Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | /* scm.c - Socket level control messages processing. |
| 2 | * |
| 3 | * Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> |
| 4 | * Alignment and value checking mods by Craig Metz |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | */ |
| 11 | |
| 12 | #include <linux/module.h> |
| 13 | #include <linux/signal.h> |
Randy Dunlap | 4fc268d | 2006-01-11 12:17:47 -0800 | [diff] [blame] | 14 | #include <linux/capability.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 15 | #include <linux/errno.h> |
| 16 | #include <linux/sched.h> |
| 17 | #include <linux/mm.h> |
| 18 | #include <linux/kernel.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 19 | #include <linux/stat.h> |
| 20 | #include <linux/socket.h> |
| 21 | #include <linux/file.h> |
| 22 | #include <linux/fcntl.h> |
| 23 | #include <linux/net.h> |
| 24 | #include <linux/interrupt.h> |
| 25 | #include <linux/netdevice.h> |
| 26 | #include <linux/security.h> |
| 27 | |
| 28 | #include <asm/system.h> |
| 29 | #include <asm/uaccess.h> |
| 30 | |
| 31 | #include <net/protocol.h> |
| 32 | #include <linux/skbuff.h> |
| 33 | #include <net/sock.h> |
| 34 | #include <net/compat.h> |
| 35 | #include <net/scm.h> |
| 36 | |
| 37 | |
| 38 | /* |
| 39 | * Only allow a user to send credentials, that they could set with |
| 40 | * setu(g)id. |
| 41 | */ |
| 42 | |
| 43 | static __inline__ int scm_check_creds(struct ucred *creds) |
| 44 | { |
| 45 | if ((creds->pid == current->tgid || capable(CAP_SYS_ADMIN)) && |
| 46 | ((creds->uid == current->uid || creds->uid == current->euid || |
| 47 | creds->uid == current->suid) || capable(CAP_SETUID)) && |
| 48 | ((creds->gid == current->gid || creds->gid == current->egid || |
| 49 | creds->gid == current->sgid) || capable(CAP_SETGID))) { |
| 50 | return 0; |
| 51 | } |
| 52 | return -EPERM; |
| 53 | } |
| 54 | |
| 55 | static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) |
| 56 | { |
| 57 | int *fdp = (int*)CMSG_DATA(cmsg); |
| 58 | struct scm_fp_list *fpl = *fplp; |
| 59 | struct file **fpp; |
| 60 | int i, num; |
| 61 | |
| 62 | num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int); |
| 63 | |
| 64 | if (num <= 0) |
| 65 | return 0; |
| 66 | |
| 67 | if (num > SCM_MAX_FD) |
| 68 | return -EINVAL; |
| 69 | |
| 70 | if (!fpl) |
| 71 | { |
| 72 | fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL); |
| 73 | if (!fpl) |
| 74 | return -ENOMEM; |
| 75 | *fplp = fpl; |
| 76 | fpl->count = 0; |
| 77 | } |
| 78 | fpp = &fpl->fp[fpl->count]; |
| 79 | |
| 80 | if (fpl->count + num > SCM_MAX_FD) |
| 81 | return -EINVAL; |
| 82 | |
| 83 | /* |
| 84 | * Verify the descriptors and increment the usage count. |
| 85 | */ |
| 86 | |
| 87 | for (i=0; i< num; i++) |
| 88 | { |
| 89 | int fd = fdp[i]; |
| 90 | struct file *file; |
| 91 | |
| 92 | if (fd < 0 || !(file = fget(fd))) |
| 93 | return -EBADF; |
| 94 | *fpp++ = file; |
| 95 | fpl->count++; |
| 96 | } |
| 97 | return num; |
| 98 | } |
| 99 | |
| 100 | void __scm_destroy(struct scm_cookie *scm) |
| 101 | { |
| 102 | struct scm_fp_list *fpl = scm->fp; |
| 103 | int i; |
| 104 | |
| 105 | if (fpl) { |
| 106 | scm->fp = NULL; |
| 107 | for (i=fpl->count-1; i>=0; i--) |
| 108 | fput(fpl->fp[i]); |
| 109 | kfree(fpl); |
| 110 | } |
| 111 | } |
| 112 | |
| 113 | int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p) |
| 114 | { |
| 115 | struct cmsghdr *cmsg; |
| 116 | int err; |
| 117 | |
| 118 | for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) |
| 119 | { |
| 120 | err = -EINVAL; |
| 121 | |
| 122 | /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */ |
| 123 | /* The first check was omitted in <= 2.2.5. The reasoning was |
| 124 | that parser checks cmsg_len in any case, so that |
| 125 | additional check would be work duplication. |
| 126 | But if cmsg_level is not SOL_SOCKET, we do not check |
| 127 | for too short ancillary data object at all! Oops. |
| 128 | OK, let's add it... |
| 129 | */ |
| 130 | if (!CMSG_OK(msg, cmsg)) |
| 131 | goto error; |
| 132 | |
| 133 | if (cmsg->cmsg_level != SOL_SOCKET) |
| 134 | continue; |
| 135 | |
| 136 | switch (cmsg->cmsg_type) |
| 137 | { |
| 138 | case SCM_RIGHTS: |
| 139 | err=scm_fp_copy(cmsg, &p->fp); |
| 140 | if (err<0) |
| 141 | goto error; |
| 142 | break; |
| 143 | case SCM_CREDENTIALS: |
| 144 | if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred))) |
| 145 | goto error; |
| 146 | memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred)); |
| 147 | err = scm_check_creds(&p->creds); |
| 148 | if (err) |
| 149 | goto error; |
| 150 | break; |
| 151 | default: |
| 152 | goto error; |
| 153 | } |
| 154 | } |
| 155 | |
| 156 | if (p->fp && !p->fp->count) |
| 157 | { |
| 158 | kfree(p->fp); |
| 159 | p->fp = NULL; |
| 160 | } |
| 161 | return 0; |
| 162 | |
| 163 | error: |
| 164 | scm_destroy(p); |
| 165 | return err; |
| 166 | } |
| 167 | |
| 168 | int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) |
| 169 | { |
| 170 | struct cmsghdr __user *cm = (struct cmsghdr __user *)msg->msg_control; |
| 171 | struct cmsghdr cmhdr; |
| 172 | int cmlen = CMSG_LEN(len); |
| 173 | int err; |
| 174 | |
| 175 | if (MSG_CMSG_COMPAT & msg->msg_flags) |
| 176 | return put_cmsg_compat(msg, level, type, len, data); |
| 177 | |
| 178 | if (cm==NULL || msg->msg_controllen < sizeof(*cm)) { |
| 179 | msg->msg_flags |= MSG_CTRUNC; |
| 180 | return 0; /* XXX: return error? check spec. */ |
| 181 | } |
| 182 | if (msg->msg_controllen < cmlen) { |
| 183 | msg->msg_flags |= MSG_CTRUNC; |
| 184 | cmlen = msg->msg_controllen; |
| 185 | } |
| 186 | cmhdr.cmsg_level = level; |
| 187 | cmhdr.cmsg_type = type; |
| 188 | cmhdr.cmsg_len = cmlen; |
| 189 | |
| 190 | err = -EFAULT; |
| 191 | if (copy_to_user(cm, &cmhdr, sizeof cmhdr)) |
| 192 | goto out; |
| 193 | if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr))) |
| 194 | goto out; |
| 195 | cmlen = CMSG_SPACE(len); |
| 196 | msg->msg_control += cmlen; |
| 197 | msg->msg_controllen -= cmlen; |
| 198 | err = 0; |
| 199 | out: |
| 200 | return err; |
| 201 | } |
| 202 | |
| 203 | void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) |
| 204 | { |
| 205 | struct cmsghdr __user *cm = (struct cmsghdr __user*)msg->msg_control; |
| 206 | |
| 207 | int fdmax = 0; |
| 208 | int fdnum = scm->fp->count; |
| 209 | struct file **fp = scm->fp->fp; |
| 210 | int __user *cmfptr; |
| 211 | int err = 0, i; |
| 212 | |
| 213 | if (MSG_CMSG_COMPAT & msg->msg_flags) { |
| 214 | scm_detach_fds_compat(msg, scm); |
| 215 | return; |
| 216 | } |
| 217 | |
| 218 | if (msg->msg_controllen > sizeof(struct cmsghdr)) |
| 219 | fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr)) |
| 220 | / sizeof(int)); |
| 221 | |
| 222 | if (fdnum < fdmax) |
| 223 | fdmax = fdnum; |
| 224 | |
| 225 | for (i=0, cmfptr=(int __user *)CMSG_DATA(cm); i<fdmax; i++, cmfptr++) |
| 226 | { |
| 227 | int new_fd; |
| 228 | err = security_file_receive(fp[i]); |
| 229 | if (err) |
| 230 | break; |
| 231 | err = get_unused_fd(); |
| 232 | if (err < 0) |
| 233 | break; |
| 234 | new_fd = err; |
| 235 | err = put_user(new_fd, cmfptr); |
| 236 | if (err) { |
| 237 | put_unused_fd(new_fd); |
| 238 | break; |
| 239 | } |
| 240 | /* Bump the usage count and install the file. */ |
| 241 | get_file(fp[i]); |
| 242 | fd_install(new_fd, fp[i]); |
| 243 | } |
| 244 | |
| 245 | if (i > 0) |
| 246 | { |
| 247 | int cmlen = CMSG_LEN(i*sizeof(int)); |
| 248 | if (!err) |
| 249 | err = put_user(SOL_SOCKET, &cm->cmsg_level); |
| 250 | if (!err) |
| 251 | err = put_user(SCM_RIGHTS, &cm->cmsg_type); |
| 252 | if (!err) |
| 253 | err = put_user(cmlen, &cm->cmsg_len); |
| 254 | if (!err) { |
| 255 | cmlen = CMSG_SPACE(i*sizeof(int)); |
| 256 | msg->msg_control += cmlen; |
| 257 | msg->msg_controllen -= cmlen; |
| 258 | } |
| 259 | } |
| 260 | if (i < fdnum || (fdnum && fdmax <= 0)) |
| 261 | msg->msg_flags |= MSG_CTRUNC; |
| 262 | |
| 263 | /* |
| 264 | * All of the files that fit in the message have had their |
| 265 | * usage counts incremented, so we just free the list. |
| 266 | */ |
| 267 | __scm_destroy(scm); |
| 268 | } |
| 269 | |
| 270 | struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) |
| 271 | { |
| 272 | struct scm_fp_list *new_fpl; |
| 273 | int i; |
| 274 | |
| 275 | if (!fpl) |
| 276 | return NULL; |
| 277 | |
| 278 | new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL); |
| 279 | if (new_fpl) { |
| 280 | for (i=fpl->count-1; i>=0; i--) |
| 281 | get_file(fpl->fp[i]); |
| 282 | memcpy(new_fpl, fpl, sizeof(*fpl)); |
| 283 | } |
| 284 | return new_fpl; |
| 285 | } |
| 286 | |
| 287 | EXPORT_SYMBOL(__scm_destroy); |
| 288 | EXPORT_SYMBOL(__scm_send); |
| 289 | EXPORT_SYMBOL(put_cmsg); |
| 290 | EXPORT_SYMBOL(scm_detach_fds); |
| 291 | EXPORT_SYMBOL(scm_fp_dup); |