scm.c source code [linux/net/core/scm.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/ scm.c - Socket level control messages processing.*
3	*
4	* Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
5	* Alignment and value checking mods by Craig Metz
6	*/
7
8	#include <linux/module.h>
9	#include <linux/signal.h>
10	#include <linux/capability.h>
11	#include <linux/errno.h>
12	#include <linux/sched.h>
13	#include <linux/sched/user.h>
14	#include <linux/mm.h>
15	#include <linux/kernel.h>
16	#include <linux/stat.h>
17	#include <linux/socket.h>
18	#include <linux/file.h>
19	#include <linux/fcntl.h>
20	#include <linux/net.h>
21	#include <linux/interrupt.h>
22	#include <linux/netdevice.h>
23	#include <linux/security.h>
24	#include <linux/pid_namespace.h>
25	#include <linux/pid.h>
26	#include <linux/nsproxy.h>
27	#include <linux/slab.h>
28	#include <linux/errqueue.h>
29	#include <linux/io_uring.h>
30
31	#include <linux/uaccess.h>
32
33	#include <net/protocol.h>
34	#include <linux/skbuff.h>
35	#include <net/sock.h>
36	#include <net/compat.h>
37	#include <net/scm.h>
38	#include <net/cls_cgroup.h>
39	#include <net/af_unix.h>
40
41
42	/*
43	* Only allow a user to send credentials, that they could set with
44	* setu(g)id.
45	*/
46
47	static __inline__ int scm_check_creds(struct ucred *creds)
48	{
49	const struct cred *cred = current_cred();
50	kuid_t uid = make_kuid(from: cred->user_ns, uid: creds->uid);
51	kgid_t gid = make_kgid(from: cred->user_ns, gid: creds->gid);
52
53	if (!uid_valid(uid) \|\| !gid_valid(gid))
54	return -EINVAL;
55
56	if ((creds->pid == task_tgid_vnr(current) \|\|
57	ns_capable(ns: task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
58	((uid_eq(left: uid, right: cred->uid) \|\| uid_eq(left: uid, right: cred->euid) \|\|
59	uid_eq(left: uid, right: cred->suid)) \|\| ns_capable(ns: cred->user_ns, CAP_SETUID)) &&
60	((gid_eq(left: gid, right: cred->gid) \|\| gid_eq(left: gid, right: cred->egid) \|\|
61	gid_eq(left: gid, right: cred->sgid)) \|\| ns_capable(ns: cred->user_ns, CAP_SETGID))) {
62	return `0`;
63	}
64	return -EPERM;
65	}
66
67	static int scm_fp_copy(struct cmsghdr cmsg, struct* scm_fp_list **fplp)
68	{
69	int fdp = (int**)CMSG_DATA(cmsg);
70	struct scm_fp_list fpl = fplp;
71	struct file **fpp;
72	int i, num;
73
74	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
75
76	if (num <= `0`)
77	return `0`;
78
79	if (num > SCM_MAX_FD)
80	return -EINVAL;
81
82	if (!fpl)
83	{
84	fpl = kmalloc(size: sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
85	if (!fpl)
86	return -ENOMEM;
87	*fplp = fpl;
88	fpl->count = `0`;
89	fpl->count_unix = `0`;
90	fpl->max = SCM_MAX_FD;
91	fpl->user = NULL;
92	}
93	fpp = &fpl->fp[fpl->count];
94
95	if (fpl->count + num > fpl->max)
96	return -EINVAL;
97
98	/*
99	* Verify the descriptors and increment the usage count.
100	*/
101
102	for (i=`0`; i< num; i++)
103	{
104	int fd = fdp[i];
105	struct file *file;
106
107	if (fd < `0` \|\| !(file = fget_raw(fd)))
108	return -EBADF;
109	/ don't allow io_uring files /
110	if (io_is_uring_fops(file)) {
111	fput(file);
112	return -EINVAL;
113	}
114	if (unix_get_socket(filp: file))
115	fpl->count_unix++;
116
117	*fpp++ = file;
118	fpl->count++;
119	}
120
121	if (!fpl->user)
122	fpl->user = get_uid(current_user());
123
124	return num;
125	}
126
127	void __scm_destroy(struct scm_cookie *scm)
128	{
129	struct scm_fp_list *fpl = scm->fp;
130	int i;
131
132	if (fpl) {
133	scm->fp = NULL;
134	for (i=fpl->count-`1`; i>=`0`; i--)
135	fput(fpl->fp[i]);
136	free_uid(fpl->user);
137	kfree(objp: fpl);
138	}
139	}
140	EXPORT_SYMBOL(__scm_destroy);
141
142	int __scm_send(struct socket sock, struct* msghdr msg, struct* scm_cookie *p)
143	{
144	const struct proto_ops *ops = READ_ONCE(sock->ops);
145	struct cmsghdr *cmsg;
146	int err;
147
148	for_each_cmsghdr(cmsg, msg) {
149	err = -EINVAL;
150
151	/ Verify that cmsg_len is at least sizeof(struct cmsghdr) /
152	/ The first check was omitted in <= 2.2.5. The reasoning was*
153	that parser checks cmsg_len in any case, so that
154	additional check would be work duplication.
155	But if cmsg_level is not SOL_SOCKET, we do not check
156	for too short ancillary data object at all! Oops.
157	OK, let's add it...
158	*/
159	if (!CMSG_OK(msg, cmsg))
160	goto error;
161
162	if (cmsg->cmsg_level != SOL_SOCKET)
163	continue;
164
165	switch (cmsg->cmsg_type)
166	{
167	case SCM_RIGHTS:
168	if (!ops \|\| ops->family != PF_UNIX)
169	goto error;
170	err=scm_fp_copy(cmsg, fplp: &p->fp);
171	if (err<`0`)
172	goto error;
173	break;
174	case SCM_CREDENTIALS:
175	{
176	struct ucred creds;
177	kuid_t uid;
178	kgid_t gid;
179	if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
180	goto error;
181	memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
182	err = scm_check_creds(creds: &creds);
183	if (err)
184	goto error;
185
186	p->creds.pid = creds.pid;
187	if (!p->pid \|\| pid_vnr(pid: p->pid) != creds.pid) {
188	struct pid *pid;
189	err = -ESRCH;
190	pid = find_get_pid(nr: creds.pid);
191	if (!pid)
192	goto error;
193	put_pid(pid: p->pid);
194	p->pid = pid;
195	}
196
197	err = -EINVAL;
198	uid = make_kuid(current_user_ns(), uid: creds.uid);
199	gid = make_kgid(current_user_ns(), gid: creds.gid);
200	if (!uid_valid(uid) \|\| !gid_valid(gid))
201	goto error;
202
203	p->creds.uid = uid;
204	p->creds.gid = gid;
205	break;
206	}
207	default:
208	goto error;
209	}
210	}
211
212	if (p->fp && !p->fp->count)
213	{
214	kfree(objp: p->fp);
215	p->fp = NULL;
216	}
217	return `0`;
218
219	error:
220	scm_destroy(scm: p);
221	return err;
222	}
223	EXPORT_SYMBOL(__scm_send);
224
225	int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
226	{
227	int cmlen = CMSG_LEN(len);
228
229	if (msg->msg_flags & MSG_CMSG_COMPAT)
230	return put_cmsg_compat(msg, level, type, len, data);
231
232	if (!msg->msg_control \|\| msg->msg_controllen < sizeof(struct cmsghdr)) {
233	msg->msg_flags \|= MSG_CTRUNC;
234	return `0`; / XXX: return error? check spec. /
235	}
236	if (msg->msg_controllen < cmlen) {
237	msg->msg_flags \|= MSG_CTRUNC;
238	cmlen = msg->msg_controllen;
239	}
240
241	if (msg->msg_control_is_user) {
242	struct cmsghdr __user *cm = msg->msg_control_user;
243
244	check_object_size(ptr: data, n: cmlen - sizeof(*cm), to_user: true);
245
246	if (!user_write_access_begin(cm, cmlen))
247	goto efault;
248
249	unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
250	unsafe_put_user(level, &cm->cmsg_level, efault_end);
251	unsafe_put_user(type, &cm->cmsg_type, efault_end);
252	unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
253	cmlen - sizeof(*cm), efault_end);
254	user_write_access_end();
255	} else {
256	struct cmsghdr *cm = msg->msg_control;
257
258	cm->cmsg_level = level;
259	cm->cmsg_type = type;
260	cm->cmsg_len = cmlen;
261	memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
262	}
263
264	cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
265	if (msg->msg_control_is_user)
266	msg->msg_control_user += cmlen;
267	else
268	msg->msg_control += cmlen;
269	msg->msg_controllen -= cmlen;
270	return `0`;
271
272	efault_end:
273	user_write_access_end();
274	efault:
275	return -EFAULT;
276	}
277	EXPORT_SYMBOL(put_cmsg);
278
279	void put_cmsg_scm_timestamping64(struct msghdr msg, struct* scm_timestamping_internal *tss_internal)
280	{
281	struct scm_timestamping64 tss;
282	int i;
283
284	for (i = `0`; i < ARRAY_SIZE(tss.ts); i++) {
285	tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
286	tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
287	}
288
289	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
290	}
291	EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
292
293	void put_cmsg_scm_timestamping(struct msghdr msg, struct* scm_timestamping_internal *tss_internal)
294	{
295	struct scm_timestamping tss;
296	int i;
297
298	for (i = `0`; i < ARRAY_SIZE(tss.ts); i++) {
299	tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
300	tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
301	}
302
303	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
304	}
305	EXPORT_SYMBOL(put_cmsg_scm_timestamping);
306
307	static int scm_max_fds(struct msghdr *msg)
308	{
309	if (msg->msg_controllen <= sizeof(struct cmsghdr))
310	return `0`;
311	return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
312	}
313
314	void scm_detach_fds(struct msghdr msg, struct* scm_cookie *scm)
315	{
316	struct cmsghdr __user *cm =
317	(__force struct cmsghdr __user *)msg->msg_control_user;
318	unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : `0`;
319	int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
320	int __user *cmsg_data = CMSG_USER_DATA(cm);
321	int err = `0`, i;
322
323	/ no use for FD passing from kernel space callers /
324	if (WARN_ON_ONCE(!msg->msg_control_is_user))
325	return;
326
327	if (msg->msg_flags & MSG_CMSG_COMPAT) {
328	scm_detach_fds_compat(msg, scm);
329	return;
330	}
331
332	for (i = `0`; i < fdmax; i++) {
333	err = scm_recv_one_fd(f: scm->fp->fp[i], ufd: cmsg_data + i, flags: o_flags);
334	if (err < `0`)
335	break;
336	}
337
338	if (i > `0`) {
339	int cmlen = CMSG_LEN(i * sizeof(int));
340
341	err = put_user(SOL_SOCKET, &cm->cmsg_level);
342	if (!err)
343	err = put_user(SCM_RIGHTS, &cm->cmsg_type);
344	if (!err)
345	err = put_user(cmlen, &cm->cmsg_len);
346	if (!err) {
347	cmlen = CMSG_SPACE(i * sizeof(int));
348	if (msg->msg_controllen < cmlen)
349	cmlen = msg->msg_controllen;
350	msg->msg_control_user += cmlen;
351	msg->msg_controllen -= cmlen;
352	}
353	}
354
355	if (i < scm->fp->count \|\| (scm->fp->count && fdmax <= `0`))
356	msg->msg_flags \|= MSG_CTRUNC;
357
358	/*
359	* All of the files that fit in the message have had their usage counts
360	* incremented, so we just free the list.
361	*/
362	__scm_destroy(scm);
363	}
364	EXPORT_SYMBOL(scm_detach_fds);
365
366	struct scm_fp_list scm_fp_dup(struct* scm_fp_list *fpl)
367	{
368	struct scm_fp_list *new_fpl;
369	int i;
370
371	if (!fpl)
372	return NULL;
373
374	new_fpl = kmemdup(p: fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
375	GFP_KERNEL_ACCOUNT);
376	if (new_fpl) {
377	for (i = `0`; i < fpl->count; i++)
378	get_file(f: fpl->fp[i]);
379	new_fpl->max = new_fpl->count;
380	new_fpl->user = get_uid(u: fpl->user);
381	}
382	return new_fpl;
383	}
384	EXPORT_SYMBOL(scm_fp_dup);
385

source code of linux/net/core/scm.c