diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2010-06-12 23:30:14 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-06-16 17:55:55 -0400 |
commit | 109f6e39fa07c48f580125f531f46cb7c245b528 (patch) | |
tree | 9ec97679c227394a44ebede5768f92d970cea6eb /net/unix | |
parent | 3f551f9436c05a3b5eccdd6e94733df5bb98d2a5 (diff) |
af_unix: Allow SO_PEERCRED to work across namespaces.
Use struct pid and struct cred to store the peer credentials on struct
sock. This gives enough information to convert the peer credential
information to a value relative to whatever namespace the socket is in
at the time.
This removes nasty surprises when using SO_PEERCRED on socket
connetions where the processes on either side are in different pid and
user namespaces.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/unix')
-rw-r--r-- | net/unix/af_unix.c | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index fef2cc5e9d2b..e1f1349fae86 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c | |||
@@ -450,11 +450,31 @@ static int unix_release_sock(struct sock *sk, int embrion) | |||
450 | return 0; | 450 | return 0; |
451 | } | 451 | } |
452 | 452 | ||
453 | static void init_peercred(struct sock *sk) | ||
454 | { | ||
455 | put_pid(sk->sk_peer_pid); | ||
456 | if (sk->sk_peer_cred) | ||
457 | put_cred(sk->sk_peer_cred); | ||
458 | sk->sk_peer_pid = get_pid(task_tgid(current)); | ||
459 | sk->sk_peer_cred = get_current_cred(); | ||
460 | } | ||
461 | |||
462 | static void copy_peercred(struct sock *sk, struct sock *peersk) | ||
463 | { | ||
464 | put_pid(sk->sk_peer_pid); | ||
465 | if (sk->sk_peer_cred) | ||
466 | put_cred(sk->sk_peer_cred); | ||
467 | sk->sk_peer_pid = get_pid(peersk->sk_peer_pid); | ||
468 | sk->sk_peer_cred = get_cred(peersk->sk_peer_cred); | ||
469 | } | ||
470 | |||
453 | static int unix_listen(struct socket *sock, int backlog) | 471 | static int unix_listen(struct socket *sock, int backlog) |
454 | { | 472 | { |
455 | int err; | 473 | int err; |
456 | struct sock *sk = sock->sk; | 474 | struct sock *sk = sock->sk; |
457 | struct unix_sock *u = unix_sk(sk); | 475 | struct unix_sock *u = unix_sk(sk); |
476 | struct pid *old_pid = NULL; | ||
477 | const struct cred *old_cred = NULL; | ||
458 | 478 | ||
459 | err = -EOPNOTSUPP; | 479 | err = -EOPNOTSUPP; |
460 | if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET) | 480 | if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET) |
@@ -470,12 +490,14 @@ static int unix_listen(struct socket *sock, int backlog) | |||
470 | sk->sk_max_ack_backlog = backlog; | 490 | sk->sk_max_ack_backlog = backlog; |
471 | sk->sk_state = TCP_LISTEN; | 491 | sk->sk_state = TCP_LISTEN; |
472 | /* set credentials so connect can copy them */ | 492 | /* set credentials so connect can copy them */ |
473 | sk->sk_peercred.pid = task_tgid_vnr(current); | 493 | init_peercred(sk); |
474 | current_euid_egid(&sk->sk_peercred.uid, &sk->sk_peercred.gid); | ||
475 | err = 0; | 494 | err = 0; |
476 | 495 | ||
477 | out_unlock: | 496 | out_unlock: |
478 | unix_state_unlock(sk); | 497 | unix_state_unlock(sk); |
498 | put_pid(old_pid); | ||
499 | if (old_cred) | ||
500 | put_cred(old_cred); | ||
479 | out: | 501 | out: |
480 | return err; | 502 | return err; |
481 | } | 503 | } |
@@ -1140,8 +1162,7 @@ restart: | |||
1140 | unix_peer(newsk) = sk; | 1162 | unix_peer(newsk) = sk; |
1141 | newsk->sk_state = TCP_ESTABLISHED; | 1163 | newsk->sk_state = TCP_ESTABLISHED; |
1142 | newsk->sk_type = sk->sk_type; | 1164 | newsk->sk_type = sk->sk_type; |
1143 | newsk->sk_peercred.pid = task_tgid_vnr(current); | 1165 | init_peercred(newsk); |
1144 | current_euid_egid(&newsk->sk_peercred.uid, &newsk->sk_peercred.gid); | ||
1145 | newu = unix_sk(newsk); | 1166 | newu = unix_sk(newsk); |
1146 | newsk->sk_wq = &newu->peer_wq; | 1167 | newsk->sk_wq = &newu->peer_wq; |
1147 | otheru = unix_sk(other); | 1168 | otheru = unix_sk(other); |
@@ -1157,7 +1178,7 @@ restart: | |||
1157 | } | 1178 | } |
1158 | 1179 | ||
1159 | /* Set credentials */ | 1180 | /* Set credentials */ |
1160 | sk->sk_peercred = other->sk_peercred; | 1181 | copy_peercred(sk, other); |
1161 | 1182 | ||
1162 | sock->state = SS_CONNECTED; | 1183 | sock->state = SS_CONNECTED; |
1163 | sk->sk_state = TCP_ESTABLISHED; | 1184 | sk->sk_state = TCP_ESTABLISHED; |
@@ -1199,10 +1220,8 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb) | |||
1199 | sock_hold(skb); | 1220 | sock_hold(skb); |
1200 | unix_peer(ska) = skb; | 1221 | unix_peer(ska) = skb; |
1201 | unix_peer(skb) = ska; | 1222 | unix_peer(skb) = ska; |
1202 | ska->sk_peercred.pid = skb->sk_peercred.pid = task_tgid_vnr(current); | 1223 | init_peercred(ska); |
1203 | current_euid_egid(&skb->sk_peercred.uid, &skb->sk_peercred.gid); | 1224 | init_peercred(skb); |
1204 | ska->sk_peercred.uid = skb->sk_peercred.uid; | ||
1205 | ska->sk_peercred.gid = skb->sk_peercred.gid; | ||
1206 | 1225 | ||
1207 | if (ska->sk_type != SOCK_DGRAM) { | 1226 | if (ska->sk_type != SOCK_DGRAM) { |
1208 | ska->sk_state = TCP_ESTABLISHED; | 1227 | ska->sk_state = TCP_ESTABLISHED; |