projects / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| b2441318 | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
| 1da177e4 LT |
2 | #ifndef __LINUX_NET_SCM_H |
| 3 | #define __LINUX_NET_SCM_H | |
| 4 | ||
| 5 | #include <linux/limits.h> | |
| 6 | #include <linux/net.h> | |
| 5b825c3a | 7 | #include <linux/cred.h> |
| dc49c1f9 | 8 | #include <linux/security.h> |
| b488893a PE |
9 | #include <linux/pid.h> |
| 10 | #include <linux/nsproxy.h> | |
| 7a36094d | 11 | #include <linux/sched/signal.h> |
| 1da177e4 LT |
12 | |
| 13 | /* Well, we should have at least one descriptor open | |
| 14 | * to accept passed FDs 8) | |
| 15 | */ | |
| bba14de9 | 16 | #define SCM_MAX_FD 253 |
| 1da177e4 | 17 | |
| dbe9a417 EB |
18 | struct scm_creds { |
| 19 | u32 pid; | |
| 20 | kuid_t uid; | |
| 21 | kgid_t gid; | |
| 22 | }; | |
| 23 | ||
| fd2c3ef7 | 24 | struct scm_fp_list { |
| bba14de9 ED |
25 | short count; |
| 26 | short max; | |
| 415e3d3e | 27 | struct user_struct *user; |
| f8d570a4 | 28 | struct file *fp[SCM_MAX_FD]; |
| 1da177e4 LT |
29 | }; |
| 30 | ||
| fd2c3ef7 | 31 | struct scm_cookie { |
| 257b5358 | 32 | struct pid *pid; /* Skb credentials */ |
| 1da177e4 | 33 | struct scm_fp_list *fp; /* Passed files */ |
| dbe9a417 | 34 | struct scm_creds creds; /* Skb credentials */ |
| 877ce7c1 | 35 | #ifdef CONFIG_SECURITY_NETWORK |
| dc49c1f9 | 36 | u32 secid; /* Passed security ID */ |
| 877ce7c1 | 37 | #endif |
| 1da177e4 LT |
38 | }; |
| 39 | ||
| 8153ff5c JP |
40 | void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm); |
| 41 | void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm); | |
| 42 | int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm); | |
| 43 | void __scm_destroy(struct scm_cookie *scm); | |
| 44 | struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl); | |
| 1da177e4 | 45 | |
| dc49c1f9 CZ |
46 | #ifdef CONFIG_SECURITY_NETWORK |
| 47 | static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm) | |
| 48 | { | |
| 49 | security_socket_getpeersec_dgram(sock, NULL, &scm->secid); | |
| 50 | } | |
| 51 | #else | |
| 52 | static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm) | |
| 53 | { } | |
| 54 | #endif /* CONFIG_SECURITY_NETWORK */ | |
| 55 | ||
| 257b5358 | 56 | static __inline__ void scm_set_cred(struct scm_cookie *scm, |
| 6b0ee8c0 | 57 | struct pid *pid, kuid_t uid, kgid_t gid) |
| 257b5358 EB |
58 | { |
| 59 | scm->pid = get_pid(pid); | |
| dbe9a417 | 60 | scm->creds.pid = pid_vnr(pid); |
| 6b0ee8c0 EB |
61 | scm->creds.uid = uid; |
| 62 | scm->creds.gid = gid; | |
| 257b5358 EB |
63 | } |
| 64 | ||
| 65 | static __inline__ void scm_destroy_cred(struct scm_cookie *scm) | |
| 66 | { | |
| 67 | put_pid(scm->pid); | |
| 68 | scm->pid = NULL; | |
| 257b5358 EB |
69 | } |
| 70 | ||
| 1da177e4 LT |
71 | static __inline__ void scm_destroy(struct scm_cookie *scm) |
| 72 | { | |
| 257b5358 | 73 | scm_destroy_cred(scm); |
| 2a6c8c79 | 74 | if (scm->fp) |
| 1da177e4 LT |
75 | __scm_destroy(scm); |
| 76 | } | |
| 77 | ||
| 78 | static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, | |
| e0e3cea4 | 79 | struct scm_cookie *scm, bool forcecreds) |
| 1da177e4 | 80 | { |
| 16e57262 | 81 | memset(scm, 0, sizeof(*scm)); |
| 6b0ee8c0 EB |
82 | scm->creds.uid = INVALID_UID; |
| 83 | scm->creds.gid = INVALID_GID; | |
| e0e3cea4 | 84 | if (forcecreds) |
| 6e0895c2 | 85 | scm_set_cred(scm, task_tgid(current), current_uid(), current_gid()); |
| dc49c1f9 | 86 | unix_get_peersec_dgram(sock, scm); |
| 1da177e4 LT |
87 | if (msg->msg_controllen <= 0) |
| 88 | return 0; | |
| 89 | return __scm_send(sock, msg, scm); | |
| 90 | } | |
| 91 | ||
| 877ce7c1 CZ |
92 | #ifdef CONFIG_SECURITY_NETWORK |
| 93 | static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) | |
| 94 | { | |
| dc49c1f9 CZ |
95 | char *secdata; |
| 96 | u32 seclen; | |
| 97 | int err; | |
| 98 | ||
| 99 | if (test_bit(SOCK_PASSSEC, &sock->flags)) { | |
| 100 | err = security_secid_to_secctx(scm->secid, &secdata, &seclen); | |
| 101 | ||
| 102 | if (!err) { | |
| 103 | put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); | |
| 104 | security_release_secctx(secdata, seclen); | |
| 105 | } | |
| 106 | } | |
| 877ce7c1 CZ |
107 | } |
| 108 | #else | |
| 109 | static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) | |
| 110 | { } | |
| 111 | #endif /* CONFIG_SECURITY_NETWORK */ | |
| 112 | ||
| 1da177e4 LT |
113 | static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, |
| 114 | struct scm_cookie *scm, int flags) | |
| 115 | { | |
| fd2c3ef7 | 116 | if (!msg->msg_control) { |
| 1da177e4 LT |
117 | if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) |
| 118 | msg->msg_flags |= MSG_CTRUNC; | |
| f78a5fda | 119 | scm_destroy(scm); |
| 1da177e4 LT |
120 | return; |
| 121 | } | |
| 122 | ||
| dbe9a417 EB |
123 | if (test_bit(SOCK_PASSCRED, &sock->flags)) { |
| 124 | struct user_namespace *current_ns = current_user_ns(); | |
| 125 | struct ucred ucreds = { | |
| 126 | .pid = scm->creds.pid, | |
| 127 | .uid = from_kuid_munged(current_ns, scm->creds.uid), | |
| 128 | .gid = from_kgid_munged(current_ns, scm->creds.gid), | |
| 129 | }; | |
| 130 | put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS, sizeof(ucreds), &ucreds); | |
| 131 | } | |
| 1da177e4 | 132 | |
| f78a5fda DM |
133 | scm_destroy_cred(scm); |
| 134 | ||
| 877ce7c1 CZ |
135 | scm_passec(sock, msg, scm); |
| 136 | ||
| 1da177e4 LT |
137 | if (!scm->fp) |
| 138 | return; | |
| 139 | ||
| 140 | scm_detach_fds(msg, scm); | |
| 141 | } | |
| 142 | ||
| 143 | ||
| 144 | #endif /* __LINUX_NET_SCM_H */ | |
| 145 |