1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* -*- linux-c -*- --------------------------------------------------------- * |
3 | * |
4 | * linux/fs/devpts/inode.c |
5 | * |
6 | * Copyright 1998-2004 H. Peter Anvin -- All Rights Reserved |
7 | * |
8 | * ------------------------------------------------------------------------- */ |
9 | |
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
11 | |
12 | #include <linux/module.h> |
13 | #include <linux/init.h> |
14 | #include <linux/fs.h> |
15 | #include <linux/sched.h> |
16 | #include <linux/namei.h> |
17 | #include <linux/slab.h> |
18 | #include <linux/mount.h> |
19 | #include <linux/tty.h> |
20 | #include <linux/mutex.h> |
21 | #include <linux/magic.h> |
22 | #include <linux/idr.h> |
23 | #include <linux/devpts_fs.h> |
24 | #include <linux/parser.h> |
25 | #include <linux/fsnotify.h> |
26 | #include <linux/seq_file.h> |
27 | |
28 | #define DEVPTS_DEFAULT_MODE 0600 |
29 | /* |
30 | * ptmx is a new node in /dev/pts and will be unused in legacy (single- |
31 | * instance) mode. To prevent surprises in user space, set permissions of |
32 | * ptmx to 0. Use 'chmod' or remount with '-o ptmxmode' to set meaningful |
33 | * permissions. |
34 | */ |
35 | #define DEVPTS_DEFAULT_PTMX_MODE 0000 |
36 | #define PTMX_MINOR 2 |
37 | |
38 | /* |
39 | * sysctl support for setting limits on the number of Unix98 ptys allocated. |
40 | * Otherwise one can eat up all kernel memory by opening /dev/ptmx repeatedly. |
41 | */ |
42 | static int pty_limit = NR_UNIX98_PTY_DEFAULT; |
43 | static int pty_reserve = NR_UNIX98_PTY_RESERVE; |
44 | static int pty_limit_min; |
45 | static int pty_limit_max = INT_MAX; |
46 | static atomic_t pty_count = ATOMIC_INIT(0); |
47 | |
48 | static struct ctl_table pty_table[] = { |
49 | { |
50 | .procname = "max" , |
51 | .maxlen = sizeof(int), |
52 | .mode = 0644, |
53 | .data = &pty_limit, |
54 | .proc_handler = proc_dointvec_minmax, |
55 | .extra1 = &pty_limit_min, |
56 | .extra2 = &pty_limit_max, |
57 | }, { |
58 | .procname = "reserve" , |
59 | .maxlen = sizeof(int), |
60 | .mode = 0644, |
61 | .data = &pty_reserve, |
62 | .proc_handler = proc_dointvec_minmax, |
63 | .extra1 = &pty_limit_min, |
64 | .extra2 = &pty_limit_max, |
65 | }, { |
66 | .procname = "nr" , |
67 | .maxlen = sizeof(int), |
68 | .mode = 0444, |
69 | .data = &pty_count, |
70 | .proc_handler = proc_dointvec, |
71 | }, |
72 | {} |
73 | }; |
74 | |
75 | struct pts_mount_opts { |
76 | int setuid; |
77 | int setgid; |
78 | kuid_t uid; |
79 | kgid_t gid; |
80 | umode_t mode; |
81 | umode_t ptmxmode; |
82 | int reserve; |
83 | int max; |
84 | }; |
85 | |
86 | enum { |
87 | Opt_uid, Opt_gid, Opt_mode, Opt_ptmxmode, Opt_newinstance, Opt_max, |
88 | Opt_err |
89 | }; |
90 | |
91 | static const match_table_t tokens = { |
92 | {Opt_uid, "uid=%u" }, |
93 | {Opt_gid, "gid=%u" }, |
94 | {Opt_mode, "mode=%o" }, |
95 | {Opt_ptmxmode, "ptmxmode=%o" }, |
96 | {Opt_newinstance, "newinstance" }, |
97 | {Opt_max, "max=%d" }, |
98 | {Opt_err, NULL} |
99 | }; |
100 | |
101 | struct pts_fs_info { |
102 | struct ida allocated_ptys; |
103 | struct pts_mount_opts mount_opts; |
104 | struct super_block *sb; |
105 | struct dentry *ptmx_dentry; |
106 | }; |
107 | |
108 | static inline struct pts_fs_info *DEVPTS_SB(struct super_block *sb) |
109 | { |
110 | return sb->s_fs_info; |
111 | } |
112 | |
113 | static int devpts_ptmx_path(struct path *path) |
114 | { |
115 | struct super_block *sb; |
116 | int err; |
117 | |
118 | /* Is a devpts filesystem at "pts" in the same directory? */ |
119 | err = path_pts(path); |
120 | if (err) |
121 | return err; |
122 | |
123 | /* Is the path the root of a devpts filesystem? */ |
124 | sb = path->mnt->mnt_sb; |
125 | if ((sb->s_magic != DEVPTS_SUPER_MAGIC) || |
126 | (path->mnt->mnt_root != sb->s_root)) |
127 | return -ENODEV; |
128 | |
129 | return 0; |
130 | } |
131 | |
132 | /* |
133 | * Try to find a suitable devpts filesystem. We support the following |
134 | * scenarios: |
135 | * - The ptmx device node is located in the same directory as the devpts |
136 | * mount where the pts device nodes are located. |
137 | * This is e.g. the case when calling open on the /dev/pts/ptmx device |
138 | * node when the devpts filesystem is mounted at /dev/pts. |
139 | * - The ptmx device node is located outside the devpts filesystem mount |
140 | * where the pts device nodes are located. For example, the ptmx device |
141 | * is a symlink, separate device node, or bind-mount. |
142 | * A supported scenario is bind-mounting /dev/pts/ptmx to /dev/ptmx and |
143 | * then calling open on /dev/ptmx. In this case a suitable pts |
144 | * subdirectory can be found in the common parent directory /dev of the |
145 | * devpts mount and the ptmx bind-mount, after resolving the /dev/ptmx |
146 | * bind-mount. |
147 | * If no suitable pts subdirectory can be found this function will fail. |
148 | * This is e.g. the case when bind-mounting /dev/pts/ptmx to /ptmx. |
149 | */ |
150 | struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi) |
151 | { |
152 | struct path path; |
153 | int err = 0; |
154 | |
155 | path = filp->f_path; |
156 | path_get(&path); |
157 | |
158 | /* Walk upward while the start point is a bind mount of |
159 | * a single file. |
160 | */ |
161 | while (path.mnt->mnt_root == path.dentry) |
162 | if (follow_up(&path) == 0) |
163 | break; |
164 | |
165 | /* devpts_ptmx_path() finds a devpts fs or returns an error. */ |
166 | if ((path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) || |
167 | (DEVPTS_SB(sb: path.mnt->mnt_sb) != fsi)) |
168 | err = devpts_ptmx_path(path: &path); |
169 | dput(path.dentry); |
170 | if (!err) { |
171 | if (DEVPTS_SB(sb: path.mnt->mnt_sb) == fsi) |
172 | return path.mnt; |
173 | |
174 | err = -ENODEV; |
175 | } |
176 | |
177 | mntput(mnt: path.mnt); |
178 | return ERR_PTR(error: err); |
179 | } |
180 | |
181 | struct pts_fs_info *devpts_acquire(struct file *filp) |
182 | { |
183 | struct pts_fs_info *result; |
184 | struct path path; |
185 | struct super_block *sb; |
186 | |
187 | path = filp->f_path; |
188 | path_get(&path); |
189 | |
190 | /* Has the devpts filesystem already been found? */ |
191 | if (path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) { |
192 | int err; |
193 | |
194 | err = devpts_ptmx_path(path: &path); |
195 | if (err) { |
196 | result = ERR_PTR(error: err); |
197 | goto out; |
198 | } |
199 | } |
200 | |
201 | /* |
202 | * pty code needs to hold extra references in case of last /dev/tty close |
203 | */ |
204 | sb = path.mnt->mnt_sb; |
205 | atomic_inc(v: &sb->s_active); |
206 | result = DEVPTS_SB(sb); |
207 | |
208 | out: |
209 | path_put(&path); |
210 | return result; |
211 | } |
212 | |
213 | void devpts_release(struct pts_fs_info *fsi) |
214 | { |
215 | deactivate_super(sb: fsi->sb); |
216 | } |
217 | |
218 | #define PARSE_MOUNT 0 |
219 | #define PARSE_REMOUNT 1 |
220 | |
221 | /* |
222 | * parse_mount_options(): |
223 | * Set @opts to mount options specified in @data. If an option is not |
224 | * specified in @data, set it to its default value. |
225 | * |
226 | * Note: @data may be NULL (in which case all options are set to default). |
227 | */ |
228 | static int parse_mount_options(char *data, int op, struct pts_mount_opts *opts) |
229 | { |
230 | char *p; |
231 | kuid_t uid; |
232 | kgid_t gid; |
233 | |
234 | opts->setuid = 0; |
235 | opts->setgid = 0; |
236 | opts->uid = GLOBAL_ROOT_UID; |
237 | opts->gid = GLOBAL_ROOT_GID; |
238 | opts->mode = DEVPTS_DEFAULT_MODE; |
239 | opts->ptmxmode = DEVPTS_DEFAULT_PTMX_MODE; |
240 | opts->max = NR_UNIX98_PTY_MAX; |
241 | |
242 | /* Only allow instances mounted from the initial mount |
243 | * namespace to tap the reserve pool of ptys. |
244 | */ |
245 | if (op == PARSE_MOUNT) |
246 | opts->reserve = |
247 | (current->nsproxy->mnt_ns == init_task.nsproxy->mnt_ns); |
248 | |
249 | while ((p = strsep(&data, "," )) != NULL) { |
250 | substring_t args[MAX_OPT_ARGS]; |
251 | int token; |
252 | int option; |
253 | |
254 | if (!*p) |
255 | continue; |
256 | |
257 | token = match_token(p, tokens, args); |
258 | switch (token) { |
259 | case Opt_uid: |
260 | if (match_int(&args[0], &option)) |
261 | return -EINVAL; |
262 | uid = make_kuid(current_user_ns(), option); |
263 | if (!uid_valid(uid)) |
264 | return -EINVAL; |
265 | opts->uid = uid; |
266 | opts->setuid = 1; |
267 | break; |
268 | case Opt_gid: |
269 | if (match_int(&args[0], &option)) |
270 | return -EINVAL; |
271 | gid = make_kgid(current_user_ns(), option); |
272 | if (!gid_valid(gid)) |
273 | return -EINVAL; |
274 | opts->gid = gid; |
275 | opts->setgid = 1; |
276 | break; |
277 | case Opt_mode: |
278 | if (match_octal(&args[0], &option)) |
279 | return -EINVAL; |
280 | opts->mode = option & S_IALLUGO; |
281 | break; |
282 | case Opt_ptmxmode: |
283 | if (match_octal(&args[0], &option)) |
284 | return -EINVAL; |
285 | opts->ptmxmode = option & S_IALLUGO; |
286 | break; |
287 | case Opt_newinstance: |
288 | break; |
289 | case Opt_max: |
290 | if (match_int(&args[0], &option) || |
291 | option < 0 || option > NR_UNIX98_PTY_MAX) |
292 | return -EINVAL; |
293 | opts->max = option; |
294 | break; |
295 | default: |
296 | pr_err("called with bogus options\n" ); |
297 | return -EINVAL; |
298 | } |
299 | } |
300 | |
301 | return 0; |
302 | } |
303 | |
304 | static int mknod_ptmx(struct super_block *sb) |
305 | { |
306 | int mode; |
307 | int rc = -ENOMEM; |
308 | struct dentry *dentry; |
309 | struct inode *inode; |
310 | struct dentry *root = sb->s_root; |
311 | struct pts_fs_info *fsi = DEVPTS_SB(sb); |
312 | struct pts_mount_opts *opts = &fsi->mount_opts; |
313 | kuid_t ptmx_uid = current_fsuid(); |
314 | kgid_t ptmx_gid = current_fsgid(); |
315 | |
316 | inode_lock(inode: d_inode(dentry: root)); |
317 | |
318 | /* If we have already created ptmx node, return */ |
319 | if (fsi->ptmx_dentry) { |
320 | rc = 0; |
321 | goto out; |
322 | } |
323 | |
324 | dentry = d_alloc_name(root, "ptmx" ); |
325 | if (!dentry) { |
326 | pr_err("Unable to alloc dentry for ptmx node\n" ); |
327 | goto out; |
328 | } |
329 | |
330 | /* |
331 | * Create a new 'ptmx' node in this mount of devpts. |
332 | */ |
333 | inode = new_inode(sb); |
334 | if (!inode) { |
335 | pr_err("Unable to alloc inode for ptmx node\n" ); |
336 | dput(dentry); |
337 | goto out; |
338 | } |
339 | |
340 | inode->i_ino = 2; |
341 | simple_inode_init_ts(inode); |
342 | |
343 | mode = S_IFCHR|opts->ptmxmode; |
344 | init_special_inode(inode, mode, MKDEV(TTYAUX_MAJOR, 2)); |
345 | inode->i_uid = ptmx_uid; |
346 | inode->i_gid = ptmx_gid; |
347 | |
348 | d_add(dentry, inode); |
349 | |
350 | fsi->ptmx_dentry = dentry; |
351 | rc = 0; |
352 | out: |
353 | inode_unlock(inode: d_inode(dentry: root)); |
354 | return rc; |
355 | } |
356 | |
357 | static void update_ptmx_mode(struct pts_fs_info *fsi) |
358 | { |
359 | struct inode *inode; |
360 | if (fsi->ptmx_dentry) { |
361 | inode = d_inode(dentry: fsi->ptmx_dentry); |
362 | inode->i_mode = S_IFCHR|fsi->mount_opts.ptmxmode; |
363 | } |
364 | } |
365 | |
366 | static int devpts_remount(struct super_block *sb, int *flags, char *data) |
367 | { |
368 | int err; |
369 | struct pts_fs_info *fsi = DEVPTS_SB(sb); |
370 | struct pts_mount_opts *opts = &fsi->mount_opts; |
371 | |
372 | err = parse_mount_options(data, PARSE_REMOUNT, opts); |
373 | |
374 | /* |
375 | * parse_mount_options() restores options to default values |
376 | * before parsing and may have changed ptmxmode. So, update the |
377 | * mode in the inode too. Bogus options don't fail the remount, |
378 | * so do this even on error return. |
379 | */ |
380 | update_ptmx_mode(fsi); |
381 | |
382 | return err; |
383 | } |
384 | |
385 | static int devpts_show_options(struct seq_file *seq, struct dentry *root) |
386 | { |
387 | struct pts_fs_info *fsi = DEVPTS_SB(sb: root->d_sb); |
388 | struct pts_mount_opts *opts = &fsi->mount_opts; |
389 | |
390 | if (opts->setuid) |
391 | seq_printf(m: seq, fmt: ",uid=%u" , |
392 | from_kuid_munged(to: &init_user_ns, uid: opts->uid)); |
393 | if (opts->setgid) |
394 | seq_printf(m: seq, fmt: ",gid=%u" , |
395 | from_kgid_munged(to: &init_user_ns, gid: opts->gid)); |
396 | seq_printf(m: seq, fmt: ",mode=%03o" , opts->mode); |
397 | seq_printf(m: seq, fmt: ",ptmxmode=%03o" , opts->ptmxmode); |
398 | if (opts->max < NR_UNIX98_PTY_MAX) |
399 | seq_printf(m: seq, fmt: ",max=%d" , opts->max); |
400 | |
401 | return 0; |
402 | } |
403 | |
404 | static const struct super_operations devpts_sops = { |
405 | .statfs = simple_statfs, |
406 | .remount_fs = devpts_remount, |
407 | .show_options = devpts_show_options, |
408 | }; |
409 | |
410 | static void *new_pts_fs_info(struct super_block *sb) |
411 | { |
412 | struct pts_fs_info *fsi; |
413 | |
414 | fsi = kzalloc(size: sizeof(struct pts_fs_info), GFP_KERNEL); |
415 | if (!fsi) |
416 | return NULL; |
417 | |
418 | ida_init(ida: &fsi->allocated_ptys); |
419 | fsi->mount_opts.mode = DEVPTS_DEFAULT_MODE; |
420 | fsi->mount_opts.ptmxmode = DEVPTS_DEFAULT_PTMX_MODE; |
421 | fsi->sb = sb; |
422 | |
423 | return fsi; |
424 | } |
425 | |
426 | static int |
427 | devpts_fill_super(struct super_block *s, void *data, int silent) |
428 | { |
429 | struct inode *inode; |
430 | int error; |
431 | |
432 | s->s_iflags &= ~SB_I_NODEV; |
433 | s->s_blocksize = 1024; |
434 | s->s_blocksize_bits = 10; |
435 | s->s_magic = DEVPTS_SUPER_MAGIC; |
436 | s->s_op = &devpts_sops; |
437 | s->s_d_op = &simple_dentry_operations; |
438 | s->s_time_gran = 1; |
439 | |
440 | error = -ENOMEM; |
441 | s->s_fs_info = new_pts_fs_info(sb: s); |
442 | if (!s->s_fs_info) |
443 | goto fail; |
444 | |
445 | error = parse_mount_options(data, PARSE_MOUNT, opts: &DEVPTS_SB(sb: s)->mount_opts); |
446 | if (error) |
447 | goto fail; |
448 | |
449 | error = -ENOMEM; |
450 | inode = new_inode(sb: s); |
451 | if (!inode) |
452 | goto fail; |
453 | inode->i_ino = 1; |
454 | simple_inode_init_ts(inode); |
455 | inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR; |
456 | inode->i_op = &simple_dir_inode_operations; |
457 | inode->i_fop = &simple_dir_operations; |
458 | set_nlink(inode, nlink: 2); |
459 | |
460 | s->s_root = d_make_root(inode); |
461 | if (!s->s_root) { |
462 | pr_err("get root dentry failed\n" ); |
463 | goto fail; |
464 | } |
465 | |
466 | error = mknod_ptmx(sb: s); |
467 | if (error) |
468 | goto fail_dput; |
469 | |
470 | return 0; |
471 | fail_dput: |
472 | dput(s->s_root); |
473 | s->s_root = NULL; |
474 | fail: |
475 | return error; |
476 | } |
477 | |
478 | /* |
479 | * devpts_mount() |
480 | * |
481 | * Mount a new (private) instance of devpts. PTYs created in this |
482 | * instance are independent of the PTYs in other devpts instances. |
483 | */ |
484 | static struct dentry *devpts_mount(struct file_system_type *fs_type, |
485 | int flags, const char *dev_name, void *data) |
486 | { |
487 | return mount_nodev(fs_type, flags, data, fill_super: devpts_fill_super); |
488 | } |
489 | |
490 | static void devpts_kill_sb(struct super_block *sb) |
491 | { |
492 | struct pts_fs_info *fsi = DEVPTS_SB(sb); |
493 | |
494 | if (fsi) |
495 | ida_destroy(ida: &fsi->allocated_ptys); |
496 | kfree(objp: fsi); |
497 | kill_litter_super(sb); |
498 | } |
499 | |
500 | static struct file_system_type devpts_fs_type = { |
501 | .name = "devpts" , |
502 | .mount = devpts_mount, |
503 | .kill_sb = devpts_kill_sb, |
504 | .fs_flags = FS_USERNS_MOUNT, |
505 | }; |
506 | |
507 | /* |
508 | * The normal naming convention is simply /dev/pts/<number>; this conforms |
509 | * to the System V naming convention |
510 | */ |
511 | |
512 | int devpts_new_index(struct pts_fs_info *fsi) |
513 | { |
514 | int index = -ENOSPC; |
515 | |
516 | if (atomic_inc_return(v: &pty_count) >= (pty_limit - |
517 | (fsi->mount_opts.reserve ? 0 : pty_reserve))) |
518 | goto out; |
519 | |
520 | index = ida_alloc_max(ida: &fsi->allocated_ptys, max: fsi->mount_opts.max - 1, |
521 | GFP_KERNEL); |
522 | |
523 | out: |
524 | if (index < 0) |
525 | atomic_dec(v: &pty_count); |
526 | return index; |
527 | } |
528 | |
529 | void devpts_kill_index(struct pts_fs_info *fsi, int idx) |
530 | { |
531 | ida_free(&fsi->allocated_ptys, id: idx); |
532 | atomic_dec(v: &pty_count); |
533 | } |
534 | |
535 | /** |
536 | * devpts_pty_new -- create a new inode in /dev/pts/ |
537 | * @fsi: Filesystem info for this instance. |
538 | * @index: used as a name of the node |
539 | * @priv: what's given back by devpts_get_priv |
540 | * |
541 | * The dentry for the created inode is returned. |
542 | * Remove it from /dev/pts/ with devpts_pty_kill(). |
543 | */ |
544 | struct dentry *devpts_pty_new(struct pts_fs_info *fsi, int index, void *priv) |
545 | { |
546 | struct dentry *dentry; |
547 | struct super_block *sb = fsi->sb; |
548 | struct inode *inode; |
549 | struct dentry *root; |
550 | struct pts_mount_opts *opts; |
551 | char s[12]; |
552 | |
553 | root = sb->s_root; |
554 | opts = &fsi->mount_opts; |
555 | |
556 | inode = new_inode(sb); |
557 | if (!inode) |
558 | return ERR_PTR(error: -ENOMEM); |
559 | |
560 | inode->i_ino = index + 3; |
561 | inode->i_uid = opts->setuid ? opts->uid : current_fsuid(); |
562 | inode->i_gid = opts->setgid ? opts->gid : current_fsgid(); |
563 | simple_inode_init_ts(inode); |
564 | init_special_inode(inode, S_IFCHR|opts->mode, MKDEV(UNIX98_PTY_SLAVE_MAJOR, index)); |
565 | |
566 | sprintf(buf: s, fmt: "%d" , index); |
567 | |
568 | dentry = d_alloc_name(root, s); |
569 | if (dentry) { |
570 | dentry->d_fsdata = priv; |
571 | d_add(dentry, inode); |
572 | fsnotify_create(dir: d_inode(dentry: root), dentry); |
573 | } else { |
574 | iput(inode); |
575 | dentry = ERR_PTR(error: -ENOMEM); |
576 | } |
577 | |
578 | return dentry; |
579 | } |
580 | |
581 | /** |
582 | * devpts_get_priv -- get private data for a slave |
583 | * @dentry: dentry of the slave |
584 | * |
585 | * Returns whatever was passed as priv in devpts_pty_new for a given inode. |
586 | */ |
587 | void *devpts_get_priv(struct dentry *dentry) |
588 | { |
589 | if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC) |
590 | return NULL; |
591 | return dentry->d_fsdata; |
592 | } |
593 | |
594 | /** |
595 | * devpts_pty_kill -- remove inode form /dev/pts/ |
596 | * @dentry: dentry of the slave to be removed |
597 | * |
598 | * This is an inverse operation of devpts_pty_new. |
599 | */ |
600 | void devpts_pty_kill(struct dentry *dentry) |
601 | { |
602 | WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC); |
603 | |
604 | dentry->d_fsdata = NULL; |
605 | drop_nlink(inode: dentry->d_inode); |
606 | d_drop(dentry); |
607 | fsnotify_unlink(dir: d_inode(dentry: dentry->d_parent), dentry); |
608 | dput(dentry); /* d_alloc_name() in devpts_pty_new() */ |
609 | } |
610 | |
611 | static int __init init_devpts_fs(void) |
612 | { |
613 | int err = register_filesystem(&devpts_fs_type); |
614 | if (!err) { |
615 | register_sysctl("kernel/pty" , pty_table); |
616 | } |
617 | return err; |
618 | } |
619 | module_init(init_devpts_fs) |
620 | |