xref: /kernel/linux/linux-5.10/net/core/scm.c (revision 8c2ecf20) 
1// SPDX-License-Identifier: GPL-2.0-or-later
2/* scm.c - Socket level control messages processing.
3 *
4 * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
5 *              Alignment and value checking mods by Craig Metz
6 */
7
8#include <linux/module.h>
9#include <linux/signal.h>
10#include <linux/capability.h>
11#include <linux/errno.h>
12#include <linux/sched.h>
13#include <linux/sched/user.h>
14#include <linux/mm.h>
15#include <linux/kernel.h>
16#include <linux/stat.h>
17#include <linux/socket.h>
18#include <linux/file.h>
19#include <linux/fcntl.h>
20#include <linux/net.h>
21#include <linux/interrupt.h>
22#include <linux/netdevice.h>
23#include <linux/security.h>
24#include <linux/pid_namespace.h>
25#include <linux/pid.h>
26#include <linux/nsproxy.h>
27#include <linux/slab.h>
28#include <linux/errqueue.h>
29#include <linux/io_uring.h>
30
31#include <linux/uaccess.h>
32
33#include <net/protocol.h>
34#include <linux/skbuff.h>
35#include <net/sock.h>
36#include <net/compat.h>
37#include <net/scm.h>
38#include <net/cls_cgroup.h>
39
40
41/*
42 *	Only allow a user to send credentials, that they could set with
43 *	setu(g)id.
44 */
45
46static __inline__ int scm_check_creds(struct ucred *creds)
47{
48	const struct cred *cred = current_cred();
49	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
50	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
51
52	if (!uid_valid(uid) || !gid_valid(gid))
53		return -EINVAL;
54
55	if ((creds->pid == task_tgid_vnr(current) ||
56	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
57	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
58	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
59	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
60	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
61	       return 0;
62	}
63	return -EPERM;
64}
65
66static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
67{
68	int *fdp = (int*)CMSG_DATA(cmsg);
69	struct scm_fp_list *fpl = *fplp;
70	struct file **fpp;
71	int i, num;
72
73	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
74
75	if (num <= 0)
76		return 0;
77
78	if (num > SCM_MAX_FD)
79		return -EINVAL;
80
81	if (!fpl)
82	{
83		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
84		if (!fpl)
85			return -ENOMEM;
86		*fplp = fpl;
87		fpl->count = 0;
88		fpl->max = SCM_MAX_FD;
89		fpl->user = NULL;
90	}
91	fpp = &fpl->fp[fpl->count];
92
93	if (fpl->count + num > fpl->max)
94		return -EINVAL;
95
96	/*
97	 *	Verify the descriptors and increment the usage count.
98	 */
99
100	for (i=0; i< num; i++)
101	{
102		int fd = fdp[i];
103		struct file *file;
104
105		if (fd < 0 || !(file = fget_raw(fd)))
106			return -EBADF;
107		/* don't allow io_uring files */
108		if (io_uring_get_socket(file)) {
109			fput(file);
110			return -EINVAL;
111		}
112		*fpp++ = file;
113		fpl->count++;
114	}
115
116	if (!fpl->user)
117		fpl->user = get_uid(current_user());
118
119	return num;
120}
121
122void __scm_destroy(struct scm_cookie *scm)
123{
124	struct scm_fp_list *fpl = scm->fp;
125	int i;
126
127	if (fpl) {
128		scm->fp = NULL;
129		for (i=fpl->count-1; i>=0; i--)
130			fput(fpl->fp[i]);
131		free_uid(fpl->user);
132		kfree(fpl);
133	}
134}
135EXPORT_SYMBOL(__scm_destroy);
136
137int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
138{
139	struct cmsghdr *cmsg;
140	int err;
141
142	for_each_cmsghdr(cmsg, msg) {
143		err = -EINVAL;
144
145		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
146		/* The first check was omitted in <= 2.2.5. The reasoning was
147		   that parser checks cmsg_len in any case, so that
148		   additional check would be work duplication.
149		   But if cmsg_level is not SOL_SOCKET, we do not check
150		   for too short ancillary data object at all! Oops.
151		   OK, let's add it...
152		 */
153		if (!CMSG_OK(msg, cmsg))
154			goto error;
155
156		if (cmsg->cmsg_level != SOL_SOCKET)
157			continue;
158
159		switch (cmsg->cmsg_type)
160		{
161		case SCM_RIGHTS:
162			if (!sock->ops || sock->ops->family != PF_UNIX)
163				goto error;
164			err=scm_fp_copy(cmsg, &p->fp);
165			if (err<0)
166				goto error;
167			break;
168		case SCM_CREDENTIALS:
169		{
170			struct ucred creds;
171			kuid_t uid;
172			kgid_t gid;
173			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
174				goto error;
175			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
176			err = scm_check_creds(&creds);
177			if (err)
178				goto error;
179
180			p->creds.pid = creds.pid;
181			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
182				struct pid *pid;
183				err = -ESRCH;
184				pid = find_get_pid(creds.pid);
185				if (!pid)
186					goto error;
187				put_pid(p->pid);
188				p->pid = pid;
189			}
190
191			err = -EINVAL;
192			uid = make_kuid(current_user_ns(), creds.uid);
193			gid = make_kgid(current_user_ns(), creds.gid);
194			if (!uid_valid(uid) || !gid_valid(gid))
195				goto error;
196
197			p->creds.uid = uid;
198			p->creds.gid = gid;
199			break;
200		}
201		default:
202			goto error;
203		}
204	}
205
206	if (p->fp && !p->fp->count)
207	{
208		kfree(p->fp);
209		p->fp = NULL;
210	}
211	return 0;
212
213error:
214	scm_destroy(p);
215	return err;
216}
217EXPORT_SYMBOL(__scm_send);
218
219int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
220{
221	int cmlen = CMSG_LEN(len);
222
223	if (msg->msg_flags & MSG_CMSG_COMPAT)
224		return put_cmsg_compat(msg, level, type, len, data);
225
226	if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
227		msg->msg_flags |= MSG_CTRUNC;
228		return 0; /* XXX: return error? check spec. */
229	}
230	if (msg->msg_controllen < cmlen) {
231		msg->msg_flags |= MSG_CTRUNC;
232		cmlen = msg->msg_controllen;
233	}
234
235	if (msg->msg_control_is_user) {
236		struct cmsghdr __user *cm = msg->msg_control_user;
237		struct cmsghdr cmhdr;
238
239		cmhdr.cmsg_level = level;
240		cmhdr.cmsg_type = type;
241		cmhdr.cmsg_len = cmlen;
242		if (copy_to_user(cm, &cmhdr, sizeof cmhdr) ||
243		    copy_to_user(CMSG_USER_DATA(cm), data, cmlen - sizeof(*cm)))
244			return -EFAULT;
245	} else {
246		struct cmsghdr *cm = msg->msg_control;
247
248		cm->cmsg_level = level;
249		cm->cmsg_type = type;
250		cm->cmsg_len = cmlen;
251		memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
252	}
253
254	cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
255	msg->msg_control += cmlen;
256	msg->msg_controllen -= cmlen;
257	return 0;
258}
259EXPORT_SYMBOL(put_cmsg);
260
261void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
262{
263	struct scm_timestamping64 tss;
264	int i;
265
266	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
267		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
268		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
269	}
270
271	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
272}
273EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
274
275void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
276{
277	struct scm_timestamping tss;
278	int i;
279
280	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
281		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
282		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
283	}
284
285	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
286}
287EXPORT_SYMBOL(put_cmsg_scm_timestamping);
288
289static int scm_max_fds(struct msghdr *msg)
290{
291	if (msg->msg_controllen <= sizeof(struct cmsghdr))
292		return 0;
293	return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
294}
295
296void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
297{
298	struct cmsghdr __user *cm =
299		(__force struct cmsghdr __user *)msg->msg_control;
300	unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
301	int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
302	int __user *cmsg_data = CMSG_USER_DATA(cm);
303	int err = 0, i;
304
305	/* no use for FD passing from kernel space callers */
306	if (WARN_ON_ONCE(!msg->msg_control_is_user))
307		return;
308
309	if (msg->msg_flags & MSG_CMSG_COMPAT) {
310		scm_detach_fds_compat(msg, scm);
311		return;
312	}
313
314	for (i = 0; i < fdmax; i++) {
315		err = receive_fd_user(scm->fp->fp[i], cmsg_data + i, o_flags);
316		if (err < 0)
317			break;
318	}
319
320	if (i > 0) {
321		int cmlen = CMSG_LEN(i * sizeof(int));
322
323		err = put_user(SOL_SOCKET, &cm->cmsg_level);
324		if (!err)
325			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
326		if (!err)
327			err = put_user(cmlen, &cm->cmsg_len);
328		if (!err) {
329			cmlen = CMSG_SPACE(i * sizeof(int));
330			if (msg->msg_controllen < cmlen)
331				cmlen = msg->msg_controllen;
332			msg->msg_control += cmlen;
333			msg->msg_controllen -= cmlen;
334		}
335	}
336
337	if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
338		msg->msg_flags |= MSG_CTRUNC;
339
340	/*
341	 * All of the files that fit in the message have had their usage counts
342	 * incremented, so we just free the list.
343	 */
344	__scm_destroy(scm);
345}
346EXPORT_SYMBOL(scm_detach_fds);
347
348struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
349{
350	struct scm_fp_list *new_fpl;
351	int i;
352
353	if (!fpl)
354		return NULL;
355
356	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
357			  GFP_KERNEL);
358	if (new_fpl) {
359		for (i = 0; i < fpl->count; i++)
360			get_file(fpl->fp[i]);
361		new_fpl->max = new_fpl->count;
362		new_fpl->user = get_uid(fpl->user);
363	}
364	return new_fpl;
365}
366EXPORT_SYMBOL(scm_fp_dup);
367