search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
crypto: arm64/aes-blk - add a non-SIMD fallback for synchronous CTR
[linux-stable.git] / kernel / groups.c
blob434f6665f187d817cdfc00b928cfd84d33eae258
1 /*
2 * Supplementary group IDs
3 */
4 #include <linux/cred.h>
5 #include <linux/export.h>
6 #include <linux/slab.h>
7 #include <linux/security.h>
8 #include <linux/sort.h>
9 #include <linux/syscalls.h>
10 #include <linux/user_namespace.h>
11 #include <linux/vmalloc.h>
12 #include <linux/uaccess.h>
13
14 struct group_info *groups_alloc(int gidsetsize)
15 {
16 struct group_info *gi;
17 unsigned int len;
18
19 len = sizeof(struct group_info) + sizeof(kgid_t) * gidsetsize;
20 gi = kmalloc(len, GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_NORETRY);
21 if (!gi)
22 gi = __vmalloc(len, GFP_KERNEL_ACCOUNT, PAGE_KERNEL);
23 if (!gi)
24 return NULL;
25
26 atomic_set(&gi->usage, 1);
27 gi->ngroups = gidsetsize;
28 return gi;
29 }
30
31 EXPORT_SYMBOL(groups_alloc);
32
33 void groups_free(struct group_info *group_info)
34 {
35 kvfree(group_info);
36 }
37
38 EXPORT_SYMBOL(groups_free);
39
40 /* export the group_info to a user-space array */
41 static int groups_to_user(gid_t __user *grouplist,
42 const struct group_info *group_info)
43 {
44 struct user_namespace *user_ns = current_user_ns();
45 int i;
46 unsigned int count = group_info->ngroups;
47
48 for (i = 0; i < count; i++) {
49 gid_t gid;
50 gid = from_kgid_munged(user_ns, group_info->gid[i]);
51 if (put_user(gid, grouplist+i))
52 return -EFAULT;
53 }
54 return 0;
55 }
56
57 /* fill a group_info from a user-space array - it must be allocated already */
58 static int groups_from_user(struct group_info *group_info,
59 gid_t __user *grouplist)
60 {
61 struct user_namespace *user_ns = current_user_ns();
62 int i;
63 unsigned int count = group_info->ngroups;
64
65 for (i = 0; i < count; i++) {
66 gid_t gid;
67 kgid_t kgid;
68 if (get_user(gid, grouplist+i))
69 return -EFAULT;
70
71 kgid = make_kgid(user_ns, gid);
72 if (!gid_valid(kgid))
73 return -EINVAL;
74
75 group_info->gid[i] = kgid;
76 }
77 return 0;
78 }
79
80 static int gid_cmp(const void *_a, const void *_b)
81 {
82 kgid_t a = *(kgid_t *)_a;
83 kgid_t b = *(kgid_t *)_b;
84
85 return gid_gt(a, b) - gid_lt(a, b);
86 }
87
88 static void groups_sort(struct group_info *group_info)
89 {
90 sort(group_info->gid, group_info->ngroups, sizeof(*group_info->gid),
91 gid_cmp, NULL);
92 }
93
94 /* a simple bsearch */
95 int groups_search(const struct group_info *group_info, kgid_t grp)
96 {
97 unsigned int left, right;
98
99 if (!group_info)
100 return 0;
101
102 left = 0;
103 right = group_info->ngroups;
104 while (left < right) {
105 unsigned int mid = (left+right)/2;
106 if (gid_gt(grp, group_info->gid[mid]))
107 left = mid + 1;
108 else if (gid_lt(grp, group_info->gid[mid]))
109 right = mid;
110 else
111 return 1;
112 }
113 return 0;
114 }
115
116 /**
117 * set_groups - Change a group subscription in a set of credentials
118 * @new: The newly prepared set of credentials to alter
119 * @group_info: The group list to install
120 */
121 void set_groups(struct cred *new, struct group_info *group_info)
122 {
123 put_group_info(new->group_info);
124 groups_sort(group_info);
125 get_group_info(group_info);
126 new->group_info = group_info;
127 }
128
129 EXPORT_SYMBOL(set_groups);
130
131 /**
132 * set_current_groups - Change current's group subscription
133 * @group_info: The group list to impose
134 *
135 * Validate a group subscription and, if valid, impose it upon current's task
136 * security record.
137 */
138 int set_current_groups(struct group_info *group_info)
139 {
140 struct cred *new;
141
142 new = prepare_creds();
143 if (!new)
144 return -ENOMEM;
145
146 set_groups(new, group_info);
147 return commit_creds(new);
148 }
149
150 EXPORT_SYMBOL(set_current_groups);
151
152 SYSCALL_DEFINE2(getgroups, int, gidsetsize, gid_t __user *, grouplist)
153 {
154 const struct cred *cred = current_cred();
155 int i;
156
157 if (gidsetsize < 0)
158 return -EINVAL;
159
160 /* no need to grab task_lock here; it cannot change */
161 i = cred->group_info->ngroups;
162 if (gidsetsize) {
163 if (i > gidsetsize) {
164 i = -EINVAL;
165 goto out;
166 }
167 if (groups_to_user(grouplist, cred->group_info)) {
168 i = -EFAULT;
169 goto out;
170 }
171 }
172 out:
173 return i;
174 }
175
176 bool may_setgroups(void)
177 {
178 struct user_namespace *user_ns = current_user_ns();
179
180 return ns_capable(user_ns, CAP_SETGID) &&
181 userns_may_setgroups(user_ns);
182 }
183
184 /*
185 * SMP: Our groups are copy-on-write. We can set them safely
186 * without another task interfering.
187 */
188
189 SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
190 {
191 struct group_info *group_info;
192 int retval;
193
194 if (!may_setgroups())
195 return -EPERM;
196 if ((unsigned)gidsetsize > NGROUPS_MAX)
197 return -EINVAL;
198
199 group_info = groups_alloc(gidsetsize);
200 if (!group_info)
201 return -ENOMEM;
202 retval = groups_from_user(group_info, grouplist);
203 if (retval) {
204 put_group_info(group_info);
205 return retval;
206 }
207
208 retval = set_current_groups(group_info);
209 put_group_info(group_info);
210
211 return retval;
212 }
213
214 /*
215 * Check whether we're fsgid/egid or in the supplemental group..
216 */
217 int in_group_p(kgid_t grp)
218 {
219 const struct cred *cred = current_cred();
220 int retval = 1;
221
222 if (!gid_eq(grp, cred->fsgid))
223 retval = groups_search(cred->group_info, grp);
224 return retval;
225 }
226
227 EXPORT_SYMBOL(in_group_p);
228
229 int in_egroup_p(kgid_t grp)
230 {
231 const struct cred *cred = current_cred();
232 int retval = 1;
233
234 if (!gid_eq(grp, cred->egid))
235 retval = groups_search(cred->group_info, grp);
236 return retval;
237 }
238
239 EXPORT_SYMBOL(in_egroup_p);
Linux kernel stable tree