1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* scm.c - Socket level control messages processing. |
3 | * |
4 | * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> |
5 | * Alignment and value checking mods by Craig Metz |
6 | */ |
7 | |
8 | #include <linux/module.h> |
9 | #include <linux/signal.h> |
10 | #include <linux/capability.h> |
11 | #include <linux/errno.h> |
12 | #include <linux/sched.h> |
13 | #include <linux/sched/user.h> |
14 | #include <linux/mm.h> |
15 | #include <linux/kernel.h> |
16 | #include <linux/stat.h> |
17 | #include <linux/socket.h> |
18 | #include <linux/file.h> |
19 | #include <linux/fcntl.h> |
20 | #include <linux/net.h> |
21 | #include <linux/interrupt.h> |
22 | #include <linux/netdevice.h> |
23 | #include <linux/security.h> |
24 | #include <linux/pid_namespace.h> |
25 | #include <linux/pid.h> |
26 | #include <linux/nsproxy.h> |
27 | #include <linux/slab.h> |
28 | #include <linux/errqueue.h> |
29 | |
30 | #include <linux/uaccess.h> |
31 | |
32 | #include <net/protocol.h> |
33 | #include <linux/skbuff.h> |
34 | #include <net/sock.h> |
35 | #include <net/compat.h> |
36 | #include <net/scm.h> |
37 | #include <net/cls_cgroup.h> |
38 | |
39 | |
40 | /* |
41 | * Only allow a user to send credentials, that they could set with |
42 | * setu(g)id. |
43 | */ |
44 | |
45 | static __inline__ int scm_check_creds(struct ucred *creds) |
46 | { |
47 | const struct cred *cred = current_cred(); |
48 | kuid_t uid = make_kuid(from: cred->user_ns, uid: creds->uid); |
49 | kgid_t gid = make_kgid(from: cred->user_ns, gid: creds->gid); |
50 | |
51 | if (!uid_valid(uid) || !gid_valid(gid)) |
52 | return -EINVAL; |
53 | |
54 | if ((creds->pid == task_tgid_vnr(current) || |
55 | ns_capable(ns: task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) && |
56 | ((uid_eq(left: uid, right: cred->uid) || uid_eq(left: uid, right: cred->euid) || |
57 | uid_eq(left: uid, right: cred->suid)) || ns_capable(ns: cred->user_ns, CAP_SETUID)) && |
58 | ((gid_eq(left: gid, right: cred->gid) || gid_eq(left: gid, right: cred->egid) || |
59 | gid_eq(left: gid, right: cred->sgid)) || ns_capable(ns: cred->user_ns, CAP_SETGID))) { |
60 | return 0; |
61 | } |
62 | return -EPERM; |
63 | } |
64 | |
65 | static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) |
66 | { |
67 | int *fdp = (int*)CMSG_DATA(cmsg); |
68 | struct scm_fp_list *fpl = *fplp; |
69 | struct file **fpp; |
70 | int i, num; |
71 | |
72 | num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int); |
73 | |
74 | if (num <= 0) |
75 | return 0; |
76 | |
77 | if (num > SCM_MAX_FD) |
78 | return -EINVAL; |
79 | |
80 | if (!fpl) |
81 | { |
82 | fpl = kmalloc(size: sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT); |
83 | if (!fpl) |
84 | return -ENOMEM; |
85 | *fplp = fpl; |
86 | fpl->count = 0; |
87 | fpl->max = SCM_MAX_FD; |
88 | fpl->user = NULL; |
89 | } |
90 | fpp = &fpl->fp[fpl->count]; |
91 | |
92 | if (fpl->count + num > fpl->max) |
93 | return -EINVAL; |
94 | |
95 | /* |
96 | * Verify the descriptors and increment the usage count. |
97 | */ |
98 | |
99 | for (i=0; i< num; i++) |
100 | { |
101 | int fd = fdp[i]; |
102 | struct file *file; |
103 | |
104 | if (fd < 0 || !(file = fget_raw(fd))) |
105 | return -EBADF; |
106 | *fpp++ = file; |
107 | fpl->count++; |
108 | } |
109 | |
110 | if (!fpl->user) |
111 | fpl->user = get_uid(current_user()); |
112 | |
113 | return num; |
114 | } |
115 | |
116 | void __scm_destroy(struct scm_cookie *scm) |
117 | { |
118 | struct scm_fp_list *fpl = scm->fp; |
119 | int i; |
120 | |
121 | if (fpl) { |
122 | scm->fp = NULL; |
123 | for (i=fpl->count-1; i>=0; i--) |
124 | fput(fpl->fp[i]); |
125 | free_uid(fpl->user); |
126 | kfree(objp: fpl); |
127 | } |
128 | } |
129 | EXPORT_SYMBOL(__scm_destroy); |
130 | |
131 | int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p) |
132 | { |
133 | const struct proto_ops *ops = READ_ONCE(sock->ops); |
134 | struct cmsghdr *cmsg; |
135 | int err; |
136 | |
137 | for_each_cmsghdr(cmsg, msg) { |
138 | err = -EINVAL; |
139 | |
140 | /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */ |
141 | /* The first check was omitted in <= 2.2.5. The reasoning was |
142 | that parser checks cmsg_len in any case, so that |
143 | additional check would be work duplication. |
144 | But if cmsg_level is not SOL_SOCKET, we do not check |
145 | for too short ancillary data object at all! Oops. |
146 | OK, let's add it... |
147 | */ |
148 | if (!CMSG_OK(msg, cmsg)) |
149 | goto error; |
150 | |
151 | if (cmsg->cmsg_level != SOL_SOCKET) |
152 | continue; |
153 | |
154 | switch (cmsg->cmsg_type) |
155 | { |
156 | case SCM_RIGHTS: |
157 | if (!ops || ops->family != PF_UNIX) |
158 | goto error; |
159 | err=scm_fp_copy(cmsg, fplp: &p->fp); |
160 | if (err<0) |
161 | goto error; |
162 | break; |
163 | case SCM_CREDENTIALS: |
164 | { |
165 | struct ucred creds; |
166 | kuid_t uid; |
167 | kgid_t gid; |
168 | if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred))) |
169 | goto error; |
170 | memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred)); |
171 | err = scm_check_creds(creds: &creds); |
172 | if (err) |
173 | goto error; |
174 | |
175 | p->creds.pid = creds.pid; |
176 | if (!p->pid || pid_vnr(pid: p->pid) != creds.pid) { |
177 | struct pid *pid; |
178 | err = -ESRCH; |
179 | pid = find_get_pid(nr: creds.pid); |
180 | if (!pid) |
181 | goto error; |
182 | put_pid(pid: p->pid); |
183 | p->pid = pid; |
184 | } |
185 | |
186 | err = -EINVAL; |
187 | uid = make_kuid(current_user_ns(), uid: creds.uid); |
188 | gid = make_kgid(current_user_ns(), gid: creds.gid); |
189 | if (!uid_valid(uid) || !gid_valid(gid)) |
190 | goto error; |
191 | |
192 | p->creds.uid = uid; |
193 | p->creds.gid = gid; |
194 | break; |
195 | } |
196 | default: |
197 | goto error; |
198 | } |
199 | } |
200 | |
201 | if (p->fp && !p->fp->count) |
202 | { |
203 | kfree(objp: p->fp); |
204 | p->fp = NULL; |
205 | } |
206 | return 0; |
207 | |
208 | error: |
209 | scm_destroy(scm: p); |
210 | return err; |
211 | } |
212 | EXPORT_SYMBOL(__scm_send); |
213 | |
214 | int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) |
215 | { |
216 | int cmlen = CMSG_LEN(len); |
217 | |
218 | if (msg->msg_flags & MSG_CMSG_COMPAT) |
219 | return put_cmsg_compat(msg, level, type, len, data); |
220 | |
221 | if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) { |
222 | msg->msg_flags |= MSG_CTRUNC; |
223 | return 0; /* XXX: return error? check spec. */ |
224 | } |
225 | if (msg->msg_controllen < cmlen) { |
226 | msg->msg_flags |= MSG_CTRUNC; |
227 | cmlen = msg->msg_controllen; |
228 | } |
229 | |
230 | if (msg->msg_control_is_user) { |
231 | struct cmsghdr __user *cm = msg->msg_control_user; |
232 | |
233 | check_object_size(ptr: data, n: cmlen - sizeof(*cm), to_user: true); |
234 | |
235 | if (!user_write_access_begin(cm, cmlen)) |
236 | goto efault; |
237 | |
238 | unsafe_put_user(cmlen, &cm->cmsg_len, efault_end); |
239 | unsafe_put_user(level, &cm->cmsg_level, efault_end); |
240 | unsafe_put_user(type, &cm->cmsg_type, efault_end); |
241 | unsafe_copy_to_user(CMSG_USER_DATA(cm), data, |
242 | cmlen - sizeof(*cm), efault_end); |
243 | user_write_access_end(); |
244 | } else { |
245 | struct cmsghdr *cm = msg->msg_control; |
246 | |
247 | cm->cmsg_level = level; |
248 | cm->cmsg_type = type; |
249 | cm->cmsg_len = cmlen; |
250 | memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm)); |
251 | } |
252 | |
253 | cmlen = min(CMSG_SPACE(len), msg->msg_controllen); |
254 | if (msg->msg_control_is_user) |
255 | msg->msg_control_user += cmlen; |
256 | else |
257 | msg->msg_control += cmlen; |
258 | msg->msg_controllen -= cmlen; |
259 | return 0; |
260 | |
261 | efault_end: |
262 | user_write_access_end(); |
263 | efault: |
264 | return -EFAULT; |
265 | } |
266 | EXPORT_SYMBOL(put_cmsg); |
267 | |
268 | void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal) |
269 | { |
270 | struct scm_timestamping64 tss; |
271 | int i; |
272 | |
273 | for (i = 0; i < ARRAY_SIZE(tss.ts); i++) { |
274 | tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec; |
275 | tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec; |
276 | } |
277 | |
278 | put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss); |
279 | } |
280 | EXPORT_SYMBOL(put_cmsg_scm_timestamping64); |
281 | |
282 | void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal) |
283 | { |
284 | struct scm_timestamping tss; |
285 | int i; |
286 | |
287 | for (i = 0; i < ARRAY_SIZE(tss.ts); i++) { |
288 | tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec; |
289 | tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec; |
290 | } |
291 | |
292 | put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss); |
293 | } |
294 | EXPORT_SYMBOL(put_cmsg_scm_timestamping); |
295 | |
296 | static int scm_max_fds(struct msghdr *msg) |
297 | { |
298 | if (msg->msg_controllen <= sizeof(struct cmsghdr)) |
299 | return 0; |
300 | return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int); |
301 | } |
302 | |
303 | void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) |
304 | { |
305 | struct cmsghdr __user *cm = |
306 | (__force struct cmsghdr __user *)msg->msg_control_user; |
307 | unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; |
308 | int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count); |
309 | int __user *cmsg_data = CMSG_USER_DATA(cm); |
310 | int err = 0, i; |
311 | |
312 | /* no use for FD passing from kernel space callers */ |
313 | if (WARN_ON_ONCE(!msg->msg_control_is_user)) |
314 | return; |
315 | |
316 | if (msg->msg_flags & MSG_CMSG_COMPAT) { |
317 | scm_detach_fds_compat(msg, scm); |
318 | return; |
319 | } |
320 | |
321 | for (i = 0; i < fdmax; i++) { |
322 | err = receive_fd_user(file: scm->fp->fp[i], ufd: cmsg_data + i, o_flags); |
323 | if (err < 0) |
324 | break; |
325 | } |
326 | |
327 | if (i > 0) { |
328 | int cmlen = CMSG_LEN(i * sizeof(int)); |
329 | |
330 | err = put_user(SOL_SOCKET, &cm->cmsg_level); |
331 | if (!err) |
332 | err = put_user(SCM_RIGHTS, &cm->cmsg_type); |
333 | if (!err) |
334 | err = put_user(cmlen, &cm->cmsg_len); |
335 | if (!err) { |
336 | cmlen = CMSG_SPACE(i * sizeof(int)); |
337 | if (msg->msg_controllen < cmlen) |
338 | cmlen = msg->msg_controllen; |
339 | msg->msg_control_user += cmlen; |
340 | msg->msg_controllen -= cmlen; |
341 | } |
342 | } |
343 | |
344 | if (i < scm->fp->count || (scm->fp->count && fdmax <= 0)) |
345 | msg->msg_flags |= MSG_CTRUNC; |
346 | |
347 | /* |
348 | * All of the files that fit in the message have had their usage counts |
349 | * incremented, so we just free the list. |
350 | */ |
351 | __scm_destroy(scm); |
352 | } |
353 | EXPORT_SYMBOL(scm_detach_fds); |
354 | |
355 | struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) |
356 | { |
357 | struct scm_fp_list *new_fpl; |
358 | int i; |
359 | |
360 | if (!fpl) |
361 | return NULL; |
362 | |
363 | new_fpl = kmemdup(p: fpl, offsetof(struct scm_fp_list, fp[fpl->count]), |
364 | GFP_KERNEL_ACCOUNT); |
365 | if (new_fpl) { |
366 | for (i = 0; i < fpl->count; i++) |
367 | get_file(f: fpl->fp[i]); |
368 | new_fpl->max = new_fpl->count; |
369 | new_fpl->user = get_uid(u: fpl->user); |
370 | } |
371 | return new_fpl; |
372 | } |
373 | EXPORT_SYMBOL(scm_fp_dup); |
374 | |