1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * linux/ipc/util.c
4
 * Copyright (C) 1992 Krishna Balasubramanian
5
 *
6
 * Sep 1997 - Call suser() last after "normal" permission checks so we
7
 *            get BSD style process accounting right.
8
 *            Occurs in several places in the IPC code.
9
 *            Chris Evans, <[email protected]>
10
 * Nov 1999 - ipc helper functions, unified SMP locking
11
 *	      Manfred Spraul <[email protected]>
12
 * Oct 2002 - One lock per IPC id. RCU ipc_free for lock-free grow_ary().
13
 *            Mingming Cao <[email protected]>
14
 * Mar 2006 - support for audit of ipc object properties
15
 *            Dustin Kirkland <[email protected]>
16
 * Jun 2006 - namespaces ssupport
17
 *            OpenVZ, SWsoft Inc.
18
 *            Pavel Emelianov <[email protected]>
19
 *
20
 * General sysv ipc locking scheme:
21
 *	rcu_read_lock()
22
 *          obtain the ipc object (kern_ipc_perm) by looking up the id in an idr
23
 *	    tree.
24
 *	    - perform initial checks (capabilities, auditing and permission,
25
 *	      etc).
26
 *	    - perform read-only operations, such as INFO command, that
27
 *	      do not demand atomicity
28
 *	      acquire the ipc lock (kern_ipc_perm.lock) through
29
 *	      ipc_lock_object()
30
 *		- perform read-only operations that demand atomicity,
31
 *		  such as STAT command.
32
 *		- perform data updates, such as SET, RMID commands and
33
 *		  mechanism-specific operations (semop/semtimedop,
34
 *		  msgsnd/msgrcv, shmat/shmdt).
35
 *	    drop the ipc lock, through ipc_unlock_object().
36
 *	rcu_read_unlock()
37
 *
38
 *  The ids->rwsem must be taken when:
39
 *	- creating, removing and iterating the existing entries in ipc
40
 *	  identifier sets.
41
 *	- iterating through files under /proc/sysvipc/
42
 *
43
 *  Note that sems have a special fast path that avoids kern_ipc_perm.lock -
44
 *  see sem_lock().
45
 */
46

47
#include <linux/mm.h>
48
#include <linux/shm.h>
49
#include <linux/init.h>
50
#include <linux/msg.h>
51
#include <linux/vmalloc.h>
52
#include <linux/slab.h>
53
#include <linux/notifier.h>
54
#include <linux/capability.h>
55
#include <linux/highuid.h>
56
#include <linux/security.h>
57
#include <linux/rcupdate.h>
58
#include <linux/workqueue.h>
59
#include <linux/seq_file.h>
60
#include <linux/proc_fs.h>
61
#include <linux/audit.h>
62
#include <linux/nsproxy.h>
63
#include <linux/rwsem.h>
64
#include <linux/memory.h>
65
#include <linux/ipc_namespace.h>
66
#include <linux/rhashtable.h>
67
#include <linux/log2.h>
68

69
#include <asm/unistd.h>
70

71
#include "util.h"
72

73
struct ipc_proc_iface {
74
	const char *path;
75
	const char *header;
76
	int ids;
77
	int (*show)(struct seq_file *, void *);
78
};
79

80
/**
81
 * ipc_init - initialise ipc subsystem
82
 *
83
 * The various sysv ipc resources (semaphores, messages and shared
84
 * memory) are initialised.
85
 *
86
 * A callback routine is registered into the memory hotplug notifier
87
 * chain: since msgmni scales to lowmem this callback routine will be
88
 * called upon successful memory add / remove to recompute msmgni.
89
 */
90
static int __init ipc_init(void)
91
{
92
	proc_mkdir("sysvipc", NULL);
93
	sem_init();
94
	msg_init();
95
	shm_init();
96

97
	return 0;
98
}
99
device_initcall(ipc_init);
100

101
static const struct rhashtable_params ipc_kht_params = {
102
	.head_offset		= offsetof(struct kern_ipc_perm, khtnode),
103
	.key_offset		= offsetof(struct kern_ipc_perm, key),
104
	.key_len		= sizeof_field(struct kern_ipc_perm, key),
105
	.automatic_shrinking	= true,
106
};
107

108
/**
109
 * ipc_init_ids	- initialise ipc identifiers
110
 * @ids: ipc identifier set
111
 *
112
 * Set up the sequence range to use for the ipc identifier range (limited
113
 * below ipc_mni) then initialise the keys hashtable and ids idr.
114
 */
115
void ipc_init_ids(struct ipc_ids *ids)
116
{
117
	ids->in_use = 0;
118
	ids->seq = 0;
119
	init_rwsem(&ids->rwsem);
120
	rhashtable_init(&ids->key_ht, &ipc_kht_params);
121
	idr_init(&ids->ipcs_idr);
122
	ids->max_idx = -1;
123
	ids->last_idx = -1;
124
#ifdef CONFIG_CHECKPOINT_RESTORE
125
	ids->next_id = -1;
126
#endif
127
}
128

129
#ifdef CONFIG_PROC_FS
130
static const struct proc_ops sysvipc_proc_ops;
131
/**
132
 * ipc_init_proc_interface -  create a proc interface for sysipc types using a seq_file interface.
133
 * @path: Path in procfs
134
 * @header: Banner to be printed at the beginning of the file.
135
 * @ids: ipc id table to iterate.
136
 * @show: show routine.
137
 */
138
void __init ipc_init_proc_interface(const char *path, const char *header,
139
		int ids, int (*show)(struct seq_file *, void *))
140
{
141
	struct proc_dir_entry *pde;
142
	struct ipc_proc_iface *iface;
143

144
	iface = kmalloc(sizeof(*iface), GFP_KERNEL);
145
	if (!iface)
146
		return;
147
	iface->path	= path;
148
	iface->header	= header;
149
	iface->ids	= ids;
150
	iface->show	= show;
151

152
	pde = proc_create_data(path,
153
			       S_IRUGO,        /* world readable */
154
			       NULL,           /* parent dir */
155
			       &sysvipc_proc_ops,
156
			       iface);
157
	if (!pde)
158
		kfree(iface);
159
}
160
#endif
161

162
/**
163
 * ipc_findkey	- find a key in an ipc identifier set
164
 * @ids: ipc identifier set
165
 * @key: key to find
166
 *
167
 * Returns the locked pointer to the ipc structure if found or NULL
168
 * otherwise. If key is found ipc points to the owning ipc structure
169
 *
170
 * Called with writer ipc_ids.rwsem held.
171
 */
172
static struct kern_ipc_perm *ipc_findkey(struct ipc_ids *ids, key_t key)
173
{
174
	struct kern_ipc_perm *ipcp;
175

176
	ipcp = rhashtable_lookup_fast(&ids->key_ht, &key,
177
					      ipc_kht_params);
178
	if (!ipcp)
179
		return NULL;
180

181
	rcu_read_lock();
182
	ipc_lock_object(ipcp);
183
	return ipcp;
184
}
185

186
/*
187
 * Insert new IPC object into idr tree, and set sequence number and id
188
 * in the correct order.
189
 * Especially:
190
 * - the sequence number must be set before inserting the object into the idr,
191
 *   because the sequence number is accessed without a lock.
192
 * - the id can/must be set after inserting the object into the idr.
193
 *   All accesses must be done after getting kern_ipc_perm.lock.
194
 *
195
 * The caller must own kern_ipc_perm.lock.of the new object.
196
 * On error, the function returns a (negative) error code.
197
 *
198
 * To conserve sequence number space, especially with extended ipc_mni,
199
 * the sequence number is incremented only when the returned ID is less than
200
 * the last one.
201
 */
202
static inline int ipc_idr_alloc(struct ipc_ids *ids, struct kern_ipc_perm *new)
203
{
204
	int idx, next_id = -1;
205

206
#ifdef CONFIG_CHECKPOINT_RESTORE
207
	next_id = ids->next_id;
208
	ids->next_id = -1;
209
#endif
210

211
	/*
212
	 * As soon as a new object is inserted into the idr,
213
	 * ipc_obtain_object_idr() or ipc_obtain_object_check() can find it,
214
	 * and the lockless preparations for ipc operations can start.
215
	 * This means especially: permission checks, audit calls, allocation
216
	 * of undo structures, ...
217
	 *
218
	 * Thus the object must be fully initialized, and if something fails,
219
	 * then the full tear-down sequence must be followed.
220
	 * (i.e.: set new->deleted, reduce refcount, call_rcu())
221
	 */
222

223
	if (next_id < 0) { /* !CHECKPOINT_RESTORE or next_id is unset */
224
		int max_idx;
225

226
		max_idx = max(ids->in_use*3/2, ipc_min_cycle);
227
		max_idx = min(max_idx, ipc_mni);
228

229
		/* allocate the idx, with a NULL struct kern_ipc_perm */
230
		idx = idr_alloc_cyclic(&ids->ipcs_idr, NULL, 0, max_idx,
231
					GFP_NOWAIT);
232

233
		if (idx >= 0) {
234
			/*
235
			 * idx got allocated successfully.
236
			 * Now calculate the sequence number and set the
237
			 * pointer for real.
238
			 */
239
			if (idx <= ids->last_idx) {
240
				ids->seq++;
241
				if (ids->seq >= ipcid_seq_max())
242
					ids->seq = 0;
243
			}
244
			ids->last_idx = idx;
245

246
			new->seq = ids->seq;
247
			/* no need for smp_wmb(), this is done
248
			 * inside idr_replace, as part of
249
			 * rcu_assign_pointer
250
			 */
251
			idr_replace(&ids->ipcs_idr, new, idx);
252
		}
253
	} else {
254
		new->seq = ipcid_to_seqx(next_id);
255
		idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
256
				0, GFP_NOWAIT);
257
	}
258
	if (idx >= 0)
259
		new->id = (new->seq << ipcmni_seq_shift()) + idx;
260
	return idx;
261
}
262

263
/**
264
 * ipc_addid - add an ipc identifier
265
 * @ids: ipc identifier set
266
 * @new: new ipc permission set
267
 * @limit: limit for the number of used ids
268
 *
269
 * Add an entry 'new' to the ipc ids idr. The permissions object is
270
 * initialised and the first free entry is set up and the index assigned
271
 * is returned. The 'new' entry is returned in a locked state on success.
272
 *
273
 * On failure the entry is not locked and a negative err-code is returned.
274
 * The caller must use ipc_rcu_putref() to free the identifier.
275
 *
276
 * Called with writer ipc_ids.rwsem held.
277
 */
278
int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int limit)
279
{
280
	kuid_t euid;
281
	kgid_t egid;
282
	int idx, err;
283

284
	/* 1) Initialize the refcount so that ipc_rcu_putref works */
285
	refcount_set(&new->refcount, 1);
286

287
	if (limit > ipc_mni)
288
		limit = ipc_mni;
289

290
	if (ids->in_use >= limit)
291
		return -ENOSPC;
292

293
	idr_preload(GFP_KERNEL);
294

295
	spin_lock_init(&new->lock);
296
	rcu_read_lock();
297
	spin_lock(&new->lock);
298

299
	current_euid_egid(&euid, &egid);
300
	new->cuid = new->uid = euid;
301
	new->gid = new->cgid = egid;
302

303
	new->deleted = false;
304

305
	idx = ipc_idr_alloc(ids, new);
306
	idr_preload_end();
307

308
	if (idx >= 0 && new->key != IPC_PRIVATE) {
309
		err = rhashtable_insert_fast(&ids->key_ht, &new->khtnode,
310
					     ipc_kht_params);
311
		if (err < 0) {
312
			idr_remove(&ids->ipcs_idr, idx);
313
			idx = err;
314
		}
315
	}
316
	if (idx < 0) {
317
		new->deleted = true;
318
		spin_unlock(&new->lock);
319
		rcu_read_unlock();
320
		return idx;
321
	}
322

323
	ids->in_use++;
324
	if (idx > ids->max_idx)
325
		ids->max_idx = idx;
326
	return idx;
327
}
328

329
/**
330
 * ipcget_new -	create a new ipc object
331
 * @ns: ipc namespace
332
 * @ids: ipc identifier set
333
 * @ops: the actual creation routine to call
334
 * @params: its parameters
335
 *
336
 * This routine is called by sys_msgget, sys_semget() and sys_shmget()
337
 * when the key is IPC_PRIVATE.
338
 */
339
static int ipcget_new(struct ipc_namespace *ns, struct ipc_ids *ids,
340
		const struct ipc_ops *ops, struct ipc_params *params)
341
{
342
	int err;
343

344
	down_write(&ids->rwsem);
345
	err = ops->getnew(ns, params);
346
	up_write(&ids->rwsem);
347
	return err;
348
}
349

350
/**
351
 * ipc_check_perms - check security and permissions for an ipc object
352
 * @ns: ipc namespace
353
 * @ipcp: ipc permission set
354
 * @ops: the actual security routine to call
355
 * @params: its parameters
356
 *
357
 * This routine is called by sys_msgget(), sys_semget() and sys_shmget()
358
 * when the key is not IPC_PRIVATE and that key already exists in the
359
 * ds IDR.
360
 *
361
 * On success, the ipc id is returned.
362
 *
363
 * It is called with ipc_ids.rwsem and ipcp->lock held.
364
 */
365
static int ipc_check_perms(struct ipc_namespace *ns,
366
			   struct kern_ipc_perm *ipcp,
367
			   const struct ipc_ops *ops,
368
			   struct ipc_params *params)
369
{
370
	int err;
371

372
	if (ipcperms(ns, ipcp, params->flg))
373
		err = -EACCES;
374
	else {
375
		err = ops->associate(ipcp, params->flg);
376
		if (!err)
377
			err = ipcp->id;
378
	}
379

380
	return err;
381
}
382

383
/**
384
 * ipcget_public - get an ipc object or create a new one
385
 * @ns: ipc namespace
386
 * @ids: ipc identifier set
387
 * @ops: the actual creation routine to call
388
 * @params: its parameters
389
 *
390
 * This routine is called by sys_msgget, sys_semget() and sys_shmget()
391
 * when the key is not IPC_PRIVATE.
392
 * It adds a new entry if the key is not found and does some permission
393
 * / security checkings if the key is found.
394
 *
395
 * On success, the ipc id is returned.
396
 */
397
static int ipcget_public(struct ipc_namespace *ns, struct ipc_ids *ids,
398
		const struct ipc_ops *ops, struct ipc_params *params)
399
{
400
	struct kern_ipc_perm *ipcp;
401
	int flg = params->flg;
402
	int err;
403

404
	/*
405
	 * Take the lock as a writer since we are potentially going to add
406
	 * a new entry + read locks are not "upgradable"
407
	 */
408
	down_write(&ids->rwsem);
409
	ipcp = ipc_findkey(ids, params->key);
410
	if (ipcp == NULL) {
411
		/* key not used */
412
		if (!(flg & IPC_CREAT))
413
			err = -ENOENT;
414
		else
415
			err = ops->getnew(ns, params);
416
	} else {
417
		/* ipc object has been locked by ipc_findkey() */
418

419
		if (flg & IPC_CREAT && flg & IPC_EXCL)
420
			err = -EEXIST;
421
		else {
422
			err = 0;
423
			if (ops->more_checks)
424
				err = ops->more_checks(ipcp, params);
425
			if (!err)
426
				/*
427
				 * ipc_check_perms returns the IPC id on
428
				 * success
429
				 */
430
				err = ipc_check_perms(ns, ipcp, ops, params);
431
		}
432
		ipc_unlock(ipcp);
433
	}
434
	up_write(&ids->rwsem);
435

436
	return err;
437
}
438

439
/**
440
 * ipc_kht_remove - remove an ipc from the key hashtable
441
 * @ids: ipc identifier set
442
 * @ipcp: ipc perm structure containing the key to remove
443
 *
444
 * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held
445
 * before this function is called, and remain locked on the exit.
446
 */
447
static void ipc_kht_remove(struct ipc_ids *ids, struct kern_ipc_perm *ipcp)
448
{
449
	if (ipcp->key != IPC_PRIVATE)
450
		WARN_ON_ONCE(rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode,
451
				       ipc_kht_params));
452
}
453

454
/**
455
 * ipc_search_maxidx - search for the highest assigned index
456
 * @ids: ipc identifier set
457
 * @limit: known upper limit for highest assigned index
458
 *
459
 * The function determines the highest assigned index in @ids. It is intended
460
 * to be called when ids->max_idx needs to be updated.
461
 * Updating ids->max_idx is necessary when the current highest index ipc
462
 * object is deleted.
463
 * If no ipc object is allocated, then -1 is returned.
464
 *
465
 * ipc_ids.rwsem needs to be held by the caller.
466
 */
467
static int ipc_search_maxidx(struct ipc_ids *ids, int limit)
468
{
469
	int tmpidx;
470
	int i;
471
	int retval;
472

473
	i = ilog2(limit+1);
474

475
	retval = 0;
476
	for (; i >= 0; i--) {
477
		tmpidx = retval | (1<<i);
478
		/*
479
		 * "0" is a possible index value, thus search using
480
		 * e.g. 15,7,3,1,0 instead of 16,8,4,2,1.
481
		 */
482
		tmpidx = tmpidx-1;
483
		if (idr_get_next(&ids->ipcs_idr, &tmpidx))
484
			retval |= (1<<i);
485
	}
486
	return retval - 1;
487
}
488

489
/**
490
 * ipc_rmid - remove an ipc identifier
491
 * @ids: ipc identifier set
492
 * @ipcp: ipc perm structure containing the identifier to remove
493
 *
494
 * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held
495
 * before this function is called, and remain locked on the exit.
496
 */
497
void ipc_rmid(struct ipc_ids *ids, struct kern_ipc_perm *ipcp)
498
{
499
	int idx = ipcid_to_idx(ipcp->id);
500

501
	WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp);
502
	ipc_kht_remove(ids, ipcp);
503
	ids->in_use--;
504
	ipcp->deleted = true;
505

506
	if (unlikely(idx == ids->max_idx)) {
507
		idx = ids->max_idx-1;
508
		if (idx >= 0)
509
			idx = ipc_search_maxidx(ids, idx);
510
		ids->max_idx = idx;
511
	}
512
}
513

514
/**
515
 * ipc_set_key_private - switch the key of an existing ipc to IPC_PRIVATE
516
 * @ids: ipc identifier set
517
 * @ipcp: ipc perm structure containing the key to modify
518
 *
519
 * ipc_ids.rwsem (as a writer) and the spinlock for this ID are held
520
 * before this function is called, and remain locked on the exit.
521
 */
522
void ipc_set_key_private(struct ipc_ids *ids, struct kern_ipc_perm *ipcp)
523
{
524
	ipc_kht_remove(ids, ipcp);
525
	ipcp->key = IPC_PRIVATE;
526
}
527

528
bool ipc_rcu_getref(struct kern_ipc_perm *ptr)
529
{
530
	return refcount_inc_not_zero(&ptr->refcount);
531
}
532

533
void ipc_rcu_putref(struct kern_ipc_perm *ptr,
534
			void (*func)(struct rcu_head *head))
535
{
536
	if (!refcount_dec_and_test(&ptr->refcount))
537
		return;
538

539
	call_rcu(&ptr->rcu, func);
540
}
541

542
/**
543
 * ipcperms - check ipc permissions
544
 * @ns: ipc namespace
545
 * @ipcp: ipc permission set
546
 * @flag: desired permission set
547
 *
548
 * Check user, group, other permissions for access
549
 * to ipc resources. return 0 if allowed
550
 *
551
 * @flag will most probably be 0 or ``S_...UGO`` from <linux/stat.h>
552
 */
553
int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
554
{
555
	kuid_t euid = current_euid();
556
	int requested_mode, granted_mode;
557

558
	audit_ipc_obj(ipcp);
559
	requested_mode = (flag >> 6) | (flag >> 3) | flag;
560
	granted_mode = ipcp->mode;
561
	if (uid_eq(euid, ipcp->cuid) ||
562
	    uid_eq(euid, ipcp->uid))
563
		granted_mode >>= 6;
564
	else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
565
		granted_mode >>= 3;
566
	/* is there some bit set in requested_mode but not in granted_mode? */
567
	if ((requested_mode & ~granted_mode & 0007) &&
568
	    !ns_capable(ns->user_ns, CAP_IPC_OWNER))
569
		return -1;
570

571
	return security_ipc_permission(ipcp, flag);
572
}
573

574
/*
575
 * Functions to convert between the kern_ipc_perm structure and the
576
 * old/new ipc_perm structures
577
 */
578

579
/**
580
 * kernel_to_ipc64_perm	- convert kernel ipc permissions to user
581
 * @in: kernel permissions
582
 * @out: new style ipc permissions
583
 *
584
 * Turn the kernel object @in into a set of permissions descriptions
585
 * for returning to userspace (@out).
586
 */
587
void kernel_to_ipc64_perm(struct kern_ipc_perm *in, struct ipc64_perm *out)
588
{
589
	out->key	= in->key;
590
	out->uid	= from_kuid_munged(current_user_ns(), in->uid);
591
	out->gid	= from_kgid_munged(current_user_ns(), in->gid);
592
	out->cuid	= from_kuid_munged(current_user_ns(), in->cuid);
593
	out->cgid	= from_kgid_munged(current_user_ns(), in->cgid);
594
	out->mode	= in->mode;
595
	out->seq	= in->seq;
596
}
597

598
/**
599
 * ipc64_perm_to_ipc_perm - convert new ipc permissions to old
600
 * @in: new style ipc permissions
601
 * @out: old style ipc permissions
602
 *
603
 * Turn the new style permissions object @in into a compatibility
604
 * object and store it into the @out pointer.
605
 */
606
void ipc64_perm_to_ipc_perm(struct ipc64_perm *in, struct ipc_perm *out)
607
{
608
	out->key	= in->key;
609
	SET_UID(out->uid, in->uid);
610
	SET_GID(out->gid, in->gid);
611
	SET_UID(out->cuid, in->cuid);
612
	SET_GID(out->cgid, in->cgid);
613
	out->mode	= in->mode;
614
	out->seq	= in->seq;
615
}
616

617
/**
618
 * ipc_obtain_object_idr - Look for an id in the ipc ids idr and
619
 *   return associated ipc object.
620
 * @ids: ipc identifier set
621
 * @id: ipc id to look for
622
 *
623
 * Call inside the RCU critical section.
624
 * The ipc object is *not* locked on exit.
625
 */
626
struct kern_ipc_perm *ipc_obtain_object_idr(struct ipc_ids *ids, int id)
627
{
628
	struct kern_ipc_perm *out;
629
	int idx = ipcid_to_idx(id);
630

631
	out = idr_find(&ids->ipcs_idr, idx);
632
	if (!out)
633
		return ERR_PTR(-EINVAL);
634

635
	return out;
636
}
637

638
/**
639
 * ipc_obtain_object_check - Similar to ipc_obtain_object_idr() but
640
 *   also checks the ipc object sequence number.
641
 * @ids: ipc identifier set
642
 * @id: ipc id to look for
643
 *
644
 * Call inside the RCU critical section.
645
 * The ipc object is *not* locked on exit.
646
 */
647
struct kern_ipc_perm *ipc_obtain_object_check(struct ipc_ids *ids, int id)
648
{
649
	struct kern_ipc_perm *out = ipc_obtain_object_idr(ids, id);
650

651
	if (IS_ERR(out))
652
		goto out;
653

654
	if (ipc_checkid(out, id))
655
		return ERR_PTR(-EINVAL);
656
out:
657
	return out;
658
}
659

660
/**
661
 * ipcget - Common sys_*get() code
662
 * @ns: namespace
663
 * @ids: ipc identifier set
664
 * @ops: operations to be called on ipc object creation, permission checks
665
 *       and further checks
666
 * @params: the parameters needed by the previous operations.
667
 *
668
 * Common routine called by sys_msgget(), sys_semget() and sys_shmget().
669
 */
670
int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids,
671
			const struct ipc_ops *ops, struct ipc_params *params)
672
{
673
	if (params->key == IPC_PRIVATE)
674
		return ipcget_new(ns, ids, ops, params);
675
	else
676
		return ipcget_public(ns, ids, ops, params);
677
}
678

679
/**
680
 * ipc_update_perm - update the permissions of an ipc object
681
 * @in:  the permission given as input.
682
 * @out: the permission of the ipc to set.
683
 */
684
int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out)
685
{
686
	kuid_t uid = make_kuid(current_user_ns(), in->uid);
687
	kgid_t gid = make_kgid(current_user_ns(), in->gid);
688
	if (!uid_valid(uid) || !gid_valid(gid))
689
		return -EINVAL;
690

691
	out->uid = uid;
692
	out->gid = gid;
693
	out->mode = (out->mode & ~S_IRWXUGO)
694
		| (in->mode & S_IRWXUGO);
695

696
	return 0;
697
}
698

699
/**
700
 * ipcctl_obtain_check - retrieve an ipc object and check permissions
701
 * @ns:  ipc namespace
702
 * @ids:  the table of ids where to look for the ipc
703
 * @id:   the id of the ipc to retrieve
704
 * @cmd:  the cmd to check
705
 * @perm: the permission to set
706
 * @extra_perm: one extra permission parameter used by msq
707
 *
708
 * This function does some common audit and permissions check for some IPC_XXX
709
 * cmd and is called from semctl_down, shmctl_down and msgctl_down.
710
 *
711
 * It:
712
 *   - retrieves the ipc object with the given id in the given table.
713
 *   - performs some audit and permission check, depending on the given cmd
714
 *   - returns a pointer to the ipc object or otherwise, the corresponding
715
 *     error.
716
 *
717
 * Call holding the both the rwsem and the rcu read lock.
718
 */
719
struct kern_ipc_perm *ipcctl_obtain_check(struct ipc_namespace *ns,
720
					struct ipc_ids *ids, int id, int cmd,
721
					struct ipc64_perm *perm, int extra_perm)
722
{
723
	kuid_t euid;
724
	int err = -EPERM;
725
	struct kern_ipc_perm *ipcp;
726

727
	ipcp = ipc_obtain_object_check(ids, id);
728
	if (IS_ERR(ipcp)) {
729
		err = PTR_ERR(ipcp);
730
		goto err;
731
	}
732

733
	audit_ipc_obj(ipcp);
734
	if (cmd == IPC_SET)
735
		audit_ipc_set_perm(extra_perm, perm->uid,
736
				   perm->gid, perm->mode);
737

738
	euid = current_euid();
739
	if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid)  ||
740
	    ns_capable(ns->user_ns, CAP_SYS_ADMIN))
741
		return ipcp; /* successful lookup */
742
err:
743
	return ERR_PTR(err);
744
}
745

746
#ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION
747

748

749
/**
750
 * ipc_parse_version - ipc call version
751
 * @cmd: pointer to command
752
 *
753
 * Return IPC_64 for new style IPC and IPC_OLD for old style IPC.
754
 * The @cmd value is turned from an encoding command and version into
755
 * just the command code.
756
 */
757
int ipc_parse_version(int *cmd)
758
{
759
	if (*cmd & IPC_64) {
760
		*cmd ^= IPC_64;
761
		return IPC_64;
762
	} else {
763
		return IPC_OLD;
764
	}
765
}
766

767
#endif /* CONFIG_ARCH_WANT_IPC_PARSE_VERSION */
768

769
#ifdef CONFIG_PROC_FS
770
struct ipc_proc_iter {
771
	struct ipc_namespace *ns;
772
	struct pid_namespace *pid_ns;
773
	struct ipc_proc_iface *iface;
774
};
775

776
struct pid_namespace *ipc_seq_pid_ns(struct seq_file *s)
777
{
778
	struct ipc_proc_iter *iter = s->private;
779
	return iter->pid_ns;
780
}
781

782
/**
783
 * sysvipc_find_ipc - Find and lock the ipc structure based on seq pos
784
 * @ids: ipc identifier set
785
 * @pos: expected position
786
 *
787
 * The function finds an ipc structure, based on the sequence file
788
 * position @pos. If there is no ipc structure at position @pos, then
789
 * the successor is selected.
790
 * If a structure is found, then it is locked (both rcu_read_lock() and
791
 * ipc_lock_object()) and  @pos is set to the position needed to locate
792
 * the found ipc structure.
793
 * If nothing is found (i.e. EOF), @pos is not modified.
794
 *
795
 * The function returns the found ipc structure, or NULL at EOF.
796
 */
797
static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t *pos)
798
{
799
	int tmpidx;
800
	struct kern_ipc_perm *ipc;
801

802
	/* convert from position to idr index -> "-1" */
803
	tmpidx = *pos - 1;
804

805
	ipc = idr_get_next(&ids->ipcs_idr, &tmpidx);
806
	if (ipc != NULL) {
807
		rcu_read_lock();
808
		ipc_lock_object(ipc);
809

810
		/* convert from idr index to position  -> "+1" */
811
		*pos = tmpidx + 1;
812
	}
813
	return ipc;
814
}
815

816
static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos)
817
{
818
	struct ipc_proc_iter *iter = s->private;
819
	struct ipc_proc_iface *iface = iter->iface;
820
	struct kern_ipc_perm *ipc = it;
821

822
	/* If we had an ipc id locked before, unlock it */
823
	if (ipc && ipc != SEQ_START_TOKEN)
824
		ipc_unlock(ipc);
825

826
	/* Next -> search for *pos+1 */
827
	(*pos)++;
828
	return sysvipc_find_ipc(&iter->ns->ids[iface->ids], pos);
829
}
830

831
/*
832
 * File positions: pos 0 -> header, pos n -> ipc idx = n - 1.
833
 * SeqFile iterator: iterator value locked ipc pointer or SEQ_TOKEN_START.
834
 */
835
static void *sysvipc_proc_start(struct seq_file *s, loff_t *pos)
836
{
837
	struct ipc_proc_iter *iter = s->private;
838
	struct ipc_proc_iface *iface = iter->iface;
839
	struct ipc_ids *ids;
840

841
	ids = &iter->ns->ids[iface->ids];
842

843
	/*
844
	 * Take the lock - this will be released by the corresponding
845
	 * call to stop().
846
	 */
847
	down_read(&ids->rwsem);
848

849
	/* pos < 0 is invalid */
850
	if (*pos < 0)
851
		return NULL;
852

853
	/* pos == 0 means header */
854
	if (*pos == 0)
855
		return SEQ_START_TOKEN;
856

857
	/* Otherwise return the correct ipc structure */
858
	return sysvipc_find_ipc(ids, pos);
859
}
860

861
static void sysvipc_proc_stop(struct seq_file *s, void *it)
862
{
863
	struct kern_ipc_perm *ipc = it;
864
	struct ipc_proc_iter *iter = s->private;
865
	struct ipc_proc_iface *iface = iter->iface;
866
	struct ipc_ids *ids;
867

868
	/* If we had a locked structure, release it */
869
	if (ipc && ipc != SEQ_START_TOKEN)
870
		ipc_unlock(ipc);
871

872
	ids = &iter->ns->ids[iface->ids];
873
	/* Release the lock we took in start() */
874
	up_read(&ids->rwsem);
875
}
876

877
static int sysvipc_proc_show(struct seq_file *s, void *it)
878
{
879
	struct ipc_proc_iter *iter = s->private;
880
	struct ipc_proc_iface *iface = iter->iface;
881

882
	if (it == SEQ_START_TOKEN) {
883
		seq_puts(s, iface->header);
884
		return 0;
885
	}
886

887
	return iface->show(s, it);
888
}
889

890
static const struct seq_operations sysvipc_proc_seqops = {
891
	.start = sysvipc_proc_start,
892
	.stop  = sysvipc_proc_stop,
893
	.next  = sysvipc_proc_next,
894
	.show  = sysvipc_proc_show,
895
};
896

897
static int sysvipc_proc_open(struct inode *inode, struct file *file)
898
{
899
	struct ipc_proc_iter *iter;
900

901
	iter = __seq_open_private(file, &sysvipc_proc_seqops, sizeof(*iter));
902
	if (!iter)
903
		return -ENOMEM;
904

905
	iter->iface = pde_data(inode);
906
	iter->ns    = get_ipc_ns(current->nsproxy->ipc_ns);
907
	iter->pid_ns = get_pid_ns(task_active_pid_ns(current));
908

909
	return 0;
910
}
911

912
static int sysvipc_proc_release(struct inode *inode, struct file *file)
913
{
914
	struct seq_file *seq = file->private_data;
915
	struct ipc_proc_iter *iter = seq->private;
916
	put_ipc_ns(iter->ns);
917
	put_pid_ns(iter->pid_ns);
918
	return seq_release_private(inode, file);
919
}
920

921
static const struct proc_ops sysvipc_proc_ops = {
922
	.proc_flags	= PROC_ENTRY_PERMANENT,
923
	.proc_open	= sysvipc_proc_open,
924
	.proc_read	= seq_read,
925
	.proc_lseek	= seq_lseek,
926
	.proc_release	= sysvipc_proc_release,
927
};
928
#endif /* CONFIG_PROC_FS */
929

930