1 | // SPDX-License-Identifier: GPL-2.0 |
2 | |
3 | #include <linux/compiler_types.h> |
4 | #include <linux/errno.h> |
5 | #include <linux/fs.h> |
6 | #include <linux/fsnotify.h> |
7 | #include <linux/gfp.h> |
8 | #include <linux/idr.h> |
9 | #include <linux/init.h> |
10 | #include <linux/ipc_namespace.h> |
11 | #include <linux/kdev_t.h> |
12 | #include <linux/kernel.h> |
13 | #include <linux/list.h> |
14 | #include <linux/namei.h> |
15 | #include <linux/magic.h> |
16 | #include <linux/major.h> |
17 | #include <linux/miscdevice.h> |
18 | #include <linux/module.h> |
19 | #include <linux/mutex.h> |
20 | #include <linux/mount.h> |
21 | #include <linux/fs_parser.h> |
22 | #include <linux/sched.h> |
23 | #include <linux/seq_file.h> |
24 | #include <linux/slab.h> |
25 | #include <linux/spinlock_types.h> |
26 | #include <linux/stddef.h> |
27 | #include <linux/string.h> |
28 | #include <linux/types.h> |
29 | #include <linux/uaccess.h> |
30 | #include <linux/user_namespace.h> |
31 | #include <linux/xarray.h> |
32 | #include <uapi/asm-generic/errno-base.h> |
33 | #include <uapi/linux/android/binder.h> |
34 | #include <uapi/linux/android/binderfs.h> |
35 | |
36 | #include "binder_internal.h" |
37 | |
38 | #define FIRST_INODE 1 |
39 | #define SECOND_INODE 2 |
40 | #define INODE_OFFSET 3 |
41 | #define BINDERFS_MAX_MINOR (1U << MINORBITS) |
42 | /* Ensure that the initial ipc namespace always has devices available. */ |
43 | #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4) |
44 | |
45 | static dev_t binderfs_dev; |
46 | static DEFINE_MUTEX(binderfs_minors_mutex); |
47 | static DEFINE_IDA(binderfs_minors); |
48 | |
49 | enum binderfs_param { |
50 | Opt_max, |
51 | Opt_stats_mode, |
52 | }; |
53 | |
54 | enum binderfs_stats_mode { |
55 | binderfs_stats_mode_unset, |
56 | binderfs_stats_mode_global, |
57 | }; |
58 | |
59 | struct binder_features { |
60 | bool oneway_spam_detection; |
61 | bool extended_error; |
62 | }; |
63 | |
64 | static const struct constant_table binderfs_param_stats[] = { |
65 | { "global" , binderfs_stats_mode_global }, |
66 | {} |
67 | }; |
68 | |
69 | static const struct fs_parameter_spec binderfs_fs_parameters[] = { |
70 | fsparam_u32("max" , Opt_max), |
71 | fsparam_enum("stats" , Opt_stats_mode, binderfs_param_stats), |
72 | {} |
73 | }; |
74 | |
75 | static struct binder_features binder_features = { |
76 | .oneway_spam_detection = true, |
77 | .extended_error = true, |
78 | }; |
79 | |
80 | static inline struct binderfs_info *BINDERFS_SB(const struct super_block *sb) |
81 | { |
82 | return sb->s_fs_info; |
83 | } |
84 | |
85 | bool is_binderfs_device(const struct inode *inode) |
86 | { |
87 | if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) |
88 | return true; |
89 | |
90 | return false; |
91 | } |
92 | |
93 | /** |
94 | * binderfs_binder_device_create - allocate inode from super block of a |
95 | * binderfs mount |
96 | * @ref_inode: inode from which the super block will be taken |
97 | * @userp: buffer to copy information about new device for userspace to |
98 | * @req: struct binderfs_device as copied from userspace |
99 | * |
100 | * This function allocates a new binder_device and reserves a new minor |
101 | * number for it. |
102 | * Minor numbers are limited and tracked globally in binderfs_minors. The |
103 | * function will stash a struct binder_device for the specific binder |
104 | * device in i_private of the inode. |
105 | * It will go on to allocate a new inode from the super block of the |
106 | * filesystem mount, stash a struct binder_device in its i_private field |
107 | * and attach a dentry to that inode. |
108 | * |
109 | * Return: 0 on success, negative errno on failure |
110 | */ |
111 | static int binderfs_binder_device_create(struct inode *ref_inode, |
112 | struct binderfs_device __user *userp, |
113 | struct binderfs_device *req) |
114 | { |
115 | int minor, ret; |
116 | struct dentry *dentry, *root; |
117 | struct binder_device *device; |
118 | char *name = NULL; |
119 | size_t name_len; |
120 | struct inode *inode = NULL; |
121 | struct super_block *sb = ref_inode->i_sb; |
122 | struct binderfs_info *info = sb->s_fs_info; |
123 | #if defined(CONFIG_IPC_NS) |
124 | bool use_reserve = (info->ipc_ns == &init_ipc_ns); |
125 | #else |
126 | bool use_reserve = true; |
127 | #endif |
128 | |
129 | /* Reserve new minor number for the new device. */ |
130 | mutex_lock(&binderfs_minors_mutex); |
131 | if (++info->device_count <= info->mount_opts.max) |
132 | minor = ida_alloc_max(ida: &binderfs_minors, |
133 | max: use_reserve ? BINDERFS_MAX_MINOR : |
134 | BINDERFS_MAX_MINOR_CAPPED, |
135 | GFP_KERNEL); |
136 | else |
137 | minor = -ENOSPC; |
138 | if (minor < 0) { |
139 | --info->device_count; |
140 | mutex_unlock(lock: &binderfs_minors_mutex); |
141 | return minor; |
142 | } |
143 | mutex_unlock(lock: &binderfs_minors_mutex); |
144 | |
145 | ret = -ENOMEM; |
146 | device = kzalloc(size: sizeof(*device), GFP_KERNEL); |
147 | if (!device) |
148 | goto err; |
149 | |
150 | inode = new_inode(sb); |
151 | if (!inode) |
152 | goto err; |
153 | |
154 | inode->i_ino = minor + INODE_OFFSET; |
155 | simple_inode_init_ts(inode); |
156 | init_special_inode(inode, S_IFCHR | 0600, |
157 | MKDEV(MAJOR(binderfs_dev), minor)); |
158 | inode->i_fop = &binder_fops; |
159 | inode->i_uid = info->root_uid; |
160 | inode->i_gid = info->root_gid; |
161 | |
162 | req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */ |
163 | name_len = strlen(req->name); |
164 | /* Make sure to include terminating NUL byte */ |
165 | name = kmemdup(p: req->name, size: name_len + 1, GFP_KERNEL); |
166 | if (!name) |
167 | goto err; |
168 | |
169 | refcount_set(r: &device->ref, n: 1); |
170 | device->binderfs_inode = inode; |
171 | device->context.binder_context_mgr_uid = INVALID_UID; |
172 | device->context.name = name; |
173 | device->miscdev.name = name; |
174 | device->miscdev.minor = minor; |
175 | mutex_init(&device->context.context_mgr_node_lock); |
176 | |
177 | req->major = MAJOR(binderfs_dev); |
178 | req->minor = minor; |
179 | |
180 | if (userp && copy_to_user(to: userp, from: req, n: sizeof(*req))) { |
181 | ret = -EFAULT; |
182 | goto err; |
183 | } |
184 | |
185 | root = sb->s_root; |
186 | inode_lock(inode: d_inode(dentry: root)); |
187 | |
188 | /* look it up */ |
189 | dentry = lookup_one_len(name, root, name_len); |
190 | if (IS_ERR(ptr: dentry)) { |
191 | inode_unlock(inode: d_inode(dentry: root)); |
192 | ret = PTR_ERR(ptr: dentry); |
193 | goto err; |
194 | } |
195 | |
196 | if (d_really_is_positive(dentry)) { |
197 | /* already exists */ |
198 | dput(dentry); |
199 | inode_unlock(inode: d_inode(dentry: root)); |
200 | ret = -EEXIST; |
201 | goto err; |
202 | } |
203 | |
204 | inode->i_private = device; |
205 | d_instantiate(dentry, inode); |
206 | fsnotify_create(dir: root->d_inode, dentry); |
207 | inode_unlock(inode: d_inode(dentry: root)); |
208 | |
209 | return 0; |
210 | |
211 | err: |
212 | kfree(objp: name); |
213 | kfree(objp: device); |
214 | mutex_lock(&binderfs_minors_mutex); |
215 | --info->device_count; |
216 | ida_free(&binderfs_minors, id: minor); |
217 | mutex_unlock(lock: &binderfs_minors_mutex); |
218 | iput(inode); |
219 | |
220 | return ret; |
221 | } |
222 | |
223 | /** |
224 | * binder_ctl_ioctl - handle binder device node allocation requests |
225 | * |
226 | * The request handler for the binder-control device. All requests operate on |
227 | * the binderfs mount the binder-control device resides in: |
228 | * - BINDER_CTL_ADD |
229 | * Allocate a new binder device. |
230 | * |
231 | * Return: %0 on success, negative errno on failure. |
232 | */ |
233 | static long binder_ctl_ioctl(struct file *file, unsigned int cmd, |
234 | unsigned long arg) |
235 | { |
236 | int ret = -EINVAL; |
237 | struct inode *inode = file_inode(f: file); |
238 | struct binderfs_device __user *device = (struct binderfs_device __user *)arg; |
239 | struct binderfs_device device_req; |
240 | |
241 | switch (cmd) { |
242 | case BINDER_CTL_ADD: |
243 | ret = copy_from_user(to: &device_req, from: device, n: sizeof(device_req)); |
244 | if (ret) { |
245 | ret = -EFAULT; |
246 | break; |
247 | } |
248 | |
249 | ret = binderfs_binder_device_create(ref_inode: inode, userp: device, req: &device_req); |
250 | break; |
251 | default: |
252 | break; |
253 | } |
254 | |
255 | return ret; |
256 | } |
257 | |
258 | static void binderfs_evict_inode(struct inode *inode) |
259 | { |
260 | struct binder_device *device = inode->i_private; |
261 | struct binderfs_info *info = BINDERFS_SB(sb: inode->i_sb); |
262 | |
263 | clear_inode(inode); |
264 | |
265 | if (!S_ISCHR(inode->i_mode) || !device) |
266 | return; |
267 | |
268 | mutex_lock(&binderfs_minors_mutex); |
269 | --info->device_count; |
270 | ida_free(&binderfs_minors, id: device->miscdev.minor); |
271 | mutex_unlock(lock: &binderfs_minors_mutex); |
272 | |
273 | if (refcount_dec_and_test(r: &device->ref)) { |
274 | kfree(objp: device->context.name); |
275 | kfree(objp: device); |
276 | } |
277 | } |
278 | |
279 | static int binderfs_fs_context_parse_param(struct fs_context *fc, |
280 | struct fs_parameter *param) |
281 | { |
282 | int opt; |
283 | struct binderfs_mount_opts *ctx = fc->fs_private; |
284 | struct fs_parse_result result; |
285 | |
286 | opt = fs_parse(fc, desc: binderfs_fs_parameters, param, result: &result); |
287 | if (opt < 0) |
288 | return opt; |
289 | |
290 | switch (opt) { |
291 | case Opt_max: |
292 | if (result.uint_32 > BINDERFS_MAX_MINOR) |
293 | return invalfc(fc, "Bad value for '%s'" , param->key); |
294 | |
295 | ctx->max = result.uint_32; |
296 | break; |
297 | case Opt_stats_mode: |
298 | if (!capable(CAP_SYS_ADMIN)) |
299 | return -EPERM; |
300 | |
301 | ctx->stats_mode = result.uint_32; |
302 | break; |
303 | default: |
304 | return invalfc(fc, "Unsupported parameter '%s'" , param->key); |
305 | } |
306 | |
307 | return 0; |
308 | } |
309 | |
310 | static int binderfs_fs_context_reconfigure(struct fs_context *fc) |
311 | { |
312 | struct binderfs_mount_opts *ctx = fc->fs_private; |
313 | struct binderfs_info *info = BINDERFS_SB(sb: fc->root->d_sb); |
314 | |
315 | if (info->mount_opts.stats_mode != ctx->stats_mode) |
316 | return invalfc(fc, "Binderfs stats mode cannot be changed during a remount" ); |
317 | |
318 | info->mount_opts.stats_mode = ctx->stats_mode; |
319 | info->mount_opts.max = ctx->max; |
320 | return 0; |
321 | } |
322 | |
323 | static int binderfs_show_options(struct seq_file *seq, struct dentry *root) |
324 | { |
325 | struct binderfs_info *info = BINDERFS_SB(sb: root->d_sb); |
326 | |
327 | if (info->mount_opts.max <= BINDERFS_MAX_MINOR) |
328 | seq_printf(m: seq, fmt: ",max=%d" , info->mount_opts.max); |
329 | |
330 | switch (info->mount_opts.stats_mode) { |
331 | case binderfs_stats_mode_unset: |
332 | break; |
333 | case binderfs_stats_mode_global: |
334 | seq_printf(m: seq, fmt: ",stats=global" ); |
335 | break; |
336 | } |
337 | |
338 | return 0; |
339 | } |
340 | |
341 | static const struct super_operations binderfs_super_ops = { |
342 | .evict_inode = binderfs_evict_inode, |
343 | .show_options = binderfs_show_options, |
344 | .statfs = simple_statfs, |
345 | }; |
346 | |
347 | static inline bool is_binderfs_control_device(const struct dentry *dentry) |
348 | { |
349 | struct binderfs_info *info = dentry->d_sb->s_fs_info; |
350 | |
351 | return info->control_dentry == dentry; |
352 | } |
353 | |
354 | static int binderfs_rename(struct mnt_idmap *idmap, |
355 | struct inode *old_dir, struct dentry *old_dentry, |
356 | struct inode *new_dir, struct dentry *new_dentry, |
357 | unsigned int flags) |
358 | { |
359 | if (is_binderfs_control_device(dentry: old_dentry) || |
360 | is_binderfs_control_device(dentry: new_dentry)) |
361 | return -EPERM; |
362 | |
363 | return simple_rename(idmap, old_dir, old_dentry, new_dir, |
364 | new_dentry, flags); |
365 | } |
366 | |
367 | static int binderfs_unlink(struct inode *dir, struct dentry *dentry) |
368 | { |
369 | if (is_binderfs_control_device(dentry)) |
370 | return -EPERM; |
371 | |
372 | return simple_unlink(dir, dentry); |
373 | } |
374 | |
375 | static const struct file_operations binder_ctl_fops = { |
376 | .owner = THIS_MODULE, |
377 | .open = nonseekable_open, |
378 | .unlocked_ioctl = binder_ctl_ioctl, |
379 | .compat_ioctl = binder_ctl_ioctl, |
380 | .llseek = noop_llseek, |
381 | }; |
382 | |
383 | /** |
384 | * binderfs_binder_ctl_create - create a new binder-control device |
385 | * @sb: super block of the binderfs mount |
386 | * |
387 | * This function creates a new binder-control device node in the binderfs mount |
388 | * referred to by @sb. |
389 | * |
390 | * Return: 0 on success, negative errno on failure |
391 | */ |
392 | static int binderfs_binder_ctl_create(struct super_block *sb) |
393 | { |
394 | int minor, ret; |
395 | struct dentry *dentry; |
396 | struct binder_device *device; |
397 | struct inode *inode = NULL; |
398 | struct dentry *root = sb->s_root; |
399 | struct binderfs_info *info = sb->s_fs_info; |
400 | #if defined(CONFIG_IPC_NS) |
401 | bool use_reserve = (info->ipc_ns == &init_ipc_ns); |
402 | #else |
403 | bool use_reserve = true; |
404 | #endif |
405 | |
406 | device = kzalloc(size: sizeof(*device), GFP_KERNEL); |
407 | if (!device) |
408 | return -ENOMEM; |
409 | |
410 | /* If we have already created a binder-control node, return. */ |
411 | if (info->control_dentry) { |
412 | ret = 0; |
413 | goto out; |
414 | } |
415 | |
416 | ret = -ENOMEM; |
417 | inode = new_inode(sb); |
418 | if (!inode) |
419 | goto out; |
420 | |
421 | /* Reserve a new minor number for the new device. */ |
422 | mutex_lock(&binderfs_minors_mutex); |
423 | minor = ida_alloc_max(ida: &binderfs_minors, |
424 | max: use_reserve ? BINDERFS_MAX_MINOR : |
425 | BINDERFS_MAX_MINOR_CAPPED, |
426 | GFP_KERNEL); |
427 | mutex_unlock(lock: &binderfs_minors_mutex); |
428 | if (minor < 0) { |
429 | ret = minor; |
430 | goto out; |
431 | } |
432 | |
433 | inode->i_ino = SECOND_INODE; |
434 | simple_inode_init_ts(inode); |
435 | init_special_inode(inode, S_IFCHR | 0600, |
436 | MKDEV(MAJOR(binderfs_dev), minor)); |
437 | inode->i_fop = &binder_ctl_fops; |
438 | inode->i_uid = info->root_uid; |
439 | inode->i_gid = info->root_gid; |
440 | |
441 | refcount_set(r: &device->ref, n: 1); |
442 | device->binderfs_inode = inode; |
443 | device->miscdev.minor = minor; |
444 | |
445 | dentry = d_alloc_name(root, "binder-control" ); |
446 | if (!dentry) |
447 | goto out; |
448 | |
449 | inode->i_private = device; |
450 | info->control_dentry = dentry; |
451 | d_add(dentry, inode); |
452 | |
453 | return 0; |
454 | |
455 | out: |
456 | kfree(objp: device); |
457 | iput(inode); |
458 | |
459 | return ret; |
460 | } |
461 | |
462 | static const struct inode_operations binderfs_dir_inode_operations = { |
463 | .lookup = simple_lookup, |
464 | .rename = binderfs_rename, |
465 | .unlink = binderfs_unlink, |
466 | }; |
467 | |
468 | static struct inode *binderfs_make_inode(struct super_block *sb, int mode) |
469 | { |
470 | struct inode *ret; |
471 | |
472 | ret = new_inode(sb); |
473 | if (ret) { |
474 | ret->i_ino = iunique(sb, BINDERFS_MAX_MINOR + INODE_OFFSET); |
475 | ret->i_mode = mode; |
476 | simple_inode_init_ts(inode: ret); |
477 | } |
478 | return ret; |
479 | } |
480 | |
481 | static struct dentry *binderfs_create_dentry(struct dentry *parent, |
482 | const char *name) |
483 | { |
484 | struct dentry *dentry; |
485 | |
486 | dentry = lookup_one_len(name, parent, strlen(name)); |
487 | if (IS_ERR(ptr: dentry)) |
488 | return dentry; |
489 | |
490 | /* Return error if the file/dir already exists. */ |
491 | if (d_really_is_positive(dentry)) { |
492 | dput(dentry); |
493 | return ERR_PTR(error: -EEXIST); |
494 | } |
495 | |
496 | return dentry; |
497 | } |
498 | |
499 | void binderfs_remove_file(struct dentry *dentry) |
500 | { |
501 | struct inode *parent_inode; |
502 | |
503 | parent_inode = d_inode(dentry: dentry->d_parent); |
504 | inode_lock(inode: parent_inode); |
505 | if (simple_positive(dentry)) { |
506 | dget(dentry); |
507 | simple_unlink(parent_inode, dentry); |
508 | d_delete(dentry); |
509 | dput(dentry); |
510 | } |
511 | inode_unlock(inode: parent_inode); |
512 | } |
513 | |
514 | struct dentry *binderfs_create_file(struct dentry *parent, const char *name, |
515 | const struct file_operations *fops, |
516 | void *data) |
517 | { |
518 | struct dentry *dentry; |
519 | struct inode *new_inode, *parent_inode; |
520 | struct super_block *sb; |
521 | |
522 | parent_inode = d_inode(dentry: parent); |
523 | inode_lock(inode: parent_inode); |
524 | |
525 | dentry = binderfs_create_dentry(parent, name); |
526 | if (IS_ERR(ptr: dentry)) |
527 | goto out; |
528 | |
529 | sb = parent_inode->i_sb; |
530 | new_inode = binderfs_make_inode(sb, S_IFREG | 0444); |
531 | if (!new_inode) { |
532 | dput(dentry); |
533 | dentry = ERR_PTR(error: -ENOMEM); |
534 | goto out; |
535 | } |
536 | |
537 | new_inode->i_fop = fops; |
538 | new_inode->i_private = data; |
539 | d_instantiate(dentry, new_inode); |
540 | fsnotify_create(dir: parent_inode, dentry); |
541 | |
542 | out: |
543 | inode_unlock(inode: parent_inode); |
544 | return dentry; |
545 | } |
546 | |
547 | static struct dentry *binderfs_create_dir(struct dentry *parent, |
548 | const char *name) |
549 | { |
550 | struct dentry *dentry; |
551 | struct inode *new_inode, *parent_inode; |
552 | struct super_block *sb; |
553 | |
554 | parent_inode = d_inode(dentry: parent); |
555 | inode_lock(inode: parent_inode); |
556 | |
557 | dentry = binderfs_create_dentry(parent, name); |
558 | if (IS_ERR(ptr: dentry)) |
559 | goto out; |
560 | |
561 | sb = parent_inode->i_sb; |
562 | new_inode = binderfs_make_inode(sb, S_IFDIR | 0755); |
563 | if (!new_inode) { |
564 | dput(dentry); |
565 | dentry = ERR_PTR(error: -ENOMEM); |
566 | goto out; |
567 | } |
568 | |
569 | new_inode->i_fop = &simple_dir_operations; |
570 | new_inode->i_op = &simple_dir_inode_operations; |
571 | |
572 | set_nlink(inode: new_inode, nlink: 2); |
573 | d_instantiate(dentry, new_inode); |
574 | inc_nlink(inode: parent_inode); |
575 | fsnotify_mkdir(dir: parent_inode, dentry); |
576 | |
577 | out: |
578 | inode_unlock(inode: parent_inode); |
579 | return dentry; |
580 | } |
581 | |
582 | static int binder_features_show(struct seq_file *m, void *unused) |
583 | { |
584 | bool *feature = m->private; |
585 | |
586 | seq_printf(m, fmt: "%d\n" , *feature); |
587 | |
588 | return 0; |
589 | } |
590 | DEFINE_SHOW_ATTRIBUTE(binder_features); |
591 | |
592 | static int init_binder_features(struct super_block *sb) |
593 | { |
594 | struct dentry *dentry, *dir; |
595 | |
596 | dir = binderfs_create_dir(parent: sb->s_root, name: "features" ); |
597 | if (IS_ERR(ptr: dir)) |
598 | return PTR_ERR(ptr: dir); |
599 | |
600 | dentry = binderfs_create_file(parent: dir, name: "oneway_spam_detection" , |
601 | fops: &binder_features_fops, |
602 | data: &binder_features.oneway_spam_detection); |
603 | if (IS_ERR(ptr: dentry)) |
604 | return PTR_ERR(ptr: dentry); |
605 | |
606 | dentry = binderfs_create_file(parent: dir, name: "extended_error" , |
607 | fops: &binder_features_fops, |
608 | data: &binder_features.extended_error); |
609 | if (IS_ERR(ptr: dentry)) |
610 | return PTR_ERR(ptr: dentry); |
611 | |
612 | return 0; |
613 | } |
614 | |
615 | static int init_binder_logs(struct super_block *sb) |
616 | { |
617 | struct dentry *binder_logs_root_dir, *dentry, *proc_log_dir; |
618 | const struct binder_debugfs_entry *db_entry; |
619 | struct binderfs_info *info; |
620 | int ret = 0; |
621 | |
622 | binder_logs_root_dir = binderfs_create_dir(parent: sb->s_root, |
623 | name: "binder_logs" ); |
624 | if (IS_ERR(ptr: binder_logs_root_dir)) { |
625 | ret = PTR_ERR(ptr: binder_logs_root_dir); |
626 | goto out; |
627 | } |
628 | |
629 | binder_for_each_debugfs_entry(db_entry) { |
630 | dentry = binderfs_create_file(parent: binder_logs_root_dir, |
631 | name: db_entry->name, |
632 | fops: db_entry->fops, |
633 | data: db_entry->data); |
634 | if (IS_ERR(ptr: dentry)) { |
635 | ret = PTR_ERR(ptr: dentry); |
636 | goto out; |
637 | } |
638 | } |
639 | |
640 | proc_log_dir = binderfs_create_dir(parent: binder_logs_root_dir, name: "proc" ); |
641 | if (IS_ERR(ptr: proc_log_dir)) { |
642 | ret = PTR_ERR(ptr: proc_log_dir); |
643 | goto out; |
644 | } |
645 | info = sb->s_fs_info; |
646 | info->proc_log_dir = proc_log_dir; |
647 | |
648 | out: |
649 | return ret; |
650 | } |
651 | |
652 | static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc) |
653 | { |
654 | int ret; |
655 | struct binderfs_info *info; |
656 | struct binderfs_mount_opts *ctx = fc->fs_private; |
657 | struct inode *inode = NULL; |
658 | struct binderfs_device device_info = {}; |
659 | const char *name; |
660 | size_t len; |
661 | |
662 | sb->s_blocksize = PAGE_SIZE; |
663 | sb->s_blocksize_bits = PAGE_SHIFT; |
664 | |
665 | /* |
666 | * The binderfs filesystem can be mounted by userns root in a |
667 | * non-initial userns. By default such mounts have the SB_I_NODEV flag |
668 | * set in s_iflags to prevent security issues where userns root can |
669 | * just create random device nodes via mknod() since it owns the |
670 | * filesystem mount. But binderfs does not allow to create any files |
671 | * including devices nodes. The only way to create binder devices nodes |
672 | * is through the binder-control device which userns root is explicitly |
673 | * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both |
674 | * necessary and safe. |
675 | */ |
676 | sb->s_iflags &= ~SB_I_NODEV; |
677 | sb->s_iflags |= SB_I_NOEXEC; |
678 | sb->s_magic = BINDERFS_SUPER_MAGIC; |
679 | sb->s_op = &binderfs_super_ops; |
680 | sb->s_time_gran = 1; |
681 | |
682 | sb->s_fs_info = kzalloc(size: sizeof(struct binderfs_info), GFP_KERNEL); |
683 | if (!sb->s_fs_info) |
684 | return -ENOMEM; |
685 | info = sb->s_fs_info; |
686 | |
687 | info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns); |
688 | |
689 | info->root_gid = make_kgid(from: sb->s_user_ns, gid: 0); |
690 | if (!gid_valid(gid: info->root_gid)) |
691 | info->root_gid = GLOBAL_ROOT_GID; |
692 | info->root_uid = make_kuid(sb->s_user_ns, 0); |
693 | if (!uid_valid(info->root_uid)) |
694 | info->root_uid = GLOBAL_ROOT_UID; |
695 | info->mount_opts.max = ctx->max; |
696 | info->mount_opts.stats_mode = ctx->stats_mode; |
697 | |
698 | inode = new_inode(sb); |
699 | if (!inode) |
700 | return -ENOMEM; |
701 | |
702 | inode->i_ino = FIRST_INODE; |
703 | inode->i_fop = &simple_dir_operations; |
704 | inode->i_mode = S_IFDIR | 0755; |
705 | simple_inode_init_ts(inode); |
706 | inode->i_op = &binderfs_dir_inode_operations; |
707 | set_nlink(inode, 2); |
708 | |
709 | sb->s_root = d_make_root(inode); |
710 | if (!sb->s_root) |
711 | return -ENOMEM; |
712 | |
713 | ret = binderfs_binder_ctl_create(sb); |
714 | if (ret) |
715 | return ret; |
716 | |
717 | name = binder_devices_param; |
718 | for (len = strcspn(name, "," ); len > 0; len = strcspn(name, "," )) { |
719 | strscpy(device_info.name, name, len + 1); |
720 | ret = binderfs_binder_device_create(inode, NULL, &device_info); |
721 | if (ret) |
722 | return ret; |
723 | name += len; |
724 | if (*name == ',') |
725 | name++; |
726 | } |
727 | |
728 | ret = init_binder_features(sb); |
729 | if (ret) |
730 | return ret; |
731 | |
732 | if (info->mount_opts.stats_mode == binderfs_stats_mode_global) |
733 | return init_binder_logs(sb); |
734 | |
735 | return 0; |
736 | } |
737 | |
738 | static int binderfs_fs_context_get_tree(struct fs_context *fc) |
739 | { |
740 | return get_tree_nodev(fc, fill_super: binderfs_fill_super); |
741 | } |
742 | |
743 | static void binderfs_fs_context_free(struct fs_context *fc) |
744 | { |
745 | struct binderfs_mount_opts *ctx = fc->fs_private; |
746 | |
747 | kfree(objp: ctx); |
748 | } |
749 | |
750 | static const struct fs_context_operations binderfs_fs_context_ops = { |
751 | .free = binderfs_fs_context_free, |
752 | .get_tree = binderfs_fs_context_get_tree, |
753 | .parse_param = binderfs_fs_context_parse_param, |
754 | .reconfigure = binderfs_fs_context_reconfigure, |
755 | }; |
756 | |
757 | static int binderfs_init_fs_context(struct fs_context *fc) |
758 | { |
759 | struct binderfs_mount_opts *ctx; |
760 | |
761 | ctx = kzalloc(size: sizeof(struct binderfs_mount_opts), GFP_KERNEL); |
762 | if (!ctx) |
763 | return -ENOMEM; |
764 | |
765 | ctx->max = BINDERFS_MAX_MINOR; |
766 | ctx->stats_mode = binderfs_stats_mode_unset; |
767 | |
768 | fc->fs_private = ctx; |
769 | fc->ops = &binderfs_fs_context_ops; |
770 | |
771 | return 0; |
772 | } |
773 | |
774 | static void binderfs_kill_super(struct super_block *sb) |
775 | { |
776 | struct binderfs_info *info = sb->s_fs_info; |
777 | |
778 | /* |
779 | * During inode eviction struct binderfs_info is needed. |
780 | * So first wipe the super_block then free struct binderfs_info. |
781 | */ |
782 | kill_litter_super(sb); |
783 | |
784 | if (info && info->ipc_ns) |
785 | put_ipc_ns(ns: info->ipc_ns); |
786 | |
787 | kfree(objp: info); |
788 | } |
789 | |
790 | static struct file_system_type binder_fs_type = { |
791 | .name = "binder" , |
792 | .init_fs_context = binderfs_init_fs_context, |
793 | .parameters = binderfs_fs_parameters, |
794 | .kill_sb = binderfs_kill_super, |
795 | .fs_flags = FS_USERNS_MOUNT, |
796 | }; |
797 | |
798 | int __init init_binderfs(void) |
799 | { |
800 | int ret; |
801 | const char *name; |
802 | size_t len; |
803 | |
804 | /* Verify that the default binderfs device names are valid. */ |
805 | name = binder_devices_param; |
806 | for (len = strcspn(name, "," ); len > 0; len = strcspn(name, "," )) { |
807 | if (len > BINDERFS_MAX_NAME) |
808 | return -E2BIG; |
809 | name += len; |
810 | if (*name == ',') |
811 | name++; |
812 | } |
813 | |
814 | /* Allocate new major number for binderfs. */ |
815 | ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, |
816 | "binder" ); |
817 | if (ret) |
818 | return ret; |
819 | |
820 | ret = register_filesystem(&binder_fs_type); |
821 | if (ret) { |
822 | unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); |
823 | return ret; |
824 | } |
825 | |
826 | return ret; |
827 | } |
828 | |