xref: /linux/net/core/scm.c (revision c02ce1735b150cf7c3b43790b48e23dcd17c0d46)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* scm.c - Socket level control messages processing.
3  *
4  * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
5  *              Alignment and value checking mods by Craig Metz
6  */
7 
8 #include <linux/module.h>
9 #include <linux/signal.h>
10 #include <linux/capability.h>
11 #include <linux/errno.h>
12 #include <linux/sched.h>
13 #include <linux/sched/user.h>
14 #include <linux/mm.h>
15 #include <linux/kernel.h>
16 #include <linux/stat.h>
17 #include <linux/socket.h>
18 #include <linux/file.h>
19 #include <linux/fcntl.h>
20 #include <linux/net.h>
21 #include <linux/interrupt.h>
22 #include <linux/netdevice.h>
23 #include <linux/security.h>
24 #include <linux/pid_namespace.h>
25 #include <linux/pid.h>
26 #include <linux/nsproxy.h>
27 #include <linux/slab.h>
28 #include <linux/errqueue.h>
29 #include <linux/io_uring.h>
30 
31 #include <linux/uaccess.h>
32 
33 #include <net/protocol.h>
34 #include <linux/skbuff.h>
35 #include <net/sock.h>
36 #include <net/compat.h>
37 #include <net/scm.h>
38 #include <net/cls_cgroup.h>
39 #include <net/af_unix.h>
40 
41 
42 /*
43  *	Only allow a user to send credentials, that they could set with
44  *	setu(g)id.
45  */
46 
47 static __inline__ int scm_check_creds(struct ucred *creds)
48 {
49 	const struct cred *cred = current_cred();
50 	kuid_t uid = make_kuid(cred->user_ns, creds->uid);
51 	kgid_t gid = make_kgid(cred->user_ns, creds->gid);
52 
53 	if (!uid_valid(uid) || !gid_valid(gid))
54 		return -EINVAL;
55 
56 	if ((creds->pid == task_tgid_vnr(current) ||
57 	     ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
58 	    ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
59 	      uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
60 	    ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
61 	      gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
62 	       return 0;
63 	}
64 	return -EPERM;
65 }
66 
67 static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
68 {
69 	int *fdp = (int*)CMSG_DATA(cmsg);
70 	struct scm_fp_list *fpl = *fplp;
71 	struct file **fpp;
72 	int i, num;
73 
74 	num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
75 
76 	if (num <= 0)
77 		return 0;
78 
79 	if (num > SCM_MAX_FD)
80 		return -EINVAL;
81 
82 	if (!fpl)
83 	{
84 		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL_ACCOUNT);
85 		if (!fpl)
86 			return -ENOMEM;
87 		*fplp = fpl;
88 		fpl->count = 0;
89 		fpl->count_unix = 0;
90 		fpl->max = SCM_MAX_FD;
91 		fpl->user = NULL;
92 	}
93 	fpp = &fpl->fp[fpl->count];
94 
95 	if (fpl->count + num > fpl->max)
96 		return -EINVAL;
97 
98 	/*
99 	 *	Verify the descriptors and increment the usage count.
100 	 */
101 
102 	for (i=0; i< num; i++)
103 	{
104 		int fd = fdp[i];
105 		struct file *file;
106 
107 		if (fd < 0 || !(file = fget_raw(fd)))
108 			return -EBADF;
109 		/* don't allow io_uring files */
110 		if (io_is_uring_fops(file)) {
111 			fput(file);
112 			return -EINVAL;
113 		}
114 		if (unix_get_socket(file))
115 			fpl->count_unix++;
116 
117 		*fpp++ = file;
118 		fpl->count++;
119 	}
120 
121 	if (!fpl->user)
122 		fpl->user = get_uid(current_user());
123 
124 	return num;
125 }
126 
127 void __scm_destroy(struct scm_cookie *scm)
128 {
129 	struct scm_fp_list *fpl = scm->fp;
130 	int i;
131 
132 	if (fpl) {
133 		scm->fp = NULL;
134 		for (i=fpl->count-1; i>=0; i--)
135 			fput(fpl->fp[i]);
136 		free_uid(fpl->user);
137 		kfree(fpl);
138 	}
139 }
140 EXPORT_SYMBOL(__scm_destroy);
141 
142 int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
143 {
144 	const struct proto_ops *ops = READ_ONCE(sock->ops);
145 	struct cmsghdr *cmsg;
146 	int err;
147 
148 	for_each_cmsghdr(cmsg, msg) {
149 		err = -EINVAL;
150 
151 		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
152 		/* The first check was omitted in <= 2.2.5. The reasoning was
153 		   that parser checks cmsg_len in any case, so that
154 		   additional check would be work duplication.
155 		   But if cmsg_level is not SOL_SOCKET, we do not check
156 		   for too short ancillary data object at all! Oops.
157 		   OK, let's add it...
158 		 */
159 		if (!CMSG_OK(msg, cmsg))
160 			goto error;
161 
162 		if (cmsg->cmsg_level != SOL_SOCKET)
163 			continue;
164 
165 		switch (cmsg->cmsg_type)
166 		{
167 		case SCM_RIGHTS:
168 			if (!ops || ops->family != PF_UNIX)
169 				goto error;
170 			err=scm_fp_copy(cmsg, &p->fp);
171 			if (err<0)
172 				goto error;
173 			break;
174 		case SCM_CREDENTIALS:
175 		{
176 			struct ucred creds;
177 			kuid_t uid;
178 			kgid_t gid;
179 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
180 				goto error;
181 			memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
182 			err = scm_check_creds(&creds);
183 			if (err)
184 				goto error;
185 
186 			p->creds.pid = creds.pid;
187 			if (!p->pid || pid_vnr(p->pid) != creds.pid) {
188 				struct pid *pid;
189 				err = -ESRCH;
190 				pid = find_get_pid(creds.pid);
191 				if (!pid)
192 					goto error;
193 				put_pid(p->pid);
194 				p->pid = pid;
195 			}
196 
197 			err = -EINVAL;
198 			uid = make_kuid(current_user_ns(), creds.uid);
199 			gid = make_kgid(current_user_ns(), creds.gid);
200 			if (!uid_valid(uid) || !gid_valid(gid))
201 				goto error;
202 
203 			p->creds.uid = uid;
204 			p->creds.gid = gid;
205 			break;
206 		}
207 		default:
208 			goto error;
209 		}
210 	}
211 
212 	if (p->fp && !p->fp->count)
213 	{
214 		kfree(p->fp);
215 		p->fp = NULL;
216 	}
217 	return 0;
218 
219 error:
220 	scm_destroy(p);
221 	return err;
222 }
223 EXPORT_SYMBOL(__scm_send);
224 
225 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
226 {
227 	int cmlen = CMSG_LEN(len);
228 
229 	if (msg->msg_flags & MSG_CMSG_COMPAT)
230 		return put_cmsg_compat(msg, level, type, len, data);
231 
232 	if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
233 		msg->msg_flags |= MSG_CTRUNC;
234 		return 0; /* XXX: return error? check spec. */
235 	}
236 	if (msg->msg_controllen < cmlen) {
237 		msg->msg_flags |= MSG_CTRUNC;
238 		cmlen = msg->msg_controllen;
239 	}
240 
241 	if (msg->msg_control_is_user) {
242 		struct cmsghdr __user *cm = msg->msg_control_user;
243 
244 		check_object_size(data, cmlen - sizeof(*cm), true);
245 
246 		if (!user_write_access_begin(cm, cmlen))
247 			goto efault;
248 
249 		unsafe_put_user(cmlen, &cm->cmsg_len, efault_end);
250 		unsafe_put_user(level, &cm->cmsg_level, efault_end);
251 		unsafe_put_user(type, &cm->cmsg_type, efault_end);
252 		unsafe_copy_to_user(CMSG_USER_DATA(cm), data,
253 				    cmlen - sizeof(*cm), efault_end);
254 		user_write_access_end();
255 	} else {
256 		struct cmsghdr *cm = msg->msg_control;
257 
258 		cm->cmsg_level = level;
259 		cm->cmsg_type = type;
260 		cm->cmsg_len = cmlen;
261 		memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
262 	}
263 
264 	cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
265 	if (msg->msg_control_is_user)
266 		msg->msg_control_user += cmlen;
267 	else
268 		msg->msg_control += cmlen;
269 	msg->msg_controllen -= cmlen;
270 	return 0;
271 
272 efault_end:
273 	user_write_access_end();
274 efault:
275 	return -EFAULT;
276 }
277 EXPORT_SYMBOL(put_cmsg);
278 
279 void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
280 {
281 	struct scm_timestamping64 tss;
282 	int i;
283 
284 	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
285 		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
286 		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
287 	}
288 
289 	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
290 }
291 EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
292 
293 void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
294 {
295 	struct scm_timestamping tss;
296 	int i;
297 
298 	for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
299 		tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
300 		tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
301 	}
302 
303 	put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
304 }
305 EXPORT_SYMBOL(put_cmsg_scm_timestamping);
306 
307 static int scm_max_fds(struct msghdr *msg)
308 {
309 	if (msg->msg_controllen <= sizeof(struct cmsghdr))
310 		return 0;
311 	return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
312 }
313 
314 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
315 {
316 	struct cmsghdr __user *cm =
317 		(__force struct cmsghdr __user *)msg->msg_control_user;
318 	unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
319 	int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
320 	int __user *cmsg_data = CMSG_USER_DATA(cm);
321 	int err = 0, i;
322 
323 	/* no use for FD passing from kernel space callers */
324 	if (WARN_ON_ONCE(!msg->msg_control_is_user))
325 		return;
326 
327 	if (msg->msg_flags & MSG_CMSG_COMPAT) {
328 		scm_detach_fds_compat(msg, scm);
329 		return;
330 	}
331 
332 	for (i = 0; i < fdmax; i++) {
333 		err = scm_recv_one_fd(scm->fp->fp[i], cmsg_data + i, o_flags);
334 		if (err < 0)
335 			break;
336 	}
337 
338 	if (i > 0) {
339 		int cmlen = CMSG_LEN(i * sizeof(int));
340 
341 		err = put_user(SOL_SOCKET, &cm->cmsg_level);
342 		if (!err)
343 			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
344 		if (!err)
345 			err = put_user(cmlen, &cm->cmsg_len);
346 		if (!err) {
347 			cmlen = CMSG_SPACE(i * sizeof(int));
348 			if (msg->msg_controllen < cmlen)
349 				cmlen = msg->msg_controllen;
350 			msg->msg_control_user += cmlen;
351 			msg->msg_controllen -= cmlen;
352 		}
353 	}
354 
355 	if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
356 		msg->msg_flags |= MSG_CTRUNC;
357 
358 	/*
359 	 * All of the files that fit in the message have had their usage counts
360 	 * incremented, so we just free the list.
361 	 */
362 	__scm_destroy(scm);
363 }
364 EXPORT_SYMBOL(scm_detach_fds);
365 
366 struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
367 {
368 	struct scm_fp_list *new_fpl;
369 	int i;
370 
371 	if (!fpl)
372 		return NULL;
373 
374 	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
375 			  GFP_KERNEL_ACCOUNT);
376 	if (new_fpl) {
377 		for (i = 0; i < fpl->count; i++)
378 			get_file(fpl->fp[i]);
379 		new_fpl->max = new_fpl->count;
380 		new_fpl->user = get_uid(fpl->user);
381 	}
382 	return new_fpl;
383 }
384 EXPORT_SYMBOL(scm_fp_dup);
385