net/core/scm.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* scm.c - Socket level control messages processing.
0003  *
0004  * Author:  Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
0005  *              Alignment and value checking mods by Craig Metz
0006  */
0007
0008 #include <linux/module.h>
0009 #include <linux/signal.h>
0010 #include <linux/capability.h>
0011 #include <linux/errno.h>
0012 #include <linux/sched.h>
0013 #include <linux/sched/user.h>
0014 #include <linux/mm.h>
0015 #include <linux/kernel.h>
0016 #include <linux/stat.h>
0017 #include <linux/socket.h>
0018 #include <linux/file.h>
0019 #include <linux/fcntl.h>
0020 #include <linux/net.h>
0021 #include <linux/interrupt.h>
0022 #include <linux/netdevice.h>
0023 #include <linux/security.h>
0024 #include <linux/pid_namespace.h>
0025 #include <linux/pid.h>
0026 #include <linux/nsproxy.h>
0027 #include <linux/slab.h>
0028 #include <linux/errqueue.h>
0029
0030 #include <linux/uaccess.h>
0031
0032 #include <net/protocol.h>
0033 #include <linux/skbuff.h>
0034 #include <net/sock.h>
0035 #include <net/compat.h>
0036 #include <net/scm.h>
0037 #include <net/cls_cgroup.h>
0038
0039
0040 /*
0041  *  Only allow a user to send credentials, that they could set with
0042  *  setu(g)id.
0043  */
0044
0045 static __inline__ int scm_check_creds(struct ucred *creds)
0046 {
0047     const struct cred *cred = current_cred();
0048     kuid_t uid = make_kuid(cred->user_ns, creds->uid);
0049     kgid_t gid = make_kgid(cred->user_ns, creds->gid);
0050
0051     if (!uid_valid(uid) || !gid_valid(gid))
0052         return -EINVAL;
0053
0054     if ((creds->pid == task_tgid_vnr(current) ||
0055          ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
0056         ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
0057           uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
0058         ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
0059           gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
0060            return 0;
0061     }
0062     return -EPERM;
0063 }
0064
0065 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
0066 {
0067     int *fdp = (int*)CMSG_DATA(cmsg);
0068     struct scm_fp_list *fpl = *fplp;
0069     struct file **fpp;
0070     int i, num;
0071
0072     num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
0073
0074     if (num <= 0)
0075         return 0;
0076
0077     if (num > SCM_MAX_FD)
0078         return -EINVAL;
0079
0080     if (!fpl)
0081     {
0082         fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
0083         if (!fpl)
0084             return -ENOMEM;
0085         *fplp = fpl;
0086         fpl->count = 0;
0087         fpl->max = SCM_MAX_FD;
0088         fpl->user = NULL;
0089     }
0090     fpp = &fpl->fp[fpl->count];
0091
0092     if (fpl->count + num > fpl->max)
0093         return -EINVAL;
0094
0095     /*
0096      *  Verify the descriptors and increment the usage count.
0097      */
0098
0099     for (i=0; i< num; i++)
0100     {
0101         int fd = fdp[i];
0102         struct file *file;
0103
0104         if (fd < 0 || !(file = fget_raw(fd)))
0105             return -EBADF;
0106         *fpp++ = file;
0107         fpl->count++;
0108     }
0109
0110     if (!fpl->user)
0111         fpl->user = get_uid(current_user());
0112
0113     return num;
0114 }
0115
0116 void __scm_destroy(struct scm_cookie *scm)
0117 {
0118     struct scm_fp_list *fpl = scm->fp;
0119     int i;
0120
0121     if (fpl) {
0122         scm->fp = NULL;
0123         for (i=fpl->count-1; i>=0; i--)
0124             fput(fpl->fp[i]);
0125         free_uid(fpl->user);
0126         kfree(fpl);
0127     }
0128 }
0129 EXPORT_SYMBOL(__scm_destroy);
0130
0131 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
0132 {
0133     struct cmsghdr *cmsg;
0134     int err;
0135
0136     for_each_cmsghdr(cmsg, msg) {
0137         err = -EINVAL;
0138
0139         /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
0140         /* The first check was omitted in <= 2.2.5. The reasoning was
0141            that parser checks cmsg_len in any case, so that
0142            additional check would be work duplication.
0143            But if cmsg_level is not SOL_SOCKET, we do not check
0144            for too short ancillary data object at all! Oops.
0145            OK, let's add it...
0146          */
0147         if (!CMSG_OK(msg, cmsg))
0148             goto error;
0149
0150         if (cmsg->cmsg_level != SOL_SOCKET)
0151             continue;
0152
0153         switch (cmsg->cmsg_type)
0154         {
0155         case SCM_RIGHTS:
0156             if (!sock->ops || sock->ops->family != PF_UNIX)
0157                 goto error;
0158             err=scm_fp_copy(cmsg, &p->fp);
0159             if (err<0)
0160                 goto error;
0161             break;
0162         case SCM_CREDENTIALS:
0163         {
0164             struct ucred creds;
0165             kuid_t uid;
0166             kgid_t gid;
0167             if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
0168                 goto error;
0169             memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
0170             err = scm_check_creds(&creds);
0171             if (err)
0172                 goto error;
0173
0174             p->creds.pid = creds.pid;
0175             if (!p->pid || pid_vnr(p->pid) != creds.pid) {
0176                 struct pid *pid;
0177                 err = -ESRCH;
0178                 pid = find_get_pid(creds.pid);
0179                 if (!pid)
0180                     goto error;
0181                 put_pid(p->pid);
0182                 p->pid = pid;
0183             }
0184
0185             err = -EINVAL;
0186             uid = make_kuid(current_user_ns(), creds.uid);
0187             gid = make_kgid(current_user_ns(), creds.gid);
0188             if (!uid_valid(uid) || !gid_valid(gid))
0189                 goto error;
0190
0191             p->creds.uid = uid;
0192             p->creds.gid = gid;
0193             break;
0194         }
0195         default:
0196             goto error;
0197         }
0198     }
0199
0200     if (p->fp && !p->fp->count)
0201     {
0202         kfree(p->fp);
0203         p->fp = NULL;
0204     }
0205     return 0;
0206
0207 error:
0208     scm_destroy(p);
0209     return err;
0210 }
0211 EXPORT_SYMBOL(__scm_send);
0212
0213 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
0214 {
0215     int cmlen = CMSG_LEN(len);
0216
0217     if (msg->msg_flags & MSG_CMSG_COMPAT)
0218         return put_cmsg_compat(msg, level, type, len, data);
0219
0220     if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
0221         msg->msg_flags |= MSG_CTRUNC;
0222         return 0; /* XXX: return error? check spec. */
0223     }
0224     if (msg->msg_controllen < cmlen) {
0225         msg->msg_flags |= MSG_CTRUNC;
0226         cmlen = msg->msg_controllen;
0227     }
0228
0229     if (msg->msg_control_is_user) {
0230         struct cmsghdr __user *cm = msg->msg_control_user;
0231
0232         if (!user_write_access_begin(cm, cmlen))
0233             goto efault;
0234
0235         unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
0236         unsafe_put_user(level, &cm->cmsg_level, efault_end);
0237         unsafe_put_user(type, &cm->cmsg_type, efault_end);
0238         unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
0239                     cmlen - sizeof(*cm), efault_end);
0240         user_write_access_end();
0241     } else {
0242         struct cmsghdr *cm = msg->msg_control;
0243
0244         cm->cmsg_level = level;
0245         cm->cmsg_type = type;
0246         cm->cmsg_len = cmlen;
0247         memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
0248     }
0249
0250     cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
0251     msg->msg_control += cmlen;
0252     msg->msg_controllen -= cmlen;
0253     return 0;
0254
0255 efault_end:
0256     user_write_access_end();
0257 efault:
0258     return -EFAULT;
0259 }
0260 EXPORT_SYMBOL(put_cmsg);
0261
0262 void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
0263 {
0264     struct scm_timestamping64 tss;
0265     int i;
0266
0267     for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
0268         tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
0269         tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
0270     }
0271
0272     put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
0273 }
0274 EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
0275
0276 void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
0277 {
0278     struct scm_timestamping tss;
0279     int i;
0280
0281     for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
0282         tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
0283         tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
0284     }
0285
0286     put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
0287 }
0288 EXPORT_SYMBOL(put_cmsg_scm_timestamping);
0289
0290 static int scm_max_fds(struct msghdr *msg)
0291 {
0292     if (msg->msg_controllen <= sizeof(struct cmsghdr))
0293         return 0;
0294     return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
0295 }
0296
0297 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
0298 {
0299     struct cmsghdr __user *cm =
0300         (__force struct cmsghdr __user *)msg->msg_control;
0301     unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
0302     int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
0303     int __user *cmsg_data = CMSG_USER_DATA(cm);
0304     int err = 0, i;
0305
0306     /* no use for FD passing from kernel space callers */
0307     if (WARN_ON_ONCE(!msg->msg_control_is_user))
0308         return;
0309
0310     if (msg->msg_flags & MSG_CMSG_COMPAT) {
0311         scm_detach_fds_compat(msg, scm);
0312         return;
0313     }
0314
0315     for (i = 0; i < fdmax; i++) {
0316         err = receive_fd_user(scm->fp->fp[i], cmsg_data + i, o_flags);
0317         if (err < 0)
0318             break;
0319     }
0320
0321     if (i > 0) {
0322         int cmlen = CMSG_LEN(i * sizeof(int));
0323
0324         err = put_user(SOL_SOCKET, &cm->cmsg_level);
0325         if (!err)
0326             err = put_user(SCM_RIGHTS, &cm->cmsg_type);
0327         if (!err)
0328             err = put_user(cmlen, &cm->cmsg_len);
0329         if (!err) {
0330             cmlen = CMSG_SPACE(i * sizeof(int));
0331             if (msg->msg_controllen < cmlen)
0332                 cmlen = msg->msg_controllen;
0333             msg->msg_control += cmlen;
0334             msg->msg_controllen -= cmlen;
0335         }
0336     }
0337
0338     if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
0339         msg->msg_flags |= MSG_CTRUNC;
0340
0341     /*
0342      * All of the files that fit in the message have had their usage counts
0343      * incremented, so we just free the list.
0344      */
0345     __scm_destroy(scm);
0346 }
0347 EXPORT_SYMBOL(scm_detach_fds);
0348
0349 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
0350 {
0351     struct scm_fp_list *new_fpl;
0352     int i;
0353
0354     if (!fpl)
0355         return NULL;
0356
0357     new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
0358               GFP_KERNEL_ACCOUNT);
0359     if (new_fpl) {
0360         for (i = 0; i < fpl->count; i++)
0361             get_file(fpl->fp[i]);
0362         new_fpl->max = new_fpl->count;
0363         new_fpl->user = get_uid(fpl->user);
0364     }
0365     return new_fpl;
0366 }
0367 EXPORT_SYMBOL(scm_fp_dup);