1// SPDX-License-Identifier: GPL-2.0-or-later
2/* -*- linux-c -*- --------------------------------------------------------- *
3 *
4 * linux/fs/devpts/inode.c
5 *
6 * Copyright 1998-2004 H. Peter Anvin -- All Rights Reserved
7 *
8 * ------------------------------------------------------------------------- */
9
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/fs.h>
15#include <linux/sched.h>
16#include <linux/namei.h>
17#include <linux/slab.h>
18#include <linux/mount.h>
19#include <linux/tty.h>
20#include <linux/mutex.h>
21#include <linux/magic.h>
22#include <linux/idr.h>
23#include <linux/devpts_fs.h>
24#include <linux/parser.h>
25#include <linux/fsnotify.h>
26#include <linux/seq_file.h>
27
/* Permission bits given to pty slave nodes when no "mode=" option is passed. */
#define DEVPTS_DEFAULT_MODE 0600

/*
 * The ptmx node inside /dev/pts is a newer addition and is not used in
 * legacy (single-instance) mode. It therefore defaults to mode 0 so user
 * space is not surprised by it; use 'chmod' or remount with '-o ptmxmode'
 * to give it meaningful permissions.
 */
#define DEVPTS_DEFAULT_PTMX_MODE 0000

/* Minor number of the ptmx character device. */
#define PTMX_MINOR 2
37
38/*
39 * sysctl support for setting limits on the number of Unix98 ptys allocated.
40 * Otherwise one can eat up all kernel memory by opening /dev/ptmx repeatedly.
41 */
42static int pty_limit = NR_UNIX98_PTY_DEFAULT;
43static int pty_reserve = NR_UNIX98_PTY_RESERVE;
44static int pty_limit_min;
45static int pty_limit_max = INT_MAX;
46static atomic_t pty_count = ATOMIC_INIT(0);
47
48static struct ctl_table pty_table[] = {
49 {
50 .procname = "max",
51 .maxlen = sizeof(int),
52 .mode = 0644,
53 .data = &pty_limit,
54 .proc_handler = proc_dointvec_minmax,
55 .extra1 = &pty_limit_min,
56 .extra2 = &pty_limit_max,
57 }, {
58 .procname = "reserve",
59 .maxlen = sizeof(int),
60 .mode = 0644,
61 .data = &pty_reserve,
62 .proc_handler = proc_dointvec_minmax,
63 .extra1 = &pty_limit_min,
64 .extra2 = &pty_limit_max,
65 }, {
66 .procname = "nr",
67 .maxlen = sizeof(int),
68 .mode = 0444,
69 .data = &pty_count,
70 .proc_handler = proc_dointvec,
71 },
72 {}
73};
74
75struct pts_mount_opts {
76 int setuid;
77 int setgid;
78 kuid_t uid;
79 kgid_t gid;
80 umode_t mode;
81 umode_t ptmxmode;
82 int reserve;
83 int max;
84};
85
86enum {
87 Opt_uid, Opt_gid, Opt_mode, Opt_ptmxmode, Opt_newinstance, Opt_max,
88 Opt_err
89};
90
91static const match_table_t tokens = {
92 {Opt_uid, "uid=%u"},
93 {Opt_gid, "gid=%u"},
94 {Opt_mode, "mode=%o"},
95 {Opt_ptmxmode, "ptmxmode=%o"},
96 {Opt_newinstance, "newinstance"},
97 {Opt_max, "max=%d"},
98 {Opt_err, NULL}
99};
100
101struct pts_fs_info {
102 struct ida allocated_ptys;
103 struct pts_mount_opts mount_opts;
104 struct super_block *sb;
105 struct dentry *ptmx_dentry;
106};
107
108static inline struct pts_fs_info *DEVPTS_SB(struct super_block *sb)
109{
110 return sb->s_fs_info;
111}
112
113static int devpts_ptmx_path(struct path *path)
114{
115 struct super_block *sb;
116 int err;
117
118 /* Is a devpts filesystem at "pts" in the same directory? */
119 err = path_pts(path);
120 if (err)
121 return err;
122
123 /* Is the path the root of a devpts filesystem? */
124 sb = path->mnt->mnt_sb;
125 if ((sb->s_magic != DEVPTS_SUPER_MAGIC) ||
126 (path->mnt->mnt_root != sb->s_root))
127 return -ENODEV;
128
129 return 0;
130}
131
132/*
133 * Try to find a suitable devpts filesystem. We support the following
134 * scenarios:
135 * - The ptmx device node is located in the same directory as the devpts
136 * mount where the pts device nodes are located.
137 * This is e.g. the case when calling open on the /dev/pts/ptmx device
138 * node when the devpts filesystem is mounted at /dev/pts.
139 * - The ptmx device node is located outside the devpts filesystem mount
140 * where the pts device nodes are located. For example, the ptmx device
141 * is a symlink, separate device node, or bind-mount.
142 * A supported scenario is bind-mounting /dev/pts/ptmx to /dev/ptmx and
143 * then calling open on /dev/ptmx. In this case a suitable pts
144 * subdirectory can be found in the common parent directory /dev of the
145 * devpts mount and the ptmx bind-mount, after resolving the /dev/ptmx
146 * bind-mount.
147 * If no suitable pts subdirectory can be found this function will fail.
148 * This is e.g. the case when bind-mounting /dev/pts/ptmx to /ptmx.
149 */
150struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi)
151{
152 struct path path;
153 int err = 0;
154
155 path = filp->f_path;
156 path_get(&path);
157
158 /* Walk upward while the start point is a bind mount of
159 * a single file.
160 */
161 while (path.mnt->mnt_root == path.dentry)
162 if (follow_up(&path) == 0)
163 break;
164
165 /* devpts_ptmx_path() finds a devpts fs or returns an error. */
166 if ((path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) ||
167 (DEVPTS_SB(sb: path.mnt->mnt_sb) != fsi))
168 err = devpts_ptmx_path(path: &path);
169 dput(path.dentry);
170 if (!err) {
171 if (DEVPTS_SB(sb: path.mnt->mnt_sb) == fsi)
172 return path.mnt;
173
174 err = -ENODEV;
175 }
176
177 mntput(mnt: path.mnt);
178 return ERR_PTR(error: err);
179}
180
181struct pts_fs_info *devpts_acquire(struct file *filp)
182{
183 struct pts_fs_info *result;
184 struct path path;
185 struct super_block *sb;
186
187 path = filp->f_path;
188 path_get(&path);
189
190 /* Has the devpts filesystem already been found? */
191 if (path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) {
192 int err;
193
194 err = devpts_ptmx_path(path: &path);
195 if (err) {
196 result = ERR_PTR(error: err);
197 goto out;
198 }
199 }
200
201 /*
202 * pty code needs to hold extra references in case of last /dev/tty close
203 */
204 sb = path.mnt->mnt_sb;
205 atomic_inc(v: &sb->s_active);
206 result = DEVPTS_SB(sb);
207
208out:
209 path_put(&path);
210 return result;
211}
212
213void devpts_release(struct pts_fs_info *fsi)
214{
215 deactivate_super(sb: fsi->sb);
216}
217
/* Values for the @op argument of parse_mount_options(). */
enum {
	PARSE_MOUNT = 0,	/* initial mount: also decides opts->reserve */
	PARSE_REMOUNT = 1,	/* remount: opts->reserve is left untouched */
};
220
221/*
222 * parse_mount_options():
223 * Set @opts to mount options specified in @data. If an option is not
224 * specified in @data, set it to its default value.
225 *
226 * Note: @data may be NULL (in which case all options are set to default).
227 */
228static int parse_mount_options(char *data, int op, struct pts_mount_opts *opts)
229{
230 char *p;
231 kuid_t uid;
232 kgid_t gid;
233
234 opts->setuid = 0;
235 opts->setgid = 0;
236 opts->uid = GLOBAL_ROOT_UID;
237 opts->gid = GLOBAL_ROOT_GID;
238 opts->mode = DEVPTS_DEFAULT_MODE;
239 opts->ptmxmode = DEVPTS_DEFAULT_PTMX_MODE;
240 opts->max = NR_UNIX98_PTY_MAX;
241
242 /* Only allow instances mounted from the initial mount
243 * namespace to tap the reserve pool of ptys.
244 */
245 if (op == PARSE_MOUNT)
246 opts->reserve =
247 (current->nsproxy->mnt_ns == init_task.nsproxy->mnt_ns);
248
249 while ((p = strsep(&data, ",")) != NULL) {
250 substring_t args[MAX_OPT_ARGS];
251 int token;
252 int option;
253
254 if (!*p)
255 continue;
256
257 token = match_token(p, tokens, args);
258 switch (token) {
259 case Opt_uid:
260 if (match_int(&args[0], &option))
261 return -EINVAL;
262 uid = make_kuid(current_user_ns(), option);
263 if (!uid_valid(uid))
264 return -EINVAL;
265 opts->uid = uid;
266 opts->setuid = 1;
267 break;
268 case Opt_gid:
269 if (match_int(&args[0], &option))
270 return -EINVAL;
271 gid = make_kgid(current_user_ns(), option);
272 if (!gid_valid(gid))
273 return -EINVAL;
274 opts->gid = gid;
275 opts->setgid = 1;
276 break;
277 case Opt_mode:
278 if (match_octal(&args[0], &option))
279 return -EINVAL;
280 opts->mode = option & S_IALLUGO;
281 break;
282 case Opt_ptmxmode:
283 if (match_octal(&args[0], &option))
284 return -EINVAL;
285 opts->ptmxmode = option & S_IALLUGO;
286 break;
287 case Opt_newinstance:
288 break;
289 case Opt_max:
290 if (match_int(&args[0], &option) ||
291 option < 0 || option > NR_UNIX98_PTY_MAX)
292 return -EINVAL;
293 opts->max = option;
294 break;
295 default:
296 pr_err("called with bogus options\n");
297 return -EINVAL;
298 }
299 }
300
301 return 0;
302}
303
304static int mknod_ptmx(struct super_block *sb)
305{
306 int mode;
307 int rc = -ENOMEM;
308 struct dentry *dentry;
309 struct inode *inode;
310 struct dentry *root = sb->s_root;
311 struct pts_fs_info *fsi = DEVPTS_SB(sb);
312 struct pts_mount_opts *opts = &fsi->mount_opts;
313 kuid_t ptmx_uid = current_fsuid();
314 kgid_t ptmx_gid = current_fsgid();
315
316 inode_lock(inode: d_inode(dentry: root));
317
318 /* If we have already created ptmx node, return */
319 if (fsi->ptmx_dentry) {
320 rc = 0;
321 goto out;
322 }
323
324 dentry = d_alloc_name(root, "ptmx");
325 if (!dentry) {
326 pr_err("Unable to alloc dentry for ptmx node\n");
327 goto out;
328 }
329
330 /*
331 * Create a new 'ptmx' node in this mount of devpts.
332 */
333 inode = new_inode(sb);
334 if (!inode) {
335 pr_err("Unable to alloc inode for ptmx node\n");
336 dput(dentry);
337 goto out;
338 }
339
340 inode->i_ino = 2;
341 simple_inode_init_ts(inode);
342
343 mode = S_IFCHR|opts->ptmxmode;
344 init_special_inode(inode, mode, MKDEV(TTYAUX_MAJOR, 2));
345 inode->i_uid = ptmx_uid;
346 inode->i_gid = ptmx_gid;
347
348 d_add(dentry, inode);
349
350 fsi->ptmx_dentry = dentry;
351 rc = 0;
352out:
353 inode_unlock(inode: d_inode(dentry: root));
354 return rc;
355}
356
357static void update_ptmx_mode(struct pts_fs_info *fsi)
358{
359 struct inode *inode;
360 if (fsi->ptmx_dentry) {
361 inode = d_inode(dentry: fsi->ptmx_dentry);
362 inode->i_mode = S_IFCHR|fsi->mount_opts.ptmxmode;
363 }
364}
365
366static int devpts_remount(struct super_block *sb, int *flags, char *data)
367{
368 int err;
369 struct pts_fs_info *fsi = DEVPTS_SB(sb);
370 struct pts_mount_opts *opts = &fsi->mount_opts;
371
372 err = parse_mount_options(data, PARSE_REMOUNT, opts);
373
374 /*
375 * parse_mount_options() restores options to default values
376 * before parsing and may have changed ptmxmode. So, update the
377 * mode in the inode too. Bogus options don't fail the remount,
378 * so do this even on error return.
379 */
380 update_ptmx_mode(fsi);
381
382 return err;
383}
384
385static int devpts_show_options(struct seq_file *seq, struct dentry *root)
386{
387 struct pts_fs_info *fsi = DEVPTS_SB(sb: root->d_sb);
388 struct pts_mount_opts *opts = &fsi->mount_opts;
389
390 if (opts->setuid)
391 seq_printf(m: seq, fmt: ",uid=%u",
392 from_kuid_munged(to: &init_user_ns, uid: opts->uid));
393 if (opts->setgid)
394 seq_printf(m: seq, fmt: ",gid=%u",
395 from_kgid_munged(to: &init_user_ns, gid: opts->gid));
396 seq_printf(m: seq, fmt: ",mode=%03o", opts->mode);
397 seq_printf(m: seq, fmt: ",ptmxmode=%03o", opts->ptmxmode);
398 if (opts->max < NR_UNIX98_PTY_MAX)
399 seq_printf(m: seq, fmt: ",max=%d", opts->max);
400
401 return 0;
402}
403
404static const struct super_operations devpts_sops = {
405 .statfs = simple_statfs,
406 .remount_fs = devpts_remount,
407 .show_options = devpts_show_options,
408};
409
410static void *new_pts_fs_info(struct super_block *sb)
411{
412 struct pts_fs_info *fsi;
413
414 fsi = kzalloc(size: sizeof(struct pts_fs_info), GFP_KERNEL);
415 if (!fsi)
416 return NULL;
417
418 ida_init(ida: &fsi->allocated_ptys);
419 fsi->mount_opts.mode = DEVPTS_DEFAULT_MODE;
420 fsi->mount_opts.ptmxmode = DEVPTS_DEFAULT_PTMX_MODE;
421 fsi->sb = sb;
422
423 return fsi;
424}
425
426static int
427devpts_fill_super(struct super_block *s, void *data, int silent)
428{
429 struct inode *inode;
430 int error;
431
432 s->s_iflags &= ~SB_I_NODEV;
433 s->s_blocksize = 1024;
434 s->s_blocksize_bits = 10;
435 s->s_magic = DEVPTS_SUPER_MAGIC;
436 s->s_op = &devpts_sops;
437 s->s_d_op = &simple_dentry_operations;
438 s->s_time_gran = 1;
439
440 error = -ENOMEM;
441 s->s_fs_info = new_pts_fs_info(sb: s);
442 if (!s->s_fs_info)
443 goto fail;
444
445 error = parse_mount_options(data, PARSE_MOUNT, opts: &DEVPTS_SB(sb: s)->mount_opts);
446 if (error)
447 goto fail;
448
449 error = -ENOMEM;
450 inode = new_inode(sb: s);
451 if (!inode)
452 goto fail;
453 inode->i_ino = 1;
454 simple_inode_init_ts(inode);
455 inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR;
456 inode->i_op = &simple_dir_inode_operations;
457 inode->i_fop = &simple_dir_operations;
458 set_nlink(inode, nlink: 2);
459
460 s->s_root = d_make_root(inode);
461 if (!s->s_root) {
462 pr_err("get root dentry failed\n");
463 goto fail;
464 }
465
466 error = mknod_ptmx(sb: s);
467 if (error)
468 goto fail_dput;
469
470 return 0;
471fail_dput:
472 dput(s->s_root);
473 s->s_root = NULL;
474fail:
475 return error;
476}
477
478/*
479 * devpts_mount()
480 *
481 * Mount a new (private) instance of devpts. PTYs created in this
482 * instance are independent of the PTYs in other devpts instances.
483 */
484static struct dentry *devpts_mount(struct file_system_type *fs_type,
485 int flags, const char *dev_name, void *data)
486{
487 return mount_nodev(fs_type, flags, data, fill_super: devpts_fill_super);
488}
489
490static void devpts_kill_sb(struct super_block *sb)
491{
492 struct pts_fs_info *fsi = DEVPTS_SB(sb);
493
494 if (fsi)
495 ida_destroy(ida: &fsi->allocated_ptys);
496 kfree(objp: fsi);
497 kill_litter_super(sb);
498}
499
500static struct file_system_type devpts_fs_type = {
501 .name = "devpts",
502 .mount = devpts_mount,
503 .kill_sb = devpts_kill_sb,
504 .fs_flags = FS_USERNS_MOUNT,
505};
506
507/*
508 * The normal naming convention is simply /dev/pts/<number>; this conforms
509 * to the System V naming convention
510 */
511
512int devpts_new_index(struct pts_fs_info *fsi)
513{
514 int index = -ENOSPC;
515
516 if (atomic_inc_return(v: &pty_count) >= (pty_limit -
517 (fsi->mount_opts.reserve ? 0 : pty_reserve)))
518 goto out;
519
520 index = ida_alloc_max(ida: &fsi->allocated_ptys, max: fsi->mount_opts.max - 1,
521 GFP_KERNEL);
522
523out:
524 if (index < 0)
525 atomic_dec(v: &pty_count);
526 return index;
527}
528
529void devpts_kill_index(struct pts_fs_info *fsi, int idx)
530{
531 ida_free(&fsi->allocated_ptys, id: idx);
532 atomic_dec(v: &pty_count);
533}
534
535/**
536 * devpts_pty_new -- create a new inode in /dev/pts/
537 * @fsi: Filesystem info for this instance.
538 * @index: used as a name of the node
539 * @priv: what's given back by devpts_get_priv
540 *
541 * The dentry for the created inode is returned.
542 * Remove it from /dev/pts/ with devpts_pty_kill().
543 */
544struct dentry *devpts_pty_new(struct pts_fs_info *fsi, int index, void *priv)
545{
546 struct dentry *dentry;
547 struct super_block *sb = fsi->sb;
548 struct inode *inode;
549 struct dentry *root;
550 struct pts_mount_opts *opts;
551 char s[12];
552
553 root = sb->s_root;
554 opts = &fsi->mount_opts;
555
556 inode = new_inode(sb);
557 if (!inode)
558 return ERR_PTR(error: -ENOMEM);
559
560 inode->i_ino = index + 3;
561 inode->i_uid = opts->setuid ? opts->uid : current_fsuid();
562 inode->i_gid = opts->setgid ? opts->gid : current_fsgid();
563 simple_inode_init_ts(inode);
564 init_special_inode(inode, S_IFCHR|opts->mode, MKDEV(UNIX98_PTY_SLAVE_MAJOR, index));
565
566 sprintf(buf: s, fmt: "%d", index);
567
568 dentry = d_alloc_name(root, s);
569 if (dentry) {
570 dentry->d_fsdata = priv;
571 d_add(dentry, inode);
572 fsnotify_create(dir: d_inode(dentry: root), dentry);
573 } else {
574 iput(inode);
575 dentry = ERR_PTR(error: -ENOMEM);
576 }
577
578 return dentry;
579}
580
581/**
582 * devpts_get_priv -- get private data for a slave
583 * @dentry: dentry of the slave
584 *
585 * Returns whatever was passed as priv in devpts_pty_new for a given inode.
586 */
587void *devpts_get_priv(struct dentry *dentry)
588{
589 if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC)
590 return NULL;
591 return dentry->d_fsdata;
592}
593
/**
 * devpts_pty_kill -- remove inode from /dev/pts/
 * @dentry: dentry of the slave to be removed
 *
 * This is an inverse operation of devpts_pty_new.
 */
600void devpts_pty_kill(struct dentry *dentry)
601{
602 WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC);
603
604 dentry->d_fsdata = NULL;
605 drop_nlink(inode: dentry->d_inode);
606 d_drop(dentry);
607 fsnotify_unlink(dir: d_inode(dentry: dentry->d_parent), dentry);
608 dput(dentry); /* d_alloc_name() in devpts_pty_new() */
609}
610
611static int __init init_devpts_fs(void)
612{
613 int err = register_filesystem(&devpts_fs_type);
614 if (!err) {
615 register_sysctl("kernel/pty", pty_table);
616 }
617 return err;
618}
619module_init(init_devpts_fs)
620

source code of linux/fs/devpts/inode.c