d84f4f992c
Inaugurate copy-on-write credentials management. This uses RCU to manage the credentials pointer in the task_struct with respect to accesses by other tasks. A process may only modify its own credentials, and so does not need locking to access or modify its own credentials. A mutex (cred_replace_mutex) is added to the task_struct to control the effect of PTRACE_ATTACHED on credential calculations, particularly with respect to execve(). With this patch, the contents of an active credentials struct may not be changed directly; rather a new set of credentials must be prepared, modified and committed using something like the following sequence of events: struct cred *new = prepare_creds(); int ret = blah(new); if (ret < 0) { abort_creds(new); return ret; } return commit_creds(new); There are some exceptions to this rule: the keyrings pointed to by the active credentials may be instantiated - keyrings violate the COW rule as managing COW keyrings is tricky, given that it is possible for a task to directly alter the keys in a keyring in use by another task. To help enforce this, various pointers to sets of credentials, such as those in the task_struct, are declared const. The purpose of this is compile-time discouragement of altering credentials through those pointers. Once a set of credentials has been made public through one of these pointers, it may not be modified, except under special circumstances: (1) Its reference count may incremented and decremented. (2) The keyrings to which it points may be modified, but not replaced. The only safe way to modify anything else is to create a replacement and commit using the functions described in Documentation/credentials.txt (which will be added by a later patch). This patch and the preceding patches have been tested with the LTP SELinux testsuite. This patch makes several logical sets of alteration: (1) execve(). This now prepares and commits credentials in various places in the security code rather than altering the current creds directly. (2) Temporary credential overrides. do_coredump() and sys_faccessat() now prepare their own credentials and temporarily override the ones currently on the acting thread, whilst preventing interference from other threads by holding cred_replace_mutex on the thread being dumped. This will be replaced in a future patch by something that hands down the credentials directly to the functions being called, rather than altering the task's objective credentials. (3) LSM interface. A number of functions have been changed, added or removed: (*) security_capset_check(), ->capset_check() (*) security_capset_set(), ->capset_set() Removed in favour of security_capset(). (*) security_capset(), ->capset() New. This is passed a pointer to the new creds, a pointer to the old creds and the proposed capability sets. It should fill in the new creds or return an error. All pointers, barring the pointer to the new creds, are now const. (*) security_bprm_apply_creds(), ->bprm_apply_creds() Changed; now returns a value, which will cause the process to be killed if it's an error. (*) security_task_alloc(), ->task_alloc_security() Removed in favour of security_prepare_creds(). (*) security_cred_free(), ->cred_free() New. Free security data attached to cred->security. (*) security_prepare_creds(), ->cred_prepare() New. Duplicate any security data attached to cred->security. (*) security_commit_creds(), ->cred_commit() New. Apply any security effects for the upcoming installation of new security by commit_creds(). (*) security_task_post_setuid(), ->task_post_setuid() Removed in favour of security_task_fix_setuid(). (*) security_task_fix_setuid(), ->task_fix_setuid() Fix up the proposed new credentials for setuid(). This is used by cap_set_fix_setuid() to implicitly adjust capabilities in line with setuid() changes. Changes are made to the new credentials, rather than the task itself as in security_task_post_setuid(). (*) security_task_reparent_to_init(), ->task_reparent_to_init() Removed. Instead the task being reparented to init is referred directly to init's credentials. NOTE! This results in the loss of some state: SELinux's osid no longer records the sid of the thread that forked it. (*) security_key_alloc(), ->key_alloc() (*) security_key_permission(), ->key_permission() Changed. These now take cred pointers rather than task pointers to refer to the security context. (4) sys_capset(). This has been simplified and uses less locking. The LSM functions it calls have been merged. (5) reparent_to_kthreadd(). This gives the current thread the same credentials as init by simply using commit_thread() to point that way. (6) __sigqueue_alloc() and switch_uid() __sigqueue_alloc() can't stop the target task from changing its creds beneath it, so this function gets a reference to the currently applicable user_struct which it then passes into the sigqueue struct it returns if successful. switch_uid() is now called from commit_creds(), and possibly should be folded into that. commit_creds() should take care of protecting __sigqueue_alloc(). (7) [sg]et[ug]id() and co and [sg]et_current_groups. The set functions now all use prepare_creds(), commit_creds() and abort_creds() to build and check a new set of credentials before applying it. security_task_set[ug]id() is called inside the prepared section. This guarantees that nothing else will affect the creds until we've finished. The calling of set_dumpable() has been moved into commit_creds(). Much of the functionality of set_user() has been moved into commit_creds(). The get functions all simply access the data directly. (8) security_task_prctl() and cap_task_prctl(). security_task_prctl() has been modified to return -ENOSYS if it doesn't want to handle a function, or otherwise return the return value directly rather than through an argument. Additionally, cap_task_prctl() now prepares a new set of credentials, even if it doesn't end up using it. (9) Keyrings. A number of changes have been made to the keyrings code: (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have all been dropped and built in to the credentials functions directly. They may want separating out again later. (b) key_alloc() and search_process_keyrings() now take a cred pointer rather than a task pointer to specify the security context. (c) copy_creds() gives a new thread within the same thread group a new thread keyring if its parent had one, otherwise it discards the thread keyring. (d) The authorisation key now points directly to the credentials to extend the search into rather pointing to the task that carries them. (e) Installing thread, process or session keyrings causes a new set of credentials to be created, even though it's not strictly necessary for process or session keyrings (they're shared). (10) Usermode helper. The usermode helper code now carries a cred struct pointer in its subprocess_info struct instead of a new session keyring pointer. This set of credentials is derived from init_cred and installed on the new process after it has been cloned. call_usermodehelper_setup() allocates the new credentials and call_usermodehelper_freeinfo() discards them if they haven't been used. A special cred function (prepare_usermodeinfo_creds()) is provided specifically for call_usermodehelper_setup() to call. call_usermodehelper_setkeys() adjusts the credentials to sport the supplied keyring as the new session keyring. (11) SELinux. SELinux has a number of changes, in addition to those to support the LSM interface changes mentioned above: (a) selinux_setprocattr() no longer does its check for whether the current ptracer can access processes with the new SID inside the lock that covers getting the ptracer's SID. Whilst this lock ensures that the check is done with the ptracer pinned, the result is only valid until the lock is released, so there's no point doing it inside the lock. (12) is_single_threaded(). This function has been extracted from selinux_setprocattr() and put into a file of its own in the lib/ directory as join_session_keyring() now wants to use it too. The code in SELinux just checked to see whether a task shared mm_structs with other tasks (CLONE_VM), but that isn't good enough. We really want to know if they're part of the same thread group (CLONE_THREAD). (13) nfsd. The NFS server daemon now has to use the COW credentials to set the credentials it is going to use. It really needs to pass the credentials down to the functions it calls, but it can't do that until other patches in this series have been applied. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
1883 lines
42 KiB
C
1883 lines
42 KiB
C
/*
|
|
* linux/kernel/sys.c
|
|
*
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/utsname.h>
|
|
#include <linux/mman.h>
|
|
#include <linux/smp_lock.h>
|
|
#include <linux/notifier.h>
|
|
#include <linux/reboot.h>
|
|
#include <linux/prctl.h>
|
|
#include <linux/highuid.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/resource.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/kexec.h>
|
|
#include <linux/workqueue.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/device.h>
|
|
#include <linux/key.h>
|
|
#include <linux/times.h>
|
|
#include <linux/posix-timers.h>
|
|
#include <linux/security.h>
|
|
#include <linux/dcookies.h>
|
|
#include <linux/suspend.h>
|
|
#include <linux/tty.h>
|
|
#include <linux/signal.h>
|
|
#include <linux/cn_proc.h>
|
|
#include <linux/getcpu.h>
|
|
#include <linux/task_io_accounting_ops.h>
|
|
#include <linux/seccomp.h>
|
|
#include <linux/cpu.h>
|
|
|
|
#include <linux/compat.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/kprobes.h>
|
|
#include <linux/user_namespace.h>
|
|
|
|
#include <asm/uaccess.h>
|
|
#include <asm/io.h>
|
|
#include <asm/unistd.h>
|
|
|
|
#ifndef SET_UNALIGN_CTL
|
|
# define SET_UNALIGN_CTL(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef GET_UNALIGN_CTL
|
|
# define GET_UNALIGN_CTL(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef SET_FPEMU_CTL
|
|
# define SET_FPEMU_CTL(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef GET_FPEMU_CTL
|
|
# define GET_FPEMU_CTL(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef SET_FPEXC_CTL
|
|
# define SET_FPEXC_CTL(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef GET_FPEXC_CTL
|
|
# define GET_FPEXC_CTL(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef GET_ENDIAN
|
|
# define GET_ENDIAN(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef SET_ENDIAN
|
|
# define SET_ENDIAN(a,b) (-EINVAL)
|
|
#endif
|
|
#ifndef GET_TSC_CTL
|
|
# define GET_TSC_CTL(a) (-EINVAL)
|
|
#endif
|
|
#ifndef SET_TSC_CTL
|
|
# define SET_TSC_CTL(a) (-EINVAL)
|
|
#endif
|
|
|
|
/*
|
|
* this is where the system-wide overflow UID and GID are defined, for
|
|
* architectures that now have 32-bit UID/GID but didn't in the past
|
|
*/
|
|
|
|
int overflowuid = DEFAULT_OVERFLOWUID;
|
|
int overflowgid = DEFAULT_OVERFLOWGID;
|
|
|
|
#ifdef CONFIG_UID16
|
|
EXPORT_SYMBOL(overflowuid);
|
|
EXPORT_SYMBOL(overflowgid);
|
|
#endif
|
|
|
|
/*
|
|
* the same as above, but for filesystems which can only store a 16-bit
|
|
* UID and GID. as such, this is needed on all architectures
|
|
*/
|
|
|
|
int fs_overflowuid = DEFAULT_FS_OVERFLOWUID;
|
|
int fs_overflowgid = DEFAULT_FS_OVERFLOWUID;
|
|
|
|
EXPORT_SYMBOL(fs_overflowuid);
|
|
EXPORT_SYMBOL(fs_overflowgid);
|
|
|
|
/*
|
|
* this indicates whether you can reboot with ctrl-alt-del: the default is yes
|
|
*/
|
|
|
|
int C_A_D = 1;
|
|
struct pid *cad_pid;
|
|
EXPORT_SYMBOL(cad_pid);
|
|
|
|
/*
|
|
* If set, this is used for preparing the system to power off.
|
|
*/
|
|
|
|
void (*pm_power_off_prepare)(void);
|
|
|
|
/*
|
|
* set the priority of a task
|
|
* - the caller must hold the RCU read lock
|
|
*/
|
|
static int set_one_prio(struct task_struct *p, int niceval, int error)
|
|
{
|
|
const struct cred *cred = current_cred(), *pcred = __task_cred(p);
|
|
int no_nice;
|
|
|
|
if (pcred->uid != cred->euid &&
|
|
pcred->euid != cred->euid && !capable(CAP_SYS_NICE)) {
|
|
error = -EPERM;
|
|
goto out;
|
|
}
|
|
if (niceval < task_nice(p) && !can_nice(p, niceval)) {
|
|
error = -EACCES;
|
|
goto out;
|
|
}
|
|
no_nice = security_task_setnice(p, niceval);
|
|
if (no_nice) {
|
|
error = no_nice;
|
|
goto out;
|
|
}
|
|
if (error == -ESRCH)
|
|
error = 0;
|
|
set_user_nice(p, niceval);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_setpriority(int which, int who, int niceval)
|
|
{
|
|
struct task_struct *g, *p;
|
|
struct user_struct *user;
|
|
const struct cred *cred = current_cred();
|
|
int error = -EINVAL;
|
|
struct pid *pgrp;
|
|
|
|
if (which > PRIO_USER || which < PRIO_PROCESS)
|
|
goto out;
|
|
|
|
/* normalize: avoid signed division (rounding problems) */
|
|
error = -ESRCH;
|
|
if (niceval < -20)
|
|
niceval = -20;
|
|
if (niceval > 19)
|
|
niceval = 19;
|
|
|
|
read_lock(&tasklist_lock);
|
|
switch (which) {
|
|
case PRIO_PROCESS:
|
|
if (who)
|
|
p = find_task_by_vpid(who);
|
|
else
|
|
p = current;
|
|
if (p)
|
|
error = set_one_prio(p, niceval, error);
|
|
break;
|
|
case PRIO_PGRP:
|
|
if (who)
|
|
pgrp = find_vpid(who);
|
|
else
|
|
pgrp = task_pgrp(current);
|
|
do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
|
|
error = set_one_prio(p, niceval, error);
|
|
} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
|
|
break;
|
|
case PRIO_USER:
|
|
user = (struct user_struct *) cred->user;
|
|
if (!who)
|
|
who = cred->uid;
|
|
else if ((who != cred->uid) &&
|
|
!(user = find_user(who)))
|
|
goto out_unlock; /* No processes for this user */
|
|
|
|
do_each_thread(g, p)
|
|
if (__task_cred(p)->uid == who)
|
|
error = set_one_prio(p, niceval, error);
|
|
while_each_thread(g, p);
|
|
if (who != cred->uid)
|
|
free_uid(user); /* For find_user() */
|
|
break;
|
|
}
|
|
out_unlock:
|
|
read_unlock(&tasklist_lock);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Ugh. To avoid negative return values, "getpriority()" will
|
|
* not return the normal nice-value, but a negated value that
|
|
* has been offset by 20 (ie it returns 40..1 instead of -20..19)
|
|
* to stay compatible.
|
|
*/
|
|
asmlinkage long sys_getpriority(int which, int who)
|
|
{
|
|
struct task_struct *g, *p;
|
|
struct user_struct *user;
|
|
const struct cred *cred = current_cred();
|
|
long niceval, retval = -ESRCH;
|
|
struct pid *pgrp;
|
|
|
|
if (which > PRIO_USER || which < PRIO_PROCESS)
|
|
return -EINVAL;
|
|
|
|
read_lock(&tasklist_lock);
|
|
switch (which) {
|
|
case PRIO_PROCESS:
|
|
if (who)
|
|
p = find_task_by_vpid(who);
|
|
else
|
|
p = current;
|
|
if (p) {
|
|
niceval = 20 - task_nice(p);
|
|
if (niceval > retval)
|
|
retval = niceval;
|
|
}
|
|
break;
|
|
case PRIO_PGRP:
|
|
if (who)
|
|
pgrp = find_vpid(who);
|
|
else
|
|
pgrp = task_pgrp(current);
|
|
do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
|
|
niceval = 20 - task_nice(p);
|
|
if (niceval > retval)
|
|
retval = niceval;
|
|
} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
|
|
break;
|
|
case PRIO_USER:
|
|
user = (struct user_struct *) cred->user;
|
|
if (!who)
|
|
who = cred->uid;
|
|
else if ((who != cred->uid) &&
|
|
!(user = find_user(who)))
|
|
goto out_unlock; /* No processes for this user */
|
|
|
|
do_each_thread(g, p)
|
|
if (__task_cred(p)->uid == who) {
|
|
niceval = 20 - task_nice(p);
|
|
if (niceval > retval)
|
|
retval = niceval;
|
|
}
|
|
while_each_thread(g, p);
|
|
if (who != cred->uid)
|
|
free_uid(user); /* for find_user() */
|
|
break;
|
|
}
|
|
out_unlock:
|
|
read_unlock(&tasklist_lock);
|
|
|
|
return retval;
|
|
}
|
|
|
|
/**
|
|
* emergency_restart - reboot the system
|
|
*
|
|
* Without shutting down any hardware or taking any locks
|
|
* reboot the system. This is called when we know we are in
|
|
* trouble so this is our best effort to reboot. This is
|
|
* safe to call in interrupt context.
|
|
*/
|
|
void emergency_restart(void)
|
|
{
|
|
machine_emergency_restart();
|
|
}
|
|
EXPORT_SYMBOL_GPL(emergency_restart);
|
|
|
|
void kernel_restart_prepare(char *cmd)
|
|
{
|
|
blocking_notifier_call_chain(&reboot_notifier_list, SYS_RESTART, cmd);
|
|
system_state = SYSTEM_RESTART;
|
|
device_shutdown();
|
|
sysdev_shutdown();
|
|
}
|
|
|
|
/**
|
|
* kernel_restart - reboot the system
|
|
* @cmd: pointer to buffer containing command to execute for restart
|
|
* or %NULL
|
|
*
|
|
* Shutdown everything and perform a clean reboot.
|
|
* This is not safe to call in interrupt context.
|
|
*/
|
|
void kernel_restart(char *cmd)
|
|
{
|
|
kernel_restart_prepare(cmd);
|
|
if (!cmd)
|
|
printk(KERN_EMERG "Restarting system.\n");
|
|
else
|
|
printk(KERN_EMERG "Restarting system with command '%s'.\n", cmd);
|
|
machine_restart(cmd);
|
|
}
|
|
EXPORT_SYMBOL_GPL(kernel_restart);
|
|
|
|
static void kernel_shutdown_prepare(enum system_states state)
|
|
{
|
|
blocking_notifier_call_chain(&reboot_notifier_list,
|
|
(state == SYSTEM_HALT)?SYS_HALT:SYS_POWER_OFF, NULL);
|
|
system_state = state;
|
|
device_shutdown();
|
|
}
|
|
/**
|
|
* kernel_halt - halt the system
|
|
*
|
|
* Shutdown everything and perform a clean system halt.
|
|
*/
|
|
void kernel_halt(void)
|
|
{
|
|
kernel_shutdown_prepare(SYSTEM_HALT);
|
|
sysdev_shutdown();
|
|
printk(KERN_EMERG "System halted.\n");
|
|
machine_halt();
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(kernel_halt);
|
|
|
|
/**
|
|
* kernel_power_off - power_off the system
|
|
*
|
|
* Shutdown everything and perform a clean system power_off.
|
|
*/
|
|
void kernel_power_off(void)
|
|
{
|
|
kernel_shutdown_prepare(SYSTEM_POWER_OFF);
|
|
if (pm_power_off_prepare)
|
|
pm_power_off_prepare();
|
|
disable_nonboot_cpus();
|
|
sysdev_shutdown();
|
|
printk(KERN_EMERG "Power down.\n");
|
|
machine_power_off();
|
|
}
|
|
EXPORT_SYMBOL_GPL(kernel_power_off);
|
|
/*
|
|
* Reboot system call: for obvious reasons only root may call it,
|
|
* and even root needs to set up some magic numbers in the registers
|
|
* so that some mistake won't make this reboot the whole machine.
|
|
* You can also set the meaning of the ctrl-alt-del-key here.
|
|
*
|
|
* reboot doesn't sync: do that yourself before calling this.
|
|
*/
|
|
asmlinkage long sys_reboot(int magic1, int magic2, unsigned int cmd, void __user * arg)
|
|
{
|
|
char buffer[256];
|
|
|
|
/* We only trust the superuser with rebooting the system. */
|
|
if (!capable(CAP_SYS_BOOT))
|
|
return -EPERM;
|
|
|
|
/* For safety, we require "magic" arguments. */
|
|
if (magic1 != LINUX_REBOOT_MAGIC1 ||
|
|
(magic2 != LINUX_REBOOT_MAGIC2 &&
|
|
magic2 != LINUX_REBOOT_MAGIC2A &&
|
|
magic2 != LINUX_REBOOT_MAGIC2B &&
|
|
magic2 != LINUX_REBOOT_MAGIC2C))
|
|
return -EINVAL;
|
|
|
|
/* Instead of trying to make the power_off code look like
|
|
* halt when pm_power_off is not set do it the easy way.
|
|
*/
|
|
if ((cmd == LINUX_REBOOT_CMD_POWER_OFF) && !pm_power_off)
|
|
cmd = LINUX_REBOOT_CMD_HALT;
|
|
|
|
lock_kernel();
|
|
switch (cmd) {
|
|
case LINUX_REBOOT_CMD_RESTART:
|
|
kernel_restart(NULL);
|
|
break;
|
|
|
|
case LINUX_REBOOT_CMD_CAD_ON:
|
|
C_A_D = 1;
|
|
break;
|
|
|
|
case LINUX_REBOOT_CMD_CAD_OFF:
|
|
C_A_D = 0;
|
|
break;
|
|
|
|
case LINUX_REBOOT_CMD_HALT:
|
|
kernel_halt();
|
|
unlock_kernel();
|
|
do_exit(0);
|
|
break;
|
|
|
|
case LINUX_REBOOT_CMD_POWER_OFF:
|
|
kernel_power_off();
|
|
unlock_kernel();
|
|
do_exit(0);
|
|
break;
|
|
|
|
case LINUX_REBOOT_CMD_RESTART2:
|
|
if (strncpy_from_user(&buffer[0], arg, sizeof(buffer) - 1) < 0) {
|
|
unlock_kernel();
|
|
return -EFAULT;
|
|
}
|
|
buffer[sizeof(buffer) - 1] = '\0';
|
|
|
|
kernel_restart(buffer);
|
|
break;
|
|
|
|
#ifdef CONFIG_KEXEC
|
|
case LINUX_REBOOT_CMD_KEXEC:
|
|
{
|
|
int ret;
|
|
ret = kernel_kexec();
|
|
unlock_kernel();
|
|
return ret;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_HIBERNATION
|
|
case LINUX_REBOOT_CMD_SW_SUSPEND:
|
|
{
|
|
int ret = hibernate();
|
|
unlock_kernel();
|
|
return ret;
|
|
}
|
|
#endif
|
|
|
|
default:
|
|
unlock_kernel();
|
|
return -EINVAL;
|
|
}
|
|
unlock_kernel();
|
|
return 0;
|
|
}
|
|
|
|
static void deferred_cad(struct work_struct *dummy)
|
|
{
|
|
kernel_restart(NULL);
|
|
}
|
|
|
|
/*
|
|
* This function gets called by ctrl-alt-del - ie the keyboard interrupt.
|
|
* As it's called within an interrupt, it may NOT sync: the only choice
|
|
* is whether to reboot at once, or just ignore the ctrl-alt-del.
|
|
*/
|
|
void ctrl_alt_del(void)
|
|
{
|
|
static DECLARE_WORK(cad_work, deferred_cad);
|
|
|
|
if (C_A_D)
|
|
schedule_work(&cad_work);
|
|
else
|
|
kill_cad_pid(SIGINT, 1);
|
|
}
|
|
|
|
/*
|
|
* Unprivileged users may change the real gid to the effective gid
|
|
* or vice versa. (BSD-style)
|
|
*
|
|
* If you set the real gid at all, or set the effective gid to a value not
|
|
* equal to the real gid, then the saved gid is set to the new effective gid.
|
|
*
|
|
* This makes it possible for a setgid program to completely drop its
|
|
* privileges, which is often a useful assertion to make when you are doing
|
|
* a security audit over a program.
|
|
*
|
|
* The general idea is that a program which uses just setregid() will be
|
|
* 100% compatible with BSD. A program which uses just setgid() will be
|
|
* 100% compatible with POSIX with saved IDs.
|
|
*
|
|
* SMP: There are not races, the GIDs are checked only by filesystem
|
|
* operations (as far as semantic preservation is concerned).
|
|
*/
|
|
asmlinkage long sys_setregid(gid_t rgid, gid_t egid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
int retval;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
old = current_cred();
|
|
|
|
retval = security_task_setgid(rgid, egid, (gid_t)-1, LSM_SETID_RE);
|
|
if (retval)
|
|
goto error;
|
|
|
|
retval = -EPERM;
|
|
if (rgid != (gid_t) -1) {
|
|
if (old->gid == rgid ||
|
|
old->egid == rgid ||
|
|
capable(CAP_SETGID))
|
|
new->gid = rgid;
|
|
else
|
|
goto error;
|
|
}
|
|
if (egid != (gid_t) -1) {
|
|
if (old->gid == egid ||
|
|
old->egid == egid ||
|
|
old->sgid == egid ||
|
|
capable(CAP_SETGID))
|
|
new->egid = egid;
|
|
else
|
|
goto error;
|
|
}
|
|
|
|
if (rgid != (gid_t) -1 ||
|
|
(egid != (gid_t) -1 && egid != old->gid))
|
|
new->sgid = new->egid;
|
|
new->fsgid = new->egid;
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* setgid() is implemented like SysV w/ SAVED_IDS
|
|
*
|
|
* SMP: Same implicit races as above.
|
|
*/
|
|
asmlinkage long sys_setgid(gid_t gid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
int retval;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
old = current_cred();
|
|
|
|
retval = security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_ID);
|
|
if (retval)
|
|
goto error;
|
|
|
|
retval = -EPERM;
|
|
if (capable(CAP_SETGID))
|
|
new->gid = new->egid = new->sgid = new->fsgid = gid;
|
|
else if (gid == old->gid || gid == old->sgid)
|
|
new->egid = new->fsgid = gid;
|
|
else
|
|
goto error;
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* change the user struct in a credentials set to match the new UID
|
|
*/
|
|
static int set_user(struct cred *new)
|
|
{
|
|
struct user_struct *new_user;
|
|
|
|
new_user = alloc_uid(current->nsproxy->user_ns, new->uid);
|
|
if (!new_user)
|
|
return -EAGAIN;
|
|
|
|
if (atomic_read(&new_user->processes) >=
|
|
current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
|
|
new_user != current->nsproxy->user_ns->root_user) {
|
|
free_uid(new_user);
|
|
return -EAGAIN;
|
|
}
|
|
|
|
free_uid(new->user);
|
|
new->user = new_user;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Unprivileged users may change the real uid to the effective uid
|
|
* or vice versa. (BSD-style)
|
|
*
|
|
* If you set the real uid at all, or set the effective uid to a value not
|
|
* equal to the real uid, then the saved uid is set to the new effective uid.
|
|
*
|
|
* This makes it possible for a setuid program to completely drop its
|
|
* privileges, which is often a useful assertion to make when you are doing
|
|
* a security audit over a program.
|
|
*
|
|
* The general idea is that a program which uses just setreuid() will be
|
|
* 100% compatible with BSD. A program which uses just setuid() will be
|
|
* 100% compatible with POSIX with saved IDs.
|
|
*/
|
|
asmlinkage long sys_setreuid(uid_t ruid, uid_t euid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
int retval;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
old = current_cred();
|
|
|
|
retval = security_task_setuid(ruid, euid, (uid_t)-1, LSM_SETID_RE);
|
|
if (retval)
|
|
goto error;
|
|
|
|
retval = -EPERM;
|
|
if (ruid != (uid_t) -1) {
|
|
new->uid = ruid;
|
|
if (old->uid != ruid &&
|
|
old->euid != ruid &&
|
|
!capable(CAP_SETUID))
|
|
goto error;
|
|
}
|
|
|
|
if (euid != (uid_t) -1) {
|
|
new->euid = euid;
|
|
if (old->uid != euid &&
|
|
old->euid != euid &&
|
|
old->suid != euid &&
|
|
!capable(CAP_SETUID))
|
|
goto error;
|
|
}
|
|
|
|
retval = -EAGAIN;
|
|
if (new->uid != old->uid && set_user(new) < 0)
|
|
goto error;
|
|
|
|
if (ruid != (uid_t) -1 ||
|
|
(euid != (uid_t) -1 && euid != old->uid))
|
|
new->suid = new->euid;
|
|
new->fsuid = new->euid;
|
|
|
|
retval = security_task_fix_setuid(new, old, LSM_SETID_RE);
|
|
if (retval < 0)
|
|
goto error;
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* setuid() is implemented like SysV with SAVED_IDS
|
|
*
|
|
* Note that SAVED_ID's is deficient in that a setuid root program
|
|
* like sendmail, for example, cannot set its uid to be a normal
|
|
* user and then switch back, because if you're root, setuid() sets
|
|
* the saved uid too. If you don't like this, blame the bright people
|
|
* in the POSIX committee and/or USG. Note that the BSD-style setreuid()
|
|
* will allow a root program to temporarily drop privileges and be able to
|
|
* regain them by swapping the real and effective uid.
|
|
*/
|
|
asmlinkage long sys_setuid(uid_t uid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
int retval;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
old = current_cred();
|
|
|
|
retval = security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_ID);
|
|
if (retval)
|
|
goto error;
|
|
|
|
retval = -EPERM;
|
|
if (capable(CAP_SETUID)) {
|
|
new->suid = new->uid = uid;
|
|
if (uid != old->uid && set_user(new) < 0) {
|
|
retval = -EAGAIN;
|
|
goto error;
|
|
}
|
|
} else if (uid != old->uid && uid != new->suid) {
|
|
goto error;
|
|
}
|
|
|
|
new->fsuid = new->euid = uid;
|
|
|
|
retval = security_task_fix_setuid(new, old, LSM_SETID_ID);
|
|
if (retval < 0)
|
|
goto error;
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return retval;
|
|
}
|
|
|
|
|
|
/*
|
|
* This function implements a generic ability to update ruid, euid,
|
|
* and suid. This allows you to implement the 4.4 compatible seteuid().
|
|
*/
|
|
asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
int retval;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES);
|
|
if (retval)
|
|
goto error;
|
|
old = current_cred();
|
|
|
|
retval = -EPERM;
|
|
if (!capable(CAP_SETUID)) {
|
|
if (ruid != (uid_t) -1 && ruid != old->uid &&
|
|
ruid != old->euid && ruid != old->suid)
|
|
goto error;
|
|
if (euid != (uid_t) -1 && euid != old->uid &&
|
|
euid != old->euid && euid != old->suid)
|
|
goto error;
|
|
if (suid != (uid_t) -1 && suid != old->uid &&
|
|
suid != old->euid && suid != old->suid)
|
|
goto error;
|
|
}
|
|
|
|
retval = -EAGAIN;
|
|
if (ruid != (uid_t) -1) {
|
|
new->uid = ruid;
|
|
if (ruid != old->uid && set_user(new) < 0)
|
|
goto error;
|
|
}
|
|
if (euid != (uid_t) -1)
|
|
new->euid = euid;
|
|
if (suid != (uid_t) -1)
|
|
new->suid = suid;
|
|
new->fsuid = new->euid;
|
|
|
|
retval = security_task_fix_setuid(new, old, LSM_SETID_RES);
|
|
if (retval < 0)
|
|
goto error;
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return retval;
|
|
}
|
|
|
|
asmlinkage long sys_getresuid(uid_t __user *ruid, uid_t __user *euid, uid_t __user *suid)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int retval;
|
|
|
|
if (!(retval = put_user(cred->uid, ruid)) &&
|
|
!(retval = put_user(cred->euid, euid)))
|
|
retval = put_user(cred->suid, suid);
|
|
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* Same as above, but for rgid, egid, sgid.
|
|
*/
|
|
asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
int retval;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
old = current_cred();
|
|
|
|
retval = security_task_setgid(rgid, egid, sgid, LSM_SETID_RES);
|
|
if (retval)
|
|
goto error;
|
|
|
|
retval = -EPERM;
|
|
if (!capable(CAP_SETGID)) {
|
|
if (rgid != (gid_t) -1 && rgid != old->gid &&
|
|
rgid != old->egid && rgid != old->sgid)
|
|
goto error;
|
|
if (egid != (gid_t) -1 && egid != old->gid &&
|
|
egid != old->egid && egid != old->sgid)
|
|
goto error;
|
|
if (sgid != (gid_t) -1 && sgid != old->gid &&
|
|
sgid != old->egid && sgid != old->sgid)
|
|
goto error;
|
|
}
|
|
|
|
if (rgid != (gid_t) -1)
|
|
new->gid = rgid;
|
|
if (egid != (gid_t) -1)
|
|
new->egid = egid;
|
|
if (sgid != (gid_t) -1)
|
|
new->sgid = sgid;
|
|
new->fsgid = new->egid;
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return retval;
|
|
}
|
|
|
|
asmlinkage long sys_getresgid(gid_t __user *rgid, gid_t __user *egid, gid_t __user *sgid)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int retval;
|
|
|
|
if (!(retval = put_user(cred->gid, rgid)) &&
|
|
!(retval = put_user(cred->egid, egid)))
|
|
retval = put_user(cred->sgid, sgid);
|
|
|
|
return retval;
|
|
}
|
|
|
|
|
|
/*
|
|
* "setfsuid()" sets the fsuid - the uid used for filesystem checks. This
|
|
* is used for "access()" and for the NFS daemon (letting nfsd stay at
|
|
* whatever uid it wants to). It normally shadows "euid", except when
|
|
* explicitly set by setfsuid() or for access..
|
|
*/
|
|
asmlinkage long sys_setfsuid(uid_t uid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
uid_t old_fsuid;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return current_fsuid();
|
|
old = current_cred();
|
|
old_fsuid = old->fsuid;
|
|
|
|
if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
|
|
goto error;
|
|
|
|
if (uid == old->uid || uid == old->euid ||
|
|
uid == old->suid || uid == old->fsuid ||
|
|
capable(CAP_SETUID)) {
|
|
if (uid != old_fsuid) {
|
|
new->fsuid = uid;
|
|
if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0)
|
|
goto change_okay;
|
|
}
|
|
}
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return old_fsuid;
|
|
|
|
change_okay:
|
|
commit_creds(new);
|
|
return old_fsuid;
|
|
}
|
|
|
|
/*
|
|
* Samma på svenska..
|
|
*/
|
|
asmlinkage long sys_setfsgid(gid_t gid)
|
|
{
|
|
const struct cred *old;
|
|
struct cred *new;
|
|
gid_t old_fsgid;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return current_fsgid();
|
|
old = current_cred();
|
|
old_fsgid = old->fsgid;
|
|
|
|
if (security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_FS))
|
|
goto error;
|
|
|
|
if (gid == old->gid || gid == old->egid ||
|
|
gid == old->sgid || gid == old->fsgid ||
|
|
capable(CAP_SETGID)) {
|
|
if (gid != old_fsgid) {
|
|
new->fsgid = gid;
|
|
goto change_okay;
|
|
}
|
|
}
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return old_fsgid;
|
|
|
|
change_okay:
|
|
commit_creds(new);
|
|
return old_fsgid;
|
|
}
|
|
|
|
void do_sys_times(struct tms *tms)
|
|
{
|
|
struct task_cputime cputime;
|
|
cputime_t cutime, cstime;
|
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
|
thread_group_cputime(current, &cputime);
|
|
cutime = current->signal->cutime;
|
|
cstime = current->signal->cstime;
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
tms->tms_utime = cputime_to_clock_t(cputime.utime);
|
|
tms->tms_stime = cputime_to_clock_t(cputime.stime);
|
|
tms->tms_cutime = cputime_to_clock_t(cutime);
|
|
tms->tms_cstime = cputime_to_clock_t(cstime);
|
|
}
|
|
|
|
asmlinkage long sys_times(struct tms __user * tbuf)
|
|
{
|
|
if (tbuf) {
|
|
struct tms tmp;
|
|
|
|
do_sys_times(&tmp);
|
|
if (copy_to_user(tbuf, &tmp, sizeof(struct tms)))
|
|
return -EFAULT;
|
|
}
|
|
return (long) jiffies_64_to_clock_t(get_jiffies_64());
|
|
}
|
|
|
|
/*
|
|
* This needs some heavy checking ...
|
|
* I just haven't the stomach for it. I also don't fully
|
|
* understand sessions/pgrp etc. Let somebody who does explain it.
|
|
*
|
|
* OK, I think I have the protection semantics right.... this is really
|
|
* only important on a multi-user system anyway, to make sure one user
|
|
* can't send a signal to a process owned by another. -TYT, 12/12/91
|
|
*
|
|
* Auch. Had to add the 'did_exec' flag to conform completely to POSIX.
|
|
* LBT 04.03.94
|
|
*/
|
|
asmlinkage long sys_setpgid(pid_t pid, pid_t pgid)
|
|
{
|
|
struct task_struct *p;
|
|
struct task_struct *group_leader = current->group_leader;
|
|
struct pid *pgrp;
|
|
int err;
|
|
|
|
if (!pid)
|
|
pid = task_pid_vnr(group_leader);
|
|
if (!pgid)
|
|
pgid = pid;
|
|
if (pgid < 0)
|
|
return -EINVAL;
|
|
|
|
/* From this point forward we keep holding onto the tasklist lock
|
|
* so that our parent does not change from under us. -DaveM
|
|
*/
|
|
write_lock_irq(&tasklist_lock);
|
|
|
|
err = -ESRCH;
|
|
p = find_task_by_vpid(pid);
|
|
if (!p)
|
|
goto out;
|
|
|
|
err = -EINVAL;
|
|
if (!thread_group_leader(p))
|
|
goto out;
|
|
|
|
if (same_thread_group(p->real_parent, group_leader)) {
|
|
err = -EPERM;
|
|
if (task_session(p) != task_session(group_leader))
|
|
goto out;
|
|
err = -EACCES;
|
|
if (p->did_exec)
|
|
goto out;
|
|
} else {
|
|
err = -ESRCH;
|
|
if (p != group_leader)
|
|
goto out;
|
|
}
|
|
|
|
err = -EPERM;
|
|
if (p->signal->leader)
|
|
goto out;
|
|
|
|
pgrp = task_pid(p);
|
|
if (pgid != pid) {
|
|
struct task_struct *g;
|
|
|
|
pgrp = find_vpid(pgid);
|
|
g = pid_task(pgrp, PIDTYPE_PGID);
|
|
if (!g || task_session(g) != task_session(group_leader))
|
|
goto out;
|
|
}
|
|
|
|
err = security_task_setpgid(p, pgid);
|
|
if (err)
|
|
goto out;
|
|
|
|
if (task_pgrp(p) != pgrp) {
|
|
change_pid(p, PIDTYPE_PGID, pgrp);
|
|
set_task_pgrp(p, pid_nr(pgrp));
|
|
}
|
|
|
|
err = 0;
|
|
out:
|
|
/* All paths lead to here, thus we are safe. -DaveM */
|
|
write_unlock_irq(&tasklist_lock);
|
|
return err;
|
|
}
|
|
|
|
asmlinkage long sys_getpgid(pid_t pid)
|
|
{
|
|
struct task_struct *p;
|
|
struct pid *grp;
|
|
int retval;
|
|
|
|
rcu_read_lock();
|
|
if (!pid)
|
|
grp = task_pgrp(current);
|
|
else {
|
|
retval = -ESRCH;
|
|
p = find_task_by_vpid(pid);
|
|
if (!p)
|
|
goto out;
|
|
grp = task_pgrp(p);
|
|
if (!grp)
|
|
goto out;
|
|
|
|
retval = security_task_getpgid(p);
|
|
if (retval)
|
|
goto out;
|
|
}
|
|
retval = pid_vnr(grp);
|
|
out:
|
|
rcu_read_unlock();
|
|
return retval;
|
|
}
|
|
|
|
#ifdef __ARCH_WANT_SYS_GETPGRP
|
|
|
|
asmlinkage long sys_getpgrp(void)
|
|
{
|
|
return sys_getpgid(0);
|
|
}
|
|
|
|
#endif
|
|
|
|
asmlinkage long sys_getsid(pid_t pid)
|
|
{
|
|
struct task_struct *p;
|
|
struct pid *sid;
|
|
int retval;
|
|
|
|
rcu_read_lock();
|
|
if (!pid)
|
|
sid = task_session(current);
|
|
else {
|
|
retval = -ESRCH;
|
|
p = find_task_by_vpid(pid);
|
|
if (!p)
|
|
goto out;
|
|
sid = task_session(p);
|
|
if (!sid)
|
|
goto out;
|
|
|
|
retval = security_task_getsid(p);
|
|
if (retval)
|
|
goto out;
|
|
}
|
|
retval = pid_vnr(sid);
|
|
out:
|
|
rcu_read_unlock();
|
|
return retval;
|
|
}
|
|
|
|
asmlinkage long sys_setsid(void)
|
|
{
|
|
struct task_struct *group_leader = current->group_leader;
|
|
struct pid *sid = task_pid(group_leader);
|
|
pid_t session = pid_vnr(sid);
|
|
int err = -EPERM;
|
|
|
|
write_lock_irq(&tasklist_lock);
|
|
/* Fail if I am already a session leader */
|
|
if (group_leader->signal->leader)
|
|
goto out;
|
|
|
|
/* Fail if a process group id already exists that equals the
|
|
* proposed session id.
|
|
*/
|
|
if (pid_task(sid, PIDTYPE_PGID))
|
|
goto out;
|
|
|
|
group_leader->signal->leader = 1;
|
|
__set_special_pids(sid);
|
|
|
|
proc_clear_tty(group_leader);
|
|
|
|
err = session;
|
|
out:
|
|
write_unlock_irq(&tasklist_lock);
|
|
return err;
|
|
}
|
|
|
|
/*
|
|
* Supplementary group IDs
|
|
*/
|
|
|
|
/* init to 2 - one for init_task, one to ensure it is never freed */
|
|
struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
|
|
|
|
struct group_info *groups_alloc(int gidsetsize)
|
|
{
|
|
struct group_info *group_info;
|
|
int nblocks;
|
|
int i;
|
|
|
|
nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK;
|
|
/* Make sure we always allocate at least one indirect block pointer */
|
|
nblocks = nblocks ? : 1;
|
|
group_info = kmalloc(sizeof(*group_info) + nblocks*sizeof(gid_t *), GFP_USER);
|
|
if (!group_info)
|
|
return NULL;
|
|
group_info->ngroups = gidsetsize;
|
|
group_info->nblocks = nblocks;
|
|
atomic_set(&group_info->usage, 1);
|
|
|
|
if (gidsetsize <= NGROUPS_SMALL)
|
|
group_info->blocks[0] = group_info->small_block;
|
|
else {
|
|
for (i = 0; i < nblocks; i++) {
|
|
gid_t *b;
|
|
b = (void *)__get_free_page(GFP_USER);
|
|
if (!b)
|
|
goto out_undo_partial_alloc;
|
|
group_info->blocks[i] = b;
|
|
}
|
|
}
|
|
return group_info;
|
|
|
|
out_undo_partial_alloc:
|
|
while (--i >= 0) {
|
|
free_page((unsigned long)group_info->blocks[i]);
|
|
}
|
|
kfree(group_info);
|
|
return NULL;
|
|
}
|
|
|
|
EXPORT_SYMBOL(groups_alloc);
|
|
|
|
void groups_free(struct group_info *group_info)
|
|
{
|
|
if (group_info->blocks[0] != group_info->small_block) {
|
|
int i;
|
|
for (i = 0; i < group_info->nblocks; i++)
|
|
free_page((unsigned long)group_info->blocks[i]);
|
|
}
|
|
kfree(group_info);
|
|
}
|
|
|
|
EXPORT_SYMBOL(groups_free);
|
|
|
|
/* export the group_info to a user-space array */
|
|
static int groups_to_user(gid_t __user *grouplist,
|
|
const struct group_info *group_info)
|
|
{
|
|
int i;
|
|
unsigned int count = group_info->ngroups;
|
|
|
|
for (i = 0; i < group_info->nblocks; i++) {
|
|
unsigned int cp_count = min(NGROUPS_PER_BLOCK, count);
|
|
unsigned int len = cp_count * sizeof(*grouplist);
|
|
|
|
if (copy_to_user(grouplist, group_info->blocks[i], len))
|
|
return -EFAULT;
|
|
|
|
grouplist += NGROUPS_PER_BLOCK;
|
|
count -= cp_count;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* fill a group_info from a user-space array - it must be allocated already */
|
|
static int groups_from_user(struct group_info *group_info,
|
|
gid_t __user *grouplist)
|
|
{
|
|
int i;
|
|
unsigned int count = group_info->ngroups;
|
|
|
|
for (i = 0; i < group_info->nblocks; i++) {
|
|
unsigned int cp_count = min(NGROUPS_PER_BLOCK, count);
|
|
unsigned int len = cp_count * sizeof(*grouplist);
|
|
|
|
if (copy_from_user(group_info->blocks[i], grouplist, len))
|
|
return -EFAULT;
|
|
|
|
grouplist += NGROUPS_PER_BLOCK;
|
|
count -= cp_count;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* a simple Shell sort */
|
|
static void groups_sort(struct group_info *group_info)
|
|
{
|
|
int base, max, stride;
|
|
int gidsetsize = group_info->ngroups;
|
|
|
|
for (stride = 1; stride < gidsetsize; stride = 3 * stride + 1)
|
|
; /* nothing */
|
|
stride /= 3;
|
|
|
|
while (stride) {
|
|
max = gidsetsize - stride;
|
|
for (base = 0; base < max; base++) {
|
|
int left = base;
|
|
int right = left + stride;
|
|
gid_t tmp = GROUP_AT(group_info, right);
|
|
|
|
while (left >= 0 && GROUP_AT(group_info, left) > tmp) {
|
|
GROUP_AT(group_info, right) =
|
|
GROUP_AT(group_info, left);
|
|
right = left;
|
|
left -= stride;
|
|
}
|
|
GROUP_AT(group_info, right) = tmp;
|
|
}
|
|
stride /= 3;
|
|
}
|
|
}
|
|
|
|
/* a simple bsearch */
|
|
int groups_search(const struct group_info *group_info, gid_t grp)
|
|
{
|
|
unsigned int left, right;
|
|
|
|
if (!group_info)
|
|
return 0;
|
|
|
|
left = 0;
|
|
right = group_info->ngroups;
|
|
while (left < right) {
|
|
unsigned int mid = (left+right)/2;
|
|
int cmp = grp - GROUP_AT(group_info, mid);
|
|
if (cmp > 0)
|
|
left = mid + 1;
|
|
else if (cmp < 0)
|
|
right = mid;
|
|
else
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* set_groups - Change a group subscription in a set of credentials
|
|
* @new: The newly prepared set of credentials to alter
|
|
* @group_info: The group list to install
|
|
*
|
|
* Validate a group subscription and, if valid, insert it into a set
|
|
* of credentials.
|
|
*/
|
|
int set_groups(struct cred *new, struct group_info *group_info)
|
|
{
|
|
int retval;
|
|
|
|
retval = security_task_setgroups(group_info);
|
|
if (retval)
|
|
return retval;
|
|
|
|
put_group_info(new->group_info);
|
|
groups_sort(group_info);
|
|
get_group_info(group_info);
|
|
new->group_info = group_info;
|
|
return 0;
|
|
}
|
|
|
|
EXPORT_SYMBOL(set_groups);
|
|
|
|
/**
|
|
* set_current_groups - Change current's group subscription
|
|
* @group_info: The group list to impose
|
|
*
|
|
* Validate a group subscription and, if valid, impose it upon current's task
|
|
* security record.
|
|
*/
|
|
int set_current_groups(struct group_info *group_info)
|
|
{
|
|
struct cred *new;
|
|
int ret;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
ret = set_groups(new, group_info);
|
|
if (ret < 0) {
|
|
abort_creds(new);
|
|
return ret;
|
|
}
|
|
|
|
return commit_creds(new);
|
|
}
|
|
|
|
EXPORT_SYMBOL(set_current_groups);
|
|
|
|
asmlinkage long sys_getgroups(int gidsetsize, gid_t __user *grouplist)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int i;
|
|
|
|
if (gidsetsize < 0)
|
|
return -EINVAL;
|
|
|
|
/* no need to grab task_lock here; it cannot change */
|
|
i = cred->group_info->ngroups;
|
|
if (gidsetsize) {
|
|
if (i > gidsetsize) {
|
|
i = -EINVAL;
|
|
goto out;
|
|
}
|
|
if (groups_to_user(grouplist, cred->group_info)) {
|
|
i = -EFAULT;
|
|
goto out;
|
|
}
|
|
}
|
|
out:
|
|
return i;
|
|
}
|
|
|
|
/*
|
|
* SMP: Our groups are copy-on-write. We can set them safely
|
|
* without another task interfering.
|
|
*/
|
|
|
|
asmlinkage long sys_setgroups(int gidsetsize, gid_t __user *grouplist)
|
|
{
|
|
struct group_info *group_info;
|
|
int retval;
|
|
|
|
if (!capable(CAP_SETGID))
|
|
return -EPERM;
|
|
if ((unsigned)gidsetsize > NGROUPS_MAX)
|
|
return -EINVAL;
|
|
|
|
group_info = groups_alloc(gidsetsize);
|
|
if (!group_info)
|
|
return -ENOMEM;
|
|
retval = groups_from_user(group_info, grouplist);
|
|
if (retval) {
|
|
put_group_info(group_info);
|
|
return retval;
|
|
}
|
|
|
|
retval = set_current_groups(group_info);
|
|
put_group_info(group_info);
|
|
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* Check whether we're fsgid/egid or in the supplemental group..
|
|
*/
|
|
int in_group_p(gid_t grp)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int retval = 1;
|
|
|
|
if (grp != cred->fsgid)
|
|
retval = groups_search(cred->group_info, grp);
|
|
return retval;
|
|
}
|
|
|
|
EXPORT_SYMBOL(in_group_p);
|
|
|
|
int in_egroup_p(gid_t grp)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int retval = 1;
|
|
|
|
if (grp != cred->egid)
|
|
retval = groups_search(cred->group_info, grp);
|
|
return retval;
|
|
}
|
|
|
|
EXPORT_SYMBOL(in_egroup_p);
|
|
|
|
DECLARE_RWSEM(uts_sem);
|
|
|
|
asmlinkage long sys_newuname(struct new_utsname __user * name)
|
|
{
|
|
int errno = 0;
|
|
|
|
down_read(&uts_sem);
|
|
if (copy_to_user(name, utsname(), sizeof *name))
|
|
errno = -EFAULT;
|
|
up_read(&uts_sem);
|
|
return errno;
|
|
}
|
|
|
|
asmlinkage long sys_sethostname(char __user *name, int len)
|
|
{
|
|
int errno;
|
|
char tmp[__NEW_UTS_LEN];
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
return -EPERM;
|
|
if (len < 0 || len > __NEW_UTS_LEN)
|
|
return -EINVAL;
|
|
down_write(&uts_sem);
|
|
errno = -EFAULT;
|
|
if (!copy_from_user(tmp, name, len)) {
|
|
struct new_utsname *u = utsname();
|
|
|
|
memcpy(u->nodename, tmp, len);
|
|
memset(u->nodename + len, 0, sizeof(u->nodename) - len);
|
|
errno = 0;
|
|
}
|
|
up_write(&uts_sem);
|
|
return errno;
|
|
}
|
|
|
|
#ifdef __ARCH_WANT_SYS_GETHOSTNAME
|
|
|
|
asmlinkage long sys_gethostname(char __user *name, int len)
|
|
{
|
|
int i, errno;
|
|
struct new_utsname *u;
|
|
|
|
if (len < 0)
|
|
return -EINVAL;
|
|
down_read(&uts_sem);
|
|
u = utsname();
|
|
i = 1 + strlen(u->nodename);
|
|
if (i > len)
|
|
i = len;
|
|
errno = 0;
|
|
if (copy_to_user(name, u->nodename, i))
|
|
errno = -EFAULT;
|
|
up_read(&uts_sem);
|
|
return errno;
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Only setdomainname; getdomainname can be implemented by calling
|
|
* uname()
|
|
*/
|
|
asmlinkage long sys_setdomainname(char __user *name, int len)
|
|
{
|
|
int errno;
|
|
char tmp[__NEW_UTS_LEN];
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
return -EPERM;
|
|
if (len < 0 || len > __NEW_UTS_LEN)
|
|
return -EINVAL;
|
|
|
|
down_write(&uts_sem);
|
|
errno = -EFAULT;
|
|
if (!copy_from_user(tmp, name, len)) {
|
|
struct new_utsname *u = utsname();
|
|
|
|
memcpy(u->domainname, tmp, len);
|
|
memset(u->domainname + len, 0, sizeof(u->domainname) - len);
|
|
errno = 0;
|
|
}
|
|
up_write(&uts_sem);
|
|
return errno;
|
|
}
|
|
|
|
asmlinkage long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
|
|
{
|
|
if (resource >= RLIM_NLIMITS)
|
|
return -EINVAL;
|
|
else {
|
|
struct rlimit value;
|
|
task_lock(current->group_leader);
|
|
value = current->signal->rlim[resource];
|
|
task_unlock(current->group_leader);
|
|
return copy_to_user(rlim, &value, sizeof(*rlim)) ? -EFAULT : 0;
|
|
}
|
|
}
|
|
|
|
#ifdef __ARCH_WANT_SYS_OLD_GETRLIMIT
|
|
|
|
/*
|
|
* Back compatibility for getrlimit. Needed for some apps.
|
|
*/
|
|
|
|
asmlinkage long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
|
|
{
|
|
struct rlimit x;
|
|
if (resource >= RLIM_NLIMITS)
|
|
return -EINVAL;
|
|
|
|
task_lock(current->group_leader);
|
|
x = current->signal->rlim[resource];
|
|
task_unlock(current->group_leader);
|
|
if (x.rlim_cur > 0x7FFFFFFF)
|
|
x.rlim_cur = 0x7FFFFFFF;
|
|
if (x.rlim_max > 0x7FFFFFFF)
|
|
x.rlim_max = 0x7FFFFFFF;
|
|
return copy_to_user(rlim, &x, sizeof(x))?-EFAULT:0;
|
|
}
|
|
|
|
#endif
|
|
|
|
asmlinkage long sys_setrlimit(unsigned int resource, struct rlimit __user *rlim)
|
|
{
|
|
struct rlimit new_rlim, *old_rlim;
|
|
int retval;
|
|
|
|
if (resource >= RLIM_NLIMITS)
|
|
return -EINVAL;
|
|
if (copy_from_user(&new_rlim, rlim, sizeof(*rlim)))
|
|
return -EFAULT;
|
|
old_rlim = current->signal->rlim + resource;
|
|
if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
|
|
!capable(CAP_SYS_RESOURCE))
|
|
return -EPERM;
|
|
|
|
if (resource == RLIMIT_NOFILE) {
|
|
if (new_rlim.rlim_max == RLIM_INFINITY)
|
|
new_rlim.rlim_max = sysctl_nr_open;
|
|
if (new_rlim.rlim_cur == RLIM_INFINITY)
|
|
new_rlim.rlim_cur = sysctl_nr_open;
|
|
if (new_rlim.rlim_max > sysctl_nr_open)
|
|
return -EPERM;
|
|
}
|
|
|
|
if (new_rlim.rlim_cur > new_rlim.rlim_max)
|
|
return -EINVAL;
|
|
|
|
retval = security_task_setrlimit(resource, &new_rlim);
|
|
if (retval)
|
|
return retval;
|
|
|
|
if (resource == RLIMIT_CPU && new_rlim.rlim_cur == 0) {
|
|
/*
|
|
* The caller is asking for an immediate RLIMIT_CPU
|
|
* expiry. But we use the zero value to mean "it was
|
|
* never set". So let's cheat and make it one second
|
|
* instead
|
|
*/
|
|
new_rlim.rlim_cur = 1;
|
|
}
|
|
|
|
task_lock(current->group_leader);
|
|
*old_rlim = new_rlim;
|
|
task_unlock(current->group_leader);
|
|
|
|
if (resource != RLIMIT_CPU)
|
|
goto out;
|
|
|
|
/*
|
|
* RLIMIT_CPU handling. Note that the kernel fails to return an error
|
|
* code if it rejected the user's attempt to set RLIMIT_CPU. This is a
|
|
* very long-standing error, and fixing it now risks breakage of
|
|
* applications, so we live with it
|
|
*/
|
|
if (new_rlim.rlim_cur == RLIM_INFINITY)
|
|
goto out;
|
|
|
|
update_rlimit_cpu(new_rlim.rlim_cur);
|
|
out:
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* It would make sense to put struct rusage in the task_struct,
|
|
* except that would make the task_struct be *really big*. After
|
|
* task_struct gets moved into malloc'ed memory, it would
|
|
* make sense to do this. It will make moving the rest of the information
|
|
* a lot simpler! (Which we're not doing right now because we're not
|
|
* measuring them yet).
|
|
*
|
|
* When sampling multiple threads for RUSAGE_SELF, under SMP we might have
|
|
* races with threads incrementing their own counters. But since word
|
|
* reads are atomic, we either get new values or old values and we don't
|
|
* care which for the sums. We always take the siglock to protect reading
|
|
* the c* fields from p->signal from races with exit.c updating those
|
|
* fields when reaping, so a sample either gets all the additions of a
|
|
* given child after it's reaped, or none so this sample is before reaping.
|
|
*
|
|
* Locking:
|
|
* We need to take the siglock for CHILDEREN, SELF and BOTH
|
|
* for the cases current multithreaded, non-current single threaded
|
|
* non-current multithreaded. Thread traversal is now safe with
|
|
* the siglock held.
|
|
* Strictly speaking, we donot need to take the siglock if we are current and
|
|
* single threaded, as no one else can take our signal_struct away, no one
|
|
* else can reap the children to update signal->c* counters, and no one else
|
|
* can race with the signal-> fields. If we do not take any lock, the
|
|
* signal-> fields could be read out of order while another thread was just
|
|
* exiting. So we should place a read memory barrier when we avoid the lock.
|
|
* On the writer side, write memory barrier is implied in __exit_signal
|
|
* as __exit_signal releases the siglock spinlock after updating the signal->
|
|
* fields. But we don't do this yet to keep things simple.
|
|
*
|
|
*/
|
|
|
|
static void accumulate_thread_rusage(struct task_struct *t, struct rusage *r)
|
|
{
|
|
r->ru_nvcsw += t->nvcsw;
|
|
r->ru_nivcsw += t->nivcsw;
|
|
r->ru_minflt += t->min_flt;
|
|
r->ru_majflt += t->maj_flt;
|
|
r->ru_inblock += task_io_get_inblock(t);
|
|
r->ru_oublock += task_io_get_oublock(t);
|
|
}
|
|
|
|
static void k_getrusage(struct task_struct *p, int who, struct rusage *r)
|
|
{
|
|
struct task_struct *t;
|
|
unsigned long flags;
|
|
cputime_t utime, stime;
|
|
struct task_cputime cputime;
|
|
|
|
memset((char *) r, 0, sizeof *r);
|
|
utime = stime = cputime_zero;
|
|
|
|
if (who == RUSAGE_THREAD) {
|
|
accumulate_thread_rusage(p, r);
|
|
goto out;
|
|
}
|
|
|
|
if (!lock_task_sighand(p, &flags))
|
|
return;
|
|
|
|
switch (who) {
|
|
case RUSAGE_BOTH:
|
|
case RUSAGE_CHILDREN:
|
|
utime = p->signal->cutime;
|
|
stime = p->signal->cstime;
|
|
r->ru_nvcsw = p->signal->cnvcsw;
|
|
r->ru_nivcsw = p->signal->cnivcsw;
|
|
r->ru_minflt = p->signal->cmin_flt;
|
|
r->ru_majflt = p->signal->cmaj_flt;
|
|
r->ru_inblock = p->signal->cinblock;
|
|
r->ru_oublock = p->signal->coublock;
|
|
|
|
if (who == RUSAGE_CHILDREN)
|
|
break;
|
|
|
|
case RUSAGE_SELF:
|
|
thread_group_cputime(p, &cputime);
|
|
utime = cputime_add(utime, cputime.utime);
|
|
stime = cputime_add(stime, cputime.stime);
|
|
r->ru_nvcsw += p->signal->nvcsw;
|
|
r->ru_nivcsw += p->signal->nivcsw;
|
|
r->ru_minflt += p->signal->min_flt;
|
|
r->ru_majflt += p->signal->maj_flt;
|
|
r->ru_inblock += p->signal->inblock;
|
|
r->ru_oublock += p->signal->oublock;
|
|
t = p;
|
|
do {
|
|
accumulate_thread_rusage(t, r);
|
|
t = next_thread(t);
|
|
} while (t != p);
|
|
break;
|
|
|
|
default:
|
|
BUG();
|
|
}
|
|
unlock_task_sighand(p, &flags);
|
|
|
|
out:
|
|
cputime_to_timeval(utime, &r->ru_utime);
|
|
cputime_to_timeval(stime, &r->ru_stime);
|
|
}
|
|
|
|
int getrusage(struct task_struct *p, int who, struct rusage __user *ru)
|
|
{
|
|
struct rusage r;
|
|
k_getrusage(p, who, &r);
|
|
return copy_to_user(ru, &r, sizeof(r)) ? -EFAULT : 0;
|
|
}
|
|
|
|
asmlinkage long sys_getrusage(int who, struct rusage __user *ru)
|
|
{
|
|
if (who != RUSAGE_SELF && who != RUSAGE_CHILDREN &&
|
|
who != RUSAGE_THREAD)
|
|
return -EINVAL;
|
|
return getrusage(current, who, ru);
|
|
}
|
|
|
|
asmlinkage long sys_umask(int mask)
|
|
{
|
|
mask = xchg(¤t->fs->umask, mask & S_IRWXUGO);
|
|
return mask;
|
|
}
|
|
|
|
asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
|
|
unsigned long arg4, unsigned long arg5)
|
|
{
|
|
struct task_struct *me = current;
|
|
unsigned char comm[sizeof(me->comm)];
|
|
long error;
|
|
|
|
error = security_task_prctl(option, arg2, arg3, arg4, arg5);
|
|
if (error != -ENOSYS)
|
|
return error;
|
|
|
|
error = 0;
|
|
switch (option) {
|
|
case PR_SET_PDEATHSIG:
|
|
if (!valid_signal(arg2)) {
|
|
error = -EINVAL;
|
|
break;
|
|
}
|
|
me->pdeath_signal = arg2;
|
|
error = 0;
|
|
break;
|
|
case PR_GET_PDEATHSIG:
|
|
error = put_user(me->pdeath_signal, (int __user *)arg2);
|
|
break;
|
|
case PR_GET_DUMPABLE:
|
|
error = get_dumpable(me->mm);
|
|
break;
|
|
case PR_SET_DUMPABLE:
|
|
if (arg2 < 0 || arg2 > 1) {
|
|
error = -EINVAL;
|
|
break;
|
|
}
|
|
set_dumpable(me->mm, arg2);
|
|
error = 0;
|
|
break;
|
|
|
|
case PR_SET_UNALIGN:
|
|
error = SET_UNALIGN_CTL(me, arg2);
|
|
break;
|
|
case PR_GET_UNALIGN:
|
|
error = GET_UNALIGN_CTL(me, arg2);
|
|
break;
|
|
case PR_SET_FPEMU:
|
|
error = SET_FPEMU_CTL(me, arg2);
|
|
break;
|
|
case PR_GET_FPEMU:
|
|
error = GET_FPEMU_CTL(me, arg2);
|
|
break;
|
|
case PR_SET_FPEXC:
|
|
error = SET_FPEXC_CTL(me, arg2);
|
|
break;
|
|
case PR_GET_FPEXC:
|
|
error = GET_FPEXC_CTL(me, arg2);
|
|
break;
|
|
case PR_GET_TIMING:
|
|
error = PR_TIMING_STATISTICAL;
|
|
break;
|
|
case PR_SET_TIMING:
|
|
if (arg2 != PR_TIMING_STATISTICAL)
|
|
error = -EINVAL;
|
|
else
|
|
error = 0;
|
|
break;
|
|
|
|
case PR_SET_NAME:
|
|
comm[sizeof(me->comm)-1] = 0;
|
|
if (strncpy_from_user(comm, (char __user *)arg2,
|
|
sizeof(me->comm) - 1) < 0)
|
|
return -EFAULT;
|
|
set_task_comm(me, comm);
|
|
return 0;
|
|
case PR_GET_NAME:
|
|
get_task_comm(comm, me);
|
|
if (copy_to_user((char __user *)arg2, comm,
|
|
sizeof(comm)))
|
|
return -EFAULT;
|
|
return 0;
|
|
case PR_GET_ENDIAN:
|
|
error = GET_ENDIAN(me, arg2);
|
|
break;
|
|
case PR_SET_ENDIAN:
|
|
error = SET_ENDIAN(me, arg2);
|
|
break;
|
|
|
|
case PR_GET_SECCOMP:
|
|
error = prctl_get_seccomp();
|
|
break;
|
|
case PR_SET_SECCOMP:
|
|
error = prctl_set_seccomp(arg2);
|
|
break;
|
|
case PR_GET_TSC:
|
|
error = GET_TSC_CTL(arg2);
|
|
break;
|
|
case PR_SET_TSC:
|
|
error = SET_TSC_CTL(arg2);
|
|
break;
|
|
case PR_GET_TIMERSLACK:
|
|
error = current->timer_slack_ns;
|
|
break;
|
|
case PR_SET_TIMERSLACK:
|
|
if (arg2 <= 0)
|
|
current->timer_slack_ns =
|
|
current->default_timer_slack_ns;
|
|
else
|
|
current->timer_slack_ns = arg2;
|
|
error = 0;
|
|
break;
|
|
default:
|
|
error = -EINVAL;
|
|
break;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_getcpu(unsigned __user *cpup, unsigned __user *nodep,
|
|
struct getcpu_cache __user *unused)
|
|
{
|
|
int err = 0;
|
|
int cpu = raw_smp_processor_id();
|
|
if (cpup)
|
|
err |= put_user(cpu, cpup);
|
|
if (nodep)
|
|
err |= put_user(cpu_to_node(cpu), nodep);
|
|
return err ? -EFAULT : 0;
|
|
}
|
|
|
|
char poweroff_cmd[POWEROFF_CMD_PATH_LEN] = "/sbin/poweroff";
|
|
|
|
static void argv_cleanup(char **argv, char **envp)
|
|
{
|
|
argv_free(argv);
|
|
}
|
|
|
|
/**
|
|
* orderly_poweroff - Trigger an orderly system poweroff
|
|
* @force: force poweroff if command execution fails
|
|
*
|
|
* This may be called from any context to trigger a system shutdown.
|
|
* If the orderly shutdown fails, it will force an immediate shutdown.
|
|
*/
|
|
int orderly_poweroff(bool force)
|
|
{
|
|
int argc;
|
|
char **argv = argv_split(GFP_ATOMIC, poweroff_cmd, &argc);
|
|
static char *envp[] = {
|
|
"HOME=/",
|
|
"PATH=/sbin:/bin:/usr/sbin:/usr/bin",
|
|
NULL
|
|
};
|
|
int ret = -ENOMEM;
|
|
struct subprocess_info *info;
|
|
|
|
if (argv == NULL) {
|
|
printk(KERN_WARNING "%s failed to allocate memory for \"%s\"\n",
|
|
__func__, poweroff_cmd);
|
|
goto out;
|
|
}
|
|
|
|
info = call_usermodehelper_setup(argv[0], argv, envp, GFP_ATOMIC);
|
|
if (info == NULL) {
|
|
argv_free(argv);
|
|
goto out;
|
|
}
|
|
|
|
call_usermodehelper_setcleanup(info, argv_cleanup);
|
|
|
|
ret = call_usermodehelper_exec(info, UMH_NO_WAIT);
|
|
|
|
out:
|
|
if (ret && force) {
|
|
printk(KERN_WARNING "Failed to start orderly shutdown: "
|
|
"forcing the issue\n");
|
|
|
|
/* I guess this should try to kick off some daemon to
|
|
sync and poweroff asap. Or not even bother syncing
|
|
if we're doing an emergency shutdown? */
|
|
emergency_sync();
|
|
kernel_power_off();
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(orderly_poweroff);
|