Implement SO_PEERCRED socket option for UNIX sockets and its tests.

PiperOrigin-RevId: 828197810

Author: AnilAltinay

pkg/sentry/socket/hostinet/socket.go

@@ -24,6 +24,7 @@ import (
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 	"gvisor.dev/gvisor/pkg/fdnotifier"
 	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/pkg/marshal"
 	"gvisor.dev/gvisor/pkg/marshal/primitive"
 	"gvisor.dev/gvisor/pkg/safemem"
 	"gvisor.dev/gvisor/pkg/sentry/arch"
@@ -828,3 +829,8 @@ func init() {
 		registered[fam] = struct{}{}
 	}
 }
+
+// GetPeerCreds implements socket.Socket.GetPeerCreds
+func (s *Socket) GetPeerCreds(t *kernel.Task) (marshal.Marshallable, *syserr.Error) {
+	return nil, syserr.ErrNotSupported
+}

pkg/sentry/socket/netlink/socket.go

@@ -568,6 +568,11 @@ func (s *Socket) GetPeerName(t *kernel.Task) (linux.SockAddr, uint32, *syserr.Er
 	return sa, uint32(sa.SizeBytes()), nil
 }
 
+// GetPeerCreds implements socket.Socket.GetPeerCreds.
+func (s *Socket) GetPeerCreds(t *kernel.Task) (marshal.Marshallable, *syserr.Error) {
+	return nil, syserr.ErrNotSupported
+}
+
 // RecvMsg implements socket.Socket.RecvMsg.
 func (s *Socket) RecvMsg(t *kernel.Task, dst usermem.IOSequence, flags int, haveDeadline bool, deadline ktime.Time, senderRequested bool, controlDataLen uint64) (int, int, linux.SockAddr, uint32, socket.ControlMessages, *syserr.Error) {
 	from := &linux.SockAddrNetlink{

pkg/sentry/socket/netstack/netstack.go

@@ -980,14 +980,7 @@ func getSockOptSocket(t *kernel.Task, s socket.Socket, ep commonEndpoint, family
 		if family != linux.AF_UNIX || outLen < unix.SizeofUcred {
 			return nil, syserr.ErrInvalidArgument
 		}
-
-		tcred := t.Credentials()
-		creds := linux.ControlMessageCredentials{
-			PID: int32(t.ThreadGroup().ID()),
-			UID: uint32(tcred.EffectiveKUID.In(tcred.UserNamespace).OrOverflow()),
-			GID: uint32(tcred.EffectiveKGID.In(tcred.UserNamespace).OrOverflow()),
-		}
-		return &creds, nil
+		return s.GetPeerCreds(t)
 
 	case linux.SO_PASSCRED:
 		if outLen < sizeOfInt32 {
@@ -3051,6 +3044,10 @@ func (s *sock) GetPeerName(*kernel.Task) (linux.SockAddr, uint32, *syserr.Error)
 	return a, l, nil
 }
 
+func (s *sock) GetPeerCreds(*kernel.Task) (marshal.Marshallable, *syserr.Error) {
+	return nil, syserr.ErrNotSupported
+}
+
 func (s *sock) fillCmsgInq(cmsg *socket.ControlMessages) {
 	if !s.sockOptInq {
 		return

pkg/sentry/socket/plugin/stack/socket.go

@@ -569,6 +569,11 @@ func (s *socketOperations) GetPeerName(t *kernel.Task) (linux.SockAddr, uint32,
 	return socket.UnmarshalSockAddr(s.family, addr), addrlen, nil
 }
 
+// GetPeerCreds implements socket.Socket.GetPeerCreds.
+func (s *socketOperations) GetPeerCreds(t *kernel.Task) (marshal.Marshallable, *syserr.Error) {
+	return nil, syserr.ErrInvalidEndpointState
+}
+
 // recv is a helper function for doing non-blocking read once.
 // It returns:
 // 1. number of bytes received;

pkg/sentry/socket/socket.go

@@ -257,6 +257,9 @@ type Socket interface {
 	// necessarily the actual length of the address.
 	GetPeerName(t *kernel.Task) (addr linux.SockAddr, addrLen uint32, err *syserr.Error)
 
+	// GetPeerCreds returns the peer credentials of the socket.
+	GetPeerCreds(t *kernel.Task) (marshal.Marshallable, *syserr.Error)
+
 	// RecvMsg implements the recvmsg(2) linux unix.
 	//
 	// senderAddrLen is the address length to be returned to the application,

pkg/sentry/socket/unix/BUILD

@@ -42,6 +42,7 @@ go_library(
         "//pkg/sentry/fsutil",
         "//pkg/sentry/inet",
         "//pkg/sentry/kernel",
+        "//pkg/sentry/kernel/auth",
         "//pkg/sentry/ktime",
         "//pkg/sentry/socket",
         "//pkg/sentry/socket/control",

pkg/sentry/socket/unix/transport/BUILD

@@ -97,6 +97,7 @@ go_library(
         "//pkg/log",
         "//pkg/refs",
         "//pkg/sentry/hostfd",
+        "//pkg/sentry/kernel/auth",
         "//pkg/sentry/uniqueid",
         "//pkg/sync",
         "//pkg/sync/locking",

pkg/sentry/socket/unix/transport/connectioned.go

@@ -106,6 +106,14 @@ type connectionedEndpoint struct {
 	// tcpip.SockStream.
 	stype linux.SockType
 
+	// peerCreds is used to store the peer credentials.
+	// This will store the socket's own credentials until the connection is
+	// established with connect(2). Once the connection is established, this
+	// will store the peer's credentials. The use of this option is possible
+	// only for connected `AF_UNIX` stream sockets and for `AF_UNIX` stream and
+	// datagram socket pairs created using socketpair(2)
+	peerCreds CredentialsControlMessage
+
 	// acceptedChan is per the TCP endpoint implementation. Note that the
 	// sockets in this channel are _already in the connected state_, and
 	// have another associated connectionedEndpoint.
@@ -274,6 +282,16 @@ func (e *connectionedEndpoint) Close(ctx context.Context) {
 	}
 }
 
+func (e *connectionedEndpoint) swapPeerCredsLocked(ctx context.Context, cend ConnectingEndpoint, ne *connectionedEndpoint) *syserr.Error {
+	ce, ok := cend.(*connectionedEndpoint)
+	if !ok {
+		return syserr.ErrInvalidEndpointState
+	}
+	// Swap peer credentials between the two endpoints.
+	ne.peerCreds, ce.peerCreds = ce.peerCreds, ne.peerCreds
+	return nil
+}
+
 // BidirectionalConnect implements BoundEndpoint.BidirectionalConnect.
 func (e *connectionedEndpoint) BidirectionalConnect(ctx context.Context, ce ConnectingEndpoint, returnConnect func(Receiver, ConnectedEndpoint), opts UnixSocketOpts) *syserr.Error {
 	if ce.Type() != e.stype {
@@ -327,6 +345,7 @@ func (e *connectionedEndpoint) BidirectionalConnect(ctx context.Context, ce Conn
 	ne.ops.SetSendBufferSize(defaultBufferSize, false /* notify */)
 	ne.ops.SetReceiveBufferSize(defaultBufferSize, false /* notify */)
 	ne.SocketOptions().SetPassCred(e.SocketOptions().GetPassCred())
+	ne.peerCreds = e.peerCreds
 
 	readQueue := &queue{ReaderQueue: ce.WaiterQueue(), WriterQueue: ne.Queue, limit: defaultBufferSize}
 	readQueue.InitRefs()
@@ -354,6 +373,9 @@ func (e *connectionedEndpoint) BidirectionalConnect(ctx context.Context, ce Conn
 		}
 		readQueue.IncRef()
 		if e.stype == linux.SOCK_STREAM {
+			if err := e.swapPeerCredsLocked(ctx, ce, ne); err != nil {
+				return err
+			}
 			returnConnect(&streamQueueReceiver{queueReceiver: queueReceiver{readQueue: readQueue}}, connected)
 		} else {
 			returnConnect(&queueReceiver{readQueue: readQueue}, connected)
@@ -655,3 +677,15 @@ func (e *connectionedEndpoint) EventUnregister(we *waiter.Entry) {
 func (e *connectionedEndpoint) GetAcceptConn() bool {
 	return e.Listening()
 }
+
+func (e *connectionedEndpoint) PeerCreds() CredentialsControlMessage {
+	e.Lock()
+	defer e.Unlock()
+	return e.peerCreds
+}
+
+func (e *connectionedEndpoint) SetPeerCreds(creds CredentialsControlMessage) {
+	e.Lock()
+	defer e.Unlock()
+	e.peerCreds = creds
+}

pkg/sentry/socket/unix/transport/connectionless.go

@@ -158,6 +158,14 @@ func (*connectionlessEndpoint) Accept(context.Context, *Address, UnixSocketOpts)
 	return nil, syserr.ErrNotSupported
 }
 
+func (e *connectionlessEndpoint) PeerCreds() CredentialsControlMessage {
+	return nil
+}
+
+func (e *connectionlessEndpoint) SetPeerCreds(creds CredentialsControlMessage) {
+	// no-op
+}
+
 // Bind binds the connection.
 //
 // For Unix endpoints, this _only sets the address associated with the socket_.

pkg/sentry/socket/unix/transport/unix.go

@@ -52,6 +52,16 @@ type CredentialsControlMessage interface {
 	Equals(CredentialsControlMessage) bool
 }
 
+// A PeerCredentialer is a socket or endpoint that supports the SO_PEERCREDS socket
+// option.
+type PeerCredentialer interface {
+	// PeerCreds returns the peer credentials.
+	PeerCreds() CredentialsControlMessage
+
+	// SetPeerCreds sets the peer credentials.
+	SetPeerCreds(creds CredentialsControlMessage)
+}
+
 // A ControlMessages represents a collection of socket control messages.
 //
 // +stateify savable
@@ -151,6 +161,7 @@ type UnixSocketOpts struct {
 // etc. to Unix socket implementations.
 type Endpoint interface {
 	Credentialer
+	PeerCredentialer
 	waiter.Waitable
 
 	// Close puts the endpoint in a closed state and frees all resources