1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 *  Copyright (C) 2007
4 *
 *  Author: Eric Biederman <ebiederm@xmission.com>
6 */
7
8#include <linux/module.h>
9#include <linux/ipc.h>
10#include <linux/nsproxy.h>
11#include <linux/sysctl.h>
12#include <linux/uaccess.h>
13#include <linux/capability.h>
14#include <linux/ipc_namespace.h>
15#include <linux/msg.h>
16#include <linux/slab.h>
17#include <linux/cred.h>
18#include "util.h"
19
20static int proc_ipc_dointvec_minmax_orphans(struct ctl_table *table, int write,
21		void *buffer, size_t *lenp, loff_t *ppos)
22{
23	struct ipc_namespace *ns =
24		container_of(table->data, struct ipc_namespace, shm_rmid_forced);
25	int err;
26
27	err = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
28
29	if (err < 0)
30		return err;
31	if (ns->shm_rmid_forced)
32		shm_destroy_orphaned(ns);
33	return err;
34}
35
36static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
37		void *buffer, size_t *lenp, loff_t *ppos)
38{
39	struct ctl_table ipc_table;
40	int dummy = 0;
41
42	memcpy(&ipc_table, table, sizeof(ipc_table));
43	ipc_table.data = &dummy;
44
45	if (write)
46		pr_info_once("writing to auto_msgmni has no effect");
47
48	return proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos);
49}
50
51static int proc_ipc_sem_dointvec(struct ctl_table *table, int write,
52	void *buffer, size_t *lenp, loff_t *ppos)
53{
54	struct ipc_namespace *ns =
55		container_of(table->data, struct ipc_namespace, sem_ctls);
56	int ret, semmni;
57
58	semmni = ns->sem_ctls[3];
59	ret = proc_dointvec(table, write, buffer, lenp, ppos);
60
61	if (!ret)
62		ret = sem_check_semmni(ns);
63
64	/*
65	 * Reset the semmni value if an error happens.
66	 */
67	if (ret)
68		ns->sem_ctls[3] = semmni;
69	return ret;
70}
71
/*
 * Global IPC identifier parameters.  They start out with the default
 * values below and are replaced by the IPCMNI_EXTEND* values when the
 * "ipcmni_extend" early parameter is handled by ipc_mni_extend().
 *
 * ipc_mni is used in ipc_sysctls[] as the upper bound (.extra2) of the
 * "shmmni" and "msgmni" entries.
 */
int ipc_mni = IPCMNI;
int ipc_mni_shift = IPCMNI_SHIFT;
int ipc_min_cycle = RADIX_TREE_MAP_SIZE;
75
/*
 * Template for the IPC sysctl entries that setup_ipc_sysctls() registers
 * under "kernel".
 *
 * The .data pointers here refer to init_ipc_ns.  setup_ipc_sysctls()
 * duplicates the table for a namespace and redirects every pointer it
 * recognises to the matching field of that namespace; entries it does not
 * recognise get .data set to NULL.
 */
static struct ctl_table ipc_sysctls[] = {
	/* shmmax / shmall: unsigned long values, no .extra1/.extra2 bounds. */
	{
		.procname	= "shmmax",
		.data		= &init_ipc_ns.shm_ctlmax,
		.maxlen		= sizeof(init_ipc_ns.shm_ctlmax),
		.mode		= 0644,
		.proc_handler	= proc_doulongvec_minmax,
	},
	{
		.procname	= "shmall",
		.data		= &init_ipc_ns.shm_ctlall,
		.maxlen		= sizeof(init_ipc_ns.shm_ctlall),
		.mode		= 0644,
		.proc_handler	= proc_doulongvec_minmax,
	},
	/* shmmni: bounded to [0, ipc_mni]. */
	{
		.procname	= "shmmni",
		.data		= &init_ipc_ns.shm_ctlmni,
		.maxlen		= sizeof(init_ipc_ns.shm_ctlmni),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= &ipc_mni,
	},
	/*
	 * shm_rmid_forced: 0 or 1.  The handler additionally calls
	 * shm_destroy_orphaned() while the value is non-zero.
	 */
	{
		.procname	= "shm_rmid_forced",
		.data		= &init_ipc_ns.shm_rmid_forced,
		.maxlen		= sizeof(init_ipc_ns.shm_rmid_forced),
		.mode		= 0644,
		.proc_handler	= proc_ipc_dointvec_minmax_orphans,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
	/* msgmax: bounded to [0, INT_MAX]. */
	{
		.procname	= "msgmax",
		.data		= &init_ipc_ns.msg_ctlmax,
		.maxlen		= sizeof(init_ipc_ns.msg_ctlmax),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_INT_MAX,
	},
	/* msgmni: bounded to [0, ipc_mni]. */
	{
		.procname	= "msgmni",
		.data		= &init_ipc_ns.msg_ctlmni,
		.maxlen		= sizeof(init_ipc_ns.msg_ctlmni),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= &ipc_mni,
	},
	/*
	 * auto_msgmni: no backing storage; proc_ipc_auto_msgmni() serves the
	 * request from a local dummy value.
	 */
	{
		.procname	= "auto_msgmni",
		.data		= NULL,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_ipc_auto_msgmni,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
	/* msgmnb: bounded to [0, INT_MAX]. */
	{
		.procname	=  "msgmnb",
		.data		= &init_ipc_ns.msg_ctlmnb,
		.maxlen		= sizeof(init_ipc_ns.msg_ctlmnb),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_INT_MAX,
	},
	/*
	 * sem: four ints exposed as one entry.  proc_ipc_sem_dointvec()
	 * restores sem_ctls[3] if the update is rejected.
	 */
	{
		.procname	= "sem",
		.data		= &init_ipc_ns.sem_ctls,
		.maxlen		= 4*sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_ipc_sem_dointvec,
	},
#ifdef CONFIG_CHECKPOINT_RESTORE
	/*
	 * *_next_id: listed as 0444 here; ipc_permissions() reports 0666 for
	 * these entries when checkpoint_restore_ns_capable() succeeds for the
	 * namespace's user_ns.
	 */
	{
		.procname	= "sem_next_id",
		.data		= &init_ipc_ns.ids[IPC_SEM_IDS].next_id,
		.maxlen		= sizeof(init_ipc_ns.ids[IPC_SEM_IDS].next_id),
		.mode		= 0444,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_INT_MAX,
	},
	{
		.procname	= "msg_next_id",
		.data		= &init_ipc_ns.ids[IPC_MSG_IDS].next_id,
		.maxlen		= sizeof(init_ipc_ns.ids[IPC_MSG_IDS].next_id),
		.mode		= 0444,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_INT_MAX,
	},
	{
		.procname	= "shm_next_id",
		.data		= &init_ipc_ns.ids[IPC_SHM_IDS].next_id,
		.maxlen		= sizeof(init_ipc_ns.ids[IPC_SHM_IDS].next_id),
		.mode		= 0444,
		.proc_handler	= proc_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_INT_MAX,
	},
#endif
	/* Empty terminating entry (counted by ARRAY_SIZE(ipc_sysctls)). */
	{}
};
183
184static struct ctl_table_set *set_lookup(struct ctl_table_root *root)
185{
186	return &current->nsproxy->ipc_ns->ipc_set;
187}
188
189static int set_is_seen(struct ctl_table_set *set)
190{
191	return &current->nsproxy->ipc_ns->ipc_set == set;
192}
193
194static void ipc_set_ownership(struct ctl_table_header *head,
195			      struct ctl_table *table,
196			      kuid_t *uid, kgid_t *gid)
197{
198	struct ipc_namespace *ns =
199		container_of(head->set, struct ipc_namespace, ipc_set);
200
201	kuid_t ns_root_uid = make_kuid(ns->user_ns, 0);
202	kgid_t ns_root_gid = make_kgid(ns->user_ns, 0);
203
204	*uid = uid_valid(ns_root_uid) ? ns_root_uid : GLOBAL_ROOT_UID;
205	*gid = gid_valid(ns_root_gid) ? ns_root_gid : GLOBAL_ROOT_GID;
206}
207
208static int ipc_permissions(struct ctl_table_header *head, struct ctl_table *table)
209{
210	int mode = table->mode;
211
212#ifdef CONFIG_CHECKPOINT_RESTORE
213	struct ipc_namespace *ns =
214		container_of(head->set, struct ipc_namespace, ipc_set);
215
216	if (((table->data == &ns->ids[IPC_SEM_IDS].next_id) ||
217	     (table->data == &ns->ids[IPC_MSG_IDS].next_id) ||
218	     (table->data == &ns->ids[IPC_SHM_IDS].next_id)) &&
219	    checkpoint_restore_ns_capable(ns->user_ns))
220		mode = 0666;
221	else
222#endif
223	{
224		kuid_t ns_root_uid;
225		kgid_t ns_root_gid;
226
227		ipc_set_ownership(head, table, &ns_root_uid, &ns_root_gid);
228
229		if (uid_eq(current_euid(), ns_root_uid))
230			mode >>= 6;
231
232		else if (in_egroup_p(ns_root_gid))
233			mode >>= 3;
234	}
235
236	mode &= 7;
237
238	return (mode << 6) | (mode << 3) | mode;
239}
240
/*
 * sysctl root used for every per-namespace IPC sysctl set; it is handed to
 * setup_sysctl_set() in setup_ipc_sysctls() and wires up the lookup,
 * permission and ownership callbacks defined above.
 */
static struct ctl_table_root set_root = {
	.lookup = set_lookup,
	.permissions = ipc_permissions,
	.set_ownership = ipc_set_ownership,
};
246
247bool setup_ipc_sysctls(struct ipc_namespace *ns)
248{
249	struct ctl_table *tbl;
250
251	setup_sysctl_set(&ns->ipc_set, &set_root, set_is_seen);
252
253	tbl = kmemdup(ipc_sysctls, sizeof(ipc_sysctls), GFP_KERNEL);
254	if (tbl) {
255		int i;
256
257		for (i = 0; i < ARRAY_SIZE(ipc_sysctls); i++) {
258			if (tbl[i].data == &init_ipc_ns.shm_ctlmax)
259				tbl[i].data = &ns->shm_ctlmax;
260
261			else if (tbl[i].data == &init_ipc_ns.shm_ctlall)
262				tbl[i].data = &ns->shm_ctlall;
263
264			else if (tbl[i].data == &init_ipc_ns.shm_ctlmni)
265				tbl[i].data = &ns->shm_ctlmni;
266
267			else if (tbl[i].data == &init_ipc_ns.shm_rmid_forced)
268				tbl[i].data = &ns->shm_rmid_forced;
269
270			else if (tbl[i].data == &init_ipc_ns.msg_ctlmax)
271				tbl[i].data = &ns->msg_ctlmax;
272
273			else if (tbl[i].data == &init_ipc_ns.msg_ctlmni)
274				tbl[i].data = &ns->msg_ctlmni;
275
276			else if (tbl[i].data == &init_ipc_ns.msg_ctlmnb)
277				tbl[i].data = &ns->msg_ctlmnb;
278
279			else if (tbl[i].data == &init_ipc_ns.sem_ctls)
280				tbl[i].data = &ns->sem_ctls;
281#ifdef CONFIG_CHECKPOINT_RESTORE
282			else if (tbl[i].data == &init_ipc_ns.ids[IPC_SEM_IDS].next_id)
283				tbl[i].data = &ns->ids[IPC_SEM_IDS].next_id;
284
285			else if (tbl[i].data == &init_ipc_ns.ids[IPC_MSG_IDS].next_id)
286				tbl[i].data = &ns->ids[IPC_MSG_IDS].next_id;
287
288			else if (tbl[i].data == &init_ipc_ns.ids[IPC_SHM_IDS].next_id)
289				tbl[i].data = &ns->ids[IPC_SHM_IDS].next_id;
290#endif
291			else
292				tbl[i].data = NULL;
293		}
294
295		ns->ipc_sysctls = __register_sysctl_table(&ns->ipc_set, "kernel", tbl,
296							  ARRAY_SIZE(ipc_sysctls));
297	}
298	if (!ns->ipc_sysctls) {
299		kfree(tbl);
300		retire_sysctl_set(&ns->ipc_set);
301		return false;
302	}
303
304	return true;
305}
306
307void retire_ipc_sysctls(struct ipc_namespace *ns)
308{
309	struct ctl_table *tbl;
310
311	tbl = ns->ipc_sysctls->ctl_table_arg;
312	unregister_sysctl_table(ns->ipc_sysctls);
313	retire_sysctl_set(&ns->ipc_set);
314	kfree(tbl);
315}
316
317static int __init ipc_sysctl_init(void)
318{
319	if (!setup_ipc_sysctls(&init_ipc_ns)) {
320		pr_warn("ipc sysctl registration failed\n");
321		return -ENOMEM;
322	}
323	return 0;
324}
325
326device_initcall(ipc_sysctl_init);
327
328static int __init ipc_mni_extend(char *str)
329{
330	ipc_mni = IPCMNI_EXTEND;
331	ipc_mni_shift = IPCMNI_EXTEND_SHIFT;
332	ipc_min_cycle = IPCMNI_EXTEND_MIN_CYCLE;
333	pr_info("IPCMNI extended to %d.\n", ipc_mni);
334	return 0;
335}
336early_param("ipcmni_extend", ipc_mni_extend);
337