diff options
Diffstat (limited to 'net/unix/af_unix.c')
| -rw-r--r-- | net/unix/af_unix.c | 104 | 
1 files changed, 47 insertions, 57 deletions
| diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 59a64b2ced6e..2e2e9997a68e 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -807,6 +807,11 @@ static void copy_peercred(struct sock *sk, struct sock *peersk)  	spin_unlock(&sk->sk_peer_lock);  } +static bool unix_may_passcred(const struct sock *sk) +{ +	return sk->sk_scm_credentials || sk->sk_scm_pidfd; +} +  static int unix_listen(struct socket *sock, int backlog)  {  	int err; @@ -997,13 +1002,6 @@ static void unix_close(struct sock *sk, long timeout)  	 */  } -static void unix_unhash(struct sock *sk) -{ -	/* Nothing to do here, unix socket does not need a ->unhash(). -	 * This is merely for sockmap. -	 */ -} -  static bool unix_bpf_bypass_getsockopt(int level, int optname)  {  	if (level == SOL_SOCKET) { @@ -1034,7 +1032,6 @@ struct proto unix_stream_proto = {  	.owner			= THIS_MODULE,  	.obj_size		= sizeof(struct unix_sock),  	.close			= unix_close, -	.unhash			= unix_unhash,  	.bpf_bypass_getsockopt	= unix_bpf_bypass_getsockopt,  #ifdef CONFIG_BPF_SYSCALL  	.psock_update_sk_prot	= unix_stream_bpf_update_proto, @@ -1065,6 +1062,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern,  	sock_init_data(sock, sk); +	sk->sk_scm_rights	= 1;  	sk->sk_hash		= unix_unbound_hash(sk);  	sk->sk_allocation	= GFP_KERNEL_ACCOUNT;  	sk->sk_write_space	= unix_write_space; @@ -1492,9 +1490,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,  		if (err)  			goto out; -		if ((test_bit(SOCK_PASSCRED, &sock->flags) || -		     test_bit(SOCK_PASSPIDFD, &sock->flags)) && -		    !READ_ONCE(unix_sk(sk)->addr)) { +		if (unix_may_passcred(sk) && !READ_ONCE(unix_sk(sk)->addr)) {  			err = unix_autobind(sk);  			if (err)  				goto out; @@ -1613,9 +1609,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,  	if (err)  		goto out; -	if ((test_bit(SOCK_PASSCRED, &sock->flags) || -	     test_bit(SOCK_PASSPIDFD, &sock->flags)) && -	    !READ_ONCE(u->addr)) { +	if (unix_may_passcred(sk) && !READ_ONCE(u->addr)) {  		err = unix_autobind(sk);  		if (err)  			goto out; @@ -1711,10 +1705,12 @@ restart:  	/* The way is open! Fastly set all the necessary fields... */  	sock_hold(sk); -	unix_peer(newsk)	= sk; -	newsk->sk_state		= TCP_ESTABLISHED; -	newsk->sk_type		= sk->sk_type; +	unix_peer(newsk) = sk; +	newsk->sk_state = TCP_ESTABLISHED; +	newsk->sk_type = sk->sk_type; +	newsk->sk_scm_recv_flags = other->sk_scm_recv_flags;  	init_peercred(newsk, &peercred); +  	newu = unix_sk(newsk);  	newu->listener = other;  	RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq); @@ -1808,17 +1804,6 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)  	return 0;  } -static void unix_sock_inherit_flags(const struct socket *old, -				    struct socket *new) -{ -	if (test_bit(SOCK_PASSCRED, &old->flags)) -		set_bit(SOCK_PASSCRED, &new->flags); -	if (test_bit(SOCK_PASSPIDFD, &old->flags)) -		set_bit(SOCK_PASSPIDFD, &new->flags); -	if (test_bit(SOCK_PASSSEC, &old->flags)) -		set_bit(SOCK_PASSSEC, &new->flags); -} -  static int unix_accept(struct socket *sock, struct socket *newsock,  		       struct proto_accept_arg *arg)  { @@ -1855,7 +1840,6 @@ static int unix_accept(struct socket *sock, struct socket *newsock,  	unix_state_lock(tsk);  	unix_update_edges(unix_sk(tsk));  	newsock->state = SS_CONNECTED; -	unix_sock_inherit_flags(sock, newsock);  	sock_graft(tsk, newsock);  	unix_state_unlock(tsk);  	return 0; @@ -1964,7 +1948,7 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen  {  	int err = 0; -	UNIXCB(skb).pid  = get_pid(scm->pid); +	UNIXCB(skb).pid = get_pid(scm->pid);  	UNIXCB(skb).uid = scm->creds.uid;  	UNIXCB(skb).gid = scm->creds.gid;  	UNIXCB(skb).fp = NULL; @@ -1976,28 +1960,19 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen  	return err;  } -static bool unix_passcred_enabled(const struct socket *sock, -				  const struct sock *other) -{ -	return test_bit(SOCK_PASSCRED, &sock->flags) || -	       test_bit(SOCK_PASSPIDFD, &sock->flags) || -	       !other->sk_socket || -	       test_bit(SOCK_PASSCRED, &other->sk_socket->flags) || -	       test_bit(SOCK_PASSPIDFD, &other->sk_socket->flags); -} -  /*   * Some apps rely on write() giving SCM_CREDENTIALS   * We include credentials if source or destination socket   * asserted SOCK_PASSCRED.   */ -static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock, -			    const struct sock *other) +static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk, +				 const struct sock *other)  {  	if (UNIXCB(skb).pid)  		return; -	if (unix_passcred_enabled(sock, other)) { -		UNIXCB(skb).pid  = get_pid(task_tgid(current)); + +	if (unix_may_passcred(sk) || unix_may_passcred(other)) { +		UNIXCB(skb).pid = get_pid(task_tgid(current));  		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);  	}  } @@ -2073,9 +2048,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,  			goto out;  	} -	if ((test_bit(SOCK_PASSCRED, &sock->flags) || -	     test_bit(SOCK_PASSPIDFD, &sock->flags)) && -	    !READ_ONCE(u->addr)) { +	if (unix_may_passcred(sk) && !READ_ONCE(u->addr)) {  		err = unix_autobind(sk);  		if (err)  			goto out; @@ -2192,6 +2165,11 @@ restart_locked:  		goto out_unlock;  	} +	if (UNIXCB(skb).fp && !other->sk_scm_rights) { +		err = -EPERM; +		goto out_unlock; +	} +  	if (sk->sk_type != SOCK_SEQPACKET) {  		err = security_unix_may_send(sk->sk_socket, other->sk_socket);  		if (err) @@ -2238,7 +2216,8 @@ restart_locked:  	if (sock_flag(other, SOCK_RCVTSTAMP))  		__net_timestamp(skb); -	maybe_add_creds(skb, sock, other); + +	unix_maybe_add_creds(skb, sk, other);  	scm_stat_add(other, skb);  	skb_queue_tail(&other->sk_receive_queue, skb);  	unix_state_unlock(other); @@ -2266,14 +2245,14 @@ out:  #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))  #if IS_ENABLED(CONFIG_AF_UNIX_OOB) -static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other, +static int queue_oob(struct sock *sk, struct msghdr *msg, struct sock *other,  		     struct scm_cookie *scm, bool fds_sent)  {  	struct unix_sock *ousk = unix_sk(other);  	struct sk_buff *skb;  	int err; -	skb = sock_alloc_send_skb(sock->sk, 1, msg->msg_flags & MSG_DONTWAIT, &err); +	skb = sock_alloc_send_skb(sk, 1, msg->msg_flags & MSG_DONTWAIT, &err);  	if (!skb)  		return err; @@ -2292,12 +2271,16 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other  	if (sock_flag(other, SOCK_DEAD) ||  	    (other->sk_shutdown & RCV_SHUTDOWN)) { -		unix_state_unlock(other);  		err = -EPIPE; -		goto out; +		goto out_unlock;  	} -	maybe_add_creds(skb, sock, other); +	if (UNIXCB(skb).fp && !other->sk_scm_rights) { +		err = -EPERM; +		goto out_unlock; +	} + +	unix_maybe_add_creds(skb, sk, other);  	scm_stat_add(other, skb);  	spin_lock(&other->sk_receive_queue.lock); @@ -2310,6 +2293,8 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other  	other->sk_data_ready(other);  	return 0; +out_unlock: +	unix_state_unlock(other);  out:  	consume_skb(skb);  	return err; @@ -2413,7 +2398,13 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,  		    (other->sk_shutdown & RCV_SHUTDOWN))  			goto out_pipe_unlock; -		maybe_add_creds(skb, sock, other); +		if (UNIXCB(skb).fp && !other->sk_scm_rights) { +			unix_state_unlock(other); +			err = -EPERM; +			goto out_free; +		} + +		unix_maybe_add_creds(skb, sk, other);  		scm_stat_add(other, skb);  		skb_queue_tail(&other->sk_receive_queue, skb);  		unix_state_unlock(other); @@ -2423,7 +2414,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,  #if IS_ENABLED(CONFIG_AF_UNIX_OOB)  	if (msg->msg_flags & MSG_OOB) { -		err = queue_oob(sock, msg, other, &scm, fds_sent); +		err = queue_oob(sk, msg, other, &scm, fds_sent);  		if (err)  			goto out_err;  		sent++; @@ -2945,8 +2936,7 @@ unlock:  			/* Never glue messages from different writers */  			if (!unix_skb_scm_eq(skb, &scm))  				break; -		} else if (test_bit(SOCK_PASSCRED, &sock->flags) || -			   test_bit(SOCK_PASSPIDFD, &sock->flags)) { +		} else if (unix_may_passcred(sk)) {  			/* Copy credentials */  			scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);  			unix_set_secdata(&scm, skb); | 
