• David Herrmann's avatar
    net: introduce SO_PEERGROUPS getsockopt · 28b5ba2a
    David Herrmann authored
    This adds the new getsockopt(2) option SO_PEERGROUPS on SOL_SOCKET to
    retrieve the auxiliary groups of the remote peer. It is designed to
    naturally extend SO_PEERCRED. That is, the underlying data is from the
    same credentials. Regarding its syntax, it is based on SO_PEERSEC. That
    is, if the provided buffer is too small, ERANGE is returned and @optlen
    is updated. Otherwise, the information is copied, @optlen is set to the
    actual size, and 0 is returned.
    
    While SO_PEERCRED (and thus `struct ucred') already returns the primary
    group, it lacks the auxiliary group vector. However, nearly all access
    controls (including kernel side VFS and SYSVIPC, but also user-space
    polkit, DBus, ...) consider the entire set of groups, rather than just
    the primary group. But this is currently not possible with pure
    SO_PEERCRED. Instead, user-space has to work around this and query the
    system database for the auxiliary groups of a UID retrieved via
    SO_PEERCRED.
    
    Unfortunately, there is no race-free way to query the auxiliary groups
    of the PID/UID retrieved via SO_PEERCRED. Hence, the current user-space
    solution is to use getgrouplist(3p), which itself falls back to NSS and
    whatever is configured in nsswitch.conf(3). This effectively checks
    which groups we *would* assign to the user if it logged in *now*. On
    normal systems it is as easy as reading /etc/group, but with NSS it can
    resort to quering network databases (eg., LDAP), using IPC or network
    communication.
    
    Long story short: Whenever we want to use auxiliary groups for access
    checks on IPC, we need further IPC to talk to the user/group databases,
    rather than just relying on SO_PEERCRED and the incoming socket. This
    is unfortunate, and might even result in dead-locks if the database
    query uses the same IPC as the original request.
    
    So far, those recursions / dead-locks have been avoided by using
    primitive IPC for all crucial NSS modules. However, we want to avoid
    re-inventing the wheel for each NSS module that might be involved in
    user/group queries. Hence, we would preferably make DBus (and other IPC
    that supports access-management based on groups) work without resorting
    to the user/group database. This new SO_PEERGROUPS ioctl would allow us
    to make dbus-daemon work without ever calling into NSS.
    
    Cc: Michal Sekletar <msekleta@redhat.com>
    Cc: Simon McVittie <simon.mcvittie@collabora.co.uk>
    Reviewed-by: default avatarTom Gundersen <teg@jklm.no>
    Signed-off-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    28b5ba2a
socket.h 2.46 KB