3 files changed, 331 insertions, 0 deletions
diff --git a/pkg/sentry/kernel/ipc/BUILD b/pkg/sentry/kernel/ipc/BUILD
new file mode 100644
index 000000000..e42a94e15
--- /dev/null
+++ b/pkg/sentry/kernel/ipc/BUILD
@@ -0,0 +1,20 @@
+load("//tools:defs.bzl", "go_library")
+
+package(licenses = ["notice"])
+
+go_library(
+    name = "ipc",
+    srcs = [
+        "object.go",
+        "registry.go",
+    ],
+    visibility = ["//pkg/sentry:internal"],
+    deps = [
+        "//pkg/abi/linux",
+        "//pkg/context",
+        "//pkg/errors/linuxerr",
+        "//pkg/log",
+        "//pkg/sentry/fs",
+        "//pkg/sentry/kernel/auth",
+    ],
+)
diff --git a/pkg/sentry/kernel/ipc/object.go b/pkg/sentry/kernel/ipc/object.go
new file mode 100644
index 000000000..387b35e7e
--- /dev/null
+++ b/pkg/sentry/kernel/ipc/object.go
@@ -0,0 +1,115 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package ipc defines functionality and utilities common to sysvipc mechanisms.
+//
+// Lock ordering: [shm/semaphore/msgqueue].Registry.mu -> Mechanism
+package ipc
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/sentry/fs"
+	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
+)
+
+// Key is a user-provided identifier for IPC objects.
+type Key int32
+
+// ID is a kernel identifier for IPC objects.
+type ID int32
+
+// Object represents an abstract IPC object with fields common to all IPC
+// mechanisms.
+//
+// +stateify savable
+type Object struct {
+	// User namespace which owns the IPC namespace which owns the IPC object.
+	// Immutable.
+	UserNS *auth.UserNamespace
+
+	// ID is a kernel identifier for the IPC object. Immutable.
+	ID ID
+
+	// Key is a user-provided identifier for the IPC object. Immutable.
+	Key Key
+
+	// Creator is the user who created the IPC object. Immutable.
+	Creator fs.FileOwner
+
+	// Owner is the current owner of the IPC object.
+	Owner fs.FileOwner
+
+	// Perms is the access permissions the IPC object.
+	Perms fs.FilePermissions
+}
+
+// Mechanism represents a SysV mechanism that holds an IPC object. It can also
+// be looked at as a container for an ipc.Object, which is by definition a fully
+// functional SysV object.
+type Mechanism interface {
+	// Lock behaves the same as Mutex.Lock on the mechanism.
+	Lock()
+
+	// Unlock behaves the same as Mutex.Unlock on the mechanism.
+	Unlock()
+
+	// Object returns a pointer to the mechanism's ipc.Object. Mechanism.Lock,
+	// and Mechanism.Unlock should be used when the object is used.
+	Object() *Object
+
+	// Destroy destroys the mechanism.
+	Destroy()
+}
+
+// NewObject returns a new, initialized ipc.Object. The newly returned object
+// doesn't have a valid ID. When the object is registered, the registry assigns
+// it a new unique ID.
+func NewObject(un *auth.UserNamespace, key Key, creator, owner fs.FileOwner, perms fs.FilePermissions) *Object {
+	return &Object{
+		UserNS:  un,
+		Key:     key,
+		Creator: creator,
+		Owner:   owner,
+		Perms:   perms,
+	}
+}
+
+// CheckOwnership verifies whether an IPC object may be accessed using creds as
+// an owner. See ipc/util.c:ipcctl_obtain_check() in Linux.
+func (o *Object) CheckOwnership(creds *auth.Credentials) bool {
+	if o.Owner.UID == creds.EffectiveKUID || o.Creator.UID == creds.EffectiveKUID {
+		return true
+	}
+
+	// Tasks with CAP_SYS_ADMIN may bypass ownership checks. Strangely, Linux
+	// doesn't use CAP_IPC_OWNER for this despite CAP_IPC_OWNER being documented
+	// for use to "override IPC ownership checks".
+	return creds.HasCapabilityIn(linux.CAP_SYS_ADMIN, o.UserNS)
+}
+
+// CheckPermissions verifies whether an IPC object is accessible using creds for
+// access described by req. See ipc/util.c:ipcperms() in Linux.
+func (o *Object) CheckPermissions(creds *auth.Credentials, req fs.PermMask) bool {
+	p := o.Perms.Other
+	if o.Owner.UID == creds.EffectiveKUID {
+		p = o.Perms.User
+	} else if creds.InGroup(o.Owner.GID) {
+		p = o.Perms.Group
+	}
+
+	if p.SupersetOf(req) {
+		return true
+	}
+	return creds.HasCapabilityIn(linux.CAP_IPC_OWNER, o.UserNS)
+}
diff --git a/pkg/sentry/kernel/ipc/registry.go b/pkg/sentry/kernel/ipc/registry.go
new file mode 100644
index 000000000..91de19070
--- /dev/null
+++ b/pkg/sentry/kernel/ipc/registry.go
@@ -0,0 +1,196 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ipc
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/context"
+	"gvisor.dev/gvisor/pkg/errors/linuxerr"
+	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/pkg/sentry/fs"
+	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
+)
+
+// Registry is similar to Object, but for registries. It represent an abstract
+// SysV IPC registry with fields common to all SysV registries. Registry is not
+// thread-safe, and should be protected using a mutex.
+//
+// +stateify savable
+type Registry struct {
+	// UserNS owning the IPC namespace this registry belongs to. Immutable.
+	UserNS *auth.UserNamespace
+
+	// objects is a map of IDs to IPC mechanisms.
+	objects map[ID]Mechanism
+
+	// KeysToIDs maps a lookup key to an ID.
+	keysToIDs map[Key]ID
+
+	// lastIDUsed is used to find the next available ID for object creation.
+	lastIDUsed ID
+}
+
+// NewRegistry return a new, initialized ipc.Registry.
+func NewRegistry(userNS *auth.UserNamespace) *Registry {
+	return &Registry{
+		UserNS:    userNS,
+		objects:   make(map[ID]Mechanism),
+		keysToIDs: make(map[Key]ID),
+	}
+}
+
+// Find uses key to search for and return a SysV mechanism. Find returns an
+// error if an object is found by shouldn't be, or if the user doesn't have
+// permission to use the object. If no object is found, Find checks create
+// flag, and returns an error only if it's false.
+func (r *Registry) Find(ctx context.Context, key Key, mode linux.FileMode, create, exclusive bool) (Mechanism, error) {
+	if id, ok := r.keysToIDs[key]; ok {
+		mech := r.objects[id]
+		mech.Lock()
+		defer mech.Unlock()
+
+		obj := mech.Object()
+		creds := auth.CredentialsFromContext(ctx)
+		if !obj.CheckPermissions(creds, fs.PermsFromMode(mode)) {
+			// The [calling process / user] does not have permission to access
+			// the set, and does not have the CAP_IPC_OWNER capability in the
+			// user namespace that governs its IPC namespace.
+			return nil, linuxerr.EACCES
+		}
+
+		if create && exclusive {
+			// IPC_CREAT and IPC_EXCL were specified, but an object already
+			// exists for key.
+			return nil, linuxerr.EEXIST
+		}
+		return mech, nil
+	}
+
+	if !create {
+		// No object exists for key and msgflg did not specify IPC_CREAT.
+		return nil, linuxerr.ENOENT
+	}
+
+	return nil, nil
+}
+
+// Register adds the given object into Registry.Objects, and assigns it a new
+// ID. It returns an error if all IDs are exhausted.
+func (r *Registry) Register(m Mechanism) error {
+	id, err := r.newID()
+	if err != nil {
+		return err
+	}
+
+	obj := m.Object()
+	obj.ID = id
+
+	r.objects[id] = m
+	r.keysToIDs[obj.Key] = id
+
+	return nil
+}
+
+// newID finds the first unused ID in the registry, and returns an error if
+// non is found.
+func (r *Registry) newID() (ID, error) {
+	// Find the next available ID.
+	for id := r.lastIDUsed + 1; id != r.lastIDUsed; id++ {
+		// Handle wrap around.
+		if id < 0 {
+			id = 0
+			continue
+		}
+		if r.objects[id] == nil {
+			r.lastIDUsed = id
+			return id, nil
+		}
+	}
+
+	log.Warningf("ids exhausted, they may be leaking")
+
+	// The man pages for shmget(2) mention that ENOSPC should be used if "All
+	// possible shared memory IDs have been taken (SHMMNI)". Other SysV
+	// mechanisms don't have a specific errno for running out of IDs, but they
+	// return ENOSPC if the max number of objects is exceeded, so we assume that
+	// it's the same case.
+	return 0, linuxerr.ENOSPC
+}
+
+// Remove removes the mechanism with the given id from the registry, and calls
+// mechanism.Destroy to perform mechanism-specific removal.
+func (r *Registry) Remove(id ID, creds *auth.Credentials) error {
+	mech := r.objects[id]
+	if mech == nil {
+		return linuxerr.EINVAL
+	}
+
+	mech.Lock()
+	defer mech.Unlock()
+
+	obj := mech.Object()
+
+	// The effective user ID of the calling process must match the creator or
+	// owner of the [mechanism], or the caller must be privileged.
+	if !obj.CheckOwnership(creds) {
+		return linuxerr.EPERM
+	}
+
+	delete(r.objects, obj.ID)
+	delete(r.keysToIDs, obj.Key)
+	mech.Destroy()
+
+	return nil
+}
+
+// ForAllObjects executes a given function for all given objects.
+func (r *Registry) ForAllObjects(f func(o Mechanism)) {
+	for _, o := range r.objects {
+		f(o)
+	}
+}
+
+// FindByID returns the mechanism with the given ID, nil if non exists.
+func (r *Registry) FindByID(id ID) Mechanism {
+	return r.objects[id]
+}
+
+// DissociateKey removes the association between a mechanism and its key
+// (deletes it from r.keysToIDs), preventing it from being discovered by any new
+// process, but not necessarily destroying it. If the given key doesn't exist,
+// nothing is changed.
+func (r *Registry) DissociateKey(key Key) {
+	delete(r.keysToIDs, key)
+}
+
+// DissociateID removes the association between a mechanism and its ID (deletes
+// it from r.objects). An ID can't be removed unless the associated key is
+// removed already, this is done to prevent the users from acquiring nil a
+// Mechanism.
+//
+// Precondition: must be preceded by a call to r.DissociateKey.
+func (r *Registry) DissociateID(id ID) {
+	delete(r.objects, id)
+}
+
+// ObjectCount returns the number of registered objects.
+func (r *Registry) ObjectCount() int {
+	return len(r.objects)
+}
+
+// LastIDUsed returns the last used ID.
+func (r *Registry) LastIDUsed() ID {
+	return r.lastIDUsed
+}