CRED: Wrap task credential accesses in the SYSV IPC subsystem

[safe/jmp/linux-2.6] / ipc / mqueue.c

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index c0b26dc..abda599 100644 (file)
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -52,6 +52,14 @@
 #define HARD_MSGMAX    (131072/sizeof(void*))
 #define DFLT_MSGSIZEMAX 8192   /* max message size */
 
+/*
+ * Define the ranges various user-specified maximum values can
+ * be set to.
+ */
+#define MIN_MSGMAX     1               /* min value for msg_max */
+#define MAX_MSGMAX     HARD_MSGMAX     /* max value for msg_max */
+#define MIN_MSGSIZEMAX 128             /* min value for msgsize_max */
+#define MAX_MSGSIZEMAX (8192*128)      /* max value for msgsize_max */
 
 struct ext_wait_queue {                /* queue of sleeping tasks */
        struct task_struct *task;
@@ -109,8 +117,8 @@ static struct inode *mqueue_get_inode(struct super_block *sb, int mode,
        inode = new_inode(sb);
        if (inode) {
                inode->i_mode = mode;
-               inode->i_uid = current->fsuid;
-               inode->i_gid = current->fsgid;
+               inode->i_uid = current_fsuid();
+               inode->i_gid = current_fsgid();
                inode->i_blocks = 0;
                inode->i_mtime = inode->i_ctime = inode->i_atime =
                                CURRENT_TIME;
@@ -134,8 +142,8 @@ static struct inode *mqueue_get_inode(struct super_block *sb, int mode,
                        info->qsize = 0;
                        info->user = NULL;      /* set when all is ok */
                        memset(&info->attr, 0, sizeof(info->attr));
-                       info->attr.mq_maxmsg = DFLT_MSGMAX;
-                       info->attr.mq_msgsize = DFLT_MSGSIZEMAX;
+                       info->attr.mq_maxmsg = msg_max;
+                       info->attr.mq_msgsize = msgsize_max;
                        if (attr) {
                                info->attr.mq_maxmsg = attr->mq_maxmsg;
                                info->attr.mq_msgsize = attr->mq_msgsize;
@@ -207,7 +215,7 @@ static int mqueue_get_sb(struct file_system_type *fs_type,
        return get_sb_single(fs_type, flags, data, mqueue_fill_super, mnt);
 }
 
-static void init_once(struct kmem_cache *cachep, void *foo)
+static void init_once(void *foo)
 {
        struct mqueue_inode_info *p = (struct mqueue_inode_info *) foo;
 
@@ -314,15 +322,11 @@ static int mqueue_unlink(struct inode *dir, struct dentry *dentry)
 *      through std routines)
 */
 static ssize_t mqueue_read_file(struct file *filp, char __user *u_data,
-                               size_t count, loff_t * off)
+                               size_t count, loff_t *off)
 {
        struct mqueue_inode_info *info = MQUEUE_I(filp->f_path.dentry->d_inode);
        char buffer[FILENT_SIZE];
-       size_t slen;
-       loff_t o;
-
-       if (!count)
-               return 0;
+       ssize_t ret;
 
        spin_lock(&info->lock);
        snprintf(buffer, sizeof(buffer),
@@ -332,25 +336,17 @@ static ssize_t mqueue_read_file(struct file *filp, char __user *u_data,
                        (info->notify_owner &&
                         info->notify.sigev_notify == SIGEV_SIGNAL) ?
                                info->notify.sigev_signo : 0,
-                       pid_nr_ns(info->notify_owner,
-                               current->nsproxy->pid_ns));
+                       pid_vnr(info->notify_owner));
        spin_unlock(&info->lock);
        buffer[sizeof(buffer)-1] = '\0';
-       slen = strlen(buffer)+1;
 
-       o = *off;
-       if (o > slen)
-               return 0;
-
-       if (o + count > slen)
-               count = slen - o;
-
-       if (copy_to_user(u_data, buffer + o, count))
-               return -EFAULT;
+       ret = simple_read_from_buffer(u_data, count, off, buffer,
+                               strlen(buffer));
+       if (ret <= 0)
+               return ret;
 
-       *off = o + count;
        filp->f_path.dentry->d_inode->i_atime = filp->f_path.dentry->d_inode->i_ctime = CURRENT_TIME;
-       return count;
+       return ret;
 }
 
 static int mqueue_flush_file(struct file *filp, fl_owner_t id)
@@ -510,8 +506,8 @@ static void __do_notify(struct mqueue_inode_info *info)
                        sig_i.si_errno = 0;
                        sig_i.si_code = SI_MESGQ;
                        sig_i.si_value = info->notify.sigev_value;
-                       sig_i.si_pid = task_pid_vnr(current);
-                       sig_i.si_uid = current->uid;
+                       sig_i.si_pid = task_tgid_vnr(current);
+                       sig_i.si_uid = current_uid();
 
                        kill_pid_info(info->notify.sigev_signo,
                                      &sig_i, info->notify_owner);
@@ -599,6 +595,7 @@ static struct file *do_create(struct dentry *dir, struct dentry *dentry,
                        int oflag, mode_t mode, struct mq_attr __user *u_attr)
 {
        struct mq_attr attr;
+       struct file *result;
        int ret;
 
        if (u_attr) {
@@ -613,13 +610,24 @@ static struct file *do_create(struct dentry *dir, struct dentry *dentry,
        }
 
        mode &= ~current->fs->umask;
+       ret = mnt_want_write(mqueue_mnt);
+       if (ret)
+               goto out;
        ret = vfs_create(dir->d_inode, dentry, mode, NULL);
        dentry->d_fsdata = NULL;
        if (ret)
-               goto out;
-
-       return dentry_open(dentry, mqueue_mnt, oflag);
-
+               goto out_drop_write;
+
+       result = dentry_open(dentry, mqueue_mnt, oflag);
+       /*
+        * dentry_open() took a persistent mnt_want_write(),
+        * so we can now drop this one.
+        */
+       mnt_drop_write(mqueue_mnt);
+       return result;
+
+out_drop_write:
+       mnt_drop_write(mqueue_mnt);
 out:
        dput(dentry);
        mntput(mqueue_mnt);
@@ -638,7 +646,7 @@ static int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE,
                return ERR_PTR(-EINVAL);
        }
 
-       if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) {
+       if (inode_permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE])) {
                dput(dentry);
                mntput(mqueue_mnt);
                return ERR_PTR(-EACCES);
@@ -662,7 +670,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
        if (IS_ERR(name = getname(u_name)))
                return PTR_ERR(name);
 
-       fd = get_unused_fd();
+       fd = get_unused_fd_flags(O_CLOEXEC);
        if (fd < 0)
                goto out_putname;
 
@@ -676,7 +684,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
 
        if (oflag & O_CREAT) {
                if (dentry->d_inode) {  /* entry already exists */
-                       audit_inode(name, dentry->d_inode);
+                       audit_inode(name, dentry);
                        error = -EEXIST;
                        if (oflag & O_EXCL)
                                goto out;
@@ -689,7 +697,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
                error = -ENOENT;
                if (!dentry->d_inode)
                        goto out;
-               audit_inode(name, dentry->d_inode);
+               audit_inode(name, dentry);
                filp = do_open(dentry, oflag);
        }
 
@@ -698,7 +706,6 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
                goto out_putfd;
        }
 
-       set_close_on_exec(fd, 1);
        fd_install(fd, filp);
        goto out_upsem;
 
@@ -743,8 +750,11 @@ asmlinkage long sys_mq_unlink(const char __user *u_name)
        inode = dentry->d_inode;
        if (inode)
                atomic_inc(&inode->i_count);
-
+       err = mnt_want_write(mqueue_mnt);
+       if (err)
+               goto out_err;
        err = vfs_unlink(dentry->d_parent->d_inode, dentry);
+       mnt_drop_write(mqueue_mnt);
 out_err:
        dput(dentry);
 
@@ -837,7 +847,7 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
        if (unlikely(filp->f_op != &mqueue_file_operations))
                goto out_fput;
        info = MQUEUE_I(inode);
-       audit_inode(NULL, inode);
+       audit_inode(NULL, filp->f_path.dentry);
 
        if (unlikely(!(filp->f_mode & FMODE_WRITE)))
                goto out_fput;
@@ -921,7 +931,7 @@ asmlinkage ssize_t sys_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr,
        if (unlikely(filp->f_op != &mqueue_file_operations))
                goto out_fput;
        info = MQUEUE_I(inode);
-       audit_inode(NULL, inode);
+       audit_inode(NULL, filp->f_path.dentry);
 
        if (unlikely(!(filp->f_mode & FMODE_READ)))
                goto out_fput;
@@ -1010,6 +1020,8 @@ asmlinkage long sys_mq_notify(mqd_t mqdes,
                        return -EINVAL;
                }
                if (notification.sigev_notify == SIGEV_THREAD) {
+                       long timeo;
+
                        /* create the notify skb */
                        nc = alloc_skb(NOTIFY_COOKIE_LEN, GFP_KERNEL);
                        ret = -ENOMEM;
@@ -1038,8 +1050,8 @@ retry:
                                goto out;
                        }
 
-                       ret = netlink_attachskb(sock, nc, 0,
-                                       MAX_SCHEDULE_TIMEOUT, NULL);
+                       timeo = MAX_SCHEDULE_TIMEOUT;
+                       ret = netlink_attachskb(sock, nc, &timeo, NULL);
                        if (ret == 1)
                                goto retry;
                        if (ret) {
@@ -1136,8 +1148,10 @@ asmlinkage long sys_mq_getsetattr(mqd_t mqdes,
        omqstat.mq_flags = filp->f_flags & O_NONBLOCK;
        if (u_mqstat) {
                ret = audit_mq_getsetattr(mqdes, &mqstat);
-               if (ret != 0)
-                       goto out;
+               if (ret != 0) {
+                       spin_unlock(&info->lock);
+                       goto out_fput;
+               }
                if (mqstat.mq_flags & O_NONBLOCK)
                        filp->f_flags |= O_NONBLOCK;
                else
@@ -1185,11 +1199,11 @@ static struct file_system_type mqueue_fs_type = {
        .kill_sb = kill_litter_super,
 };
 
-static int msg_max_limit_min = DFLT_MSGMAX;
-static int msg_max_limit_max = HARD_MSGMAX;
+static int msg_max_limit_min = MIN_MSGMAX;
+static int msg_max_limit_max = MAX_MSGMAX;
 
-static int msg_maxsize_limit_min = DFLT_MSGSIZEMAX;
-static int msg_maxsize_limit_max = INT_MAX;
+static int msg_maxsize_limit_min = MIN_MSGSIZEMAX;
+static int msg_maxsize_limit_max = MAX_MSGSIZEMAX;
 
 static ctl_table mq_sysctls[] = {
        {