1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | |
3 | #include <linux/compiler_types.h> |
4 | #include <linux/errno.h> |
5 | #include <linux/fs.h> |
6 | #include <linux/fsnotify.h> |
7 | #include <linux/gfp.h> |
8 | #include <linux/idr.h> |
9 | #include <linux/init.h> |
10 | #include <linux/ipc_namespace.h> |
11 | #include <linux/kdev_t.h> |
12 | #include <linux/kernel.h> |
13 | #include <linux/list.h> |
14 | #include <linux/namei.h> |
15 | #include <linux/magic.h> |
16 | #include <linux/major.h> |
17 | #include <linux/miscdevice.h> |
18 | #include <linux/module.h> |
19 | #include <linux/mutex.h> |
20 | #include <linux/mount.h> |
21 | #include <linux/parser.h> |
22 | #include <linux/radix-tree.h> |
23 | #include <linux/sched.h> |
24 | #include <linux/seq_file.h> |
25 | #include <linux/slab.h> |
26 | #include <linux/spinlock_types.h> |
27 | #include <linux/stddef.h> |
28 | #include <linux/string.h> |
29 | #include <linux/types.h> |
30 | #include <linux/uaccess.h> |
31 | #include <linux/user_namespace.h> |
32 | #include <linux/xarray.h> |
33 | #include <uapi/asm-generic/errno-base.h> |
34 | #include <uapi/linux/android/binder.h> |
35 | #include <uapi/linux/android/binderfs.h> |
36 | |
37 | #include "binder_internal.h" |
38 | |
39 | #define FIRST_INODE 1 |
40 | #define SECOND_INODE 2 |
41 | #define INODE_OFFSET 3 |
42 | #define INTSTRLEN 21 |
43 | #define BINDERFS_MAX_MINOR (1U << MINORBITS) |
44 | /* Ensure that the initial ipc namespace always has devices available. */ |
45 | #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4) |
46 | |
47 | static dev_t binderfs_dev; |
48 | static DEFINE_MUTEX(binderfs_minors_mutex); |
49 | static DEFINE_IDA(binderfs_minors); |
50 | |
51 | /** |
52 | * binderfs_mount_opts - mount options for binderfs |
53 | * @max: maximum number of allocatable binderfs binder devices |
54 | */ |
55 | struct binderfs_mount_opts { |
56 | int max; |
57 | }; |
58 | |
59 | enum { |
60 | Opt_max, |
61 | Opt_err |
62 | }; |
63 | |
64 | static const match_table_t tokens = { |
65 | { Opt_max, "max=%d" }, |
66 | { Opt_err, NULL } |
67 | }; |
68 | |
69 | /** |
70 | * binderfs_info - information about a binderfs mount |
71 | * @ipc_ns: The ipc namespace the binderfs mount belongs to. |
72 | * @control_dentry: This records the dentry of this binderfs mount |
73 | * binder-control device. |
74 | * @root_uid: uid that needs to be used when a new binder device is |
75 | * created. |
76 | * @root_gid: gid that needs to be used when a new binder device is |
77 | * created. |
78 | * @mount_opts: The mount options in use. |
79 | * @device_count: The current number of allocated binder devices. |
80 | */ |
81 | struct binderfs_info { |
82 | struct ipc_namespace *ipc_ns; |
83 | struct dentry *control_dentry; |
84 | kuid_t root_uid; |
85 | kgid_t root_gid; |
86 | struct binderfs_mount_opts mount_opts; |
87 | int device_count; |
88 | }; |
89 | |
90 | static inline struct binderfs_info *BINDERFS_I(const struct inode *inode) |
91 | { |
92 | return inode->i_sb->s_fs_info; |
93 | } |
94 | |
95 | bool is_binderfs_device(const struct inode *inode) |
96 | { |
97 | if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) |
98 | return true; |
99 | |
100 | return false; |
101 | } |
102 | |
103 | /** |
104 | * binderfs_binder_device_create - allocate inode from super block of a |
105 | * binderfs mount |
106 | * @ref_inode: inode from wich the super block will be taken |
107 | * @userp: buffer to copy information about new device for userspace to |
108 | * @req: struct binderfs_device as copied from userspace |
109 | * |
110 | * This function allocates a new binder_device and reserves a new minor |
111 | * number for it. |
112 | * Minor numbers are limited and tracked globally in binderfs_minors. The |
113 | * function will stash a struct binder_device for the specific binder |
114 | * device in i_private of the inode. |
115 | * It will go on to allocate a new inode from the super block of the |
116 | * filesystem mount, stash a struct binder_device in its i_private field |
117 | * and attach a dentry to that inode. |
118 | * |
119 | * Return: 0 on success, negative errno on failure |
120 | */ |
121 | static int binderfs_binder_device_create(struct inode *ref_inode, |
122 | struct binderfs_device __user *userp, |
123 | struct binderfs_device *req) |
124 | { |
125 | int minor, ret; |
126 | struct dentry *dentry, *root; |
127 | struct binder_device *device; |
128 | char *name = NULL; |
129 | size_t name_len; |
130 | struct inode *inode = NULL; |
131 | struct super_block *sb = ref_inode->i_sb; |
132 | struct binderfs_info *info = sb->s_fs_info; |
133 | #if defined(CONFIG_IPC_NS) |
134 | bool use_reserve = (info->ipc_ns == &init_ipc_ns); |
135 | #else |
136 | bool use_reserve = true; |
137 | #endif |
138 | |
139 | /* Reserve new minor number for the new device. */ |
140 | mutex_lock(&binderfs_minors_mutex); |
141 | if (++info->device_count <= info->mount_opts.max) |
142 | minor = ida_alloc_max(&binderfs_minors, |
143 | use_reserve ? BINDERFS_MAX_MINOR : |
144 | BINDERFS_MAX_MINOR_CAPPED, |
145 | GFP_KERNEL); |
146 | else |
147 | minor = -ENOSPC; |
148 | if (minor < 0) { |
149 | --info->device_count; |
150 | mutex_unlock(&binderfs_minors_mutex); |
151 | return minor; |
152 | } |
153 | mutex_unlock(&binderfs_minors_mutex); |
154 | |
155 | ret = -ENOMEM; |
156 | device = kzalloc(sizeof(*device), GFP_KERNEL); |
157 | if (!device) |
158 | goto err; |
159 | |
160 | inode = new_inode(sb); |
161 | if (!inode) |
162 | goto err; |
163 | |
164 | inode->i_ino = minor + INODE_OFFSET; |
165 | inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); |
166 | init_special_inode(inode, S_IFCHR | 0600, |
167 | MKDEV(MAJOR(binderfs_dev), minor)); |
168 | inode->i_fop = &binder_fops; |
169 | inode->i_uid = info->root_uid; |
170 | inode->i_gid = info->root_gid; |
171 | |
172 | req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */ |
173 | name_len = strlen(req->name); |
174 | /* Make sure to include terminating NUL byte */ |
175 | name = kmemdup(req->name, name_len + 1, GFP_KERNEL); |
176 | if (!name) |
177 | goto err; |
178 | |
179 | device->binderfs_inode = inode; |
180 | device->context.binder_context_mgr_uid = INVALID_UID; |
181 | device->context.name = name; |
182 | device->miscdev.name = name; |
183 | device->miscdev.minor = minor; |
184 | mutex_init(&device->context.context_mgr_node_lock); |
185 | |
186 | req->major = MAJOR(binderfs_dev); |
187 | req->minor = minor; |
188 | |
189 | ret = copy_to_user(userp, req, sizeof(*req)); |
190 | if (ret) { |
191 | ret = -EFAULT; |
192 | goto err; |
193 | } |
194 | |
195 | root = sb->s_root; |
196 | inode_lock(d_inode(root)); |
197 | |
198 | /* look it up */ |
199 | dentry = lookup_one_len(name, root, name_len); |
200 | if (IS_ERR(dentry)) { |
201 | inode_unlock(d_inode(root)); |
202 | ret = PTR_ERR(dentry); |
203 | goto err; |
204 | } |
205 | |
206 | if (d_really_is_positive(dentry)) { |
207 | /* already exists */ |
208 | dput(dentry); |
209 | inode_unlock(d_inode(root)); |
210 | ret = -EEXIST; |
211 | goto err; |
212 | } |
213 | |
214 | inode->i_private = device; |
215 | d_instantiate(dentry, inode); |
216 | fsnotify_create(root->d_inode, dentry); |
217 | inode_unlock(d_inode(root)); |
218 | |
219 | return 0; |
220 | |
221 | err: |
222 | kfree(name); |
223 | kfree(device); |
224 | mutex_lock(&binderfs_minors_mutex); |
225 | --info->device_count; |
226 | ida_free(&binderfs_minors, minor); |
227 | mutex_unlock(&binderfs_minors_mutex); |
228 | iput(inode); |
229 | |
230 | return ret; |
231 | } |
232 | |
233 | /** |
234 | * binderfs_ctl_ioctl - handle binder device node allocation requests |
235 | * |
236 | * The request handler for the binder-control device. All requests operate on |
237 | * the binderfs mount the binder-control device resides in: |
238 | * - BINDER_CTL_ADD |
239 | * Allocate a new binder device. |
240 | * |
241 | * Return: 0 on success, negative errno on failure |
242 | */ |
243 | static long binder_ctl_ioctl(struct file *file, unsigned int cmd, |
244 | unsigned long arg) |
245 | { |
246 | int ret = -EINVAL; |
247 | struct inode *inode = file_inode(file); |
248 | struct binderfs_device __user *device = (struct binderfs_device __user *)arg; |
249 | struct binderfs_device device_req; |
250 | |
251 | switch (cmd) { |
252 | case BINDER_CTL_ADD: |
253 | ret = copy_from_user(&device_req, device, sizeof(device_req)); |
254 | if (ret) { |
255 | ret = -EFAULT; |
256 | break; |
257 | } |
258 | |
259 | ret = binderfs_binder_device_create(inode, device, &device_req); |
260 | break; |
261 | default: |
262 | break; |
263 | } |
264 | |
265 | return ret; |
266 | } |
267 | |
268 | static void binderfs_evict_inode(struct inode *inode) |
269 | { |
270 | struct binder_device *device = inode->i_private; |
271 | struct binderfs_info *info = BINDERFS_I(inode); |
272 | |
273 | clear_inode(inode); |
274 | |
275 | if (!device) |
276 | return; |
277 | |
278 | mutex_lock(&binderfs_minors_mutex); |
279 | --info->device_count; |
280 | ida_free(&binderfs_minors, device->miscdev.minor); |
281 | mutex_unlock(&binderfs_minors_mutex); |
282 | |
283 | kfree(device->context.name); |
284 | kfree(device); |
285 | } |
286 | |
287 | /** |
288 | * binderfs_parse_mount_opts - parse binderfs mount options |
289 | * @data: options to set (can be NULL in which case defaults are used) |
290 | */ |
291 | static int binderfs_parse_mount_opts(char *data, |
292 | struct binderfs_mount_opts *opts) |
293 | { |
294 | char *p; |
295 | opts->max = BINDERFS_MAX_MINOR; |
296 | |
297 | while ((p = strsep(&data, "," )) != NULL) { |
298 | substring_t args[MAX_OPT_ARGS]; |
299 | int token; |
300 | int max_devices; |
301 | |
302 | if (!*p) |
303 | continue; |
304 | |
305 | token = match_token(p, tokens, args); |
306 | switch (token) { |
307 | case Opt_max: |
308 | if (match_int(&args[0], &max_devices) || |
309 | (max_devices < 0 || |
310 | (max_devices > BINDERFS_MAX_MINOR))) |
311 | return -EINVAL; |
312 | |
313 | opts->max = max_devices; |
314 | break; |
315 | default: |
316 | pr_err("Invalid mount options\n" ); |
317 | return -EINVAL; |
318 | } |
319 | } |
320 | |
321 | return 0; |
322 | } |
323 | |
324 | static int binderfs_remount(struct super_block *sb, int *flags, char *data) |
325 | { |
326 | struct binderfs_info *info = sb->s_fs_info; |
327 | return binderfs_parse_mount_opts(data, &info->mount_opts); |
328 | } |
329 | |
330 | static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root) |
331 | { |
332 | struct binderfs_info *info; |
333 | |
334 | info = root->d_sb->s_fs_info; |
335 | if (info->mount_opts.max <= BINDERFS_MAX_MINOR) |
336 | seq_printf(seq, ",max=%d" , info->mount_opts.max); |
337 | |
338 | return 0; |
339 | } |
340 | |
341 | static const struct super_operations binderfs_super_ops = { |
342 | .evict_inode = binderfs_evict_inode, |
343 | .remount_fs = binderfs_remount, |
344 | .show_options = binderfs_show_mount_opts, |
345 | .statfs = simple_statfs, |
346 | }; |
347 | |
348 | static inline bool is_binderfs_control_device(const struct dentry *dentry) |
349 | { |
350 | struct binderfs_info *info = dentry->d_sb->s_fs_info; |
351 | return info->control_dentry == dentry; |
352 | } |
353 | |
354 | static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry, |
355 | struct inode *new_dir, struct dentry *new_dentry, |
356 | unsigned int flags) |
357 | { |
358 | if (is_binderfs_control_device(old_dentry) || |
359 | is_binderfs_control_device(new_dentry)) |
360 | return -EPERM; |
361 | |
362 | return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags); |
363 | } |
364 | |
365 | static int binderfs_unlink(struct inode *dir, struct dentry *dentry) |
366 | { |
367 | if (is_binderfs_control_device(dentry)) |
368 | return -EPERM; |
369 | |
370 | return simple_unlink(dir, dentry); |
371 | } |
372 | |
373 | static const struct file_operations binder_ctl_fops = { |
374 | .owner = THIS_MODULE, |
375 | .open = nonseekable_open, |
376 | .unlocked_ioctl = binder_ctl_ioctl, |
377 | .compat_ioctl = binder_ctl_ioctl, |
378 | .llseek = noop_llseek, |
379 | }; |
380 | |
381 | /** |
382 | * binderfs_binder_ctl_create - create a new binder-control device |
383 | * @sb: super block of the binderfs mount |
384 | * |
385 | * This function creates a new binder-control device node in the binderfs mount |
386 | * referred to by @sb. |
387 | * |
388 | * Return: 0 on success, negative errno on failure |
389 | */ |
390 | static int binderfs_binder_ctl_create(struct super_block *sb) |
391 | { |
392 | int minor, ret; |
393 | struct dentry *dentry; |
394 | struct binder_device *device; |
395 | struct inode *inode = NULL; |
396 | struct dentry *root = sb->s_root; |
397 | struct binderfs_info *info = sb->s_fs_info; |
398 | #if defined(CONFIG_IPC_NS) |
399 | bool use_reserve = (info->ipc_ns == &init_ipc_ns); |
400 | #else |
401 | bool use_reserve = true; |
402 | #endif |
403 | |
404 | device = kzalloc(sizeof(*device), GFP_KERNEL); |
405 | if (!device) |
406 | return -ENOMEM; |
407 | |
408 | /* If we have already created a binder-control node, return. */ |
409 | if (info->control_dentry) { |
410 | ret = 0; |
411 | goto out; |
412 | } |
413 | |
414 | ret = -ENOMEM; |
415 | inode = new_inode(sb); |
416 | if (!inode) |
417 | goto out; |
418 | |
419 | /* Reserve a new minor number for the new device. */ |
420 | mutex_lock(&binderfs_minors_mutex); |
421 | minor = ida_alloc_max(&binderfs_minors, |
422 | use_reserve ? BINDERFS_MAX_MINOR : |
423 | BINDERFS_MAX_MINOR_CAPPED, |
424 | GFP_KERNEL); |
425 | mutex_unlock(&binderfs_minors_mutex); |
426 | if (minor < 0) { |
427 | ret = minor; |
428 | goto out; |
429 | } |
430 | |
431 | inode->i_ino = SECOND_INODE; |
432 | inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); |
433 | init_special_inode(inode, S_IFCHR | 0600, |
434 | MKDEV(MAJOR(binderfs_dev), minor)); |
435 | inode->i_fop = &binder_ctl_fops; |
436 | inode->i_uid = info->root_uid; |
437 | inode->i_gid = info->root_gid; |
438 | |
439 | device->binderfs_inode = inode; |
440 | device->miscdev.minor = minor; |
441 | |
442 | dentry = d_alloc_name(root, "binder-control" ); |
443 | if (!dentry) |
444 | goto out; |
445 | |
446 | inode->i_private = device; |
447 | info->control_dentry = dentry; |
448 | d_add(dentry, inode); |
449 | |
450 | return 0; |
451 | |
452 | out: |
453 | kfree(device); |
454 | iput(inode); |
455 | |
456 | return ret; |
457 | } |
458 | |
459 | static const struct inode_operations binderfs_dir_inode_operations = { |
460 | .lookup = simple_lookup, |
461 | .rename = binderfs_rename, |
462 | .unlink = binderfs_unlink, |
463 | }; |
464 | |
465 | static int binderfs_fill_super(struct super_block *sb, void *data, int silent) |
466 | { |
467 | int ret; |
468 | struct binderfs_info *info; |
469 | struct inode *inode = NULL; |
470 | |
471 | sb->s_blocksize = PAGE_SIZE; |
472 | sb->s_blocksize_bits = PAGE_SHIFT; |
473 | |
474 | /* |
475 | * The binderfs filesystem can be mounted by userns root in a |
476 | * non-initial userns. By default such mounts have the SB_I_NODEV flag |
477 | * set in s_iflags to prevent security issues where userns root can |
478 | * just create random device nodes via mknod() since it owns the |
479 | * filesystem mount. But binderfs does not allow to create any files |
480 | * including devices nodes. The only way to create binder devices nodes |
481 | * is through the binder-control device which userns root is explicitly |
482 | * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both |
483 | * necessary and safe. |
484 | */ |
485 | sb->s_iflags &= ~SB_I_NODEV; |
486 | sb->s_iflags |= SB_I_NOEXEC; |
487 | sb->s_magic = BINDERFS_SUPER_MAGIC; |
488 | sb->s_op = &binderfs_super_ops; |
489 | sb->s_time_gran = 1; |
490 | |
491 | sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL); |
492 | if (!sb->s_fs_info) |
493 | return -ENOMEM; |
494 | info = sb->s_fs_info; |
495 | |
496 | info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns); |
497 | |
498 | ret = binderfs_parse_mount_opts(data, &info->mount_opts); |
499 | if (ret) |
500 | return ret; |
501 | |
502 | info->root_gid = make_kgid(sb->s_user_ns, 0); |
503 | if (!gid_valid(info->root_gid)) |
504 | info->root_gid = GLOBAL_ROOT_GID; |
505 | info->root_uid = make_kuid(sb->s_user_ns, 0); |
506 | if (!uid_valid(info->root_uid)) |
507 | info->root_uid = GLOBAL_ROOT_UID; |
508 | |
509 | inode = new_inode(sb); |
510 | if (!inode) |
511 | return -ENOMEM; |
512 | |
513 | inode->i_ino = FIRST_INODE; |
514 | inode->i_fop = &simple_dir_operations; |
515 | inode->i_mode = S_IFDIR | 0755; |
516 | inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); |
517 | inode->i_op = &binderfs_dir_inode_operations; |
518 | set_nlink(inode, 2); |
519 | |
520 | sb->s_root = d_make_root(inode); |
521 | if (!sb->s_root) |
522 | return -ENOMEM; |
523 | |
524 | return binderfs_binder_ctl_create(sb); |
525 | } |
526 | |
527 | static struct dentry *binderfs_mount(struct file_system_type *fs_type, |
528 | int flags, const char *dev_name, |
529 | void *data) |
530 | { |
531 | return mount_nodev(fs_type, flags, data, binderfs_fill_super); |
532 | } |
533 | |
534 | static void binderfs_kill_super(struct super_block *sb) |
535 | { |
536 | struct binderfs_info *info = sb->s_fs_info; |
537 | |
538 | kill_litter_super(sb); |
539 | |
540 | if (info && info->ipc_ns) |
541 | put_ipc_ns(info->ipc_ns); |
542 | |
543 | kfree(info); |
544 | } |
545 | |
546 | static struct file_system_type binder_fs_type = { |
547 | .name = "binder" , |
548 | .mount = binderfs_mount, |
549 | .kill_sb = binderfs_kill_super, |
550 | .fs_flags = FS_USERNS_MOUNT, |
551 | }; |
552 | |
553 | int __init init_binderfs(void) |
554 | { |
555 | int ret; |
556 | |
557 | /* Allocate new major number for binderfs. */ |
558 | ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, |
559 | "binder" ); |
560 | if (ret) |
561 | return ret; |
562 | |
563 | ret = register_filesystem(&binder_fs_type); |
564 | if (ret) { |
565 | unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); |
566 | return ret; |
567 | } |
568 | |
569 | return ret; |
570 | } |
571 | |