net/core/scm.c

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /* scm.c - Socket level control messages processing.
   3  *
   4  * Author:      Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
   5  *              Alignment and value checking mods by Craig Metz
   6  */
   7
   8 #include <linux/module.h>
   9 #include <linux/signal.h>
  10 #include <linux/capability.h>
  11 #include <linux/errno.h>
  12 #include <linux/sched.h>
  13 #include <linux/sched/user.h>
  14 #include <linux/mm.h>
  15 #include <linux/kernel.h>
  16 #include <linux/stat.h>
  17 #include <linux/socket.h>
  18 #include <linux/file.h>
  19 #include <linux/fcntl.h>
  20 #include <linux/net.h>
  21 #include <linux/interrupt.h>
  22 #include <linux/netdevice.h>
  23 #include <linux/security.h>
  24 #include <linux/pid_namespace.h>
  25 #include <linux/pid.h>
  26 #include <linux/nsproxy.h>
  27 #include <linux/slab.h>
  28 #include <linux/errqueue.h>
  29 #include <linux/io_uring.h>
  30
  31 #include <linux/uaccess.h>
  32
  33 #include <net/protocol.h>
  34 #include <linux/skbuff.h>
  35 #include <net/sock.h>
  36 #include <net/compat.h>
  37 #include <net/scm.h>
  38 #include <net/cls_cgroup.h>
  39 #include <net/af_unix.h>
  40
  41
  42 /*
  43  *      Only allow a user to send credentials, that they could set with
  44  *      setu(g)id.
  45  */
  46
  47 static __inline__ int scm_check_creds(struct ucred *creds)
  48 {
  49         const struct cred *cred = current_cred();
  50         kuid_t uid = make_kuid(cred->user_ns, creds->uid);
  51         kgid_t gid = make_kgid(cred->user_ns, creds->gid);
  52
  53         if (!uid_valid(uid) || !gid_valid(gid))
  54                 return -EINVAL;
  55
  56         if ((creds->pid == task_tgid_vnr(current) ||
  57              ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
  58             ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
  59               uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
  60             ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
  61               gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
  62                return 0;
  63         }
  64         return -EPERM;
  65 }
  66
  67 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
  68 {
  69         int *fdp = (int*)CMSG_DATA(cmsg);
  70         struct scm_fp_list *fpl = *fplp;
  71         struct file **fpp;
  72         int i, num;
  73
  74         num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
  75
  76         if (num <= 0)
  77                 return 0;
  78
  79         if (num > SCM_MAX_FD)
  80                 return -EINVAL;
  81
  82         if (!fpl)
  83         {
  84                 fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
  85                 if (!fpl)
  86                         return -ENOMEM;
  87                 *fplp = fpl;
  88                 fpl->count = 0;
  89                 fpl->count_unix = 0;
  90                 fpl->max = SCM_MAX_FD;
  91                 fpl->user = NULL;
  92         }
  93         fpp = &fpl->fp[fpl->count];
  94
  95         if (fpl->count + num > fpl->max)
  96                 return -EINVAL;
  97
  98         /*
  99          *      Verify the descriptors and increment the usage count.
 100          */
 101
 102         for (i=0; i< num; i++)
 103         {
 104                 int fd = fdp[i];
 105                 struct file *file;
 106
 107                 if (fd < 0 || !(file = fget_raw(fd)))
 108                         return -EBADF;
 109                 /* don't allow io_uring files */
 110                 if (io_is_uring_fops(file)) {
 111                         fput(file);
 112                         return -EINVAL;
 113                 }
 114                 if (unix_get_socket(file))
 115                         fpl->count_unix++;
 116
 117                 *fpp++ = file;
 118                 fpl->count++;
 119         }
 120
 121         if (!fpl->user)
 122                 fpl->user = get_uid(current_user());
 123
 124         return num;
 125 }
 126
 127 void __scm_destroy(struct scm_cookie *scm)
 128 {
 129         struct scm_fp_list *fpl = scm->fp;
 130         int i;
 131
 132         if (fpl) {
 133                 scm->fp = NULL;
 134                 for (i=fpl->count-1; i>=0; i--)
 135                         fput(fpl->fp[i]);
 136                 free_uid(fpl->user);
 137                 kfree(fpl);
 138         }
 139 }
 140 EXPORT_SYMBOL(__scm_destroy);
 141
 142 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
 143 {
 144         const struct proto_ops *ops = READ_ONCE(sock->ops);
 145         struct cmsghdr *cmsg;
 146         int err;
 147
 148         for_each_cmsghdr(cmsg, msg) {
 149                 err = -EINVAL;
 150
 151                 /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
 152                 /* The first check was omitted in <= 2.2.5. The reasoning was
 153                    that parser checks cmsg_len in any case, so that
 154                    additional check would be work duplication.
 155                    But if cmsg_level is not SOL_SOCKET, we do not check
 156                    for too short ancillary data object at all! Oops.
 157                    OK, let's add it...
 158                  */
 159                 if (!CMSG_OK(msg, cmsg))
 160                         goto error;
 161
 162                 if (cmsg->cmsg_level != SOL_SOCKET)
 163                         continue;
 164
 165                 switch (cmsg->cmsg_type)
 166                 {
 167                 case SCM_RIGHTS:
 168                         if (!ops || ops->family != PF_UNIX)
 169                                 goto error;
 170                         err=scm_fp_copy(cmsg, &p->fp);
 171                         if (err<0)
 172                                 goto error;
 173                         break;
 174                 case SCM_CREDENTIALS:
 175                 {
 176                         struct ucred creds;
 177                         kuid_t uid;
 178                         kgid_t gid;
 179                         if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
 180                                 goto error;
 181                         memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
 182                         err = scm_check_creds(&creds);
 183                         if (err)
 184                                 goto error;
 185
 186                         p->creds.pid = creds.pid;
 187                         if (!p->pid || pid_vnr(p->pid) != creds.pid) {
 188                                 struct pid *pid;
 189                                 err = -ESRCH;
 190                                 pid = find_get_pid(creds.pid);
 191                                 if (!pid)
 192                                         goto error;
 193                                 put_pid(p->pid);
 194                                 p->pid = pid;
 195                         }
 196
 197                         err = -EINVAL;
 198                         uid = make_kuid(current_user_ns(), creds.uid);
 199                         gid = make_kgid(current_user_ns(), creds.gid);
 200                         if (!uid_valid(uid) || !gid_valid(gid))
 201                                 goto error;
 202
 203                         p->creds.uid = uid;
 204                         p->creds.gid = gid;
 205                         break;
 206                 }
 207                 default:
 208                         goto error;
 209                 }
 210         }
 211
 212         if (p->fp && !p->fp->count)
 213         {
 214                 kfree(p->fp);
 215                 p->fp = NULL;
 216         }
 217         return 0;
 218
 219 error:
 220         scm_destroy(p);
 221         return err;
 222 }
 223 EXPORT_SYMBOL(__scm_send);
 224
 225 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
 226 {
 227         int cmlen = CMSG_LEN(len);
 228
 229         if (msg->msg_flags & MSG_CMSG_COMPAT)
 230                 return put_cmsg_compat(msg, level, type, len, data);
 231
 232         if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
 233                 msg->msg_flags |= MSG_CTRUNC;
 234                 return 0; /* XXX: return error? check spec. */
 235         }
 236         if (msg->msg_controllen < cmlen) {
 237                 msg->msg_flags |= MSG_CTRUNC;
 238                 cmlen = msg->msg_controllen;
 239         }
 240
 241         if (msg->msg_control_is_user) {
 242                 struct cmsghdr __user *cm = msg->msg_control_user;
 243
 244                 check_object_size(data, cmlen - sizeof(*cm), true);
 245
 246                 if (!user_write_access_begin(cm, cmlen))
 247                         goto efault;
 248
 249                 unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
 250                 unsafe_put_user(level, &cm->cmsg_level, efault_end);
 251                 unsafe_put_user(type, &cm->cmsg_type, efault_end);
 252                 unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
 253                                     cmlen - sizeof(*cm), efault_end);
 254                 user_write_access_end();
 255         } else {
 256                 struct cmsghdr *cm = msg->msg_control;
 257
 258                 cm->cmsg_level = level;
 259                 cm->cmsg_type = type;
 260                 cm->cmsg_len = cmlen;
 261                 memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
 262         }
 263
 264         cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
 265         if (msg->msg_control_is_user)
 266                 msg->msg_control_user += cmlen;
 267         else
 268                 msg->msg_control += cmlen;
 269         msg->msg_controllen -= cmlen;
 270         return 0;
 271
 272 efault_end:
 273         user_write_access_end();
 274 efault:
 275         return -EFAULT;
 276 }
 277 EXPORT_SYMBOL(put_cmsg);
 278
 279 void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
 280 {
 281         struct scm_timestamping64 tss;
 282         int i;
 283
 284         for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
 285                 tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
 286                 tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
 287         }
 288
 289         put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
 290 }
 291 EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
 292
 293 void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
 294 {
 295         struct scm_timestamping tss;
 296         int i;
 297
 298         for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
 299                 tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
 300                 tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
 301         }
 302
 303         put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
 304 }
 305 EXPORT_SYMBOL(put_cmsg_scm_timestamping);
 306
 307 static int scm_max_fds(struct msghdr *msg)
 308 {
 309         if (msg->msg_controllen <= sizeof(struct cmsghdr))
 310                 return 0;
 311         return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
 312 }
 313
 314 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 315 {
 316         struct cmsghdr __user *cm =
 317                 (__force struct cmsghdr __user *)msg->msg_control_user;
 318         unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
 319         int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
 320         int __user *cmsg_data = CMSG_USER_DATA(cm);
 321         int err = 0, i;
 322
 323         /* no use for FD passing from kernel space callers */
 324         if (WARN_ON_ONCE(!msg->msg_control_is_user))
 325                 return;
 326
 327         if (msg->msg_flags & MSG_CMSG_COMPAT) {
 328                 scm_detach_fds_compat(msg, scm);
 329                 return;
 330         }
 331
 332         for (i = 0; i < fdmax; i++) {
 333                 err = scm_recv_one_fd(scm->fp->fp[i], cmsg_data + i, o_flags);
 334                 if (err < 0)
 335                         break;
 336         }
 337
 338         if (i > 0) {
 339                 int cmlen = CMSG_LEN(i * sizeof(int));
 340
 341                 err = put_user(SOL_SOCKET, &cm->cmsg_level);
 342                 if (!err)
 343                         err = put_user(SCM_RIGHTS, &cm->cmsg_type);
 344                 if (!err)
 345                         err = put_user(cmlen, &cm->cmsg_len);
 346                 if (!err) {
 347                         cmlen = CMSG_SPACE(i * sizeof(int));
 348                         if (msg->msg_controllen < cmlen)
 349                                 cmlen = msg->msg_controllen;
 350                         msg->msg_control_user += cmlen;
 351                         msg->msg_controllen -= cmlen;
 352                 }
 353         }
 354
 355         if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
 356                 msg->msg_flags |= MSG_CTRUNC;
 357
 358         /*
 359          * All of the files that fit in the message have had their usage counts
 360          * incremented, so we just free the list.
 361          */
 362         __scm_destroy(scm);
 363 }
 364 EXPORT_SYMBOL(scm_detach_fds);
 365
 366 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
 367 {
 368         struct scm_fp_list *new_fpl;
 369         int i;
 370
 371         if (!fpl)
 372                 return NULL;
 373
 374         new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
 375                           GFP_KERNEL_ACCOUNT);
 376         if (new_fpl) {
 377                 for (i = 0; i < fpl->count; i++)
 378                         get_file(fpl->fp[i]);
 379                 new_fpl->max = new_fpl->count;
 380                 new_fpl->user = get_uid(fpl->user);
 381         }
 382         return new_fpl;
 383 }
 384 EXPORT_SYMBOL(scm_fp_dup);