENOTTY; |
581 | no_tty(); |
582 | return 0; |
583 | case TIOCSCTTY: |
584 | return tiocsctty(tty: real_tty, file, arg); |
585 | case TIOCGPGRP: |
586 | return tiocgpgrp(tty, real_tty, p); |
587 | case TIOCSPGRP: |
588 | return tiocspgrp(tty, real_tty, p); |
589 | case TIOCGSID: |
590 | return tiocgsid(tty, real_tty, p); |
591 | } |
592 | return -ENOIOCTLCMD; |
593 | } |
594 | |