scm.c source code [linux/net/core/scm.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/ scm.c - Socket level control messages processing.*
3	*
4	* Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
5	* Alignment and value checking mods by Craig Metz
6	*/
7
8	#include <linux/module.h>
9	#include <linux/signal.h>
10	#include <linux/capability.h>
11	#include <linux/errno.h>
12	#include <linux/sched.h>
13	#include <linux/sched/user.h>
14	#include <linux/mm.h>
15	#include <linux/kernel.h>
16	#include <linux/stat.h>
17	#include <linux/socket.h>
18	#include <linux/file.h>
19	#include <linux/fcntl.h>
20	#include <linux/net.h>
21	#include <linux/interrupt.h>
22	#include <linux/netdevice.h>
23	#include <linux/security.h>
24	#include <linux/pid_namespace.h>
25	#include <linux/pid.h>
26	#include <linux/nsproxy.h>
27	#include <linux/slab.h>
28	#include <linux/errqueue.h>
29
30	#include <linux/uaccess.h>
31
32	#include <net/protocol.h>
33	#include <linux/skbuff.h>
34	#include <net/sock.h>
35	#include <net/compat.h>
36	#include <net/scm.h>
37	#include <net/cls_cgroup.h>
38
39
40	/*
41	* Only allow a user to send credentials, that they could set with
42	* setu(g)id.
43	*/
44
45	static __inline__ int scm_check_creds(struct ucred *creds)
46	{
47	const struct cred *cred = current_cred();
48	kuid_t uid = make_kuid(from: cred->user_ns, uid: creds->uid);
49	kgid_t gid = make_kgid(from: cred->user_ns, gid: creds->gid);
50
51	if (!uid_valid(uid) \|\| !gid_valid(gid))
52	return -EINVAL;
53
54	if ((creds->pid == task_tgid_vnr(current) \|\|
55	ns_capable(ns: task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
56	((uid_eq(left: uid, right: cred->uid) \|\| uid_eq(left: uid, right: cred->euid) \|\|
57	uid_eq(left: uid, right: cred->suid)) \|\| ns_capable(ns: cred->user_ns, CAP_SETUID)) &&
58	((gid_eq(left: gid, right: cred->gid) \|\| gid_eq(left: gid, right: cred->egid) \|\|
59	gid_eq(left: gid, right: cred->sgid)) \|\| ns_capable(ns: cred->user_ns, CAP_SETGID))) {
60	return `0`;
61	}
62	return -EPERM;
63	}
64
65	static int scm_fp_copy(struct cmsghdr cmsg, struct* scm_fp_list **fplp)
66	{
67	int fdp = (int**)CMSG_DATA(cmsg);
68	struct scm_fp_list fpl = fplp;
69	struct file **fpp;
70	int i, num;
71
72	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
73
74	if (num <= `0`)
75	return `0`;
76
77	if (num > SCM_MAX_FD)
78	return -EINVAL;
79
80	if (!fpl)
81	{
82	fpl = kmalloc(size: sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
83	if (!fpl)
84	return -ENOMEM;
85	*fplp = fpl;
86	fpl->count = `0`;
87	fpl->max = SCM_MAX_FD;
88	fpl->user = NULL;
89	}
90	fpp = &fpl->fp[fpl->count];
91
92	if (fpl->count + num > fpl->max)
93	return -EINVAL;
94
95	/*
96	* Verify the descriptors and increment the usage count.
97	*/
98
99	for (i=`0`; i< num; i++)
100	{
101	int fd = fdp[i];
102	struct file *file;
103
104	if (fd < `0` \|\| !(file = fget_raw(fd)))
105	return -EBADF;
106	*fpp++ = file;
107	fpl->count++;
108	}
109
110	if (!fpl->user)
111	fpl->user = get_uid(current_user());
112
113	return num;
114	}
115
116	void __scm_destroy(struct scm_cookie *scm)
117	{
118	struct scm_fp_list *fpl = scm->fp;
119	int i;
120
121	if (fpl) {
122	scm->fp = NULL;
123	for (i=fpl->count-`1`; i>=`0`; i--)
124	fput(fpl->fp[i]);
125	free_uid(fpl->user);
126	kfree(objp: fpl);
127	}
128	}
129	EXPORT_SYMBOL(__scm_destroy);
130
131	int __scm_send(struct socket sock, struct* msghdr msg, struct* scm_cookie *p)
132	{
133	const struct proto_ops *ops = READ_ONCE(sock->ops);
134	struct cmsghdr *cmsg;
135	int err;
136
137	for_each_cmsghdr(cmsg, msg) {
138	err = -EINVAL;
139
140	/ Verify that cmsg_len is at least sizeof(struct cmsghdr) /
141	/ The first check was omitted in <= 2.2.5. The reasoning was*
142	that parser checks cmsg_len in any case, so that
143	additional check would be work duplication.
144	But if cmsg_level is not SOL_SOCKET, we do not check
145	for too short ancillary data object at all! Oops.
146	OK, let's add it...
147	*/
148	if (!CMSG_OK(msg, cmsg))
149	goto error;
150
151	if (cmsg->cmsg_level != SOL_SOCKET)
152	continue;
153
154	switch (cmsg->cmsg_type)
155	{
156	case SCM_RIGHTS:
157	if (!ops \|\| ops->family != PF_UNIX)
158	goto error;
159	err=scm_fp_copy(cmsg, fplp: &p->fp);
160	if (err<`0`)
161	goto error;
162	break;
163	case SCM_CREDENTIALS:
164	{
165	struct ucred creds;
166	kuid_t uid;
167	kgid_t gid;
168	if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
169	goto error;
170	memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
171	err = scm_check_creds(creds: &creds);
172	if (err)
173	goto error;
174
175	p->creds.pid = creds.pid;
176	if (!p->pid \|\| pid_vnr(pid: p->pid) != creds.pid) {
177	struct pid *pid;
178	err = -ESRCH;
179	pid = find_get_pid(nr: creds.pid);
180	if (!pid)
181	goto error;
182	put_pid(pid: p->pid);
183	p->pid = pid;
184	}
185
186	err = -EINVAL;
187	uid = make_kuid(current_user_ns(), uid: creds.uid);
188	gid = make_kgid(current_user_ns(), gid: creds.gid);
189	if (!uid_valid(uid) \|\| !gid_valid(gid))
190	goto error;
191
192	p->creds.uid = uid;
193	p->creds.gid = gid;
194	break;
195	}
196	default:
197	goto error;
198	}
199	}
200
201	if (p->fp && !p->fp->count)
202	{
203	kfree(objp: p->fp);
204	p->fp = NULL;
205	}
206	return `0`;
207
208	error:
209	scm_destroy(scm: p);
210	return err;
211	}
212	EXPORT_SYMBOL(__scm_send);
213
214	int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
215	{
216	int cmlen = CMSG_LEN(len);
217
218	if (msg->msg_flags & MSG_CMSG_COMPAT)
219	return put_cmsg_compat(msg, level, type, len, data);
220
221	if (!msg->msg_control \|\| msg->msg_controllen < sizeof(struct cmsghdr)) {
222	msg->msg_flags \|= MSG_CTRUNC;
223	return `0`; / XXX: return error? check spec. /
224	}
225	if (msg->msg_controllen < cmlen) {
226	msg->msg_flags \|= MSG_CTRUNC;
227	cmlen = msg->msg_controllen;
228	}
229
230	if (msg->msg_control_is_user) {
231	struct cmsghdr __user *cm = msg->msg_control_user;
232
233	check_object_size(ptr: data, n: cmlen - sizeof(*cm), to_user: true);
234
235	if (!user_write_access_begin(cm, cmlen))
236	goto efault;
237
238	unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
239	unsafe_put_user(level, &cm->cmsg_level, efault_end);
240	unsafe_put_user(type, &cm->cmsg_type, efault_end);
241	unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
242	cmlen - sizeof(*cm), efault_end);
243	user_write_access_end();
244	} else {
245	struct cmsghdr *cm = msg->msg_control;
246
247	cm->cmsg_level = level;
248	cm->cmsg_type = type;
249	cm->cmsg_len = cmlen;
250	memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
251	}
252
253	cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
254	if (msg->msg_control_is_user)
255	msg->msg_control_user += cmlen;
256	else
257	msg->msg_control += cmlen;
258	msg->msg_controllen -= cmlen;
259	return `0`;
260
261	efault_end:
262	user_write_access_end();
263	efault:
264	return -EFAULT;
265	}
266	EXPORT_SYMBOL(put_cmsg);
267
268	void put_cmsg_scm_timestamping64(struct msghdr msg, struct* scm_timestamping_internal *tss_internal)
269	{
270	struct scm_timestamping64 tss;
271	int i;
272
273	for (i = `0`; i < ARRAY_SIZE(tss.ts); i++) {
274	tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
275	tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
276	}
277
278	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
279	}
280	EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
281
282	void put_cmsg_scm_timestamping(struct msghdr msg, struct* scm_timestamping_internal *tss_internal)
283	{
284	struct scm_timestamping tss;
285	int i;
286
287	for (i = `0`; i < ARRAY_SIZE(tss.ts); i++) {
288	tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
289	tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
290	}
291
292	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
293	}
294	EXPORT_SYMBOL(put_cmsg_scm_timestamping);
295
296	static int scm_max_fds(struct msghdr *msg)
297	{
298	if (msg->msg_controllen <= sizeof(struct cmsghdr))
299	return `0`;
300	return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
301	}
302
303	void scm_detach_fds(struct msghdr msg, struct* scm_cookie *scm)
304	{
305	struct cmsghdr __user *cm =
306	(__force struct cmsghdr __user *)msg->msg_control_user;
307	unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : `0`;
308	int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
309	int __user *cmsg_data = CMSG_USER_DATA(cm);
310	int err = `0`, i;
311
312	/ no use for FD passing from kernel space callers /
313	if (WARN_ON_ONCE(!msg->msg_control_is_user))
314	return;
315
316	if (msg->msg_flags & MSG_CMSG_COMPAT) {
317	scm_detach_fds_compat(msg, scm);
318	return;
319	}
320
321	for (i = `0`; i < fdmax; i++) {
322	err = receive_fd_user(file: scm->fp->fp[i], ufd: cmsg_data + i, o_flags);
323	if (err < `0`)
324	break;
325	}
326
327	if (i > `0`) {
328	int cmlen = CMSG_LEN(i * sizeof(int));
329
330	err = put_user(SOL_SOCKET, &cm->cmsg_level);
331	if (!err)
332	err = put_user(SCM_RIGHTS, &cm->cmsg_type);
333	if (!err)
334	err = put_user(cmlen, &cm->cmsg_len);
335	if (!err) {
336	cmlen = CMSG_SPACE(i * sizeof(int));
337	if (msg->msg_controllen < cmlen)
338	cmlen = msg->msg_controllen;
339	msg->msg_control_user += cmlen;
340	msg->msg_controllen -= cmlen;
341	}
342	}
343
344	if (i < scm->fp->count \|\| (scm->fp->count && fdmax <= `0`))
345	msg->msg_flags \|= MSG_CTRUNC;
346
347	/*
348	* All of the files that fit in the message have had their usage counts
349	* incremented, so we just free the list.
350	*/
351	__scm_destroy(scm);
352	}
353	EXPORT_SYMBOL(scm_detach_fds);
354
355	struct scm_fp_list scm_fp_dup(struct* scm_fp_list *fpl)
356	{
357	struct scm_fp_list *new_fpl;
358	int i;
359
360	if (!fpl)
361	return NULL;
362
363	new_fpl = kmemdup(p: fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
364	GFP_KERNEL_ACCOUNT);
365	if (new_fpl) {
366	for (i = `0`; i < fpl->count; i++)
367	get_file(f: fpl->fp[i]);
368	new_fpl->max = new_fpl->count;
369	new_fpl->user = get_uid(u: fpl->user);
370	}
371	return new_fpl;
372	}
373	EXPORT_SYMBOL(scm_fp_dup);
374

source code of linux/net/core/scm.c