]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | #ifndef __LINUX_NET_SCM_H |
2 | #define __LINUX_NET_SCM_H | |
3 | ||
4 | #include <linux/limits.h> | |
5 | #include <linux/net.h> | |
5b825c3a | 6 | #include <linux/cred.h> |
dc49c1f9 | 7 | #include <linux/security.h> |
b488893a PE |
8 | #include <linux/pid.h> |
9 | #include <linux/nsproxy.h> | |
1da177e4 LT |
10 | |
11 | /* Well, we should have at least one descriptor open | |
12 | * to accept passed FDs 8) | |
13 | */ | |
bba14de9 | 14 | #define SCM_MAX_FD 253 |
1da177e4 | 15 | |
dbe9a417 EB |
16 | struct scm_creds { |
17 | u32 pid; | |
18 | kuid_t uid; | |
19 | kgid_t gid; | |
20 | }; | |
21 | ||
fd2c3ef7 | 22 | struct scm_fp_list { |
bba14de9 ED |
23 | short count; |
24 | short max; | |
415e3d3e | 25 | struct user_struct *user; |
f8d570a4 | 26 | struct file *fp[SCM_MAX_FD]; |
1da177e4 LT |
27 | }; |
28 | ||
fd2c3ef7 | 29 | struct scm_cookie { |
257b5358 | 30 | struct pid *pid; /* Skb credentials */ |
1da177e4 | 31 | struct scm_fp_list *fp; /* Passed files */ |
dbe9a417 | 32 | struct scm_creds creds; /* Skb credentials */ |
877ce7c1 | 33 | #ifdef CONFIG_SECURITY_NETWORK |
dc49c1f9 | 34 | u32 secid; /* Passed security ID */ |
877ce7c1 | 35 | #endif |
1da177e4 LT |
36 | }; |
37 | ||
8153ff5c JP |
38 | void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm); |
39 | void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm); | |
40 | int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm); | |
41 | void __scm_destroy(struct scm_cookie *scm); | |
42 | struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl); | |
1da177e4 | 43 | |
dc49c1f9 CZ |
44 | #ifdef CONFIG_SECURITY_NETWORK |
45 | static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm) | |
46 | { | |
47 | security_socket_getpeersec_dgram(sock, NULL, &scm->secid); | |
48 | } | |
49 | #else | |
50 | static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm) | |
51 | { } | |
52 | #endif /* CONFIG_SECURITY_NETWORK */ | |
53 | ||
257b5358 | 54 | static __inline__ void scm_set_cred(struct scm_cookie *scm, |
6b0ee8c0 | 55 | struct pid *pid, kuid_t uid, kgid_t gid) |
257b5358 EB |
56 | { |
57 | scm->pid = get_pid(pid); | |
dbe9a417 | 58 | scm->creds.pid = pid_vnr(pid); |
6b0ee8c0 EB |
59 | scm->creds.uid = uid; |
60 | scm->creds.gid = gid; | |
257b5358 EB |
61 | } |
62 | ||
63 | static __inline__ void scm_destroy_cred(struct scm_cookie *scm) | |
64 | { | |
65 | put_pid(scm->pid); | |
66 | scm->pid = NULL; | |
257b5358 EB |
67 | } |
68 | ||
1da177e4 LT |
69 | static __inline__ void scm_destroy(struct scm_cookie *scm) |
70 | { | |
257b5358 | 71 | scm_destroy_cred(scm); |
2a6c8c79 | 72 | if (scm->fp) |
1da177e4 LT |
73 | __scm_destroy(scm); |
74 | } | |
75 | ||
76 | static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, | |
e0e3cea4 | 77 | struct scm_cookie *scm, bool forcecreds) |
1da177e4 | 78 | { |
16e57262 | 79 | memset(scm, 0, sizeof(*scm)); |
6b0ee8c0 EB |
80 | scm->creds.uid = INVALID_UID; |
81 | scm->creds.gid = INVALID_GID; | |
e0e3cea4 | 82 | if (forcecreds) |
6e0895c2 | 83 | scm_set_cred(scm, task_tgid(current), current_uid(), current_gid()); |
dc49c1f9 | 84 | unix_get_peersec_dgram(sock, scm); |
1da177e4 LT |
85 | if (msg->msg_controllen <= 0) |
86 | return 0; | |
87 | return __scm_send(sock, msg, scm); | |
88 | } | |
89 | ||
877ce7c1 CZ |
90 | #ifdef CONFIG_SECURITY_NETWORK |
91 | static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) | |
92 | { | |
dc49c1f9 CZ |
93 | char *secdata; |
94 | u32 seclen; | |
95 | int err; | |
96 | ||
97 | if (test_bit(SOCK_PASSSEC, &sock->flags)) { | |
98 | err = security_secid_to_secctx(scm->secid, &secdata, &seclen); | |
99 | ||
100 | if (!err) { | |
101 | put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); | |
102 | security_release_secctx(secdata, seclen); | |
103 | } | |
104 | } | |
877ce7c1 CZ |
105 | } |
106 | #else | |
107 | static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) | |
108 | { } | |
109 | #endif /* CONFIG_SECURITY_NETWORK */ | |
110 | ||
1da177e4 LT |
111 | static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, |
112 | struct scm_cookie *scm, int flags) | |
113 | { | |
fd2c3ef7 | 114 | if (!msg->msg_control) { |
1da177e4 LT |
115 | if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) |
116 | msg->msg_flags |= MSG_CTRUNC; | |
f78a5fda | 117 | scm_destroy(scm); |
1da177e4 LT |
118 | return; |
119 | } | |
120 | ||
dbe9a417 EB |
121 | if (test_bit(SOCK_PASSCRED, &sock->flags)) { |
122 | struct user_namespace *current_ns = current_user_ns(); | |
123 | struct ucred ucreds = { | |
124 | .pid = scm->creds.pid, | |
125 | .uid = from_kuid_munged(current_ns, scm->creds.uid), | |
126 | .gid = from_kgid_munged(current_ns, scm->creds.gid), | |
127 | }; | |
128 | put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS, sizeof(ucreds), &ucreds); | |
129 | } | |
1da177e4 | 130 | |
f78a5fda DM |
131 | scm_destroy_cred(scm); |
132 | ||
877ce7c1 CZ |
133 | scm_passec(sock, msg, scm); |
134 | ||
1da177e4 LT |
135 | if (!scm->fp) |
136 | return; | |
137 | ||
138 | scm_detach_fds(msg, scm); | |
139 | } | |
140 | ||
141 | ||
142 | #endif /* __LINUX_NET_SCM_H */ | |
143 |