The function qio_channel_get_peercred() returns a pointer to the
credentials of the peer process connected to this socket.
This credentials structure is defined in <sys/socket.h> as follows:
struct ucred {
pid_t pid; /* Process ID of the sending process */
uid_t uid; /* User ID of the sending process */
gid_t gid; /* Group ID of the sending process */
};
The use of this function is possible only for connected AF_UNIX stream
sockets and for AF_UNIX stream and datagram socket pairs.
On platform other than Linux, the function return 0.
Signed-off-by: Anthony Harivel <aharivel@redhat.com>
---
include/io/channel.h | 21 +++++++++++++++++++++
io/channel-socket.c | 23 +++++++++++++++++++++++
io/channel.c | 12 ++++++++++++
3 files changed, 56 insertions(+)
diff --git a/include/io/channel.h b/include/io/channel.h
index 5f9dbaab65b0..0413435ce011 100644
--- a/include/io/channel.h
+++ b/include/io/channel.h
@@ -149,6 +149,9 @@ struct QIOChannelClass {
void *opaque);
int (*io_flush)(QIOChannel *ioc,
Error **errp);
+ void (*io_peerpid)(QIOChannel *ioc,
+ unsigned int *pid,
+ Error **errp);
};
/* General I/O handling functions */
@@ -898,4 +901,22 @@ int coroutine_mixed_fn qio_channel_writev_full_all(QIOChannel *ioc,
int qio_channel_flush(QIOChannel *ioc,
Error **errp);
+/**
+ * qio_channel_get_peercred:
+ * @ioc: the channel object
+ * @pid: pointer to pid
+ * @errp: pointer to a NULL-initialized error object
+ *
+ * Returns the pid of the peer process connected to this socket.
+ *
+ * The use of this function is possible only for connected
+ * AF_UNIX stream sockets and for AF_UNIX stream and datagram
+ * socket pairs on Linux.
+ * Return 0 for the non-Linux OS.
+ *
+ */
+void qio_channel_get_peerpid(QIOChannel *ioc,
+ unsigned int *pid,
+ Error **errp);
+
#endif /* QIO_CHANNEL_H */
diff --git a/io/channel-socket.c b/io/channel-socket.c
index 3a899b060858..e6a73592650c 100644
--- a/io/channel-socket.c
+++ b/io/channel-socket.c
@@ -841,6 +841,28 @@ qio_channel_socket_set_cork(QIOChannel *ioc,
socket_set_cork(sioc->fd, v);
}
+static void
+qio_channel_socket_get_peerpid(QIOChannel *ioc,
+ unsigned int *pid,
+ Error **errp)
+{
+#ifdef CONFIG_LINUX
+ QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
+ Error *err = NULL;
+ socklen_t len = sizeof(struct ucred);
+
+ struct ucred cred;
+ if (getsockopt(sioc->fd,
+ SOL_SOCKET, SO_PEERCRED,
+ &cred, &len) == -1) {
+ error_setg_errno(&err, errno, "Unable to get peer credentials");
+ error_propagate(errp, err);
+ }
+ *pid = (unsigned int)cred.pid;
+#else
+ *pid = 0;
+#endif
+}
static int
qio_channel_socket_close(QIOChannel *ioc,
@@ -938,6 +960,7 @@ static void qio_channel_socket_class_init(ObjectClass *klass,
#ifdef QEMU_MSG_ZEROCOPY
ioc_klass->io_flush = qio_channel_socket_flush;
#endif
+ ioc_klass->io_peerpid = qio_channel_socket_get_peerpid;
}
static const TypeInfo qio_channel_socket_info = {
diff --git a/io/channel.c b/io/channel.c
index 86c5834510ff..a5646650cf72 100644
--- a/io/channel.c
+++ b/io/channel.c
@@ -490,6 +490,18 @@ void qio_channel_set_cork(QIOChannel *ioc,
}
}
+void qio_channel_get_peerpid(QIOChannel *ioc,
+ unsigned int *pid,
+ Error **errp)
+{
+ QIOChannelClass *klass = QIO_CHANNEL_GET_CLASS(ioc);
+
+ if (!klass->io_peerpid) {
+ error_setg(errp, "Channel does not support peer pid");
+ return;
+ }
+ klass->io_peerpid(ioc, pid, errp);
+}
off_t qio_channel_io_seek(QIOChannel *ioc,
off_t offset,
--
2.43.0On Thu, Jan 25, 2024 at 08:22:12AM +0100, Anthony Harivel wrote:
> The function qio_channel_get_peercred() returns a pointer to the
> credentials of the peer process connected to this socket.
>
> This credentials structure is defined in <sys/socket.h> as follows:
>
> struct ucred {
> pid_t pid; /* Process ID of the sending process */
> uid_t uid; /* User ID of the sending process */
> gid_t gid; /* Group ID of the sending process */
> };
>
> The use of this function is possible only for connected AF_UNIX stream
> sockets and for AF_UNIX stream and datagram socket pairs.
>
> On platform other than Linux, the function return 0.
>
> Signed-off-by: Anthony Harivel <aharivel@redhat.com>
> ---
> include/io/channel.h | 21 +++++++++++++++++++++
> io/channel-socket.c | 23 +++++++++++++++++++++++
> io/channel.c | 12 ++++++++++++
> 3 files changed, 56 insertions(+)
>
> diff --git a/include/io/channel.h b/include/io/channel.h
> index 5f9dbaab65b0..0413435ce011 100644
> --- a/include/io/channel.h
> +++ b/include/io/channel.h
> @@ -149,6 +149,9 @@ struct QIOChannelClass {
> void *opaque);
> int (*io_flush)(QIOChannel *ioc,
> Error **errp);
> + void (*io_peerpid)(QIOChannel *ioc,
> + unsigned int *pid,
> + Error **errp);
Idented 1 space too many
> };
>
> /* General I/O handling functions */
> @@ -898,4 +901,22 @@ int coroutine_mixed_fn qio_channel_writev_full_all(QIOChannel *ioc,
> int qio_channel_flush(QIOChannel *ioc,
> Error **errp);
>
> +/**
> + * qio_channel_get_peercred:
> + * @ioc: the channel object
> + * @pid: pointer to pid
> + * @errp: pointer to a NULL-initialized error object
> + *
> + * Returns the pid of the peer process connected to this socket.
> + *
> + * The use of this function is possible only for connected
> + * AF_UNIX stream sockets and for AF_UNIX stream and datagram
> + * socket pairs on Linux.
> + * Return 0 for the non-Linux OS.
Update to say this returns an error for other platforms
> + *
> + */
> +void qio_channel_get_peerpid(QIOChannel *ioc,
> + unsigned int *pid,
> + Error **errp);
Idented 1 space too many
> +
> #endif /* QIO_CHANNEL_H */
> diff --git a/io/channel-socket.c b/io/channel-socket.c
> index 3a899b060858..e6a73592650c 100644
> --- a/io/channel-socket.c
> +++ b/io/channel-socket.c
> @@ -841,6 +841,28 @@ qio_channel_socket_set_cork(QIOChannel *ioc,
> socket_set_cork(sioc->fd, v);
> }
>
> +static void
> +qio_channel_socket_get_peerpid(QIOChannel *ioc,
> + unsigned int *pid,
> + Error **errp)
> +{
> +#ifdef CONFIG_LINUX
> + QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
> + Error *err = NULL;
> + socklen_t len = sizeof(struct ucred);
> +
> + struct ucred cred;
> + if (getsockopt(sioc->fd,
> + SOL_SOCKET, SO_PEERCRED,
> + &cred, &len) == -1) {
> + error_setg_errno(&err, errno, "Unable to get peer credentials");
> + error_propagate(errp, err);
> + }
> + *pid = (unsigned int)cred.pid;
> +#else
> + *pid = 0;
Defaulting 'pid' to 0 is potentially unsafe, because to a caller it
now appears that the remote party is 'root' and thus implied to be
a privileged account.
We should 'error_setg' for any platform we don't have an impl on,
so the caller will see a fail for any usage.
> +#endif
> +}
>
> static int
> qio_channel_socket_close(QIOChannel *ioc,
> @@ -938,6 +960,7 @@ static void qio_channel_socket_class_init(ObjectClass *klass,
> #ifdef QEMU_MSG_ZEROCOPY
> ioc_klass->io_flush = qio_channel_socket_flush;
> #endif
> + ioc_klass->io_peerpid = qio_channel_socket_get_peerpid;
> }
>
> static const TypeInfo qio_channel_socket_info = {
> diff --git a/io/channel.c b/io/channel.c
> index 86c5834510ff..a5646650cf72 100644
> --- a/io/channel.c
> +++ b/io/channel.c
> @@ -490,6 +490,18 @@ void qio_channel_set_cork(QIOChannel *ioc,
> }
> }
>
> +void qio_channel_get_peerpid(QIOChannel *ioc,
> + unsigned int *pid,
> + Error **errp)
> +{
> + QIOChannelClass *klass = QIO_CHANNEL_GET_CLASS(ioc);
> +
> + if (!klass->io_peerpid) {
> + error_setg(errp, "Channel does not support peer pid");
> + return;
> + }
> + klass->io_peerpid(ioc, pid, errp);
> +}
>
> off_t qio_channel_io_seek(QIOChannel *ioc,
> off_t offset,
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Thu, Jan 25, 2024 at 5:38 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > +static void
> > +qio_channel_socket_get_peerpid(QIOChannel *ioc,
> > + unsigned int *pid,
> > + Error **errp)
> > +{
> > +#ifdef CONFIG_LINUX
> > + QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
> > + Error *err = NULL;
> > + socklen_t len = sizeof(struct ucred);
> > +
> > + struct ucred cred;
> > + if (getsockopt(sioc->fd,
> > + SOL_SOCKET, SO_PEERCRED,
> > + &cred, &len) == -1) {
> > + error_setg_errno(&err, errno, "Unable to get peer credentials");
> > + error_propagate(errp, err);
> > + }
> > + *pid = (unsigned int)cred.pid;
> > +#else
> > + *pid = 0;
>
> Defaulting 'pid' to 0 is potentially unsafe, because to a caller it
> now appears that the remote party is 'root' and thus implied to be
> a privileged account.
This is a pid, so 0 cannot be confused; however, I agree that
returning an error is better.
Paolo
On Mon, Jan 29, 2024 at 08:25:29PM +0100, Paolo Bonzini wrote:
> On Thu, Jan 25, 2024 at 5:38 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > > +static void
> > > +qio_channel_socket_get_peerpid(QIOChannel *ioc,
> > > + unsigned int *pid,
> > > + Error **errp)
> > > +{
> > > +#ifdef CONFIG_LINUX
> > > + QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
> > > + Error *err = NULL;
> > > + socklen_t len = sizeof(struct ucred);
> > > +
> > > + struct ucred cred;
> > > + if (getsockopt(sioc->fd,
> > > + SOL_SOCKET, SO_PEERCRED,
> > > + &cred, &len) == -1) {
> > > + error_setg_errno(&err, errno, "Unable to get peer credentials");
> > > + error_propagate(errp, err);
> > > + }
> > > + *pid = (unsigned int)cred.pid;
> > > +#else
> > > + *pid = 0;
> >
> > Defaulting 'pid' to 0 is potentially unsafe, because to a caller it
> > now appears that the remote party is 'root' and thus implied to be
> > a privileged account.
>
> This is a pid, so 0 cannot be confused; however, I agree that
> returning an error is better.
Opps, face-palm !
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
© 2016 - 2026 Red Hat, Inc.