1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* -*- linux-c -*- --------------------------------------------------------- * |
3 | * |
4 | * linux/fs/devpts/inode.c |
5 | * |
6 | * Copyright 1998-2004 H. Peter Anvin -- All Rights Reserved |
7 | * |
8 | * ------------------------------------------------------------------------- */ |
9 | |
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
11 | |
12 | #include <linux/module.h> |
13 | #include <linux/init.h> |
14 | #include <linux/fs.h> |
15 | #include <linux/sched.h> |
16 | #include <linux/namei.h> |
17 | #include <linux/slab.h> |
18 | #include <linux/mount.h> |
19 | #include <linux/tty.h> |
20 | #include <linux/mutex.h> |
21 | #include <linux/magic.h> |
22 | #include <linux/idr.h> |
23 | #include <linux/devpts_fs.h> |
24 | #include <linux/parser.h> |
25 | #include <linux/fsnotify.h> |
26 | #include <linux/seq_file.h> |
27 | |
28 | #define DEVPTS_DEFAULT_MODE 0600 |
29 | /* |
30 | * ptmx is a new node in /dev/pts and will be unused in legacy (single- |
31 | * instance) mode. To prevent surprises in user space, set permissions of |
32 | * ptmx to 0. Use 'chmod' or remount with '-o ptmxmode' to set meaningful |
33 | * permissions. |
34 | */ |
35 | #define DEVPTS_DEFAULT_PTMX_MODE 0000 |
36 | #define PTMX_MINOR 2 |
37 | |
38 | /* |
39 | * sysctl support for setting limits on the number of Unix98 ptys allocated. |
40 | * Otherwise one can eat up all kernel memory by opening /dev/ptmx repeatedly. |
41 | */ |
42 | static int pty_limit = NR_UNIX98_PTY_DEFAULT; |
43 | static int pty_reserve = NR_UNIX98_PTY_RESERVE; |
44 | static int pty_limit_min; |
45 | static int pty_limit_max = INT_MAX; |
46 | static atomic_t pty_count = ATOMIC_INIT(0); |
47 | |
48 | static struct ctl_table pty_table[] = { |
49 | { |
50 | .procname = "max" , |
51 | .maxlen = sizeof(int), |
52 | .mode = 0644, |
53 | .data = &pty_limit, |
54 | .proc_handler = proc_dointvec_minmax, |
55 | .extra1 = &pty_limit_min, |
56 | .extra2 = &pty_limit_max, |
57 | }, { |
58 | .procname = "reserve" , |
59 | .maxlen = sizeof(int), |
60 | .mode = 0644, |
61 | .data = &pty_reserve, |
62 | .proc_handler = proc_dointvec_minmax, |
63 | .extra1 = &pty_limit_min, |
64 | .extra2 = &pty_limit_max, |
65 | }, { |
66 | .procname = "nr" , |
67 | .maxlen = sizeof(int), |
68 | .mode = 0444, |
69 | .data = &pty_count, |
70 | .proc_handler = proc_dointvec, |
71 | }, |
72 | }; |
73 | |
74 | struct pts_mount_opts { |
75 | int setuid; |
76 | int setgid; |
77 | kuid_t uid; |
78 | kgid_t gid; |
79 | umode_t mode; |
80 | umode_t ptmxmode; |
81 | int reserve; |
82 | int max; |
83 | }; |
84 | |
85 | enum { |
86 | Opt_uid, Opt_gid, Opt_mode, Opt_ptmxmode, Opt_newinstance, Opt_max, |
87 | Opt_err |
88 | }; |
89 | |
90 | static const match_table_t tokens = { |
91 | {Opt_uid, "uid=%u" }, |
92 | {Opt_gid, "gid=%u" }, |
93 | {Opt_mode, "mode=%o" }, |
94 | {Opt_ptmxmode, "ptmxmode=%o" }, |
95 | {Opt_newinstance, "newinstance" }, |
96 | {Opt_max, "max=%d" }, |
97 | {Opt_err, NULL} |
98 | }; |
99 | |
100 | struct pts_fs_info { |
101 | struct ida allocated_ptys; |
102 | struct pts_mount_opts mount_opts; |
103 | struct super_block *sb; |
104 | struct dentry *ptmx_dentry; |
105 | }; |
106 | |
107 | static inline struct pts_fs_info *DEVPTS_SB(struct super_block *sb) |
108 | { |
109 | return sb->s_fs_info; |
110 | } |
111 | |
112 | static int devpts_ptmx_path(struct path *path) |
113 | { |
114 | struct super_block *sb; |
115 | int err; |
116 | |
117 | /* Is a devpts filesystem at "pts" in the same directory? */ |
118 | err = path_pts(path); |
119 | if (err) |
120 | return err; |
121 | |
122 | /* Is the path the root of a devpts filesystem? */ |
123 | sb = path->mnt->mnt_sb; |
124 | if ((sb->s_magic != DEVPTS_SUPER_MAGIC) || |
125 | (path->mnt->mnt_root != sb->s_root)) |
126 | return -ENODEV; |
127 | |
128 | return 0; |
129 | } |
130 | |
131 | /* |
132 | * Try to find a suitable devpts filesystem. We support the following |
133 | * scenarios: |
134 | * - The ptmx device node is located in the same directory as the devpts |
135 | * mount where the pts device nodes are located. |
136 | * This is e.g. the case when calling open on the /dev/pts/ptmx device |
137 | * node when the devpts filesystem is mounted at /dev/pts. |
138 | * - The ptmx device node is located outside the devpts filesystem mount |
139 | * where the pts device nodes are located. For example, the ptmx device |
140 | * is a symlink, separate device node, or bind-mount. |
141 | * A supported scenario is bind-mounting /dev/pts/ptmx to /dev/ptmx and |
142 | * then calling open on /dev/ptmx. In this case a suitable pts |
143 | * subdirectory can be found in the common parent directory /dev of the |
144 | * devpts mount and the ptmx bind-mount, after resolving the /dev/ptmx |
145 | * bind-mount. |
146 | * If no suitable pts subdirectory can be found this function will fail. |
147 | * This is e.g. the case when bind-mounting /dev/pts/ptmx to /ptmx. |
148 | */ |
149 | struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi) |
150 | { |
151 | struct path path; |
152 | int err = 0; |
153 | |
154 | path = filp->f_path; |
155 | path_get(&path); |
156 | |
157 | /* Walk upward while the start point is a bind mount of |
158 | * a single file. |
159 | */ |
160 | while (path.mnt->mnt_root == path.dentry) |
161 | if (follow_up(&path) == 0) |
162 | break; |
163 | |
164 | /* devpts_ptmx_path() finds a devpts fs or returns an error. */ |
165 | if ((path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) || |
166 | (DEVPTS_SB(sb: path.mnt->mnt_sb) != fsi)) |
167 | err = devpts_ptmx_path(path: &path); |
168 | dput(path.dentry); |
169 | if (!err) { |
170 | if (DEVPTS_SB(sb: path.mnt->mnt_sb) == fsi) |
171 | return path.mnt; |
172 | |
173 | err = -ENODEV; |
174 | } |
175 | |
176 | mntput(mnt: path.mnt); |
177 | return ERR_PTR(error: err); |
178 | } |
179 | |
180 | struct pts_fs_info *devpts_acquire(struct file *filp) |
181 | { |
182 | struct pts_fs_info *result; |
183 | struct path path; |
184 | struct super_block *sb; |
185 | |
186 | path = filp->f_path; |
187 | path_get(&path); |
188 | |
189 | /* Has the devpts filesystem already been found? */ |
190 | if (path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) { |
191 | int err; |
192 | |
193 | err = devpts_ptmx_path(path: &path); |
194 | if (err) { |
195 | result = ERR_PTR(error: err); |
196 | goto out; |
197 | } |
198 | } |
199 | |
200 | /* |
201 | * pty code needs to hold extra references in case of last /dev/tty close |
202 | */ |
203 | sb = path.mnt->mnt_sb; |
204 | atomic_inc(v: &sb->s_active); |
205 | result = DEVPTS_SB(sb); |
206 | |
207 | out: |
208 | path_put(&path); |
209 | return result; |
210 | } |
211 | |
212 | void devpts_release(struct pts_fs_info *fsi) |
213 | { |
214 | deactivate_super(sb: fsi->sb); |
215 | } |
216 | |
217 | #define PARSE_MOUNT 0 |
218 | #define PARSE_REMOUNT 1 |
219 | |
220 | /* |
221 | * parse_mount_options(): |
222 | * Set @opts to mount options specified in @data. If an option is not |
223 | * specified in @data, set it to its default value. |
224 | * |
225 | * Note: @data may be NULL (in which case all options are set to default). |
226 | */ |
227 | static int parse_mount_options(char *data, int op, struct pts_mount_opts *opts) |
228 | { |
229 | char *p; |
230 | kuid_t uid; |
231 | kgid_t gid; |
232 | |
233 | opts->setuid = 0; |
234 | opts->setgid = 0; |
235 | opts->uid = GLOBAL_ROOT_UID; |
236 | opts->gid = GLOBAL_ROOT_GID; |
237 | opts->mode = DEVPTS_DEFAULT_MODE; |
238 | opts->ptmxmode = DEVPTS_DEFAULT_PTMX_MODE; |
239 | opts->max = NR_UNIX98_PTY_MAX; |
240 | |
241 | /* Only allow instances mounted from the initial mount |
242 | * namespace to tap the reserve pool of ptys. |
243 | */ |
244 | if (op == PARSE_MOUNT) |
245 | opts->reserve = |
246 | (current->nsproxy->mnt_ns == init_task.nsproxy->mnt_ns); |
247 | |
248 | while ((p = strsep(&data, "," )) != NULL) { |
249 | substring_t args[MAX_OPT_ARGS]; |
250 | int token; |
251 | int option; |
252 | |
253 | if (!*p) |
254 | continue; |
255 | |
256 | token = match_token(p, tokens, args); |
257 | switch (token) { |
258 | case Opt_uid: |
259 | if (match_int(&args[0], &option)) |
260 | return -EINVAL; |
261 | uid = make_kuid(current_user_ns(), option); |
262 | if (!uid_valid(uid)) |
263 | return -EINVAL; |
264 | opts->uid = uid; |
265 | opts->setuid = 1; |
266 | break; |
267 | case Opt_gid: |
268 | if (match_int(&args[0], &option)) |
269 | return -EINVAL; |
270 | gid = make_kgid(current_user_ns(), option); |
271 | if (!gid_valid(gid)) |
272 | return -EINVAL; |
273 | opts->gid = gid; |
274 | opts->setgid = 1; |
275 | break; |
276 | case Opt_mode: |
277 | if (match_octal(&args[0], &option)) |
278 | return -EINVAL; |
279 | opts->mode = option & S_IALLUGO; |
280 | break; |
281 | case Opt_ptmxmode: |
282 | if (match_octal(&args[0], &option)) |
283 | return -EINVAL; |
284 | opts->ptmxmode = option & S_IALLUGO; |
285 | break; |
286 | case Opt_newinstance: |
287 | break; |
288 | case Opt_max: |
289 | if (match_int(&args[0], &option) || |
290 | option < 0 || option > NR_UNIX98_PTY_MAX) |
291 | return -EINVAL; |
292 | opts->max = option; |
293 | break; |
294 | default: |
295 | pr_err("called with bogus options\n" ); |
296 | return -EINVAL; |
297 | } |
298 | } |
299 | |
300 | return 0; |
301 | } |
302 | |
303 | static int mknod_ptmx(struct super_block *sb) |
304 | { |
305 | int mode; |
306 | int rc = -ENOMEM; |
307 | struct dentry *dentry; |
308 | struct inode *inode; |
309 | struct dentry *root = sb->s_root; |
310 | struct pts_fs_info *fsi = DEVPTS_SB(sb); |
311 | struct pts_mount_opts *opts = &fsi->mount_opts; |
312 | kuid_t ptmx_uid = current_fsuid(); |
313 | kgid_t ptmx_gid = current_fsgid(); |
314 | |
315 | inode_lock(inode: d_inode(dentry: root)); |
316 | |
317 | /* If we have already created ptmx node, return */ |
318 | if (fsi->ptmx_dentry) { |
319 | rc = 0; |
320 | goto out; |
321 | } |
322 | |
323 | dentry = d_alloc_name(root, "ptmx" ); |
324 | if (!dentry) { |
325 | pr_err("Unable to alloc dentry for ptmx node\n" ); |
326 | goto out; |
327 | } |
328 | |
329 | /* |
330 | * Create a new 'ptmx' node in this mount of devpts. |
331 | */ |
332 | inode = new_inode(sb); |
333 | if (!inode) { |
334 | pr_err("Unable to alloc inode for ptmx node\n" ); |
335 | dput(dentry); |
336 | goto out; |
337 | } |
338 | |
339 | inode->i_ino = 2; |
340 | simple_inode_init_ts(inode); |
341 | |
342 | mode = S_IFCHR|opts->ptmxmode; |
343 | init_special_inode(inode, mode, MKDEV(TTYAUX_MAJOR, 2)); |
344 | inode->i_uid = ptmx_uid; |
345 | inode->i_gid = ptmx_gid; |
346 | |
347 | d_add(dentry, inode); |
348 | |
349 | fsi->ptmx_dentry = dentry; |
350 | rc = 0; |
351 | out: |
352 | inode_unlock(inode: d_inode(dentry: root)); |
353 | return rc; |
354 | } |
355 | |
356 | static void update_ptmx_mode(struct pts_fs_info *fsi) |
357 | { |
358 | struct inode *inode; |
359 | if (fsi->ptmx_dentry) { |
360 | inode = d_inode(dentry: fsi->ptmx_dentry); |
361 | inode->i_mode = S_IFCHR|fsi->mount_opts.ptmxmode; |
362 | } |
363 | } |
364 | |
365 | static int devpts_remount(struct super_block *sb, int *flags, char *data) |
366 | { |
367 | int err; |
368 | struct pts_fs_info *fsi = DEVPTS_SB(sb); |
369 | struct pts_mount_opts *opts = &fsi->mount_opts; |
370 | |
371 | err = parse_mount_options(data, PARSE_REMOUNT, opts); |
372 | |
373 | /* |
374 | * parse_mount_options() restores options to default values |
375 | * before parsing and may have changed ptmxmode. So, update the |
376 | * mode in the inode too. Bogus options don't fail the remount, |
377 | * so do this even on error return. |
378 | */ |
379 | update_ptmx_mode(fsi); |
380 | |
381 | return err; |
382 | } |
383 | |
384 | static int devpts_show_options(struct seq_file *seq, struct dentry *root) |
385 | { |
386 | struct pts_fs_info *fsi = DEVPTS_SB(sb: root->d_sb); |
387 | struct pts_mount_opts *opts = &fsi->mount_opts; |
388 | |
389 | if (opts->setuid) |
390 | seq_printf(m: seq, fmt: ",uid=%u" , |
391 | from_kuid_munged(to: &init_user_ns, uid: opts->uid)); |
392 | if (opts->setgid) |
393 | seq_printf(m: seq, fmt: ",gid=%u" , |
394 | from_kgid_munged(to: &init_user_ns, gid: opts->gid)); |
395 | seq_printf(m: seq, fmt: ",mode=%03o" , opts->mode); |
396 | seq_printf(m: seq, fmt: ",ptmxmode=%03o" , opts->ptmxmode); |
397 | if (opts->max < NR_UNIX98_PTY_MAX) |
398 | seq_printf(m: seq, fmt: ",max=%d" , opts->max); |
399 | |
400 | return 0; |
401 | } |
402 | |
403 | static const struct super_operations devpts_sops = { |
404 | .statfs = simple_statfs, |
405 | .remount_fs = devpts_remount, |
406 | .show_options = devpts_show_options, |
407 | }; |
408 | |
409 | static void *new_pts_fs_info(struct super_block *sb) |
410 | { |
411 | struct pts_fs_info *fsi; |
412 | |
413 | fsi = kzalloc(size: sizeof(struct pts_fs_info), GFP_KERNEL); |
414 | if (!fsi) |
415 | return NULL; |
416 | |
417 | ida_init(ida: &fsi->allocated_ptys); |
418 | fsi->mount_opts.mode = DEVPTS_DEFAULT_MODE; |
419 | fsi->mount_opts.ptmxmode = DEVPTS_DEFAULT_PTMX_MODE; |
420 | fsi->sb = sb; |
421 | |
422 | return fsi; |
423 | } |
424 | |
425 | static int |
426 | devpts_fill_super(struct super_block *s, void *data, int silent) |
427 | { |
428 | struct inode *inode; |
429 | int error; |
430 | |
431 | s->s_iflags &= ~SB_I_NODEV; |
432 | s->s_blocksize = 1024; |
433 | s->s_blocksize_bits = 10; |
434 | s->s_magic = DEVPTS_SUPER_MAGIC; |
435 | s->s_op = &devpts_sops; |
436 | s->s_d_op = &simple_dentry_operations; |
437 | s->s_time_gran = 1; |
438 | |
439 | error = -ENOMEM; |
440 | s->s_fs_info = new_pts_fs_info(sb: s); |
441 | if (!s->s_fs_info) |
442 | goto fail; |
443 | |
444 | error = parse_mount_options(data, PARSE_MOUNT, opts: &DEVPTS_SB(sb: s)->mount_opts); |
445 | if (error) |
446 | goto fail; |
447 | |
448 | error = -ENOMEM; |
449 | inode = new_inode(sb: s); |
450 | if (!inode) |
451 | goto fail; |
452 | inode->i_ino = 1; |
453 | simple_inode_init_ts(inode); |
454 | inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR; |
455 | inode->i_op = &simple_dir_inode_operations; |
456 | inode->i_fop = &simple_dir_operations; |
457 | set_nlink(inode, nlink: 2); |
458 | |
459 | s->s_root = d_make_root(inode); |
460 | if (!s->s_root) { |
461 | pr_err("get root dentry failed\n" ); |
462 | goto fail; |
463 | } |
464 | |
465 | error = mknod_ptmx(sb: s); |
466 | if (error) |
467 | goto fail_dput; |
468 | |
469 | return 0; |
470 | fail_dput: |
471 | dput(s->s_root); |
472 | s->s_root = NULL; |
473 | fail: |
474 | return error; |
475 | } |
476 | |
477 | /* |
478 | * devpts_mount() |
479 | * |
480 | * Mount a new (private) instance of devpts. PTYs created in this |
481 | * instance are independent of the PTYs in other devpts instances. |
482 | */ |
483 | static struct dentry *devpts_mount(struct file_system_type *fs_type, |
484 | int flags, const char *dev_name, void *data) |
485 | { |
486 | return mount_nodev(fs_type, flags, data, fill_super: devpts_fill_super); |
487 | } |
488 | |
489 | static void devpts_kill_sb(struct super_block *sb) |
490 | { |
491 | struct pts_fs_info *fsi = DEVPTS_SB(sb); |
492 | |
493 | if (fsi) |
494 | ida_destroy(ida: &fsi->allocated_ptys); |
495 | kfree(objp: fsi); |
496 | kill_litter_super(sb); |
497 | } |
498 | |
499 | static struct file_system_type devpts_fs_type = { |
500 | .name = "devpts" , |
501 | .mount = devpts_mount, |
502 | .kill_sb = devpts_kill_sb, |
503 | .fs_flags = FS_USERNS_MOUNT, |
504 | }; |
505 | |
506 | /* |
507 | * The normal naming convention is simply /dev/pts/<number>; this conforms |
508 | * to the System V naming convention |
509 | */ |
510 | |
511 | int devpts_new_index(struct pts_fs_info *fsi) |
512 | { |
513 | int index = -ENOSPC; |
514 | |
515 | if (atomic_inc_return(v: &pty_count) >= (pty_limit - |
516 | (fsi->mount_opts.reserve ? 0 : pty_reserve))) |
517 | goto out; |
518 | |
519 | index = ida_alloc_max(ida: &fsi->allocated_ptys, max: fsi->mount_opts.max - 1, |
520 | GFP_KERNEL); |
521 | |
522 | out: |
523 | if (index < 0) |
524 | atomic_dec(v: &pty_count); |
525 | return index; |
526 | } |
527 | |
528 | void devpts_kill_index(struct pts_fs_info *fsi, int idx) |
529 | { |
530 | ida_free(&fsi->allocated_ptys, id: idx); |
531 | atomic_dec(v: &pty_count); |
532 | } |
533 | |
534 | /** |
535 | * devpts_pty_new -- create a new inode in /dev/pts/ |
536 | * @fsi: Filesystem info for this instance. |
537 | * @index: used as a name of the node |
538 | * @priv: what's given back by devpts_get_priv |
539 | * |
540 | * The dentry for the created inode is returned. |
541 | * Remove it from /dev/pts/ with devpts_pty_kill(). |
542 | */ |
543 | struct dentry *devpts_pty_new(struct pts_fs_info *fsi, int index, void *priv) |
544 | { |
545 | struct dentry *dentry; |
546 | struct super_block *sb = fsi->sb; |
547 | struct inode *inode; |
548 | struct dentry *root; |
549 | struct pts_mount_opts *opts; |
550 | char s[12]; |
551 | |
552 | root = sb->s_root; |
553 | opts = &fsi->mount_opts; |
554 | |
555 | inode = new_inode(sb); |
556 | if (!inode) |
557 | return ERR_PTR(error: -ENOMEM); |
558 | |
559 | inode->i_ino = index + 3; |
560 | inode->i_uid = opts->setuid ? opts->uid : current_fsuid(); |
561 | inode->i_gid = opts->setgid ? opts->gid : current_fsgid(); |
562 | simple_inode_init_ts(inode); |
563 | init_special_inode(inode, S_IFCHR|opts->mode, MKDEV(UNIX98_PTY_SLAVE_MAJOR, index)); |
564 | |
565 | sprintf(buf: s, fmt: "%d" , index); |
566 | |
567 | dentry = d_alloc_name(root, s); |
568 | if (dentry) { |
569 | dentry->d_fsdata = priv; |
570 | d_add(dentry, inode); |
571 | fsnotify_create(dir: d_inode(dentry: root), dentry); |
572 | } else { |
573 | iput(inode); |
574 | dentry = ERR_PTR(error: -ENOMEM); |
575 | } |
576 | |
577 | return dentry; |
578 | } |
579 | |
580 | /** |
581 | * devpts_get_priv -- get private data for a slave |
582 | * @dentry: dentry of the slave |
583 | * |
584 | * Returns whatever was passed as priv in devpts_pty_new for a given inode. |
585 | */ |
586 | void *devpts_get_priv(struct dentry *dentry) |
587 | { |
588 | if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC) |
589 | return NULL; |
590 | return dentry->d_fsdata; |
591 | } |
592 | |
593 | /** |
594 | * devpts_pty_kill -- remove inode form /dev/pts/ |
595 | * @dentry: dentry of the slave to be removed |
596 | * |
597 | * This is an inverse operation of devpts_pty_new. |
598 | */ |
599 | void devpts_pty_kill(struct dentry *dentry) |
600 | { |
601 | WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC); |
602 | |
603 | dentry->d_fsdata = NULL; |
604 | drop_nlink(inode: dentry->d_inode); |
605 | d_drop(dentry); |
606 | fsnotify_unlink(dir: d_inode(dentry: dentry->d_parent), dentry); |
607 | dput(dentry); /* d_alloc_name() in devpts_pty_new() */ |
608 | } |
609 | |
610 | static int __init init_devpts_fs(void) |
611 | { |
612 | int err = register_filesystem(&devpts_fs_type); |
613 | if (!err) { |
614 | register_sysctl("kernel/pty" , pty_table); |
615 | } |
616 | return err; |
617 | } |
618 | module_init(init_devpts_fs) |
619 | |