1
/*
2
 * linux/ipc/util.c
3
 * Copyright (C) 1992 Krishna Balasubramanian
4
 *
5
 * Sep 1997 - Call suser() last after "normal" permission checks so we
6
 *            get BSD style process accounting right.
7
 *            Occurs in several places in the IPC code.
8
 *            Chris Evans, <[email protected]>
9
 * Nov 1999 - ipc helper functions, unified SMP locking
10
 *	      Manfred Spraul <[email protected]>
11
 * Oct 2002 - One lock per IPC id. RCU ipc_free for lock-free grow_ary().
12
 *            Mingming Cao <[email protected]>
13
 * Mar 2006 - support for audit of ipc object properties
14
 *            Dustin Kirkland <[email protected]>
15
 * Jun 2006 - namespaces ssupport
16
 *            OpenVZ, SWsoft Inc.
17
 *            Pavel Emelianov <[email protected]>
18
 */
19

20
#include <linux/mm.h>
21
#include <linux/shm.h>
22
#include <linux/init.h>
23
#include <linux/msg.h>
24
#include <linux/vmalloc.h>
25
#include <linux/slab.h>
26
#include <linux/capability.h>
27
#include <linux/highuid.h>
28
#include <linux/security.h>
29
#include <linux/rcupdate.h>
30
#include <linux/workqueue.h>
31
#include <linux/seq_file.h>
32
#include <linux/proc_fs.h>
33
#include <linux/audit.h>
34
#include <linux/nsproxy.h>
35
#include <linux/rwsem.h>
36
#include <linux/memory.h>
37
#include <linux/ipc_namespace.h>
38

39
#include <asm/unistd.h>
40

41
#include "util.h"
42

43
struct ipc_proc_iface {
44
	const char *path;
45
	const char *header;
46
	int ids;
47
	int (*show)(struct seq_file *, void *);
48
};
49

50
#ifdef CONFIG_MEMORY_HOTPLUG
51

52
static void ipc_memory_notifier(struct work_struct *work)
53
{
54
	ipcns_notify(IPCNS_MEMCHANGED);
55
}
56

57
static DECLARE_WORK(ipc_memory_wq, ipc_memory_notifier);
58

59

60
static int ipc_memory_callback(struct notifier_block *self,
61
				unsigned long action, void *arg)
62
{
63
	switch (action) {
64
	case MEM_ONLINE:    /* memory successfully brought online */
65
	case MEM_OFFLINE:   /* or offline: it's time to recompute msgmni */
66
		/*
67
		 * This is done by invoking the ipcns notifier chain with the
68
		 * IPC_MEMCHANGED event.
69
		 * In order not to keep the lock on the hotplug memory chain
70
		 * for too long, queue a work item that will, when waken up,
71
		 * activate the ipcns notification chain.
72
		 * No need to keep several ipc work items on the queue.
73
		 */
74
		if (!work_pending(&ipc_memory_wq))
75
			schedule_work(&ipc_memory_wq);
76
		break;
77
	case MEM_GOING_ONLINE:
78
	case MEM_GOING_OFFLINE:
79
	case MEM_CANCEL_ONLINE:
80
	case MEM_CANCEL_OFFLINE:
81
	default:
82
		break;
83
	}
84

85
	return NOTIFY_OK;
86
}
87

88
#endif /* CONFIG_MEMORY_HOTPLUG */
89

90
/**
91
 *	ipc_init	-	initialise IPC subsystem
92
 *
93
 *	The various system5 IPC resources (semaphores, messages and shared
94
 *	memory) are initialised
95
 *	A callback routine is registered into the memory hotplug notifier
96
 *	chain: since msgmni scales to lowmem this callback routine will be
97
 *	called upon successful memory add / remove to recompute msmgni.
98
 */
99
 
100
static int __init ipc_init(void)
101
{
102
	sem_init();
103
	msg_init();
104
	shm_init();
105
	hotplug_memory_notifier(ipc_memory_callback, IPC_CALLBACK_PRI);
106
	register_ipcns_notifier(&init_ipc_ns);
107
	return 0;
108
}
109
__initcall(ipc_init);
110

111
/**
112
 *	ipc_init_ids		-	initialise IPC identifiers
113
 *	@ids: Identifier set
114
 *
115
 *	Set up the sequence range to use for the ipc identifier range (limited
116
 *	below IPCMNI) then initialise the ids idr.
117
 */
118
 
119
void ipc_init_ids(struct ipc_ids *ids)
120
{
121
	init_rwsem(&ids->rw_mutex);
122

123
	ids->in_use = 0;
124
	ids->seq = 0;
125
	{
126
		int seq_limit = INT_MAX/SEQ_MULTIPLIER;
127
		if (seq_limit > USHRT_MAX)
128
			ids->seq_max = USHRT_MAX;
129
		 else
130
		 	ids->seq_max = seq_limit;
131
	}
132

133
	idr_init(&ids->ipcs_idr);
134
}
135

136
#ifdef CONFIG_PROC_FS
137
static const struct file_operations sysvipc_proc_fops;
138
/**
139
 *	ipc_init_proc_interface	-  Create a proc interface for sysipc types using a seq_file interface.
140
 *	@path: Path in procfs
141
 *	@header: Banner to be printed at the beginning of the file.
142
 *	@ids: ipc id table to iterate.
143
 *	@show: show routine.
144
 */
145
void __init ipc_init_proc_interface(const char *path, const char *header,
146
		int ids, int (*show)(struct seq_file *, void *))
147
{
148
	struct proc_dir_entry *pde;
149
	struct ipc_proc_iface *iface;
150

151
	iface = kmalloc(sizeof(*iface), GFP_KERNEL);
152
	if (!iface)
153
		return;
154
	iface->path	= path;
155
	iface->header	= header;
156
	iface->ids	= ids;
157
	iface->show	= show;
158

159
	pde = proc_create_data(path,
160
			       S_IRUGO,        /* world readable */
161
			       NULL,           /* parent dir */
162
			       &sysvipc_proc_fops,
163
			       iface);
164
	if (!pde) {
165
		kfree(iface);
166
	}
167
}
168
#endif
169

170
/**
171
 *	ipc_findkey	-	find a key in an ipc identifier set	
172
 *	@ids: Identifier set
173
 *	@key: The key to find
174
 *	
175
 *	Requires ipc_ids.rw_mutex locked.
176
 *	Returns the LOCKED pointer to the ipc structure if found or NULL
177
 *	if not.
178
 *	If key is found ipc points to the owning ipc structure
179
 */
180
 
181
static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key)
182
{
183
	struct kern_ipc_perm *ipc;
184
	int next_id;
185
	int total;
186

187
	for (total = 0, next_id = 0; total < ids->in_use; next_id++) {
188
		ipc = idr_find(&ids->ipcs_idr, next_id);
189

190
		if (ipc == NULL)
191
			continue;
192

193
		if (ipc->key != key) {
194
			total++;
195
			continue;
196
		}
197

198
		ipc_lock_by_ptr(ipc);
199
		return ipc;
200
	}
201

202
	return NULL;
203
}
204

205
/**
206
 *	ipc_get_maxid 	-	get the last assigned id
207
 *	@ids: IPC identifier set
208
 *
209
 *	Called with ipc_ids.rw_mutex held.
210
 */
211

212
int ipc_get_maxid(struct ipc_ids *ids)
213
{
214
	struct kern_ipc_perm *ipc;
215
	int max_id = -1;
216
	int total, id;
217

218
	if (ids->in_use == 0)
219
		return -1;
220

221
	if (ids->in_use == IPCMNI)
222
		return IPCMNI - 1;
223

224
	/* Look for the last assigned id */
225
	total = 0;
226
	for (id = 0; id < IPCMNI && total < ids->in_use; id++) {
227
		ipc = idr_find(&ids->ipcs_idr, id);
228
		if (ipc != NULL) {
229
			max_id = id;
230
			total++;
231
		}
232
	}
233
	return max_id;
234
}
235

236
/**
237
 *	ipc_addid 	-	add an IPC identifier
238
 *	@ids: IPC identifier set
239
 *	@new: new IPC permission set
240
 *	@size: limit for the number of used ids
241
 *
242
 *	Add an entry 'new' to the IPC ids idr. The permissions object is
243
 *	initialised and the first free entry is set up and the id assigned
244
 *	is returned. The 'new' entry is returned in a locked state on success.
245
 *	On failure the entry is not locked and a negative err-code is returned.
246
 *
247
 *	Called with ipc_ids.rw_mutex held as a writer.
248
 */
249
 
250
int ipc_addid(struct ipc_ids* ids, struct kern_ipc_perm* new, int size)
251
{
252
	uid_t euid;
253
	gid_t egid;
254
	int id, err;
255

256
	if (size > IPCMNI)
257
		size = IPCMNI;
258

259
	if (ids->in_use >= size)
260
		return -ENOSPC;
261

262
	spin_lock_init(&new->lock);
263
	new->deleted = 0;
264
	rcu_read_lock();
265
	spin_lock(&new->lock);
266

267
	err = idr_get_new(&ids->ipcs_idr, new, &id);
268
	if (err) {
269
		spin_unlock(&new->lock);
270
		rcu_read_unlock();
271
		return err;
272
	}
273

274
	ids->in_use++;
275

276
	current_euid_egid(&euid, &egid);
277
	new->cuid = new->uid = euid;
278
	new->gid = new->cgid = egid;
279

280
	new->seq = ids->seq++;
281
	if(ids->seq > ids->seq_max)
282
		ids->seq = 0;
283

284
	new->id = ipc_buildid(id, new->seq);
285
	return id;
286
}
287

288
/**
289
 *	ipcget_new	-	create a new ipc object
290
 *	@ns: namespace
291
 *	@ids: IPC identifer set
292
 *	@ops: the actual creation routine to call
293
 *	@params: its parameters
294
 *
295
 *	This routine is called by sys_msgget, sys_semget() and sys_shmget()
296
 *	when the key is IPC_PRIVATE.
297
 */
298
static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids,
299
		struct ipc_ops *ops, struct ipc_params *params)
300
{
301
	int err;
302
retry:
303
	err = idr_pre_get(&ids->ipcs_idr, GFP_KERNEL);
304

305
	if (!err)
306
		return -ENOMEM;
307

308
	down_write(&ids->rw_mutex);
309
	err = ops->getnew(ns, params);
310
	up_write(&ids->rw_mutex);
311

312
	if (err == -EAGAIN)
313
		goto retry;
314

315
	return err;
316
}
317

318
/**
319
 *	ipc_check_perms	-	check security and permissions for an IPC
320
 *	@ns: IPC namespace
321
 *	@ipcp: ipc permission set
322
 *	@ops: the actual security routine to call
323
 *	@params: its parameters
324
 *
325
 *	This routine is called by sys_msgget(), sys_semget() and sys_shmget()
326
 *      when the key is not IPC_PRIVATE and that key already exists in the
327
 *      ids IDR.
328
 *
329
 *	On success, the IPC id is returned.
330
 *
331
 *	It is called with ipc_ids.rw_mutex and ipcp->lock held.
332
 */
333
static int ipc_check_perms(struct ipc_namespace *ns,
334
			   struct kern_ipc_perm *ipcp,
335
			   struct ipc_ops *ops,
336
			   struct ipc_params *params)
337
{
338
	int err;
339

340
	if (ipcperms(ns, ipcp, params->flg))
341
		err = -EACCES;
342
	else {
343
		err = ops->associate(ipcp, params->flg);
344
		if (!err)
345
			err = ipcp->id;
346
	}
347

348
	return err;
349
}
350

351
/**
352
 *	ipcget_public	-	get an ipc object or create a new one
353
 *	@ns: namespace
354
 *	@ids: IPC identifer set
355
 *	@ops: the actual creation routine to call
356
 *	@params: its parameters
357
 *
358
 *	This routine is called by sys_msgget, sys_semget() and sys_shmget()
359
 *	when the key is not IPC_PRIVATE.
360
 *	It adds a new entry if the key is not found and does some permission
361
 *      / security checkings if the key is found.
362
 *
363
 *	On success, the ipc id is returned.
364
 */
365
static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids,
366
		struct ipc_ops *ops, struct ipc_params *params)
367
{
368
	struct kern_ipc_perm *ipcp;
369
	int flg = params->flg;
370
	int err;
371
retry:
372
	err = idr_pre_get(&ids->ipcs_idr, GFP_KERNEL);
373

374
	/*
375
	 * Take the lock as a writer since we are potentially going to add
376
	 * a new entry + read locks are not "upgradable"
377
	 */
378
	down_write(&ids->rw_mutex);
379
	ipcp = ipc_findkey(ids, params->key);
380
	if (ipcp == NULL) {
381
		/* key not used */
382
		if (!(flg & IPC_CREAT))
383
			err = -ENOENT;
384
		else if (!err)
385
			err = -ENOMEM;
386
		else
387
			err = ops->getnew(ns, params);
388
	} else {
389
		/* ipc object has been locked by ipc_findkey() */
390

391
		if (flg & IPC_CREAT && flg & IPC_EXCL)
392
			err = -EEXIST;
393
		else {
394
			err = 0;
395
			if (ops->more_checks)
396
				err = ops->more_checks(ipcp, params);
397
			if (!err)
398
				/*
399
				 * ipc_check_perms returns the IPC id on
400
				 * success
401
				 */
402
				err = ipc_check_perms(ns, ipcp, ops, params);
403
		}
404
		ipc_unlock(ipcp);
405
	}
406
	up_write(&ids->rw_mutex);
407

408
	if (err == -EAGAIN)
409
		goto retry;
410

411
	return err;
412
}
413

414

415
/**
416
 *	ipc_rmid	-	remove an IPC identifier
417
 *	@ids: IPC identifier set
418
 *	@ipcp: ipc perm structure containing the identifier to remove
419
 *
420
 *	ipc_ids.rw_mutex (as a writer) and the spinlock for this ID are held
421
 *	before this function is called, and remain locked on the exit.
422
 */
423
 
424
void ipc_rmid(struct ipc_ids *ids, struct kern_ipc_perm *ipcp)
425
{
426
	int lid = ipcid_to_idx(ipcp->id);
427

428
	idr_remove(&ids->ipcs_idr, lid);
429

430
	ids->in_use--;
431

432
	ipcp->deleted = 1;
433

434
	return;
435
}
436

437
/**
438
 *	ipc_alloc	-	allocate ipc space
439
 *	@size: size desired
440
 *
441
 *	Allocate memory from the appropriate pools and return a pointer to it.
442
 *	NULL is returned if the allocation fails
443
 */
444
 
445
void* ipc_alloc(int size)
446
{
447
	void* out;
448
	if(size > PAGE_SIZE)
449
		out = vmalloc(size);
450
	else
451
		out = kmalloc(size, GFP_KERNEL);
452
	return out;
453
}
454

455
/**
456
 *	ipc_free        -       free ipc space
457
 *	@ptr: pointer returned by ipc_alloc
458
 *	@size: size of block
459
 *
460
 *	Free a block created with ipc_alloc(). The caller must know the size
461
 *	used in the allocation call.
462
 */
463

464
void ipc_free(void* ptr, int size)
465
{
466
	if(size > PAGE_SIZE)
467
		vfree(ptr);
468
	else
469
		kfree(ptr);
470
}
471

472
/*
473
 * rcu allocations:
474
 * There are three headers that are prepended to the actual allocation:
475
 * - during use: ipc_rcu_hdr.
476
 * - during the rcu grace period: ipc_rcu_grace.
477
 * - [only if vmalloc]: ipc_rcu_sched.
478
 * Their lifetime doesn't overlap, thus the headers share the same memory.
479
 * Unlike a normal union, they are right-aligned, thus some container_of
480
 * forward/backward casting is necessary:
481
 */
482
struct ipc_rcu_hdr
483
{
484
	int refcount;
485
	int is_vmalloc;
486
	void *data[0];
487
};
488

489

490
struct ipc_rcu_grace
491
{
492
	struct rcu_head rcu;
493
	/* "void *" makes sure alignment of following data is sane. */
494
	void *data[0];
495
};
496

497
struct ipc_rcu_sched
498
{
499
	struct work_struct work;
500
	/* "void *" makes sure alignment of following data is sane. */
501
	void *data[0];
502
};
503

504
#define HDRLEN_KMALLOC		(sizeof(struct ipc_rcu_grace) > sizeof(struct ipc_rcu_hdr) ? \
505
					sizeof(struct ipc_rcu_grace) : sizeof(struct ipc_rcu_hdr))
506
#define HDRLEN_VMALLOC		(sizeof(struct ipc_rcu_sched) > HDRLEN_KMALLOC ? \
507
					sizeof(struct ipc_rcu_sched) : HDRLEN_KMALLOC)
508

509
static inline int rcu_use_vmalloc(int size)
510
{
511
	/* Too big for a single page? */
512
	if (HDRLEN_KMALLOC + size > PAGE_SIZE)
513
		return 1;
514
	return 0;
515
}
516

517
/**
518
 *	ipc_rcu_alloc	-	allocate ipc and rcu space 
519
 *	@size: size desired
520
 *
521
 *	Allocate memory for the rcu header structure +  the object.
522
 *	Returns the pointer to the object.
523
 *	NULL is returned if the allocation fails. 
524
 */
525
 
526
void* ipc_rcu_alloc(int size)
527
{
528
	void* out;
529
	/* 
530
	 * We prepend the allocation with the rcu struct, and
531
	 * workqueue if necessary (for vmalloc). 
532
	 */
533
	if (rcu_use_vmalloc(size)) {
534
		out = vmalloc(HDRLEN_VMALLOC + size);
535
		if (out) {
536
			out += HDRLEN_VMALLOC;
537
			container_of(out, struct ipc_rcu_hdr, data)->is_vmalloc = 1;
538
			container_of(out, struct ipc_rcu_hdr, data)->refcount = 1;
539
		}
540
	} else {
541
		out = kmalloc(HDRLEN_KMALLOC + size, GFP_KERNEL);
542
		if (out) {
543
			out += HDRLEN_KMALLOC;
544
			container_of(out, struct ipc_rcu_hdr, data)->is_vmalloc = 0;
545
			container_of(out, struct ipc_rcu_hdr, data)->refcount = 1;
546
		}
547
	}
548

549
	return out;
550
}
551

552
void ipc_rcu_getref(void *ptr)
553
{
554
	container_of(ptr, struct ipc_rcu_hdr, data)->refcount++;
555
}
556

557
static void ipc_do_vfree(struct work_struct *work)
558
{
559
	vfree(container_of(work, struct ipc_rcu_sched, work));
560
}
561

562
/**
563
 * ipc_schedule_free - free ipc + rcu space
564
 * @head: RCU callback structure for queued work
565
 * 
566
 * Since RCU callback function is called in bh,
567
 * we need to defer the vfree to schedule_work().
568
 */
569
static void ipc_schedule_free(struct rcu_head *head)
570
{
571
	struct ipc_rcu_grace *grace;
572
	struct ipc_rcu_sched *sched;
573

574
	grace = container_of(head, struct ipc_rcu_grace, rcu);
575
	sched = container_of(&(grace->data[0]), struct ipc_rcu_sched,
576
				data[0]);
577

578
	INIT_WORK(&sched->work, ipc_do_vfree);
579
	schedule_work(&sched->work);
580
}
581

582
/**
583
 * ipc_immediate_free - free ipc + rcu space
584
 * @head: RCU callback structure that contains pointer to be freed
585
 *
586
 * Free from the RCU callback context.
587
 */
588
static void ipc_immediate_free(struct rcu_head *head)
589
{
590
	struct ipc_rcu_grace *free =
591
		container_of(head, struct ipc_rcu_grace, rcu);
592
	kfree(free);
593
}
594

595
void ipc_rcu_putref(void *ptr)
596
{
597
	if (--container_of(ptr, struct ipc_rcu_hdr, data)->refcount > 0)
598
		return;
599

600
	if (container_of(ptr, struct ipc_rcu_hdr, data)->is_vmalloc) {
601
		call_rcu(&container_of(ptr, struct ipc_rcu_grace, data)->rcu,
602
				ipc_schedule_free);
603
	} else {
604
		call_rcu(&container_of(ptr, struct ipc_rcu_grace, data)->rcu,
605
				ipc_immediate_free);
606
	}
607
}
608

609
/**
610
 *	ipcperms	-	check IPC permissions
611
 *	@ns: IPC namespace
612
 *	@ipcp: IPC permission set
613
 *	@flag: desired permission set.
614
 *
615
 *	Check user, group, other permissions for access
616
 *	to ipc resources. return 0 if allowed
617
 *
618
 * 	@flag will most probably be 0 or S_...UGO from <linux/stat.h>
619
 */
620
 
621
int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
622
{
623
	uid_t euid = current_euid();
624
	int requested_mode, granted_mode;
625

626
	audit_ipc_obj(ipcp);
627
	requested_mode = (flag >> 6) | (flag >> 3) | flag;
628
	granted_mode = ipcp->mode;
629
	if (euid == ipcp->cuid ||
630
	    euid == ipcp->uid)
631
		granted_mode >>= 6;
632
	else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
633
		granted_mode >>= 3;
634
	/* is there some bit set in requested_mode but not in granted_mode? */
635
	if ((requested_mode & ~granted_mode & 0007) && 
636
	    !ns_capable(ns->user_ns, CAP_IPC_OWNER))
637
		return -1;
638

639
	return security_ipc_permission(ipcp, flag);
640
}
641

642
/*
643
 * Functions to convert between the kern_ipc_perm structure and the
644
 * old/new ipc_perm structures
645
 */
646

647
/**
648
 *	kernel_to_ipc64_perm	-	convert kernel ipc permissions to user
649
 *	@in: kernel permissions
650
 *	@out: new style IPC permissions
651
 *
652
 *	Turn the kernel object @in into a set of permissions descriptions
653
 *	for returning to userspace (@out).
654
 */
655
 
656

657
void kernel_to_ipc64_perm (struct kern_ipc_perm *in, struct ipc64_perm *out)
658
{
659
	out->key	= in->key;
660
	out->uid	= in->uid;
661
	out->gid	= in->gid;
662
	out->cuid	= in->cuid;
663
	out->cgid	= in->cgid;
664
	out->mode	= in->mode;
665
	out->seq	= in->seq;
666
}
667

668
/**
669
 *	ipc64_perm_to_ipc_perm	-	convert new ipc permissions to old
670
 *	@in: new style IPC permissions
671
 *	@out: old style IPC permissions
672
 *
673
 *	Turn the new style permissions object @in into a compatibility
674
 *	object and store it into the @out pointer.
675
 */
676
 
677
void ipc64_perm_to_ipc_perm (struct ipc64_perm *in, struct ipc_perm *out)
678
{
679
	out->key	= in->key;
680
	SET_UID(out->uid, in->uid);
681
	SET_GID(out->gid, in->gid);
682
	SET_UID(out->cuid, in->cuid);
683
	SET_GID(out->cgid, in->cgid);
684
	out->mode	= in->mode;
685
	out->seq	= in->seq;
686
}
687

688
/**
689
 * ipc_lock - Lock an ipc structure without rw_mutex held
690
 * @ids: IPC identifier set
691
 * @id: ipc id to look for
692
 *
693
 * Look for an id in the ipc ids idr and lock the associated ipc object.
694
 *
695
 * The ipc object is locked on exit.
696
 */
697

698
struct kern_ipc_perm *ipc_lock(struct ipc_ids *ids, int id)
699
{
700
	struct kern_ipc_perm *out;
701
	int lid = ipcid_to_idx(id);
702

703
	rcu_read_lock();
704
	out = idr_find(&ids->ipcs_idr, lid);
705
	if (out == NULL) {
706
		rcu_read_unlock();
707
		return ERR_PTR(-EINVAL);
708
	}
709

710
	spin_lock(&out->lock);
711
	
712
	/* ipc_rmid() may have already freed the ID while ipc_lock
713
	 * was spinning: here verify that the structure is still valid
714
	 */
715
	if (out->deleted) {
716
		spin_unlock(&out->lock);
717
		rcu_read_unlock();
718
		return ERR_PTR(-EINVAL);
719
	}
720

721
	return out;
722
}
723

724
struct kern_ipc_perm *ipc_lock_check(struct ipc_ids *ids, int id)
725
{
726
	struct kern_ipc_perm *out;
727

728
	out = ipc_lock(ids, id);
729
	if (IS_ERR(out))
730
		return out;
731

732
	if (ipc_checkid(out, id)) {
733
		ipc_unlock(out);
734
		return ERR_PTR(-EIDRM);
735
	}
736

737
	return out;
738
}
739

740
/**
741
 * ipcget - Common sys_*get() code
742
 * @ns : namsepace
743
 * @ids : IPC identifier set
744
 * @ops : operations to be called on ipc object creation, permission checks
745
 *        and further checks
746
 * @params : the parameters needed by the previous operations.
747
 *
748
 * Common routine called by sys_msgget(), sys_semget() and sys_shmget().
749
 */
750
int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids,
751
			struct ipc_ops *ops, struct ipc_params *params)
752
{
753
	if (params->key == IPC_PRIVATE)
754
		return ipcget_new(ns, ids, ops, params);
755
	else
756
		return ipcget_public(ns, ids, ops, params);
757
}
758

759
/**
760
 * ipc_update_perm - update the permissions of an IPC.
761
 * @in:  the permission given as input.
762
 * @out: the permission of the ipc to set.
763
 */
764
void ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out)
765
{
766
	out->uid = in->uid;
767
	out->gid = in->gid;
768
	out->mode = (out->mode & ~S_IRWXUGO)
769
		| (in->mode & S_IRWXUGO);
770
}
771

772
/**
773
 * ipcctl_pre_down - retrieve an ipc and check permissions for some IPC_XXX cmd
774
 * @ns:  the ipc namespace
775
 * @ids:  the table of ids where to look for the ipc
776
 * @id:   the id of the ipc to retrieve
777
 * @cmd:  the cmd to check
778
 * @perm: the permission to set
779
 * @extra_perm: one extra permission parameter used by msq
780
 *
781
 * This function does some common audit and permissions check for some IPC_XXX
782
 * cmd and is called from semctl_down, shmctl_down and msgctl_down.
783
 * It must be called without any lock held and
784
 *  - retrieves the ipc with the given id in the given table.
785
 *  - performs some audit and permission check, depending on the given cmd
786
 *  - returns the ipc with both ipc and rw_mutex locks held in case of success
787
 *    or an err-code without any lock held otherwise.
788
 */
789
struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns,
790
				      struct ipc_ids *ids, int id, int cmd,
791
				      struct ipc64_perm *perm, int extra_perm)
792
{
793
	struct kern_ipc_perm *ipcp;
794
	uid_t euid;
795
	int err;
796

797
	down_write(&ids->rw_mutex);
798
	ipcp = ipc_lock_check(ids, id);
799
	if (IS_ERR(ipcp)) {
800
		err = PTR_ERR(ipcp);
801
		goto out_up;
802
	}
803

804
	audit_ipc_obj(ipcp);
805
	if (cmd == IPC_SET)
806
		audit_ipc_set_perm(extra_perm, perm->uid,
807
					 perm->gid, perm->mode);
808

809
	euid = current_euid();
810
	if (euid == ipcp->cuid || euid == ipcp->uid  ||
811
	    ns_capable(ns->user_ns, CAP_SYS_ADMIN))
812
		return ipcp;
813

814
	err = -EPERM;
815
	ipc_unlock(ipcp);
816
out_up:
817
	up_write(&ids->rw_mutex);
818
	return ERR_PTR(err);
819
}
820

821
#ifdef __ARCH_WANT_IPC_PARSE_VERSION
822

823

824
/**
825
 *	ipc_parse_version	-	IPC call version
826
 *	@cmd: pointer to command
827
 *
828
 *	Return IPC_64 for new style IPC and IPC_OLD for old style IPC. 
829
 *	The @cmd value is turned from an encoding command and version into
830
 *	just the command code.
831
 */
832
 
833
int ipc_parse_version (int *cmd)
834
{
835
	if (*cmd & IPC_64) {
836
		*cmd ^= IPC_64;
837
		return IPC_64;
838
	} else {
839
		return IPC_OLD;
840
	}
841
}
842

843
#endif /* __ARCH_WANT_IPC_PARSE_VERSION */
844

845
#ifdef CONFIG_PROC_FS
846
struct ipc_proc_iter {
847
	struct ipc_namespace *ns;
848
	struct ipc_proc_iface *iface;
849
};
850

851
/*
852
 * This routine locks the ipc structure found at least at position pos.
853
 */
854
static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos,
855
					      loff_t *new_pos)
856
{
857
	struct kern_ipc_perm *ipc;
858
	int total, id;
859

860
	total = 0;
861
	for (id = 0; id < pos && total < ids->in_use; id++) {
862
		ipc = idr_find(&ids->ipcs_idr, id);
863
		if (ipc != NULL)
864
			total++;
865
	}
866

867
	if (total >= ids->in_use)
868
		return NULL;
869

870
	for ( ; pos < IPCMNI; pos++) {
871
		ipc = idr_find(&ids->ipcs_idr, pos);
872
		if (ipc != NULL) {
873
			*new_pos = pos + 1;
874
			ipc_lock_by_ptr(ipc);
875
			return ipc;
876
		}
877
	}
878

879
	/* Out of range - return NULL to terminate iteration */
880
	return NULL;
881
}
882

883
static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos)
884
{
885
	struct ipc_proc_iter *iter = s->private;
886
	struct ipc_proc_iface *iface = iter->iface;
887
	struct kern_ipc_perm *ipc = it;
888

889
	/* If we had an ipc id locked before, unlock it */
890
	if (ipc && ipc != SEQ_START_TOKEN)
891
		ipc_unlock(ipc);
892

893
	return sysvipc_find_ipc(&iter->ns->ids[iface->ids], *pos, pos);
894
}
895

896
/*
897
 * File positions: pos 0 -> header, pos n -> ipc id = n - 1.
898
 * SeqFile iterator: iterator value locked ipc pointer or SEQ_TOKEN_START.
899
 */
900
static void *sysvipc_proc_start(struct seq_file *s, loff_t *pos)
901
{
902
	struct ipc_proc_iter *iter = s->private;
903
	struct ipc_proc_iface *iface = iter->iface;
904
	struct ipc_ids *ids;
905

906
	ids = &iter->ns->ids[iface->ids];
907

908
	/*
909
	 * Take the lock - this will be released by the corresponding
910
	 * call to stop().
911
	 */
912
	down_read(&ids->rw_mutex);
913

914
	/* pos < 0 is invalid */
915
	if (*pos < 0)
916
		return NULL;
917

918
	/* pos == 0 means header */
919
	if (*pos == 0)
920
		return SEQ_START_TOKEN;
921

922
	/* Find the (pos-1)th ipc */
923
	return sysvipc_find_ipc(ids, *pos - 1, pos);
924
}
925

926
static void sysvipc_proc_stop(struct seq_file *s, void *it)
927
{
928
	struct kern_ipc_perm *ipc = it;
929
	struct ipc_proc_iter *iter = s->private;
930
	struct ipc_proc_iface *iface = iter->iface;
931
	struct ipc_ids *ids;
932

933
	/* If we had a locked structure, release it */
934
	if (ipc && ipc != SEQ_START_TOKEN)
935
		ipc_unlock(ipc);
936

937
	ids = &iter->ns->ids[iface->ids];
938
	/* Release the lock we took in start() */
939
	up_read(&ids->rw_mutex);
940
}
941

942
static int sysvipc_proc_show(struct seq_file *s, void *it)
943
{
944
	struct ipc_proc_iter *iter = s->private;
945
	struct ipc_proc_iface *iface = iter->iface;
946

947
	if (it == SEQ_START_TOKEN)
948
		return seq_puts(s, iface->header);
949

950
	return iface->show(s, it);
951
}
952

953
static const struct seq_operations sysvipc_proc_seqops = {
954
	.start = sysvipc_proc_start,
955
	.stop  = sysvipc_proc_stop,
956
	.next  = sysvipc_proc_next,
957
	.show  = sysvipc_proc_show,
958
};
959

960
static int sysvipc_proc_open(struct inode *inode, struct file *file)
961
{
962
	int ret;
963
	struct seq_file *seq;
964
	struct ipc_proc_iter *iter;
965

966
	ret = -ENOMEM;
967
	iter = kmalloc(sizeof(*iter), GFP_KERNEL);
968
	if (!iter)
969
		goto out;
970

971
	ret = seq_open(file, &sysvipc_proc_seqops);
972
	if (ret)
973
		goto out_kfree;
974

975
	seq = file->private_data;
976
	seq->private = iter;
977

978
	iter->iface = PDE(inode)->data;
979
	iter->ns    = get_ipc_ns(current->nsproxy->ipc_ns);
980
out:
981
	return ret;
982
out_kfree:
983
	kfree(iter);
984
	goto out;
985
}
986

987
static int sysvipc_proc_release(struct inode *inode, struct file *file)
988
{
989
	struct seq_file *seq = file->private_data;
990
	struct ipc_proc_iter *iter = seq->private;
991
	put_ipc_ns(iter->ns);
992
	return seq_release_private(inode, file);
993
}
994

995
static const struct file_operations sysvipc_proc_fops = {
996
	.open    = sysvipc_proc_open,
997
	.read    = seq_read,
998
	.llseek  = seq_lseek,
999
	.release = sysvipc_proc_release,
1000
};
1001
#endif /* CONFIG_PROC_FS */
1002

1003