[net-next-2.6.git] / net / core / scm.c

/* scm.c - Socket level control messages processing.
 *
 * Author:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
 *              Alignment and value checking mods by Craig Metz
 *
 *		This program is free software; you can redistribute it and/or
 *		modify it under the terms of the GNU General Public License
 *		as published by the Free Software Foundation; either version
 *		2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/signal.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/kernel.h>
#include <linux/stat.h>
#include <linux/socket.h>
#include <linux/file.h>
#include <linux/fcntl.h>
#include <linux/net.h>
#include <linux/interrupt.h>
#include <linux/netdevice.h>
#include <linux/security.h>

#include <asm/system.h>
#include <asm/uaccess.h>

#include <net/protocol.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <net/compat.h>
#include <net/scm.h>


/*
 *	Only allow a user to send credentials, that they could set with 
 *	setu(g)id.
 */

static __inline__ int scm_check_creds(struct ucred *creds)
{
	if ((creds->pid == current->tgid || capable(CAP_SYS_ADMIN)) &&
	    ((creds->uid == current->uid || creds->uid == current->euid ||
	      creds->uid == current->suid) || capable(CAP_SETUID)) &&
	    ((creds->gid == current->gid || creds->gid == current->egid ||
	      creds->gid == current->sgid) || capable(CAP_SETGID))) {
	       return 0;
	}
	return -EPERM;
}

static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
{
	int *fdp = (int*)CMSG_DATA(cmsg);
	struct scm_fp_list *fpl = *fplp;
	struct file **fpp;
	int i, num;

	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);

	if (num <= 0)
		return 0;

	if (num > SCM_MAX_FD)
		return -EINVAL;

	if (!fpl)
	{
		fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
		if (!fpl)
			return -ENOMEM;
		*fplp = fpl;
		fpl->count = 0;
	}
	fpp = &fpl->fp[fpl->count];

	if (fpl->count + num > SCM_MAX_FD)
		return -EINVAL;
	
	/*
	 *	Verify the descriptors and increment the usage count.
	 */
	 
	for (i=0; i< num; i++)
	{
		int fd = fdp[i];
		struct file *file;

		if (fd < 0 || !(file = fget(fd)))
			return -EBADF;
		*fpp++ = file;
		fpl->count++;
	}
	return num;
}

void __scm_destroy(struct scm_cookie *scm)
{
	struct scm_fp_list *fpl = scm->fp;
	int i;

	if (fpl) {
		scm->fp = NULL;
		for (i=fpl->count-1; i>=0; i--)
			fput(fpl->fp[i]);
		kfree(fpl);
	}
}

int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
{
	struct cmsghdr *cmsg;
	int err;

	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
	{
		err = -EINVAL;

		/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
		/* The first check was omitted in <= 2.2.5. The reasoning was
		   that parser checks cmsg_len in any case, so that
		   additional check would be work duplication.
		   But if cmsg_level is not SOL_SOCKET, we do not check 
		   for too short ancillary data object at all! Oops.
		   OK, let's add it...
		 */
		if (!CMSG_OK(msg, cmsg))
			goto error;

		if (cmsg->cmsg_level != SOL_SOCKET)
			continue;

		switch (cmsg->cmsg_type)
		{
		case SCM_RIGHTS:
			err=scm_fp_copy(cmsg, &p->fp);
			if (err<0)
				goto error;
			break;
		case SCM_CREDENTIALS:
			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
				goto error;
			memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
			err = scm_check_creds(&p->creds);
			if (err)
				goto error;
			break;
		default:
			goto error;
		}
	}

	if (p->fp && !p->fp->count)
	{
		kfree(p->fp);
		p->fp = NULL;
	}
	return 0;
	
error:
	scm_destroy(p);
	return err;
}

int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
	struct cmsghdr __user *cm = (struct cmsghdr __user *)msg->msg_control;
	struct cmsghdr cmhdr;
	int cmlen = CMSG_LEN(len);
	int err;

	if (MSG_CMSG_COMPAT & msg->msg_flags)
		return put_cmsg_compat(msg, level, type, len, data);

	if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
		msg->msg_flags |= MSG_CTRUNC;
		return 0; /* XXX: return error? check spec. */
	}
	if (msg->msg_controllen < cmlen) {
		msg->msg_flags |= MSG_CTRUNC;
		cmlen = msg->msg_controllen;
	}
	cmhdr.cmsg_level = level;
	cmhdr.cmsg_type = type;
	cmhdr.cmsg_len = cmlen;

	err = -EFAULT;
	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
		goto out; 
	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
		goto out;
	cmlen = CMSG_SPACE(len);
	msg->msg_control += cmlen;
	msg->msg_controllen -= cmlen;
	err = 0;
out:
	return err;
}

void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
{
	struct cmsghdr __user *cm = (struct cmsghdr __user*)msg->msg_control;

	int fdmax = 0;
	int fdnum = scm->fp->count;
	struct file **fp = scm->fp->fp;
	int __user *cmfptr;
	int err = 0, i;

	if (MSG_CMSG_COMPAT & msg->msg_flags) {
		scm_detach_fds_compat(msg, scm);
		return;
	}

	if (msg->msg_controllen > sizeof(struct cmsghdr))
		fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
			 / sizeof(int));

	if (fdnum < fdmax)
		fdmax = fdnum;

	for (i=0, cmfptr=(int __user *)CMSG_DATA(cm); i<fdmax; i++, cmfptr++)
	{
		int new_fd;
		err = security_file_receive(fp[i]);
		if (err)
			break;
		err = get_unused_fd();
		if (err < 0)
			break;
		new_fd = err;
		err = put_user(new_fd, cmfptr);
		if (err) {
			put_unused_fd(new_fd);
			break;
		}
		/* Bump the usage count and install the file. */
		get_file(fp[i]);
		fd_install(new_fd, fp[i]);
	}

	if (i > 0)
	{
		int cmlen = CMSG_LEN(i*sizeof(int));
		if (!err)
			err = put_user(SOL_SOCKET, &cm->cmsg_level);
		if (!err)
			err = put_user(SCM_RIGHTS, &cm->cmsg_type);
		if (!err)
			err = put_user(cmlen, &cm->cmsg_len);
		if (!err) {
			cmlen = CMSG_SPACE(i*sizeof(int));
			msg->msg_control += cmlen;
			msg->msg_controllen -= cmlen;
		}
	}
	if (i < fdnum || (fdnum && fdmax <= 0))
		msg->msg_flags |= MSG_CTRUNC;

	/*
	 * All of the files that fit in the message have had their
	 * usage counts incremented, so we just free the list.
	 */
	__scm_destroy(scm);
}

struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
{
	struct scm_fp_list *new_fpl;
	int i;

	if (!fpl)
		return NULL;

	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
	if (new_fpl) {
		for (i=fpl->count-1; i>=0; i--)
			get_file(fpl->fp[i]);
		memcpy(new_fpl, fpl, sizeof(*fpl));
	}
	return new_fpl;
}

EXPORT_SYMBOL(__scm_destroy);
EXPORT_SYMBOL(__scm_send);
EXPORT_SYMBOL(put_cmsg);
EXPORT_SYMBOL(scm_detach_fds);
EXPORT_SYMBOL(scm_fp_dup);
Commit	Line	Data
1da177e4 LT	1	/* scm.c - Socket level control messages processing.
	2	*
	3	* Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
	4	* Alignment and value checking mods by Craig Metz
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public License
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the License, or (at your option) any later version.
	10	*/
	11
	12	#include <linux/module.h>
	13	#include <linux/signal.h>
	14	#include <linux/errno.h>
	15	#include <linux/sched.h>
	16	#include <linux/mm.h>
	17	#include <linux/kernel.h>
1da177e4 LT	18	#include <linux/stat.h>
	19	#include <linux/socket.h>
	20	#include <linux/file.h>
	21	#include <linux/fcntl.h>
	22	#include <linux/net.h>
	23	#include <linux/interrupt.h>
	24	#include <linux/netdevice.h>
	25	#include <linux/security.h>
	26
	27	#include <asm/system.h>
	28	#include <asm/uaccess.h>
	29
	30	#include <net/protocol.h>
	31	#include <linux/skbuff.h>
	32	#include <net/sock.h>
	33	#include <net/compat.h>
	34	#include <net/scm.h>
	35
	36
	37	/*
	38	* Only allow a user to send credentials, that they could set with
	39	* setu(g)id.
	40	*/
	41
	42	static __inline__ int scm_check_creds(struct ucred *creds)
	43	{
	44	if ((creds->pid == current->tgid \|\| capable(CAP_SYS_ADMIN)) &&
	45	((creds->uid == current->uid \|\| creds->uid == current->euid \|\|
	46	creds->uid == current->suid) \|\| capable(CAP_SETUID)) &&
	47	((creds->gid == current->gid \|\| creds->gid == current->egid \|\|
	48	creds->gid == current->sgid) \|\| capable(CAP_SETGID))) {
	49	return 0;
	50	}
	51	return -EPERM;
	52	}
	53
	54	static int scm_fp_copy(struct cmsghdr cmsg, struct scm_fp_list *fplp)
	55	{
	56	int fdp = (int)CMSG_DATA(cmsg);
	57	struct scm_fp_list fpl = fplp;
	58	struct file **fpp;
	59	int i, num;
	60
	61	num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
	62
	63	if (num <= 0)
	64	return 0;
	65
	66	if (num > SCM_MAX_FD)
	67	return -EINVAL;
	68
	69	if (!fpl)
	70	{
	71	fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
	72	if (!fpl)
	73	return -ENOMEM;
	74	*fplp = fpl;
	75	fpl->count = 0;
	76	}
	77	fpp = &fpl->fp[fpl->count];
	78
	79	if (fpl->count + num > SCM_MAX_FD)
	80	return -EINVAL;
	81
82	/*
83	* Verify the descriptors and increment the usage count.
84	*/
85
86	for (i=0; i< num; i++)
87	{
88	int fd = fdp[i];
89	struct file *file;
90
91	if (fd < 0 \|\| !(file = fget(fd)))
92	return -EBADF;
93	*fpp++ = file;
94	fpl->count++;
95	}
96	return num;
97	}
98
99	void __scm_destroy(struct scm_cookie *scm)
100	{
101	struct scm_fp_list *fpl = scm->fp;
102	int i;
103
104	if (fpl) {
105	scm->fp = NULL;
106	for (i=fpl->count-1; i>=0; i--)
107	fput(fpl->fp[i]);
108	kfree(fpl);
109	}
110	}
111
112	int __scm_send(struct socket sock, struct msghdr msg, struct scm_cookie *p)
113	{
114	struct cmsghdr *cmsg;
115	int err;
116
117	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
118	{
119	err = -EINVAL;
120
121	/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
122	/* The first check was omitted in <= 2.2.5. The reasoning was
123	that parser checks cmsg_len in any case, so that
124	additional check would be work duplication.
125	But if cmsg_level is not SOL_SOCKET, we do not check
126	for too short ancillary data object at all! Oops.
127	OK, let's add it...
128	*/
129	if (!CMSG_OK(msg, cmsg))
130	goto error;
131
132	if (cmsg->cmsg_level != SOL_SOCKET)
133	continue;
134
135	switch (cmsg->cmsg_type)
136	{
137	case SCM_RIGHTS:
138	err=scm_fp_copy(cmsg, &p->fp);
139	if (err<0)
140	goto error;
141	break;
142	case SCM_CREDENTIALS:
143	if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
144	goto error;
145	memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
146	err = scm_check_creds(&p->creds);
147	if (err)
148	goto error;
149	break;
150	default:
151	goto error;
152	}
153	}
154
155	if (p->fp && !p->fp->count)
156	{
157	kfree(p->fp);
158	p->fp = NULL;
159	}
160	return 0;
161
162	error:
163	scm_destroy(p);
164	return err;
165	}
166
167	int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
168	{
169	struct cmsghdr __user cm = (struct cmsghdr __user )msg->msg_control;
170	struct cmsghdr cmhdr;
171	int cmlen = CMSG_LEN(len);
172	int err;
173
174	if (MSG_CMSG_COMPAT & msg->msg_flags)
175	return put_cmsg_compat(msg, level, type, len, data);
176
177	if (cm==NULL \|\| msg->msg_controllen < sizeof(*cm)) {
178	msg->msg_flags \|= MSG_CTRUNC;
179	return 0; /* XXX: return error? check spec. */
180	}
181	if (msg->msg_controllen < cmlen) {
182	msg->msg_flags \|= MSG_CTRUNC;
183	cmlen = msg->msg_controllen;
184	}
185	cmhdr.cmsg_level = level;
186	cmhdr.cmsg_type = type;
187	cmhdr.cmsg_len = cmlen;
188
189	err = -EFAULT;
190	if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
191	goto out;
192	if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
193	goto out;
194	cmlen = CMSG_SPACE(len);
195	msg->msg_control += cmlen;
196	msg->msg_controllen -= cmlen;
197	err = 0;
198	out:
199	return err;
200	}
201
202	void scm_detach_fds(struct msghdr msg, struct scm_cookie scm)
203	{
204	struct cmsghdr __user cm = (struct cmsghdr __user)msg->msg_control;
205
206	int fdmax = 0;
207	int fdnum = scm->fp->count;
208	struct file **fp = scm->fp->fp;
209	int __user *cmfptr;
210	int err = 0, i;
211
212	if (MSG_CMSG_COMPAT & msg->msg_flags) {
213	scm_detach_fds_compat(msg, scm);
214	return;
215	}
216
217	if (msg->msg_controllen > sizeof(struct cmsghdr))
218	fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
219	/ sizeof(int));
220
221	if (fdnum < fdmax)
222	fdmax = fdnum;
223
224	for (i=0, cmfptr=(int __user *)CMSG_DATA(cm); i<fdmax; i++, cmfptr++)
225	{
226	int new_fd;
227	err = security_file_receive(fp[i]);
228	if (err)
229	break;
230	err = get_unused_fd();
231	if (err < 0)
232	break;
233	new_fd = err;
234	err = put_user(new_fd, cmfptr);
235	if (err) {
236	put_unused_fd(new_fd);
237	break;
238	}
239	/* Bump the usage count and install the file. */
240	get_file(fp[i]);
241	fd_install(new_fd, fp[i]);
242	}
243
244	if (i > 0)
245	{
246	int cmlen = CMSG_LEN(i*sizeof(int));
247	if (!err)
248	err = put_user(SOL_SOCKET, &cm->cmsg_level);
249	if (!err)
250	err = put_user(SCM_RIGHTS, &cm->cmsg_type);
251	if (!err)
252	err = put_user(cmlen, &cm->cmsg_len);
253	if (!err) {
254	cmlen = CMSG_SPACE(i*sizeof(int));
255	msg->msg_control += cmlen;
256	msg->msg_controllen -= cmlen;
257	}
258	}
259	if (i < fdnum \|\| (fdnum && fdmax <= 0))
260	msg->msg_flags \|= MSG_CTRUNC;
261
262	/*
263	* All of the files that fit in the message have had their
264	* usage counts incremented, so we just free the list.
265	*/
266	__scm_destroy(scm);
267	}
268
269	struct scm_fp_list scm_fp_dup(struct scm_fp_list fpl)
270	{
271	struct scm_fp_list *new_fpl;
272	int i;
273
274	if (!fpl)
275	return NULL;
276
277	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
278	if (new_fpl) {
279	for (i=fpl->count-1; i>=0; i--)
280	get_file(fpl->fp[i]);
281	memcpy(new_fpl, fpl, sizeof(*fpl));
282	}
283	return new_fpl;
284	}
285
286	EXPORT_SYMBOL(__scm_destroy);
287	EXPORT_SYMBOL(__scm_send);
288	EXPORT_SYMBOL(put_cmsg);
289	EXPORT_SYMBOL(scm_detach_fds);
290	EXPORT_SYMBOL(scm_fp_dup);