c7c4591db6
Pull namespace changes from Eric Biederman: "This is an assorted mishmash of small cleanups, enhancements and bug fixes. The major theme is user namespace mount restrictions. nsown_capable is killed as it encourages not thinking about details that need to be considered. A very hard to hit pid namespace exiting bug was finally tracked and fixed. A couple of cleanups to the basic namespace infrastructure. Finally there is an enhancement that makes per user namespace capabilities usable as capabilities, and an enhancement that allows the per userns root to nice other processes in the user namespace" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: userns: Kill nsown_capable it makes the wrong thing easy capabilities: allow nice if we are privileged pidns: Don't have unshare(CLONE_NEWPID) imply CLONE_THREAD userns: Allow PR_CAPBSET_DROP in a user namespace. namespaces: Simplify copy_namespaces so it is clear what is going on. pidns: Fix hang in zap_pid_ns_processes by sending a potentially extra wakeup sysfs: Restrict mounting sysfs userns: Better restrictions on when proc and sysfs can be mounted vfs: Don't copy mount bind mounts of /proc/<pid>/ns/mnt between namespaces kernel/nsproxy.c: Improving a snippet of code. proc: Restrict mounting the proc filesystem vfs: Lock in place mounts from more privileged users
342 lines
7.6 KiB
C
342 lines
7.6 KiB
C
/* scm.c - Socket level control messages processing.
|
|
*
|
|
* Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
|
|
* Alignment and value checking mods by Craig Metz
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/signal.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/stat.h>
|
|
#include <linux/socket.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fcntl.h>
|
|
#include <linux/net.h>
|
|
#include <linux/interrupt.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/security.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/pid.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/slab.h>
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
#include <net/protocol.h>
|
|
#include <linux/skbuff.h>
|
|
#include <net/sock.h>
|
|
#include <net/compat.h>
|
|
#include <net/scm.h>
|
|
#include <net/cls_cgroup.h>
|
|
|
|
|
|
/*
|
|
* Only allow a user to send credentials, that they could set with
|
|
* setu(g)id.
|
|
*/
|
|
|
|
static __inline__ int scm_check_creds(struct ucred *creds)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
kuid_t uid = make_kuid(cred->user_ns, creds->uid);
|
|
kgid_t gid = make_kgid(cred->user_ns, creds->gid);
|
|
|
|
if (!uid_valid(uid) || !gid_valid(gid))
|
|
return -EINVAL;
|
|
|
|
if ((creds->pid == task_tgid_vnr(current) ||
|
|
ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
|
|
((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
|
|
uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
|
|
((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
|
|
gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
|
|
return 0;
|
|
}
|
|
return -EPERM;
|
|
}
|
|
|
|
static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
|
|
{
|
|
int *fdp = (int*)CMSG_DATA(cmsg);
|
|
struct scm_fp_list *fpl = *fplp;
|
|
struct file **fpp;
|
|
int i, num;
|
|
|
|
num = (cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)))/sizeof(int);
|
|
|
|
if (num <= 0)
|
|
return 0;
|
|
|
|
if (num > SCM_MAX_FD)
|
|
return -EINVAL;
|
|
|
|
if (!fpl)
|
|
{
|
|
fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
|
|
if (!fpl)
|
|
return -ENOMEM;
|
|
*fplp = fpl;
|
|
fpl->count = 0;
|
|
fpl->max = SCM_MAX_FD;
|
|
}
|
|
fpp = &fpl->fp[fpl->count];
|
|
|
|
if (fpl->count + num > fpl->max)
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* Verify the descriptors and increment the usage count.
|
|
*/
|
|
|
|
for (i=0; i< num; i++)
|
|
{
|
|
int fd = fdp[i];
|
|
struct file *file;
|
|
|
|
if (fd < 0 || !(file = fget_raw(fd)))
|
|
return -EBADF;
|
|
*fpp++ = file;
|
|
fpl->count++;
|
|
}
|
|
return num;
|
|
}
|
|
|
|
void __scm_destroy(struct scm_cookie *scm)
|
|
{
|
|
struct scm_fp_list *fpl = scm->fp;
|
|
int i;
|
|
|
|
if (fpl) {
|
|
scm->fp = NULL;
|
|
for (i=fpl->count-1; i>=0; i--)
|
|
fput(fpl->fp[i]);
|
|
kfree(fpl);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL(__scm_destroy);
|
|
|
|
int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
|
|
{
|
|
struct cmsghdr *cmsg;
|
|
int err;
|
|
|
|
for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg))
|
|
{
|
|
err = -EINVAL;
|
|
|
|
/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
|
|
/* The first check was omitted in <= 2.2.5. The reasoning was
|
|
that parser checks cmsg_len in any case, so that
|
|
additional check would be work duplication.
|
|
But if cmsg_level is not SOL_SOCKET, we do not check
|
|
for too short ancillary data object at all! Oops.
|
|
OK, let's add it...
|
|
*/
|
|
if (!CMSG_OK(msg, cmsg))
|
|
goto error;
|
|
|
|
if (cmsg->cmsg_level != SOL_SOCKET)
|
|
continue;
|
|
|
|
switch (cmsg->cmsg_type)
|
|
{
|
|
case SCM_RIGHTS:
|
|
if (!sock->ops || sock->ops->family != PF_UNIX)
|
|
goto error;
|
|
err=scm_fp_copy(cmsg, &p->fp);
|
|
if (err<0)
|
|
goto error;
|
|
break;
|
|
case SCM_CREDENTIALS:
|
|
{
|
|
struct ucred creds;
|
|
kuid_t uid;
|
|
kgid_t gid;
|
|
if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
|
|
goto error;
|
|
memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
|
|
err = scm_check_creds(&creds);
|
|
if (err)
|
|
goto error;
|
|
|
|
p->creds.pid = creds.pid;
|
|
if (!p->pid || pid_vnr(p->pid) != creds.pid) {
|
|
struct pid *pid;
|
|
err = -ESRCH;
|
|
pid = find_get_pid(creds.pid);
|
|
if (!pid)
|
|
goto error;
|
|
put_pid(p->pid);
|
|
p->pid = pid;
|
|
}
|
|
|
|
err = -EINVAL;
|
|
uid = make_kuid(current_user_ns(), creds.uid);
|
|
gid = make_kgid(current_user_ns(), creds.gid);
|
|
if (!uid_valid(uid) || !gid_valid(gid))
|
|
goto error;
|
|
|
|
p->creds.uid = uid;
|
|
p->creds.gid = gid;
|
|
break;
|
|
}
|
|
default:
|
|
goto error;
|
|
}
|
|
}
|
|
|
|
if (p->fp && !p->fp->count)
|
|
{
|
|
kfree(p->fp);
|
|
p->fp = NULL;
|
|
}
|
|
return 0;
|
|
|
|
error:
|
|
scm_destroy(p);
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(__scm_send);
|
|
|
|
int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
|
|
{
|
|
struct cmsghdr __user *cm
|
|
= (__force struct cmsghdr __user *)msg->msg_control;
|
|
struct cmsghdr cmhdr;
|
|
int cmlen = CMSG_LEN(len);
|
|
int err;
|
|
|
|
if (MSG_CMSG_COMPAT & msg->msg_flags)
|
|
return put_cmsg_compat(msg, level, type, len, data);
|
|
|
|
if (cm==NULL || msg->msg_controllen < sizeof(*cm)) {
|
|
msg->msg_flags |= MSG_CTRUNC;
|
|
return 0; /* XXX: return error? check spec. */
|
|
}
|
|
if (msg->msg_controllen < cmlen) {
|
|
msg->msg_flags |= MSG_CTRUNC;
|
|
cmlen = msg->msg_controllen;
|
|
}
|
|
cmhdr.cmsg_level = level;
|
|
cmhdr.cmsg_type = type;
|
|
cmhdr.cmsg_len = cmlen;
|
|
|
|
err = -EFAULT;
|
|
if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
|
|
goto out;
|
|
if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
|
|
goto out;
|
|
cmlen = CMSG_SPACE(len);
|
|
if (msg->msg_controllen < cmlen)
|
|
cmlen = msg->msg_controllen;
|
|
msg->msg_control += cmlen;
|
|
msg->msg_controllen -= cmlen;
|
|
err = 0;
|
|
out:
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(put_cmsg);
|
|
|
|
void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
|
|
{
|
|
struct cmsghdr __user *cm
|
|
= (__force struct cmsghdr __user*)msg->msg_control;
|
|
|
|
int fdmax = 0;
|
|
int fdnum = scm->fp->count;
|
|
struct file **fp = scm->fp->fp;
|
|
int __user *cmfptr;
|
|
int err = 0, i;
|
|
|
|
if (MSG_CMSG_COMPAT & msg->msg_flags) {
|
|
scm_detach_fds_compat(msg, scm);
|
|
return;
|
|
}
|
|
|
|
if (msg->msg_controllen > sizeof(struct cmsghdr))
|
|
fdmax = ((msg->msg_controllen - sizeof(struct cmsghdr))
|
|
/ sizeof(int));
|
|
|
|
if (fdnum < fdmax)
|
|
fdmax = fdnum;
|
|
|
|
for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
|
|
i++, cmfptr++)
|
|
{
|
|
struct socket *sock;
|
|
int new_fd;
|
|
err = security_file_receive(fp[i]);
|
|
if (err)
|
|
break;
|
|
err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & msg->msg_flags
|
|
? O_CLOEXEC : 0);
|
|
if (err < 0)
|
|
break;
|
|
new_fd = err;
|
|
err = put_user(new_fd, cmfptr);
|
|
if (err) {
|
|
put_unused_fd(new_fd);
|
|
break;
|
|
}
|
|
/* Bump the usage count and install the file. */
|
|
sock = sock_from_file(fp[i], &err);
|
|
if (sock) {
|
|
sock_update_netprioidx(sock->sk);
|
|
sock_update_classid(sock->sk);
|
|
}
|
|
fd_install(new_fd, get_file(fp[i]));
|
|
}
|
|
|
|
if (i > 0)
|
|
{
|
|
int cmlen = CMSG_LEN(i*sizeof(int));
|
|
err = put_user(SOL_SOCKET, &cm->cmsg_level);
|
|
if (!err)
|
|
err = put_user(SCM_RIGHTS, &cm->cmsg_type);
|
|
if (!err)
|
|
err = put_user(cmlen, &cm->cmsg_len);
|
|
if (!err) {
|
|
cmlen = CMSG_SPACE(i*sizeof(int));
|
|
msg->msg_control += cmlen;
|
|
msg->msg_controllen -= cmlen;
|
|
}
|
|
}
|
|
if (i < fdnum || (fdnum && fdmax <= 0))
|
|
msg->msg_flags |= MSG_CTRUNC;
|
|
|
|
/*
|
|
* All of the files that fit in the message have had their
|
|
* usage counts incremented, so we just free the list.
|
|
*/
|
|
__scm_destroy(scm);
|
|
}
|
|
EXPORT_SYMBOL(scm_detach_fds);
|
|
|
|
struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
|
|
{
|
|
struct scm_fp_list *new_fpl;
|
|
int i;
|
|
|
|
if (!fpl)
|
|
return NULL;
|
|
|
|
new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
|
|
GFP_KERNEL);
|
|
if (new_fpl) {
|
|
for (i = 0; i < fpl->count; i++)
|
|
get_file(fpl->fp[i]);
|
|
new_fpl->max = new_fpl->count;
|
|
}
|
|
return new_fpl;
|
|
}
|
|
EXPORT_SYMBOL(scm_fp_dup);
|