scm.h 3.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143
  1. #ifndef __LINUX_NET_SCM_H
  2. #define __LINUX_NET_SCM_H
  3. #include <linux/limits.h>
  4. #include <linux/net.h>
  5. #include <linux/security.h>
  6. #include <linux/pid.h>
  7. #include <linux/nsproxy.h>
  8. /* Well, we should have at least one descriptor open
  9. * to accept passed FDs 8)
  10. */
  11. #define SCM_MAX_FD 253
  12. struct scm_creds {
  13. u32 pid;
  14. kuid_t uid;
  15. kgid_t gid;
  16. };
  17. struct scm_fp_list {
  18. short count;
  19. short max;
  20. struct user_struct *user;
  21. struct file *fp[SCM_MAX_FD];
  22. };
  23. struct scm_cookie {
  24. struct pid *pid; /* Skb credentials */
  25. struct scm_fp_list *fp; /* Passed files */
  26. struct scm_creds creds; /* Skb credentials */
  27. #ifdef CONFIG_SECURITY_NETWORK
  28. u32 secid; /* Passed security ID */
  29. #endif
  30. };
  31. void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm);
  32. void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm);
  33. int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm);
  34. void __scm_destroy(struct scm_cookie *scm);
  35. struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
  36. #ifdef CONFIG_SECURITY_NETWORK
  37. static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
  38. {
  39. security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
  40. }
  41. #else
  42. static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
  43. { }
  44. #endif /* CONFIG_SECURITY_NETWORK */
  45. static __inline__ void scm_set_cred(struct scm_cookie *scm,
  46. struct pid *pid, kuid_t uid, kgid_t gid)
  47. {
  48. scm->pid = get_pid(pid);
  49. scm->creds.pid = pid_vnr(pid);
  50. scm->creds.uid = uid;
  51. scm->creds.gid = gid;
  52. }
  53. static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
  54. {
  55. put_pid(scm->pid);
  56. scm->pid = NULL;
  57. }
  58. static __inline__ void scm_destroy(struct scm_cookie *scm)
  59. {
  60. scm_destroy_cred(scm);
  61. if (scm->fp)
  62. __scm_destroy(scm);
  63. }
  64. static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
  65. struct scm_cookie *scm, bool forcecreds)
  66. {
  67. memset(scm, 0, sizeof(*scm));
  68. scm->creds.uid = INVALID_UID;
  69. scm->creds.gid = INVALID_GID;
  70. if (forcecreds)
  71. scm_set_cred(scm, task_tgid(current), current_uid(), current_gid());
  72. unix_get_peersec_dgram(sock, scm);
  73. if (msg->msg_controllen <= 0)
  74. return 0;
  75. return __scm_send(sock, msg, scm);
  76. }
  77. #ifdef CONFIG_SECURITY_NETWORK
  78. static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
  79. {
  80. char *secdata;
  81. u32 seclen;
  82. int err;
  83. if (test_bit(SOCK_PASSSEC, &sock->flags)) {
  84. err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
  85. if (!err) {
  86. put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
  87. security_release_secctx(secdata, seclen);
  88. }
  89. }
  90. }
  91. #else
  92. static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
  93. { }
  94. #endif /* CONFIG_SECURITY_NETWORK */
  95. static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg,
  96. struct scm_cookie *scm, int flags)
  97. {
  98. if (!msg->msg_control) {
  99. if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp)
  100. msg->msg_flags |= MSG_CTRUNC;
  101. scm_destroy(scm);
  102. return;
  103. }
  104. if (test_bit(SOCK_PASSCRED, &sock->flags)) {
  105. struct user_namespace *current_ns = current_user_ns();
  106. struct ucred ucreds = {
  107. .pid = scm->creds.pid,
  108. .uid = from_kuid_munged(current_ns, scm->creds.uid),
  109. .gid = from_kgid_munged(current_ns, scm->creds.gid),
  110. };
  111. put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS, sizeof(ucreds), &ucreds);
  112. }
  113. scm_destroy_cred(scm);
  114. scm_passec(sock, msg, scm);
  115. if (!scm->fp)
  116. return;
  117. scm_detach_fds(msg, scm);
  118. }
  119. #endif /* __LINUX_NET_SCM_H */