authorDimitri Staessens <dimitri@ouroboros.rocks>2026-01-26 22:02:50 +0100
committerSander Vrijders <sander@ouroboros.rocks>2026-02-02 08:15:15 +0100
commitb1687570df3e080c961cdcc0d59b708cfbdf955e (patch)
treecaf93583ab36ab2b62b95fcfbea4b63e29857e0d /include
parent37e3dbdd8206e4f0f03fab13ff3f38aa932be065 (diff)
lib: Add per-user packet pools
The IRMd will now check the user UID and GID for privileged access, avoiding unprivileged users being able to disrupt all IPC (e.g. by shm_open the single pool and corrupting its metadata). Non-privileged users are now limited to a PUP (per-user pool) for sending/receiving packets. It is still created by the IRMd, but owned by the user (uid) with 600 permissions. It does not add additional copies for local IPC between their own processes (i.e. over the local IPCP), but packets between processes owned by a different user or destined over the network (other IPCPs) will incur a copy when crossing the PUP / PUP or the PUP / GSPP boundary. Privileged users and users in the ouroboros group still have direct access to the GSPP (globally shared private pool) for packet transfer that will avoid additional copies when processing packets between processes owned by different users and to the network. This aligns the security model with UNIX trust domains defined by UID and GID by leveraging file permission on the pools in shared memory. ┌─────────────────────────────────────────────────────────────┐ │ Source Pool │ Dest Pool │ Operation │ Copies │ ├─────────────────────────────────────────────────────────────┤ │ GSPP │ GSPP │ Zero-copy │ 0 │ │ PUP.uid │ PUP.uid │ Zero-copy │ 0 │ │ PUP.uid1 │ PUP.uid2 │ memcpy() │ 1 │ │ PUP.uid │ GSPP │ memcpy() │ 1 │ │ GSPP │ PUP.uid │ memcpy() │ 1 │ └─────────────────────────────────────────────────────────────┘ This also renames the struct ai ("application instance") in dev.c to struct proc (process). Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'include')
-rw-r--r--include/ouroboros/flow.h2
-rw-r--r--include/ouroboros/ipcp-dev.h6
-rw-r--r--include/ouroboros/local-dev.h8
-rw-r--r--include/ouroboros/proc.h5
-rw-r--r--include/ouroboros/serdes-irm.h5
-rw-r--r--include/ouroboros/ssm_pool.h10
-rw-r--r--include/ouroboros/utils.h6
7 files changed, 29 insertions, 13 deletions
diff --git a/include/ouroboros/flow.h b/include/ouroboros/flow.h
index f9aa0d83..6b3dcde4 100644
--- a/include/ouroboros/flow.h
+++ b/include/ouroboros/flow.h
@@ -46,6 +46,8 @@ struct flow_info {
pid_t n_pid;
pid_t n_1_pid;
+ uid_t uid; /* 0 = privileged (GSPP), > 0 = PUP uid */
+
time_t mpl;
struct qos_spec qs;
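Review bot: The comment on the new `uid` field reads as if it held the flow owner's user id, but per the commit message members of the ouroboros group with a non-zero uid also use the GSPP, so the field seems to act as a pool selector rather than a credential. I would say that explicitly and name who sets it, e.g. `uid_t uid; /* pool owner: 0 = GSPP, > 0 = PUP of that uid; set by the IRMd */`, assuming the IRMd is indeed the only writer. If a client can supply this value in a request, it should be re-derived on the IRMd side before a pool is chosen from it. struct flow_info starts and ends outside the hunk.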
diff --git a/include/ouroboros/ipcp-dev.h b/include/ouroboros/ipcp-dev.h
index 118f1101..37c8064f 100644
--- a/include/ouroboros/ipcp-dev.h
+++ b/include/ouroboros/ipcp-dev.h
@@ -47,10 +47,12 @@ int ipcp_flow_write(int fd,
struct ssm_pk_buff * spb);
int np1_flow_read(int fd,
- struct ssm_pk_buff ** spb);
+ struct ssm_pk_buff ** spb,
+ struct ssm_pool * pool);
int np1_flow_write(int fd,
- struct ssm_pk_buff * spb);
+ struct ssm_pk_buff * spb,
+ struct ssm_pool * pool);
int ipcp_flow_dealloc(int fd);
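Review bot: np1_flow_read() and np1_flow_write() now take a `pool` next to the `spb`, and nothing in the header says that the two must belong together or whether NULL is accepted. A packet buffer resolved against the wrong pool would presumably address unrelated shared memory, so the contract deserves a line above each prototype, e.g. `/* pool: the pool spb lives in; NULL selects the GSPP */` if that is what the implementation does. ipcp_flow_write() just above keeps the two-argument form, so a sentence on why it needs no pool would help readers as well.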
diff --git a/include/ouroboros/local-dev.h b/include/ouroboros/local-dev.h
index da62e31c..cd0298d3 100644
--- a/include/ouroboros/local-dev.h
+++ b/include/ouroboros/local-dev.h
@@ -23,9 +23,11 @@
#ifndef OUROBOROS_LIB_LOCAL_DEV_H
#define OUROBOROS_LIB_LOCAL_DEV_H
-ssize_t local_flow_read(int fd);
+#include <ouroboros/ssm_pool.h>
-int local_flow_write(int fd,
- size_t idx);
+int local_flow_transfer(int src_fd,
+ int dst_fd,
+ struct ssm_pool * src_pool,
+ struct ssm_pool * dst_pool);
#endif /* OUROBOROS_LIB_LOCAL_DEV_H */
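Review bot: local_flow_transfer() is where a packet crosses from one pool to another, and the prototype documents neither the return value nor which side is trusted. A PUP is owned and writable by its user, so when `src_pool` is a PUP the length and offsets stored with the source buffer are untrusted from the copying process's point of view; the header should state that they are validated against the source pool's bounds before the memcpy() into `dst_pool`. The implementation is not part of this diff (it is limited to include/), so I cannot tell whether it already does this. A comment such as `/* Moves a packet from src_fd to dst_fd, copying if the pools differ; source metadata is bounds-checked. Returns 0 or a negative error. */` would do, adjusted to the real behaviour.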
diff --git a/include/ouroboros/proc.h b/include/ouroboros/proc.h
index 80c67227..0e27362e 100644
--- a/include/ouroboros/proc.h
+++ b/include/ouroboros/proc.h
@@ -31,8 +31,9 @@
/* Processes */
struct proc_info {
pid_t pid;
- char prog[PROG_NAME_SIZE + 1]; /* program instantiated */
-
+ char prog[PROG_NAME_SIZE + 1];
+ uid_t uid;
+ gid_t gid;
};
/* Programs */
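Review bot: The new `uid` and `gid` fields carry no comment, and the old one on `prog` was dropped, so the header no longer says where these values come from. Since proc_announce__irm_req_ser() in serdes-irm.h now serializes the whole struct proc_info, the ids appear to travel in the announce message written by the process itself. If the IRMd bases the GSPP/PUP decision on them, it should take them from the socket's peer credentials or compare against those; this diff does not show whether it does. At minimum document the trust level, e.g. `uid_t uid; /* as reported by the process; verify before use */`.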
diff --git a/include/ouroboros/serdes-irm.h b/include/ouroboros/serdes-irm.h
index 246db23d..bd04fc57 100644
--- a/include/ouroboros/serdes-irm.h
+++ b/include/ouroboros/serdes-irm.h
@@ -26,6 +26,7 @@
#include <ouroboros/crypt.h>
#include <ouroboros/flow.h>
#include <ouroboros/ipcp.h>
+#include <ouroboros/proc.h>
#include <ouroboros/time.h>
#include <ouroboros/utils.h>
@@ -69,8 +70,8 @@ int ipcp_flow_dealloc__irm_req_ser(buffer_t * buf,
int ipcp_create_r__irm_req_ser(buffer_t * buf,
const struct ipcp_info * ipcp);
-int proc_announce__irm_req_ser(buffer_t * buf,
- const char * prog);
+int proc_announce__irm_req_ser(buffer_t * buf,
+ const struct proc_info * proc);
int proc_exit__irm_req_ser(buffer_t * buf);
diff --git a/include/ouroboros/ssm_pool.h b/include/ouroboros/ssm_pool.h
index 80b22489..4becbdf5 100644
--- a/include/ouroboros/ssm_pool.h
+++ b/include/ouroboros/ssm_pool.h
@@ -32,18 +32,20 @@
struct ssm_pool;
-struct ssm_pool * ssm_pool_create(void);
+/* Pool API: uid = 0 for GSPP (privileged), uid > 0 for PUP (per-user) */
+struct ssm_pool * ssm_pool_create(uid_t uid,
+ gid_t gid);
-struct ssm_pool * ssm_pool_open(void);
+struct ssm_pool * ssm_pool_open(uid_t uid);
void ssm_pool_close(struct ssm_pool * pool);
void ssm_pool_destroy(struct ssm_pool * pool);
-void ssm_pool_purge(void);
-
int ssm_pool_mlock(struct ssm_pool * pool);
+void ssm_pool_gspp_purge(void);
+
/* Alloc count bytes, returns block index, a ptr and pk_buff. */
ssize_t ssm_pool_alloc(struct ssm_pool * pool,
size_t count,
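Review bot: `ssm_pool_create()` gains a `gid` argument that the new comment does not mention, and `ssm_pool_purge()` is replaced by a GSPP-only `ssm_pool_gspp_purge()`. I would extend the comment to say what `gid` is used for (presumably group ownership of the shared-memory object) and what create and open return on failure. It is also worth a note on how stale per-user pools are removed after an unclean exit, since no PUP counterpart to the purge is declared here; a leftover or pre-existing object under a PUP name should make create fail rather than be reused. The ssm_pool_alloc() declaration continues outside the hunk.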
diff --git a/include/ouroboros/utils.h b/include/ouroboros/utils.h
index 5d082d5c..f53361eb 100644
--- a/include/ouroboros/utils.h
+++ b/include/ouroboros/utils.h
@@ -23,9 +23,11 @@
#ifndef OUROBOROS_LIB_UTILS_H
#define OUROBOROS_LIB_UTILS_H
+#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/types.h>
#include <unistd.h>
#define MIN(a,b) (((a) < (b)) ? (a) : (b))
@@ -54,6 +56,10 @@ char * path_strip(const char * src);
char * trim_whitespace(char * str);
+bool is_ouroboros_member_uid(uid_t uid);
+
+bool is_ouroboros_member(void);
+
/* functions for copying and destroying arguments list */
size_t argvlen(const char ** argv);
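Review bot: Both new predicates return a bare `bool`, so a failed group lookup and "not a member" look the same to the caller, and the header says neither which way they fail nor which ids are checked. Because these appear to gate access to the GSPP, document that they fail closed, whether is_ouroboros_member() uses the real or the effective uid, and whether supplementary groups count. For example `/* true if uid may use the GSPP; false if not a member or on lookup error */`, adjusted to what the code does.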