2 * Supplementary group IDs
4 #include <linux/cred.h>
5 #include <linux/export.h>
6 #include <linux/slab.h>
7 #include <linux/security.h>
8 #include <linux/syscalls.h>
9 #include <asm/uaccess.h>
11 /* init to 2 - one for init_task, one to ensure it is never freed */
12 struct group_info init_groups
= { .usage
= ATOMIC_INIT(2) };
14 struct group_info
*groups_alloc(int gidsetsize
)
16 struct group_info
*group_info
;
20 nblocks
= (gidsetsize
+ NGROUPS_PER_BLOCK
- 1) / NGROUPS_PER_BLOCK
;
21 /* Make sure we always allocate at least one indirect block pointer */
22 nblocks
= nblocks
? : 1;
23 group_info
= kmalloc(sizeof(*group_info
) + nblocks
*sizeof(gid_t
*), GFP_USER
);
26 group_info
->ngroups
= gidsetsize
;
27 group_info
->nblocks
= nblocks
;
28 atomic_set(&group_info
->usage
, 1);
30 if (gidsetsize
<= NGROUPS_SMALL
)
31 group_info
->blocks
[0] = group_info
->small_block
;
33 for (i
= 0; i
< nblocks
; i
++) {
35 b
= (void *)__get_free_page(GFP_USER
);
37 goto out_undo_partial_alloc
;
38 group_info
->blocks
[i
] = b
;
43 out_undo_partial_alloc
:
45 free_page((unsigned long)group_info
->blocks
[i
]);
51 EXPORT_SYMBOL(groups_alloc
);
53 void groups_free(struct group_info
*group_info
)
55 if (group_info
->blocks
[0] != group_info
->small_block
) {
57 for (i
= 0; i
< group_info
->nblocks
; i
++)
58 free_page((unsigned long)group_info
->blocks
[i
]);
63 EXPORT_SYMBOL(groups_free
);
65 /* export the group_info to a user-space array */
66 static int groups_to_user(gid_t __user
*grouplist
,
67 const struct group_info
*group_info
)
69 struct user_namespace
*user_ns
= current_user_ns();
71 unsigned int count
= group_info
->ngroups
;
73 for (i
= 0; i
< count
; i
++) {
75 gid
= from_kgid_munged(user_ns
, GROUP_AT(group_info
, i
));
76 if (put_user(gid
, grouplist
+i
))
82 /* fill a group_info from a user-space array - it must be allocated already */
83 static int groups_from_user(struct group_info
*group_info
,
84 gid_t __user
*grouplist
)
86 struct user_namespace
*user_ns
= current_user_ns();
88 unsigned int count
= group_info
->ngroups
;
90 for (i
= 0; i
< count
; i
++) {
93 if (get_user(gid
, grouplist
+i
))
96 kgid
= make_kgid(user_ns
, gid
);
100 GROUP_AT(group_info
, i
) = kgid
;
105 /* a simple Shell sort */
106 static void groups_sort(struct group_info
*group_info
)
108 int base
, max
, stride
;
109 int gidsetsize
= group_info
->ngroups
;
111 for (stride
= 1; stride
< gidsetsize
; stride
= 3 * stride
+ 1)
116 max
= gidsetsize
- stride
;
117 for (base
= 0; base
< max
; base
++) {
119 int right
= left
+ stride
;
120 kgid_t tmp
= GROUP_AT(group_info
, right
);
122 while (left
>= 0 && gid_gt(GROUP_AT(group_info
, left
), tmp
)) {
123 GROUP_AT(group_info
, right
) =
124 GROUP_AT(group_info
, left
);
128 GROUP_AT(group_info
, right
) = tmp
;
134 /* a simple bsearch */
135 int groups_search(const struct group_info
*group_info
, kgid_t grp
)
137 unsigned int left
, right
;
143 right
= group_info
->ngroups
;
144 while (left
< right
) {
145 unsigned int mid
= (left
+right
)/2;
146 if (gid_gt(grp
, GROUP_AT(group_info
, mid
)))
148 else if (gid_lt(grp
, GROUP_AT(group_info
, mid
)))
157 * set_groups - Change a group subscription in a set of credentials
158 * @new: The newly prepared set of credentials to alter
159 * @group_info: The group list to install
161 void set_groups(struct cred
*new, struct group_info
*group_info
)
163 put_group_info(new->group_info
);
164 groups_sort(group_info
);
165 get_group_info(group_info
);
166 new->group_info
= group_info
;
169 EXPORT_SYMBOL(set_groups
);
172 * set_current_groups - Change current's group subscription
173 * @group_info: The group list to impose
175 * Validate a group subscription and, if valid, impose it upon current's task
178 int set_current_groups(struct group_info
*group_info
)
182 new = prepare_creds();
186 set_groups(new, group_info
);
187 return commit_creds(new);
190 EXPORT_SYMBOL(set_current_groups
);
192 SYSCALL_DEFINE2(getgroups
, int, gidsetsize
, gid_t __user
*, grouplist
)
194 const struct cred
*cred
= current_cred();
200 /* no need to grab task_lock here; it cannot change */
201 i
= cred
->group_info
->ngroups
;
203 if (i
> gidsetsize
) {
207 if (groups_to_user(grouplist
, cred
->group_info
)) {
217 * SMP: Our groups are copy-on-write. We can set them safely
218 * without another task interfering.
221 SYSCALL_DEFINE2(setgroups
, int, gidsetsize
, gid_t __user
*, grouplist
)
223 struct group_info
*group_info
;
226 if (!ns_capable(current_user_ns(), CAP_SETGID
))
228 if ((unsigned)gidsetsize
> NGROUPS_MAX
)
231 group_info
= groups_alloc(gidsetsize
);
234 retval
= groups_from_user(group_info
, grouplist
);
236 put_group_info(group_info
);
240 retval
= set_current_groups(group_info
);
241 put_group_info(group_info
);
247 * Check whether we're fsgid/egid or in the supplemental group..
249 int in_group_p(kgid_t grp
)
251 const struct cred
*cred
= current_cred();
254 if (!gid_eq(grp
, cred
->fsgid
))
255 retval
= groups_search(cred
->group_info
, grp
);
259 EXPORT_SYMBOL(in_group_p
);
261 int in_egroup_p(kgid_t grp
)
263 const struct cred
*cred
= current_cred();
266 if (!gid_eq(grp
, cred
->egid
))
267 retval
= groups_search(cred
->group_info
, grp
);
271 EXPORT_SYMBOL(in_egroup_p
);