1// SPDX-License-Identifier: GPL-2.0-or-later
2/* -*- linux-c -*- --------------------------------------------------------- *
3 *
4 * linux/fs/devpts/inode.c
5 *
6 * Copyright 1998-2004 H. Peter Anvin -- All Rights Reserved
7 *
8 * ------------------------------------------------------------------------- */
9
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/fs.h>
15#include <linux/sched.h>
16#include <linux/namei.h>
17#include <linux/slab.h>
18#include <linux/mount.h>
19#include <linux/tty.h>
20#include <linux/mutex.h>
21#include <linux/magic.h>
22#include <linux/idr.h>
23#include <linux/devpts_fs.h>
24#include <linux/parser.h>
25#include <linux/fsnotify.h>
26#include <linux/seq_file.h>
27
28#define DEVPTS_DEFAULT_MODE 0600
29/*
30 * ptmx is a new node in /dev/pts and will be unused in legacy (single-
31 * instance) mode. To prevent surprises in user space, set permissions of
32 * ptmx to 0. Use 'chmod' or remount with '-o ptmxmode' to set meaningful
33 * permissions.
34 */
35#define DEVPTS_DEFAULT_PTMX_MODE 0000
36#define PTMX_MINOR 2
37
38/*
39 * sysctl support for setting limits on the number of Unix98 ptys allocated.
40 * Otherwise one can eat up all kernel memory by opening /dev/ptmx repeatedly.
41 */
42static int pty_limit = NR_UNIX98_PTY_DEFAULT;
43static int pty_reserve = NR_UNIX98_PTY_RESERVE;
44static int pty_limit_min;
45static int pty_limit_max = INT_MAX;
46static atomic_t pty_count = ATOMIC_INIT(0);
47
48static struct ctl_table pty_table[] = {
49 {
50 .procname = "max",
51 .maxlen = sizeof(int),
52 .mode = 0644,
53 .data = &pty_limit,
54 .proc_handler = proc_dointvec_minmax,
55 .extra1 = &pty_limit_min,
56 .extra2 = &pty_limit_max,
57 }, {
58 .procname = "reserve",
59 .maxlen = sizeof(int),
60 .mode = 0644,
61 .data = &pty_reserve,
62 .proc_handler = proc_dointvec_minmax,
63 .extra1 = &pty_limit_min,
64 .extra2 = &pty_limit_max,
65 }, {
66 .procname = "nr",
67 .maxlen = sizeof(int),
68 .mode = 0444,
69 .data = &pty_count,
70 .proc_handler = proc_dointvec,
71 },
72};
73
74struct pts_mount_opts {
75 int setuid;
76 int setgid;
77 kuid_t uid;
78 kgid_t gid;
79 umode_t mode;
80 umode_t ptmxmode;
81 int reserve;
82 int max;
83};
84
85enum {
86 Opt_uid, Opt_gid, Opt_mode, Opt_ptmxmode, Opt_newinstance, Opt_max,
87 Opt_err
88};
89
90static const match_table_t tokens = {
91 {Opt_uid, "uid=%u"},
92 {Opt_gid, "gid=%u"},
93 {Opt_mode, "mode=%o"},
94 {Opt_ptmxmode, "ptmxmode=%o"},
95 {Opt_newinstance, "newinstance"},
96 {Opt_max, "max=%d"},
97 {Opt_err, NULL}
98};
99
100struct pts_fs_info {
101 struct ida allocated_ptys;
102 struct pts_mount_opts mount_opts;
103 struct super_block *sb;
104 struct dentry *ptmx_dentry;
105};
106
107static inline struct pts_fs_info *DEVPTS_SB(struct super_block *sb)
108{
109 return sb->s_fs_info;
110}
111
112static int devpts_ptmx_path(struct path *path)
113{
114 struct super_block *sb;
115 int err;
116
117 /* Is a devpts filesystem at "pts" in the same directory? */
118 err = path_pts(path);
119 if (err)
120 return err;
121
122 /* Is the path the root of a devpts filesystem? */
123 sb = path->mnt->mnt_sb;
124 if ((sb->s_magic != DEVPTS_SUPER_MAGIC) ||
125 (path->mnt->mnt_root != sb->s_root))
126 return -ENODEV;
127
128 return 0;
129}
130
131/*
132 * Try to find a suitable devpts filesystem. We support the following
133 * scenarios:
134 * - The ptmx device node is located in the same directory as the devpts
135 * mount where the pts device nodes are located.
136 * This is e.g. the case when calling open on the /dev/pts/ptmx device
137 * node when the devpts filesystem is mounted at /dev/pts.
138 * - The ptmx device node is located outside the devpts filesystem mount
139 * where the pts device nodes are located. For example, the ptmx device
140 * is a symlink, separate device node, or bind-mount.
141 * A supported scenario is bind-mounting /dev/pts/ptmx to /dev/ptmx and
142 * then calling open on /dev/ptmx. In this case a suitable pts
143 * subdirectory can be found in the common parent directory /dev of the
144 * devpts mount and the ptmx bind-mount, after resolving the /dev/ptmx
145 * bind-mount.
146 * If no suitable pts subdirectory can be found this function will fail.
147 * This is e.g. the case when bind-mounting /dev/pts/ptmx to /ptmx.
148 */
149struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi)
150{
151 struct path path;
152 int err = 0;
153
154 path = filp->f_path;
155 path_get(&path);
156
157 /* Walk upward while the start point is a bind mount of
158 * a single file.
159 */
160 while (path.mnt->mnt_root == path.dentry)
161 if (follow_up(&path) == 0)
162 break;
163
164 /* devpts_ptmx_path() finds a devpts fs or returns an error. */
165 if ((path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) ||
166 (DEVPTS_SB(sb: path.mnt->mnt_sb) != fsi))
167 err = devpts_ptmx_path(path: &path);
168 dput(path.dentry);
169 if (!err) {
170 if (DEVPTS_SB(sb: path.mnt->mnt_sb) == fsi)
171 return path.mnt;
172
173 err = -ENODEV;
174 }
175
176 mntput(mnt: path.mnt);
177 return ERR_PTR(error: err);
178}
179
180struct pts_fs_info *devpts_acquire(struct file *filp)
181{
182 struct pts_fs_info *result;
183 struct path path;
184 struct super_block *sb;
185
186 path = filp->f_path;
187 path_get(&path);
188
189 /* Has the devpts filesystem already been found? */
190 if (path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) {
191 int err;
192
193 err = devpts_ptmx_path(path: &path);
194 if (err) {
195 result = ERR_PTR(error: err);
196 goto out;
197 }
198 }
199
200 /*
201 * pty code needs to hold extra references in case of last /dev/tty close
202 */
203 sb = path.mnt->mnt_sb;
204 atomic_inc(v: &sb->s_active);
205 result = DEVPTS_SB(sb);
206
207out:
208 path_put(&path);
209 return result;
210}
211
212void devpts_release(struct pts_fs_info *fsi)
213{
214 deactivate_super(sb: fsi->sb);
215}
216
217#define PARSE_MOUNT 0
218#define PARSE_REMOUNT 1
219
220/*
221 * parse_mount_options():
222 * Set @opts to mount options specified in @data. If an option is not
223 * specified in @data, set it to its default value.
224 *
225 * Note: @data may be NULL (in which case all options are set to default).
226 */
227static int parse_mount_options(char *data, int op, struct pts_mount_opts *opts)
228{
229 char *p;
230 kuid_t uid;
231 kgid_t gid;
232
233 opts->setuid = 0;
234 opts->setgid = 0;
235 opts->uid = GLOBAL_ROOT_UID;
236 opts->gid = GLOBAL_ROOT_GID;
237 opts->mode = DEVPTS_DEFAULT_MODE;
238 opts->ptmxmode = DEVPTS_DEFAULT_PTMX_MODE;
239 opts->max = NR_UNIX98_PTY_MAX;
240
241 /* Only allow instances mounted from the initial mount
242 * namespace to tap the reserve pool of ptys.
243 */
244 if (op == PARSE_MOUNT)
245 opts->reserve =
246 (current->nsproxy->mnt_ns == init_task.nsproxy->mnt_ns);
247
248 while ((p = strsep(&data, ",")) != NULL) {
249 substring_t args[MAX_OPT_ARGS];
250 int token;
251 int option;
252
253 if (!*p)
254 continue;
255
256 token = match_token(p, tokens, args);
257 switch (token) {
258 case Opt_uid:
259 if (match_int(&args[0], &option))
260 return -EINVAL;
261 uid = make_kuid(current_user_ns(), option);
262 if (!uid_valid(uid))
263 return -EINVAL;
264 opts->uid = uid;
265 opts->setuid = 1;
266 break;
267 case Opt_gid:
268 if (match_int(&args[0], &option))
269 return -EINVAL;
270 gid = make_kgid(current_user_ns(), option);
271 if (!gid_valid(gid))
272 return -EINVAL;
273 opts->gid = gid;
274 opts->setgid = 1;
275 break;
276 case Opt_mode:
277 if (match_octal(&args[0], &option))
278 return -EINVAL;
279 opts->mode = option & S_IALLUGO;
280 break;
281 case Opt_ptmxmode:
282 if (match_octal(&args[0], &option))
283 return -EINVAL;
284 opts->ptmxmode = option & S_IALLUGO;
285 break;
286 case Opt_newinstance:
287 break;
288 case Opt_max:
289 if (match_int(&args[0], &option) ||
290 option < 0 || option > NR_UNIX98_PTY_MAX)
291 return -EINVAL;
292 opts->max = option;
293 break;
294 default:
295 pr_err("called with bogus options\n");
296 return -EINVAL;
297 }
298 }
299
300 return 0;
301}
302
303static int mknod_ptmx(struct super_block *sb)
304{
305 int mode;
306 int rc = -ENOMEM;
307 struct dentry *dentry;
308 struct inode *inode;
309 struct dentry *root = sb->s_root;
310 struct pts_fs_info *fsi = DEVPTS_SB(sb);
311 struct pts_mount_opts *opts = &fsi->mount_opts;
312 kuid_t ptmx_uid = current_fsuid();
313 kgid_t ptmx_gid = current_fsgid();
314
315 inode_lock(inode: d_inode(dentry: root));
316
317 /* If we have already created ptmx node, return */
318 if (fsi->ptmx_dentry) {
319 rc = 0;
320 goto out;
321 }
322
323 dentry = d_alloc_name(root, "ptmx");
324 if (!dentry) {
325 pr_err("Unable to alloc dentry for ptmx node\n");
326 goto out;
327 }
328
329 /*
330 * Create a new 'ptmx' node in this mount of devpts.
331 */
332 inode = new_inode(sb);
333 if (!inode) {
334 pr_err("Unable to alloc inode for ptmx node\n");
335 dput(dentry);
336 goto out;
337 }
338
339 inode->i_ino = 2;
340 simple_inode_init_ts(inode);
341
342 mode = S_IFCHR|opts->ptmxmode;
343 init_special_inode(inode, mode, MKDEV(TTYAUX_MAJOR, 2));
344 inode->i_uid = ptmx_uid;
345 inode->i_gid = ptmx_gid;
346
347 d_add(dentry, inode);
348
349 fsi->ptmx_dentry = dentry;
350 rc = 0;
351out:
352 inode_unlock(inode: d_inode(dentry: root));
353 return rc;
354}
355
356static void update_ptmx_mode(struct pts_fs_info *fsi)
357{
358 struct inode *inode;
359 if (fsi->ptmx_dentry) {
360 inode = d_inode(dentry: fsi->ptmx_dentry);
361 inode->i_mode = S_IFCHR|fsi->mount_opts.ptmxmode;
362 }
363}
364
365static int devpts_remount(struct super_block *sb, int *flags, char *data)
366{
367 int err;
368 struct pts_fs_info *fsi = DEVPTS_SB(sb);
369 struct pts_mount_opts *opts = &fsi->mount_opts;
370
371 err = parse_mount_options(data, PARSE_REMOUNT, opts);
372
373 /*
374 * parse_mount_options() restores options to default values
375 * before parsing and may have changed ptmxmode. So, update the
376 * mode in the inode too. Bogus options don't fail the remount,
377 * so do this even on error return.
378 */
379 update_ptmx_mode(fsi);
380
381 return err;
382}
383
384static int devpts_show_options(struct seq_file *seq, struct dentry *root)
385{
386 struct pts_fs_info *fsi = DEVPTS_SB(sb: root->d_sb);
387 struct pts_mount_opts *opts = &fsi->mount_opts;
388
389 if (opts->setuid)
390 seq_printf(m: seq, fmt: ",uid=%u",
391 from_kuid_munged(to: &init_user_ns, uid: opts->uid));
392 if (opts->setgid)
393 seq_printf(m: seq, fmt: ",gid=%u",
394 from_kgid_munged(to: &init_user_ns, gid: opts->gid));
395 seq_printf(m: seq, fmt: ",mode=%03o", opts->mode);
396 seq_printf(m: seq, fmt: ",ptmxmode=%03o", opts->ptmxmode);
397 if (opts->max < NR_UNIX98_PTY_MAX)
398 seq_printf(m: seq, fmt: ",max=%d", opts->max);
399
400 return 0;
401}
402
403static const struct super_operations devpts_sops = {
404 .statfs = simple_statfs,
405 .remount_fs = devpts_remount,
406 .show_options = devpts_show_options,
407};
408
409static void *new_pts_fs_info(struct super_block *sb)
410{
411 struct pts_fs_info *fsi;
412
413 fsi = kzalloc(size: sizeof(struct pts_fs_info), GFP_KERNEL);
414 if (!fsi)
415 return NULL;
416
417 ida_init(ida: &fsi->allocated_ptys);
418 fsi->mount_opts.mode = DEVPTS_DEFAULT_MODE;
419 fsi->mount_opts.ptmxmode = DEVPTS_DEFAULT_PTMX_MODE;
420 fsi->sb = sb;
421
422 return fsi;
423}
424
425static int
426devpts_fill_super(struct super_block *s, void *data, int silent)
427{
428 struct inode *inode;
429 int error;
430
431 s->s_iflags &= ~SB_I_NODEV;
432 s->s_blocksize = 1024;
433 s->s_blocksize_bits = 10;
434 s->s_magic = DEVPTS_SUPER_MAGIC;
435 s->s_op = &devpts_sops;
436 s->s_d_op = &simple_dentry_operations;
437 s->s_time_gran = 1;
438
439 error = -ENOMEM;
440 s->s_fs_info = new_pts_fs_info(sb: s);
441 if (!s->s_fs_info)
442 goto fail;
443
444 error = parse_mount_options(data, PARSE_MOUNT, opts: &DEVPTS_SB(sb: s)->mount_opts);
445 if (error)
446 goto fail;
447
448 error = -ENOMEM;
449 inode = new_inode(sb: s);
450 if (!inode)
451 goto fail;
452 inode->i_ino = 1;
453 simple_inode_init_ts(inode);
454 inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR;
455 inode->i_op = &simple_dir_inode_operations;
456 inode->i_fop = &simple_dir_operations;
457 set_nlink(inode, nlink: 2);
458
459 s->s_root = d_make_root(inode);
460 if (!s->s_root) {
461 pr_err("get root dentry failed\n");
462 goto fail;
463 }
464
465 error = mknod_ptmx(sb: s);
466 if (error)
467 goto fail_dput;
468
469 return 0;
470fail_dput:
471 dput(s->s_root);
472 s->s_root = NULL;
473fail:
474 return error;
475}
476
477/*
478 * devpts_mount()
479 *
480 * Mount a new (private) instance of devpts. PTYs created in this
481 * instance are independent of the PTYs in other devpts instances.
482 */
483static struct dentry *devpts_mount(struct file_system_type *fs_type,
484 int flags, const char *dev_name, void *data)
485{
486 return mount_nodev(fs_type, flags, data, fill_super: devpts_fill_super);
487}
488
489static void devpts_kill_sb(struct super_block *sb)
490{
491 struct pts_fs_info *fsi = DEVPTS_SB(sb);
492
493 if (fsi)
494 ida_destroy(ida: &fsi->allocated_ptys);
495 kfree(objp: fsi);
496 kill_litter_super(sb);
497}
498
499static struct file_system_type devpts_fs_type = {
500 .name = "devpts",
501 .mount = devpts_mount,
502 .kill_sb = devpts_kill_sb,
503 .fs_flags = FS_USERNS_MOUNT,
504};
505
506/*
507 * The normal naming convention is simply /dev/pts/<number>; this conforms
508 * to the System V naming convention
509 */
510
511int devpts_new_index(struct pts_fs_info *fsi)
512{
513 int index = -ENOSPC;
514
515 if (atomic_inc_return(v: &pty_count) >= (pty_limit -
516 (fsi->mount_opts.reserve ? 0 : pty_reserve)))
517 goto out;
518
519 index = ida_alloc_max(ida: &fsi->allocated_ptys, max: fsi->mount_opts.max - 1,
520 GFP_KERNEL);
521
522out:
523 if (index < 0)
524 atomic_dec(v: &pty_count);
525 return index;
526}
527
528void devpts_kill_index(struct pts_fs_info *fsi, int idx)
529{
530 ida_free(&fsi->allocated_ptys, id: idx);
531 atomic_dec(v: &pty_count);
532}
533
534/**
535 * devpts_pty_new -- create a new inode in /dev/pts/
536 * @fsi: Filesystem info for this instance.
537 * @index: used as a name of the node
538 * @priv: what's given back by devpts_get_priv
539 *
540 * The dentry for the created inode is returned.
541 * Remove it from /dev/pts/ with devpts_pty_kill().
542 */
543struct dentry *devpts_pty_new(struct pts_fs_info *fsi, int index, void *priv)
544{
545 struct dentry *dentry;
546 struct super_block *sb = fsi->sb;
547 struct inode *inode;
548 struct dentry *root;
549 struct pts_mount_opts *opts;
550 char s[12];
551
552 root = sb->s_root;
553 opts = &fsi->mount_opts;
554
555 inode = new_inode(sb);
556 if (!inode)
557 return ERR_PTR(error: -ENOMEM);
558
559 inode->i_ino = index + 3;
560 inode->i_uid = opts->setuid ? opts->uid : current_fsuid();
561 inode->i_gid = opts->setgid ? opts->gid : current_fsgid();
562 simple_inode_init_ts(inode);
563 init_special_inode(inode, S_IFCHR|opts->mode, MKDEV(UNIX98_PTY_SLAVE_MAJOR, index));
564
565 sprintf(buf: s, fmt: "%d", index);
566
567 dentry = d_alloc_name(root, s);
568 if (dentry) {
569 dentry->d_fsdata = priv;
570 d_add(dentry, inode);
571 fsnotify_create(dir: d_inode(dentry: root), dentry);
572 } else {
573 iput(inode);
574 dentry = ERR_PTR(error: -ENOMEM);
575 }
576
577 return dentry;
578}
579
580/**
581 * devpts_get_priv -- get private data for a slave
582 * @dentry: dentry of the slave
583 *
584 * Returns whatever was passed as priv in devpts_pty_new for a given inode.
585 */
586void *devpts_get_priv(struct dentry *dentry)
587{
588 if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC)
589 return NULL;
590 return dentry->d_fsdata;
591}
592
593/**
594 * devpts_pty_kill -- remove inode form /dev/pts/
595 * @dentry: dentry of the slave to be removed
596 *
597 * This is an inverse operation of devpts_pty_new.
598 */
599void devpts_pty_kill(struct dentry *dentry)
600{
601 WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC);
602
603 dentry->d_fsdata = NULL;
604 drop_nlink(inode: dentry->d_inode);
605 d_drop(dentry);
606 fsnotify_unlink(dir: d_inode(dentry: dentry->d_parent), dentry);
607 dput(dentry); /* d_alloc_name() in devpts_pty_new() */
608}
609
610static int __init init_devpts_fs(void)
611{
612 int err = register_filesystem(&devpts_fs_type);
613 if (!err) {
614 register_sysctl("kernel/pty", pty_table);
615 }
616 return err;
617}
618module_init(init_devpts_fs)
619

source code of linux/fs/devpts/inode.c