1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #ifndef _GNU_SOURCE
4 #define _GNU_SOURCE 1
5 #endif
6 #include <errno.h>
7 #include <fcntl.h>
8 #include <stddef.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <unistd.h>
13 #include <sys/socket.h>
14 #include <sys/syscall.h>
15 #include <sys/un.h>
16
17 #include "af_unix.h"
18 #include "config.h"
19 #include "log.h"
20 #include "macro.h"
21 #include "memory_utils.h"
22 #include "process_utils.h"
23 #include "utils.h"
24
25 #ifndef HAVE_STRLCPY
26 #include "include/strlcpy.h"
27 #endif
28
/* Logging category for this file; backs the syserror()/log_error_errno() calls below. */
lxc_log_define(af_unix, lxc);
30
/*
 * Fill @addr with an abstract AF_UNIX address derived from @path.
 *
 * The first byte of @path is ignored: the name starts at path[1] and is
 * copied to sun_path[1], so sun_path[0] stays NUL, which is what marks an
 * abstract address. No terminating NUL is copied; callers pass the address
 * length explicitly (offsetof(sun_path) + 1 + returned length), see
 * lxc_abstract_unix_open() and lxc_abstract_unix_connect().
 *
 * @addr is cleared before the length check, so it is zeroed (with
 * sun_family set) even on the ENAMETOOLONG path.
 *
 * Returns the name length on success, ret_errno(EINVAL) if @addr or @path
 * is NULL and ret_errno(ENAMETOOLONG) if the name does not fit behind the
 * leading NUL of sun_path.
 */
static ssize_t lxc_abstract_unix_set_sockaddr(struct sockaddr_un *addr,
					      const char *path)
{
	const char *name;
	size_t name_len;

	if (!addr || !path)
		return ret_errno(EINVAL);

	*addr = (struct sockaddr_un){
		.sun_family = AF_UNIX,
	};

	name = &path[1];
	name_len = strlen(name);

	/*
	 * sun_path[0] is reserved for the leading NUL, so at most
	 * sizeof(sun_path) - 1 bytes of name fit. The INT_MAX bound keeps
	 * the ssize_t return value unambiguous.
	 */
	if (name_len >= sizeof(addr->sun_path) || name_len >= INT_MAX)
		return ret_errno(ENAMETOOLONG);

	/* Deliberately not NUL-terminated; see above. */
	memcpy(&addr->sun_path[1], name, name_len);

	return name_len;
}
54
/*
 * Create a socket of @type in the abstract AF_UNIX namespace.
 *
 * The socket is always created with SOCK_CLOEXEC. When @path is NULL the
 * unbound socket is returned as is. Otherwise it is bound to the abstract
 * name derived from @path (path[0] is ignored, see
 * lxc_abstract_unix_set_sockaddr()) and, if @type is exactly SOCK_STREAM,
 * put into listening state with a backlog of 100. A @type with extra bits
 * ORed in is bound but not listened on.
 *
 * NOTE(review): @flags is accepted but never read in this function.
 *
 * Abstract addresses are not protected by filesystem permissions: any
 * process that can reach the socket's network namespace may connect, so
 * the peer has to be authenticated by the protocol on top (see
 * lxc_abstract_unix_rcv_credential()).
 *
 * Returns the file descriptor on success, -1 on failure. (__do_close is
 * presumably what closes the socket on the error paths; confirm it
 * preserves errno.)
 */
int lxc_abstract_unix_open(const char *path, int type, int flags)
{
	__do_close int fd = -EBADF;
	struct sockaddr_un addr;
	ssize_t name_len;
	socklen_t addr_len;

	fd = socket(PF_UNIX, type | SOCK_CLOEXEC, 0);
	if (fd < 0)
		return -1;

	/* No name requested: hand back the unbound socket. */
	if (!path)
		return move_fd(fd);

	name_len = lxc_abstract_unix_set_sockaddr(&addr, path);
	if (name_len < 0)
		return -1;

	/* Leading NUL of sun_path plus the name, no terminator. */
	addr_len = offsetof(struct sockaddr_un, sun_path) + name_len + 1;
	if (bind(fd, (struct sockaddr *)&addr, addr_len) < 0)
		return -1;

	if (type == SOCK_STREAM && listen(fd, 100) < 0)
		return -1;

	return move_fd(fd);
}
86
/*
 * Close a descriptor obtained from lxc_abstract_unix_open() or
 * lxc_abstract_unix_connect(). The close() result is deliberately
 * ignored: the descriptor is gone either way.
 */
void lxc_abstract_unix_close(int fd)
{
	(void)close(fd);
}
91
/*
 * Connect a new SOCK_STREAM | SOCK_CLOEXEC socket to the abstract AF_UNIX
 * address derived from @path (path[0] is ignored, see
 * lxc_abstract_unix_set_sockaddr()).
 *
 * The address length passed to connect() counts the leading NUL byte of
 * sun_path plus the name, matching the bind() in lxc_abstract_unix_open().
 *
 * Returns the connected descriptor, or -1 on failure.
 */
int lxc_abstract_unix_connect(const char *path)
{
	__do_close int fd = -EBADF;
	struct sockaddr_un addr;
	ssize_t name_len;
	socklen_t addr_len;

	fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
	if (fd < 0)
		return -1;

	name_len = lxc_abstract_unix_set_sockaddr(&addr, path);
	if (name_len < 0)
		return -1;

	/* Leading NUL of sun_path plus the name, no terminator. */
	addr_len = offsetof(struct sockaddr_un, sun_path) + name_len + 1;
	if (connect(fd, (struct sockaddr *)&addr, addr_len) < 0)
		return -1;

	return move_fd(fd);
}
114
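/*
 * Send @num_sendfds descriptors from @sendfds over the AF_UNIX socket @fd
 * as a single SCM_RIGHTS control message, with @iov/@iovlen as payload.
 *
 * The wrappers below always supply at least a one-byte dummy payload,
 * presumably because a zero-length send would not carry the control
 * message; callers of this function should do the same.
 *
 * Returns the sendmsg() result (payload bytes sent, or -1 with errno set),
 * ret_errno(EINVAL) if @num_sendfds is not positive, and ret_errno(ENOMEM)
 * if the control buffer cannot be allocated. EINTR is retried.
 */
int lxc_abstract_unix_send_fds_iov(int fd, const int *sendfds, int num_sendfds,
				   struct iovec *const iov, size_t iovlen)
{
	__do_free char *cmsgbuf = NULL;
	struct msghdr msg = {};
	struct cmsghdr *cmsg;
	size_t fds_size, cmsgbufsize;
	int ret;

	if (num_sendfds <= 0)
		return ret_errno(EINVAL);

	/* Size the control buffer only once num_sendfds is known to be positive. */
	fds_size = (size_t)num_sendfds * sizeof(int);
	cmsgbufsize = CMSG_SPACE(fds_size);

	cmsgbuf = malloc(cmsgbufsize);
	if (!cmsgbuf)
		/*
		 * ret_errno() takes a positive errno value everywhere else in
		 * this file; this used to pass -ENOMEM, which inverts the sign
		 * of both errno and the return value.
		 */
		return ret_errno(ENOMEM);

	msg.msg_control = cmsgbuf;
	msg.msg_controllen = cmsgbufsize;

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(fds_size);
	memcpy(CMSG_DATA(cmsg), sendfds, fds_size);

	/* Send exactly the one control message, without trailing padding. */
	msg.msg_controllen = cmsg->cmsg_len;

	msg.msg_iov = iov;
	msg.msg_iovlen = iovlen;

	/* MSG_NOSIGNAL: a closed peer yields EPIPE instead of SIGPIPE. */
	do {
		ret = sendmsg(fd, &msg, MSG_NOSIGNAL);
	} while (ret < 0 && errno == EINTR);

	return ret;
}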
152
/*
 * Send @num_sendfds descriptors from @sendfds over @fd together with
 * @data/@size as payload. When @data is NULL a one-byte dummy payload is
 * sent instead so the SCM_RIGHTS message has something to ride on.
 *
 * Returns whatever lxc_abstract_unix_send_fds_iov() returns.
 */
int lxc_abstract_unix_send_fds(int fd, const int *sendfds, int num_sendfds,
			       void *data, size_t size)
{
	char dummy[1] = {};
	struct iovec iov;

	if (data) {
		iov.iov_base = data;
		iov.iov_len = size;
	} else {
		iov.iov_base = dummy;
		iov.iov_len = sizeof(dummy);
	}

	return lxc_abstract_unix_send_fds_iov(fd, sendfds, num_sendfds, &iov, 1);
}
163
/*
 * Non-const-pointer variant of lxc_abstract_unix_send_fds(); the
 * descriptor array is only read. Returns the same value.
 */
int lxc_unix_send_fds(int fd, int *sendfds, int num_sendfds, void *data,
		      size_t size)
{
	const int *fds = sendfds;

	return lxc_abstract_unix_send_fds(fd, fds, num_sendfds, data, size);
}
169
/*
 * Send @fd_first and @fd_second, in that order, over @fd with @data/@size
 * as payload. Returns the lxc_abstract_unix_send_fds() result.
 */
int __lxc_abstract_unix_send_two_fds(int fd, int fd_first, int fd_second,
				     void *data, size_t size)
{
	int pair[2];

	pair[0] = fd_first;
	pair[1] = fd_second;

	return lxc_abstract_unix_send_fds(fd, pair, 2, data, size);
}
179
/*
 * Receive one message from the AF_UNIX socket @fd, collecting any
 * SCM_RIGHTS file descriptors it carries into @ret_fds.
 *
 * @ret_fds is both input and output:
 *   - fd_count_max: number of descriptors the caller expects; must be
 *     below KERNEL_SCM_MAX_FD, and ret_fds->fd must have room for them.
 *   - flags (in): only UNIX_FDS_ACCEPT_* bits; at most one of them apart
 *     from UNIX_FDS_ACCEPT_NONE. They say whether fewer, more or no
 *     descriptors than fd_count_max are tolerated.
 *   - flags (out): one UNIX_FDS_RECEIVED_* bit is added describing what
 *     actually arrived.
 *   - fd_count_ret: must be 0 on entry; holds the number of descriptors
 *     stored in ret_fds->fd on return. With UNIX_FDS_ACCEPT_LESS the
 *     unused slots are set to -EBADF.
 * The payload lands in @ret_iov (@size_ret_iov entries).
 *
 * Descriptors are received with MSG_CMSG_CLOEXEC. On every error taken
 * after recvmsg() succeeded, all descriptors the kernel installed are
 * closed first, so an error never leaves stray fds in this process.
 *
 * Returns the number of payload bytes received (0 on EOF), or a negative
 * value from ret_errno()/syserror()/syserror_set().
 */
static ssize_t lxc_abstract_unix_recv_fds_iov(int fd,
					      struct unix_fds *ret_fds,
					      struct iovec *ret_iov,
					      size_t size_ret_iov)
{
	__do_free char *cmsgbuf = NULL;
	ssize_t ret;
	struct msghdr msg = {};
	struct cmsghdr *cmsg = NULL;
	/*
	 * Room for one ucred message (present whenever SO_PASSCRED is set on
	 * the socket) plus exactly fd_count_max descriptors. Anything beyond
	 * that does not fit and is reported as MSG_CTRUNC, handled below.
	 */
	size_t cmsgbufsize = CMSG_SPACE(sizeof(struct ucred)) +
			     CMSG_SPACE(ret_fds->fd_count_max * sizeof(int));

	/* Only UNIX_FDS_ACCEPT_* bits may be set on entry. */
	if (ret_fds->flags & ~UNIX_FDS_ACCEPT_MASK)
		return ret_errno(EINVAL);

	/*
	 * UNIX_FDS_ACCEPT_NONE may be combined with one other accept flag;
	 * the remaining accept flags are mutually exclusive.
	 */
	if (hweight32((ret_fds->flags & ~UNIX_FDS_ACCEPT_NONE)) > 1)
		return ret_errno(EINVAL);

	if (ret_fds->fd_count_max >= KERNEL_SCM_MAX_FD)
		return ret_errno(EINVAL);

	/* The caller must pass in a fresh, unused struct. */
	if (ret_fds->fd_count_ret != 0)
		return ret_errno(EINVAL);

	cmsgbuf = zalloc(cmsgbufsize);
	if (!cmsgbuf)
		return ret_errno(ENOMEM);

	msg.msg_control = cmsgbuf;
	msg.msg_controllen = cmsgbufsize;

	msg.msg_iov = ret_iov;
	msg.msg_iovlen = size_ret_iov;

again:
	/* MSG_CMSG_CLOEXEC: received descriptors never leak across exec. */
	ret = recvmsg(fd, &msg, MSG_CMSG_CLOEXEC);
	if (ret < 0) {
		if (errno == EINTR)
			goto again;

		return syserror("Failed to receive response");
	}
	/*
	 * Treated as EOF. NOTE(review): on a SOCK_DGRAM socket a zero-length
	 * datagram can still carry SCM_RIGHTS, and those fds would be left
	 * open here; confirm all callers use SOCK_STREAM sockets.
	 */
	if (ret == 0)
		return 0;

	/* If SO_PASSCRED is set we will always get a ucred message. */
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
			__u32 idx;
			/*
			 * This causes some compilers to complain about
			 * increased alignment requirements but I haven't found
			 * a better way to deal with this yet. Suggestions
			 * welcome!
			 */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wcast-align"
			int *fds_raw = (int *)CMSG_DATA(cmsg);
#pragma GCC diagnostic pop
			/* Number of descriptors the kernel actually installed for us. */
			__u32 num_raw = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);

			/*
			 * We received an insane amount of file descriptors
			 * which exceeds the kernel limit we know about so
			 * close them and return an error.
			 */
			if (num_raw >= KERNEL_SCM_MAX_FD) {
				for (idx = 0; idx < num_raw; idx++)
					close(fds_raw[idx]);

				return syserror_set(-EFBIG, "Received excessive number of file descriptors");
			}

			/*
			 * The control buffer was too small for everything the
			 * peer sent, so what we hold is an incomplete set.
			 * Drop it rather than hand back a partial result.
			 */
			if (msg.msg_flags & MSG_CTRUNC) {
				for (idx = 0; idx < num_raw; idx++)
					close(fds_raw[idx]);

				return syserror_set(-EFBIG, "Control message was truncated; closing all fds and rejecting incomplete message");
			}

			if (ret_fds->fd_count_max > num_raw) {
				/* Fewer than expected: only allowed with UNIX_FDS_ACCEPT_LESS. */
				if (!(ret_fds->flags & UNIX_FDS_ACCEPT_LESS)) {
					for (idx = 0; idx < num_raw; idx++)
						close(fds_raw[idx]);

					return syserror_set(-EINVAL, "Received fewer file descriptors than we expected %u != %u",
							    ret_fds->fd_count_max, num_raw);
				}

				/*
				 * Make sure any excess entries in the fd array
				 * are set to -EBADF so our cleanup functions
				 * can safely be called.
				 */
				for (idx = num_raw; idx < ret_fds->fd_count_max; idx++)
					ret_fds->fd[idx] = -EBADF;

				ret_fds->flags |= UNIX_FDS_RECEIVED_LESS;
			} else if (ret_fds->fd_count_max < num_raw) {
				/* More than expected: only allowed with UNIX_FDS_ACCEPT_MORE. */
				if (!(ret_fds->flags & UNIX_FDS_ACCEPT_MORE)) {
					for (idx = 0; idx < num_raw; idx++)
						close(fds_raw[idx]);

					return syserror_set(-EINVAL, "Received more file descriptors than we expected %u != %u",
							    ret_fds->fd_count_max, num_raw);
				}

				/* Make sure we close any excess fds we received. */
				for (idx = ret_fds->fd_count_max; idx < num_raw; idx++)
					close(fds_raw[idx]);

				/* Cap the number of received file descriptors. */
				num_raw = ret_fds->fd_count_max;
				ret_fds->flags |= UNIX_FDS_RECEIVED_MORE;
			} else {
				ret_fds->flags |= UNIX_FDS_RECEIVED_EXACT;
			}

			/*
			 * Defensive: exactly one UNIX_FDS_RECEIVED_* bit should
			 * be set now. Non-accept bits were rejected on entry, so
			 * this should not trigger; if it does, close everything
			 * rather than return fds under a misleading status.
			 */
			if (hweight32((ret_fds->flags & ~UNIX_FDS_ACCEPT_MASK)) > 1) {
				for (idx = 0; idx < num_raw; idx++)
					close(fds_raw[idx]);

				return syserror_set(-EINVAL, "Invalid flag combination; closing to not risk leaking fds %u != %u",
						    ret_fds->fd_count_max, num_raw);
			}

			/* Hand the (possibly capped) descriptors to the caller. */
			memcpy(ret_fds->fd, CMSG_DATA(cmsg), num_raw * sizeof(int));
			ret_fds->fd_count_ret = num_raw;
			/* Only the first SCM_RIGHTS message is consumed. */
			break;
		}
	}

	if (ret_fds->fd_count_ret == 0) {
		ret_fds->flags |= UNIX_FDS_RECEIVED_NONE;

		/*
		 * We expected to receive file descriptors. Only enforced when
		 * the caller set an accept flag; with flags == 0 the caller
		 * checks fd_count_ret itself (see lxc_abstract_unix_recv_one_fd()).
		 */
		if ((ret_fds->flags & UNIX_FDS_ACCEPT_MASK) &&
		    !(ret_fds->flags & UNIX_FDS_ACCEPT_NONE))
			return syserror_set(-EINVAL, "Received no file descriptors");
	}

	return ret;
}
323
/*
 * Receive descriptors into @ret_fds from @fd, reading the payload into
 * @ret_data/@size_ret_data (or a one-byte dummy buffer when @ret_data is
 * NULL). Thin wrapper around lxc_abstract_unix_recv_fds_iov(); returns its
 * result unchanged.
 */
ssize_t lxc_abstract_unix_recv_fds(int fd, struct unix_fds *ret_fds,
				   void *ret_data, size_t size_ret_data)
{
	char dummy[1] = {};
	struct iovec iov;

	if (ret_data) {
		iov.iov_base = ret_data;
		iov.iov_len = size_ret_data;
	} else {
		iov.iov_base = dummy;
		iov.iov_len = sizeof(dummy);
	}

	return lxc_abstract_unix_recv_fds_iov(fd, ret_fds, &iov, 1);
}
340
/*
 * Receive exactly one descriptor from @fd into @ret_fd, with the payload
 * read into @ret_data/@size_ret_data (or a one-byte dummy when @ret_data
 * is NULL).
 *
 * No accept flags are passed, so any non-zero count other than one is
 * rejected by lxc_abstract_unix_recv_fds_iov() with an error; a message
 * without descriptors makes it here and sets @ret_fd to -EBADF. Callers
 * therefore have to check @ret_fd even on a positive return. Ownership
 * of the descriptor is moved out of @fds so the put_unix_fds cleanup does
 * not release it.
 *
 * Returns the number of payload bytes received, ret_errno(ENODATA) on EOF,
 * or the negative value from lxc_abstract_unix_recv_fds_iov().
 */
ssize_t lxc_abstract_unix_recv_one_fd(int fd, int *ret_fd, void *ret_data,
				      size_t size_ret_data)
{
	call_cleaner(put_unix_fds) struct unix_fds *fds = NULL;
	char dummy[1] = {};
	struct iovec iov;
	ssize_t nbytes;

	if (ret_data) {
		iov.iov_base = ret_data;
		iov.iov_len = size_ret_data;
	} else {
		iov.iov_base = dummy;
		iov.iov_len = sizeof(dummy);
	}

	fds = &(struct unix_fds){
		.fd_count_max = 1,
	};

	nbytes = lxc_abstract_unix_recv_fds_iov(fd, fds, &iov, 1);
	if (nbytes < 0)
		return nbytes;

	if (nbytes == 0)
		return ret_errno(ENODATA);

	*ret_fd = -EBADF;
	if (fds->fd_count_ret == fds->fd_count_max)
		*ret_fd = move_fd(fds->fd[0]);

	return nbytes;
}
370
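/*
 * Receive exactly two descriptors from @fd into @fd_first and @fd_second.
 *
 * The payload is read into @data/@size, or into a one-byte dummy buffer
 * when @data is NULL. Previously @data and @size were tested
 * independently (`data ?: buf` / `size ?: sizeof(buf)`), so a NULL @data
 * with a non-zero @size let recvmsg() write @size bytes into the one-byte
 * dummy on the stack, and a non-NULL @data with @size == 0 wrote one byte
 * into @data. The pair is now chosen together, as in the sibling wrappers.
 *
 * No accept flags are passed, so any non-zero count other than two is
 * rejected by lxc_abstract_unix_recv_fds_iov() with an error (and the
 * descriptors closed there). The only way to reach the mismatch branch is
 * a message carrying no descriptors at all; both outputs are then set to
 * -EBADF. On success ownership is moved out of @fds with move_fd(), which
 * is presumably what keeps the put_unix_fds cleanup from closing them.
 *
 * Returns 0 on success (not the byte count, unlike
 * lxc_abstract_unix_recv_one_fd()), ret_errno(ENODATA) on EOF, or the
 * negative value from lxc_abstract_unix_recv_fds_iov().
 */
ssize_t __lxc_abstract_unix_recv_two_fds(int fd, int *fd_first, int *fd_second,
					 void *data, size_t size)
{
	call_cleaner(put_unix_fds) struct unix_fds *fds = NULL;
	char buf[1] = {};
	struct iovec iov = {
		.iov_base = data ? data : buf,
		.iov_len = data ? size : sizeof(buf),
	};
	ssize_t ret;

	fds = &(struct unix_fds){
		.fd_count_max = 2,
	};

	ret = lxc_abstract_unix_recv_fds_iov(fd, fds, &iov, 1);
	if (ret < 0)
		return ret;

	if (ret == 0)
		return ret_errno(ENODATA);

	if (fds->fd_count_ret != fds->fd_count_max) {
		*fd_first = -EBADF;
		*fd_second = -EBADF;
	} else {
		*fd_first = move_fd(fds->fd[0]);
		*fd_second = move_fd(fds->fd[1]);
	}

	return 0;
}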
403
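/*
 * Send our own credentials (pid, real uid, real gid) as an SCM_CREDENTIALS
 * control message on @fd, with @data/@size as payload (a single dummy byte
 * when @data is NULL, so the control message is attached to something).
 *
 * The receiving side is lxc_abstract_unix_rcv_credential(); the kernel is
 * expected to validate these values against the sending process (see
 * unix(7)), which is what makes the check on the other end meaningful.
 *
 * Returns the sendmsg() result: bytes sent, or -1 with errno set. EINTR is
 * retried, matching lxc_abstract_unix_send_fds_iov().
 */
int lxc_abstract_unix_send_credential(int fd, void *data, size_t size)
{
	struct msghdr msg = {0};
	struct iovec iov;
	struct cmsghdr *cmsg;
	struct ucred cred = {
		.pid = lxc_raw_getpid(),
		.uid = getuid(),
		.gid = getgid(),
	};
	char cmsgbuf[CMSG_SPACE(sizeof(cred))] = {0};
	char buf[1] = {0};
	ssize_t ret;

	msg.msg_control = cmsgbuf;
	msg.msg_controllen = sizeof(cmsgbuf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(struct ucred));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_CREDENTIALS;
	memcpy(CMSG_DATA(cmsg), &cred, sizeof(cred));

	msg.msg_name = NULL;
	msg.msg_namelen = 0;

	iov.iov_base = data ? data : buf;
	iov.iov_len = data ? size : sizeof(buf);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;

	/* MSG_NOSIGNAL: a closed peer yields EPIPE rather than SIGPIPE. */
	do {
		ret = sendmsg(fd, &msg, MSG_NOSIGNAL);
	} while (ret < 0 && errno == EINTR);

	return (int)ret;
}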
436
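/*
 * Receive one message on @fd and, if it carries SCM_CREDENTIALS, check
 * that the sender is root or has exactly our real uid and gid.
 *
 * The payload goes into @data/@size (a one-byte dummy when @data is NULL).
 * The credential check only happens when a well-formed SCM_CREDENTIALS
 * control message is present: the caller must have enabled SO_PASSCRED on
 * @fd, otherwise no such message arrives and the message is accepted
 * without any sender check. A sender with uid 0 is accepted whatever its
 * gid.
 *
 * Any SCM_RIGHTS descriptors a peer smuggles into the message are closed
 * here, so an untrusted sender cannot plant open fds into this process
 * (the control buffer has room for a few ints when no ucred is present).
 * They are received with MSG_CMSG_CLOEXEC so they cannot escape across an
 * exec in the meantime.
 *
 * Returns the recvmsg() result (payload bytes, 0 on EOF, -1 with errno
 * set), or log_error_errno(-1, EACCES, ...) when the sender is rejected.
 */
int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size)
{
	struct msghdr msg = {0};
	struct iovec iov;
	struct cmsghdr *cmsg;
	struct ucred cred;
	int ret;
	int denied = 0;
	char cmsgbuf[CMSG_SPACE(sizeof(cred))] = {0};
	char buf[1] = {0};

	msg.msg_name = NULL;
	msg.msg_namelen = 0;
	msg.msg_control = cmsgbuf;
	msg.msg_controllen = sizeof(cmsgbuf);

	iov.iov_base = data ? data : buf;
	iov.iov_len = data ? size : sizeof(buf);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;

	ret = recvmsg(fd, &msg, MSG_CMSG_CLOEXEC);
	if (ret <= 0)
		return ret;

	/*
	 * Walk every control message rather than just the first one: check
	 * the credentials wherever they appear and close stray descriptors.
	 * The verdict is recorded instead of returned immediately so that
	 * descriptors following the ucred are still closed on the deny path.
	 */
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level != SOL_SOCKET)
			continue;

		if (cmsg->cmsg_type == SCM_CREDENTIALS &&
		    cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
			memcpy(&cred, CMSG_DATA(cmsg), sizeof(cred));

			if (cred.uid && (cred.uid != getuid() || cred.gid != getgid()))
				denied = 1;
		} else if (cmsg->cmsg_type == SCM_RIGHTS) {
			/*
			 * Nothing in this protocol sends descriptors, but the
			 * kernel has already installed whatever fit into
			 * cmsgbuf. Close them so the peer cannot make us
			 * accumulate descriptors.
			 */
			unsigned char *raw = CMSG_DATA(cmsg);
			size_t nfds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);

			for (size_t i = 0; i < nfds; i++) {
				int stray;

				/* memcpy sidesteps the -Wcast-align issue of casting CMSG_DATA(). */
				memcpy(&stray, raw + i * sizeof(int), sizeof(stray));
				close(stray);
			}
		}
	}

	if (denied)
		return log_error_errno(-1, EACCES,
				       "Message denied for '%d/%d'",
				       cred.uid, cred.gid);

	return ret;
}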
476
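/*
 * Convert @path into an AF_UNIX address in @ret.
 *
 * @path must be at least two characters and start with either '/' (a
 * filesystem socket) or '@' (an abstract socket; the '@' becomes the
 * leading NUL byte of sun_path). The whole string including its
 * terminator must fit in sun_path.
 *
 * Returns the address length to pass to bind()/connect():
 *   - abstract: offsetof(sun_path) + strlen(path), i.e. the leading NUL
 *     plus the name without the '@';
 *   - filesystem: offsetof(sun_path) + strlen(path) + 1, including the
 *     terminating NUL.
 * Returns ret_set_errno(-1, EINVAL) on a bad argument; @ret is untouched
 * in that case.
 */
int lxc_unix_sockaddr(struct sockaddr_un *ret, const char *path)
{
	size_t len;

	/*
	 * NULL pointers used to be dereferenced here; reject them like the
	 * other address helpers in this file do.
	 */
	if (!ret || !path)
		return ret_set_errno(-1, EINVAL);

	len = strlen(path);
	/* Rejects "" as well as a bare "/" or "@". */
	if (len < 2)
		return ret_set_errno(-1, EINVAL);

	if (path[0] != '/' && path[0] != '@')
		return ret_set_errno(-1, EINVAL);

	if (len + 1 > sizeof(ret->sun_path))
		return ret_set_errno(-1, EINVAL);

	*ret = (struct sockaddr_un){
		.sun_family = AF_UNIX,
	};

	if (path[0] == '@') {
		/* Copies the name and its NUL behind the leading NUL byte. */
		memcpy(ret->sun_path + 1, path + 1, len);
		return (int)(offsetof(struct sockaddr_un, sun_path) + len);
	}

	memcpy(ret->sun_path, path, len + 1);
	return (int)(offsetof(struct sockaddr_un, sun_path) + len + 1);
}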
504
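/*
 * Create a SOCK_CLOEXEC AF_UNIX socket of @type and connect it to @addr.
 *
 * @addr is expected to come from lxc_unix_sockaddr(): either a
 * NUL-terminated filesystem path in sun_path, or an abstract name whose
 * first byte is NUL followed by a NUL-terminated name. The address length
 * is recomputed here with strnlen(), so abstract names containing embedded
 * NUL bytes are not supported and an unterminated sun_path is not read past
 * its end.
 *
 * Returns the connected descriptor, or the log_error_errno(-1, errno, ...)
 * result on failure.
 */
int lxc_unix_connect_type(struct sockaddr_un *addr, int type)
{
	__do_close int fd = -EBADF;
	socklen_t addr_len;
	size_t len;
	int ret;

	fd = socket(AF_UNIX, type | SOCK_CLOEXEC, 0);
	if (fd < 0)
		return log_error_errno(-1, errno,
				       "Failed to open new AF_UNIX socket");

	if (addr->sun_path[0] == '\0') {
		/*
		 * Abstract address: the leading NUL byte is part of the name
		 * and must be counted, matching lxc_unix_sockaddr() and
		 * lxc_abstract_unix_connect(). This used to pass
		 * offsetof(sun_path) + strlen(&sun_path[1]), which connects
		 * to a name one byte shorter than the one stored in @addr.
		 */
		len = strnlen(&addr->sun_path[1], sizeof(addr->sun_path) - 1) + 1;
	} else {
		/* Filesystem path: length without the terminator, as before. */
		len = strnlen(addr->sun_path, sizeof(addr->sun_path));
	}
	addr_len = offsetof(struct sockaddr_un, sun_path) + len;

	ret = connect(fd, (struct sockaddr *)addr, addr_len);
	if (ret < 0)
		/* This is a connect(), the old message said "bind". */
		return log_error_errno(-1, errno,
				       "Failed to connect new AF_UNIX socket");

	return move_fd(fd);
}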
529
/*
 * Connect a SOCK_STREAM socket to @addr; see lxc_unix_connect_type() for
 * the address requirements and return value.
 */
int lxc_unix_connect(struct sockaddr_un *addr)
{
	const int type = SOCK_STREAM;

	return lxc_unix_connect_type(addr, type);
}
534
/*
 * Set the send and receive timeouts of socket @fd, in whole seconds.
 *
 * SO_SNDTIMEO is set first (from @snd_timeout), then SO_RCVTIMEO (from
 * @rcv_timeout); the microsecond part is always 0. A value of 0 leaves the
 * socket blocking indefinitely (socket(7)).
 *
 * Returns 0 on success, -1 with errno set by setsockopt() on the first
 * failure (the receive timeout is not touched if the send one fails).
 */
int lxc_socket_set_timeout(int fd, int rcv_timeout, int snd_timeout)
{
	const struct {
		int optname;
		int seconds;
	} opts[] = {
		{ SO_SNDTIMEO, snd_timeout },
		{ SO_RCVTIMEO, rcv_timeout },
	};

	for (size_t i = 0; i < sizeof(opts) / sizeof(opts[0]); i++) {
		struct timeval tv = {
			.tv_sec = opts[i].seconds,
		};

		if (setsockopt(fd, SOL_SOCKET, opts[i].optname, &tv, sizeof(tv)) < 0)
			return -1;
	}

	return 0;
}