1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/anon_inodes.h>
3 #include <linux/exportfs.h>
4 #include <linux/file.h>
5 #include <linux/fs.h>
6 #include <linux/cgroup.h>
7 #include <linux/magic.h>
8 #include <linux/mount.h>
9 #include <linux/pid.h>
10 #include <linux/pidfs.h>
11 #include <linux/sched/signal.h>
12 #include <linux/signal.h>
13 #include <linux/pid_namespace.h>
14 #include <linux/poll.h>
15 #include <linux/proc_fs.h>
16 #include <linux/proc_ns.h>
17 #include <linux/pseudo_fs.h>
18 #include <linux/ptrace.h>
19 #include <linux/seq_file.h>
20 #include <uapi/linux/pidfd.h>
21 #include <linux/ipc_namespace.h>
22 #include <linux/time_namespace.h>
23 #include <linux/utsname.h>
24 #include <net/net_namespace.h>
25 #include <linux/coredump.h>
26 #include <linux/rhashtable.h>
27 #include <linux/llist.h>
28 #include <linux/xattr.h>
29 #include <linux/cookie.h>
30
31 #include "internal.h"
32 #include "mount.h"
33
34 #define PIDFS_PID_DEAD ERR_PTR(-ESRCH)
35
36 static struct kmem_cache *pidfs_attr_cachep __ro_after_init;
37
38 static struct path pidfs_root_path = {};
39
pidfs_get_root(struct path * path)40 void pidfs_get_root(struct path *path)
41 {
42 *path = pidfs_root_path;
43 path_get(path);
44 }
45
46 enum pidfs_attr_mask_bits {
47 PIDFS_ATTR_BIT_EXIT = 0,
48 PIDFS_ATTR_BIT_COREDUMP = 1,
49 };
50
51 struct pidfs_anon_attr {
52 unsigned long attr_mask;
53 struct /* exit info */ {
54 __u64 cgroupid;
55 __s32 exit_code;
56 };
57 __u32 coredump_mask;
58 __u32 coredump_signal;
59 __u32 coredump_code;
60 };
61
62 static struct rhashtable pidfs_ino_ht;
63
64 static const struct rhashtable_params pidfs_ino_ht_params = {
65 .key_offset = offsetof(struct pid, ino),
66 .key_len = sizeof(u64),
67 .head_offset = offsetof(struct pid, pidfs_hash),
68 .automatic_shrinking = true,
69 };
70
71 /*
72 * inode number handling
73 *
74 * On 64 bit nothing special happens. The 64bit number assigned
75 * to struct pid is the inode number.
76 *
77 * On 32 bit the 64 bit number assigned to struct pid is split
78 * into two 32 bit numbers. The lower 32 bits are used as the
79 * inode number and the upper 32 bits are used as the inode
80 * generation number.
81 *
82 * On 32 bit pidfs_ino() will return the lower 32 bit. When
83 * pidfs_ino() returns zero a wrap around happened. When a
84 * wraparound happens the 64 bit number will be incremented by 1
85 * so inode numbering starts at 1 again.
86 *
87 * On 64 bit comparing two pidfds is as simple as comparing
88 * inode numbers.
89 *
90 * When a wraparound happens on 32 bit multiple pidfds with the
91 * same inode number are likely to exist (This isn't a problem
92 * since before pidfs pidfds used the anonymous inode meaning
93 * all pidfds had the same inode number.). Userspace can
94 * reconstruct the 64 bit identifier by retrieving both the
95 * inode number and the inode generation number to compare or
96 * use file handles.
97 */
98 struct pidfs_attr {
99 struct simple_xattrs *xattrs;
100 union {
101 struct pidfs_anon_attr;
102 struct llist_node pidfs_llist;
103 };
104 };
105
106 #if BITS_PER_LONG == 32
107
108 DEFINE_SPINLOCK(pidfs_ino_lock);
109 static u64 pidfs_ino_nr = 1;
110
pidfs_ino(u64 ino)111 static inline unsigned long pidfs_ino(u64 ino)
112 {
113 return lower_32_bits(ino);
114 }
115
116 /* On 32 bit the generation number are the upper 32 bits. */
pidfs_gen(u64 ino)117 static inline u32 pidfs_gen(u64 ino)
118 {
119 return upper_32_bits(ino);
120 }
121
pidfs_alloc_ino(void)122 static inline u64 pidfs_alloc_ino(void)
123 {
124 u64 ino;
125
126 spin_lock(&pidfs_ino_lock);
127 if (pidfs_ino(pidfs_ino_nr) == 0)
128 pidfs_ino_nr++;
129 ino = pidfs_ino_nr++;
130 spin_unlock(&pidfs_ino_lock);
131 return ino;
132 }
133
134 #else
135
136 /* On 64 bit simply return ino. */
pidfs_ino(u64 ino)137 static inline unsigned long pidfs_ino(u64 ino)
138 {
139 return ino;
140 }
141
142 /* On 64 bit the generation number is 0. */
pidfs_gen(u64 ino)143 static inline u32 pidfs_gen(u64 ino)
144 {
145 return 0;
146 }
147
148 DEFINE_COOKIE(pidfs_ino_cookie);
149
pidfs_alloc_ino(void)150 static u64 pidfs_alloc_ino(void)
151 {
152 u64 ino;
153
154 preempt_disable();
155 ino = gen_cookie_next(&pidfs_ino_cookie);
156 preempt_enable();
157
158 VFS_WARN_ON_ONCE(ino < 1);
159 return ino;
160 }
161
162 #endif
163
pidfs_prepare_pid(struct pid * pid)164 void pidfs_prepare_pid(struct pid *pid)
165 {
166 pid->stashed = NULL;
167 pid->attr = NULL;
168 pid->ino = 0;
169 }
170
pidfs_add_pid(struct pid * pid)171 int pidfs_add_pid(struct pid *pid)
172 {
173 int ret;
174
175 pid->ino = pidfs_alloc_ino();
176 ret = rhashtable_insert_fast(&pidfs_ino_ht, &pid->pidfs_hash,
177 pidfs_ino_ht_params);
178 if (unlikely(ret))
179 pid->ino = 0;
180 return ret;
181 }
182
pidfs_remove_pid(struct pid * pid)183 void pidfs_remove_pid(struct pid *pid)
184 {
185 if (likely(pid->ino))
186 rhashtable_remove_fast(&pidfs_ino_ht, &pid->pidfs_hash,
187 pidfs_ino_ht_params);
188 }
189
190 static LLIST_HEAD(pidfs_free_list);
191
pidfs_free_attr_work(struct work_struct * work)192 static void pidfs_free_attr_work(struct work_struct *work)
193 {
194 struct pidfs_attr *attr, *next;
195 struct llist_node *head;
196
197 head = llist_del_all(&pidfs_free_list);
198 llist_for_each_entry_safe(attr, next, head, pidfs_llist) {
199 struct simple_xattrs *xattrs = attr->xattrs;
200
201 if (xattrs) {
202 simple_xattrs_free(xattrs, NULL);
203 kfree(xattrs);
204 }
205 kfree(attr);
206 }
207 }
208
209 static DECLARE_WORK(pidfs_free_work, pidfs_free_attr_work);
210
pidfs_free_pid(struct pid * pid)211 void pidfs_free_pid(struct pid *pid)
212 {
213 struct pidfs_attr *attr = pid->attr;
214
215 /*
216 * Any dentry must've been wiped from the pid by now.
217 * Otherwise there's a reference count bug.
218 */
219 VFS_WARN_ON_ONCE(pid->stashed);
220
221 /*
222 * This if an error occurred during e.g., task creation that
223 * causes us to never go through the exit path.
224 */
225 if (unlikely(!attr))
226 return;
227
228 /* This never had a pidfd created. */
229 if (IS_ERR(attr))
230 return;
231
232 if (likely(!attr->xattrs))
233 kfree(attr);
234 else if (llist_add(&attr->pidfs_llist, &pidfs_free_list))
235 schedule_work(&pidfs_free_work);
236 }
237
238 #ifdef CONFIG_PROC_FS
239 /**
240 * pidfd_show_fdinfo - print information about a pidfd
241 * @m: proc fdinfo file
242 * @f: file referencing a pidfd
243 *
244 * Pid:
245 * This function will print the pid that a given pidfd refers to in the
246 * pid namespace of the procfs instance.
247 * If the pid namespace of the process is not a descendant of the pid
248 * namespace of the procfs instance 0 will be shown as its pid. This is
249 * similar to calling getppid() on a process whose parent is outside of
250 * its pid namespace.
251 *
252 * NSpid:
253 * If pid namespaces are supported then this function will also print
254 * the pid of a given pidfd refers to for all descendant pid namespaces
255 * starting from the current pid namespace of the instance, i.e. the
256 * Pid field and the first entry in the NSpid field will be identical.
257 * If the pid namespace of the process is not a descendant of the pid
258 * namespace of the procfs instance 0 will be shown as its first NSpid
259 * entry and no others will be shown.
260 * Note that this differs from the Pid and NSpid fields in
261 * /proc/<pid>/status where Pid and NSpid are always shown relative to
262 * the pid namespace of the procfs instance. The difference becomes
263 * obvious when sending around a pidfd between pid namespaces from a
264 * different branch of the tree, i.e. where no ancestral relation is
265 * present between the pid namespaces:
266 * - create two new pid namespaces ns1 and ns2 in the initial pid
267 * namespace (also take care to create new mount namespaces in the
268 * new pid namespace and mount procfs)
269 * - create a process with a pidfd in ns1
270 * - send pidfd from ns1 to ns2
271 * - read /proc/self/fdinfo/<pidfd> and observe that both Pid and NSpid
272 * have exactly one entry, which is 0
273 */
pidfd_show_fdinfo(struct seq_file * m,struct file * f)274 static void pidfd_show_fdinfo(struct seq_file *m, struct file *f)
275 {
276 struct pid *pid = pidfd_pid(f);
277 struct pid_namespace *ns;
278 pid_t nr = -1;
279
280 if (likely(pid_has_task(pid, PIDTYPE_PID))) {
281 ns = proc_pid_ns(file_inode(m->file)->i_sb);
282 nr = pid_nr_ns(pid, ns);
283 }
284
285 seq_put_decimal_ll(m, "Pid:\t", nr);
286
287 #ifdef CONFIG_PID_NS
288 seq_put_decimal_ll(m, "\nNSpid:\t", nr);
289 if (nr > 0) {
290 int i;
291
292 /* If nr is non-zero it means that 'pid' is valid and that
293 * ns, i.e. the pid namespace associated with the procfs
294 * instance, is in the pid namespace hierarchy of pid.
295 * Start at one below the already printed level.
296 */
297 for (i = ns->level + 1; i <= pid->level; i++)
298 seq_put_decimal_ll(m, "\t", pid->numbers[i].nr);
299 }
300 #endif
301 seq_putc(m, '\n');
302 }
303 #endif
304
305 /*
306 * Poll support for process exit notification.
307 */
pidfd_poll(struct file * file,struct poll_table_struct * pts)308 static __poll_t pidfd_poll(struct file *file, struct poll_table_struct *pts)
309 {
310 struct pid *pid = pidfd_pid(file);
311 struct task_struct *task;
312 __poll_t poll_flags = 0;
313
314 poll_wait(file, &pid->wait_pidfd, pts);
315 /*
316 * Don't wake waiters if the thread-group leader exited
317 * prematurely. They either get notified when the last subthread
318 * exits or not at all if one of the remaining subthreads execs
319 * and assumes the struct pid of the old thread-group leader.
320 */
321 guard(rcu)();
322 task = pid_task(pid, PIDTYPE_PID);
323 if (!task)
324 poll_flags = EPOLLIN | EPOLLRDNORM | EPOLLHUP;
325 else if (task->exit_state && !delay_group_leader(task))
326 poll_flags = EPOLLIN | EPOLLRDNORM;
327
328 return poll_flags;
329 }
330
pid_in_current_pidns(const struct pid * pid)331 static inline bool pid_in_current_pidns(const struct pid *pid)
332 {
333 const struct pid_namespace *ns = task_active_pid_ns(current);
334
335 if (ns->level <= pid->level)
336 return pid->numbers[ns->level].ns == ns;
337
338 return false;
339 }
340
pidfs_coredump_mask(unsigned long mm_flags)341 static __u32 pidfs_coredump_mask(unsigned long mm_flags)
342 {
343 switch (__get_dumpable(mm_flags)) {
344 case SUID_DUMP_USER:
345 return PIDFD_COREDUMP_USER;
346 case SUID_DUMP_ROOT:
347 return PIDFD_COREDUMP_ROOT;
348 case SUID_DUMP_DISABLE:
349 return PIDFD_COREDUMP_SKIP;
350 default:
351 WARN_ON_ONCE(true);
352 }
353
354 return 0;
355 }
356
357 /* This must be updated whenever a new flag is added */
358 #define PIDFD_INFO_SUPPORTED (PIDFD_INFO_PID | \
359 PIDFD_INFO_CREDS | \
360 PIDFD_INFO_CGROUPID | \
361 PIDFD_INFO_EXIT | \
362 PIDFD_INFO_COREDUMP | \
363 PIDFD_INFO_SUPPORTED_MASK | \
364 PIDFD_INFO_COREDUMP_SIGNAL | \
365 PIDFD_INFO_COREDUMP_CODE)
366
pidfd_info(struct file * file,unsigned int cmd,unsigned long arg)367 static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
368 {
369 struct pidfd_info __user *uinfo = (struct pidfd_info __user *)arg;
370 struct task_struct *task __free(put_task) = NULL;
371 struct pid *pid = pidfd_pid(file);
372 size_t usize = _IOC_SIZE(cmd);
373 struct pidfd_info kinfo = {};
374 struct user_namespace *user_ns;
375 struct pidfs_attr *attr;
376 const struct cred *c;
377 __u64 mask;
378
379 BUILD_BUG_ON(sizeof(struct pidfd_info) != PIDFD_INFO_SIZE_VER3);
380
381 if (!uinfo)
382 return -EINVAL;
383 if (usize < PIDFD_INFO_SIZE_VER0)
384 return -EINVAL; /* First version, no smaller struct possible */
385
386 if (copy_from_user(&mask, &uinfo->mask, sizeof(mask)))
387 return -EFAULT;
388
389 /*
390 * Restrict information retrieval to tasks within the caller's pid
391 * namespace hierarchy.
392 */
393 if (!pid_in_current_pidns(pid))
394 return -EREMOTE;
395
396 attr = READ_ONCE(pid->attr);
397 if (mask & PIDFD_INFO_EXIT) {
398 if (test_bit(PIDFS_ATTR_BIT_EXIT, &attr->attr_mask)) {
399 smp_rmb();
400 kinfo.mask |= PIDFD_INFO_EXIT;
401 #ifdef CONFIG_CGROUPS
402 kinfo.cgroupid = attr->cgroupid;
403 kinfo.mask |= PIDFD_INFO_CGROUPID;
404 #endif
405 kinfo.exit_code = attr->exit_code;
406 }
407 }
408
409 if (mask & PIDFD_INFO_COREDUMP) {
410 if (test_bit(PIDFS_ATTR_BIT_COREDUMP, &attr->attr_mask)) {
411 smp_rmb();
412 kinfo.mask |= PIDFD_INFO_COREDUMP | PIDFD_INFO_COREDUMP_SIGNAL | PIDFD_INFO_COREDUMP_CODE;
413 kinfo.coredump_mask = attr->coredump_mask;
414 kinfo.coredump_signal = attr->coredump_signal;
415 kinfo.coredump_code = attr->coredump_code;
416 }
417 }
418
419 task = get_pid_task(pid, PIDTYPE_PID);
420 if (!task) {
421 /*
422 * If the task has already been reaped, only exit
423 * information is available
424 */
425 if (!(mask & PIDFD_INFO_EXIT))
426 return -ESRCH;
427
428 goto copy_out;
429 }
430
431 c = get_task_cred(task);
432 if (!c)
433 return -ESRCH;
434
435 if ((mask & PIDFD_INFO_COREDUMP) && !kinfo.coredump_mask) {
436 guard(task_lock)(task);
437 if (task->mm) {
438 unsigned long flags = __mm_flags_get_dumpable(task->mm);
439
440 kinfo.coredump_mask = pidfs_coredump_mask(flags);
441 kinfo.mask |= PIDFD_INFO_COREDUMP;
442 /* No coredump actually took place, so no coredump signal. */
443 }
444 }
445
446 /* Unconditionally return identifiers and credentials, the rest only on request */
447
448 user_ns = current_user_ns();
449 kinfo.ruid = from_kuid_munged(user_ns, c->uid);
450 kinfo.rgid = from_kgid_munged(user_ns, c->gid);
451 kinfo.euid = from_kuid_munged(user_ns, c->euid);
452 kinfo.egid = from_kgid_munged(user_ns, c->egid);
453 kinfo.suid = from_kuid_munged(user_ns, c->suid);
454 kinfo.sgid = from_kgid_munged(user_ns, c->sgid);
455 kinfo.fsuid = from_kuid_munged(user_ns, c->fsuid);
456 kinfo.fsgid = from_kgid_munged(user_ns, c->fsgid);
457 kinfo.mask |= PIDFD_INFO_CREDS;
458 put_cred(c);
459
460 #ifdef CONFIG_CGROUPS
461 if (!kinfo.cgroupid) {
462 struct cgroup *cgrp;
463
464 rcu_read_lock();
465 cgrp = task_dfl_cgroup(task);
466 kinfo.cgroupid = cgroup_id(cgrp);
467 kinfo.mask |= PIDFD_INFO_CGROUPID;
468 rcu_read_unlock();
469 }
470 #endif
471
472 /*
473 * Copy pid/tgid last, to reduce the chances the information might be
474 * stale. Note that it is not possible to ensure it will be valid as the
475 * task might return as soon as the copy_to_user finishes, but that's ok
476 * and userspace expects that might happen and can act accordingly, so
477 * this is just best-effort. What we can do however is checking that all
478 * the fields are set correctly, or return ESRCH to avoid providing
479 * incomplete information. */
480
481 kinfo.ppid = task_ppid_vnr(task);
482 kinfo.tgid = task_tgid_vnr(task);
483 kinfo.pid = task_pid_vnr(task);
484 kinfo.mask |= PIDFD_INFO_PID;
485
486 if (kinfo.pid == 0 || kinfo.tgid == 0)
487 return -ESRCH;
488
489 copy_out:
490 if (mask & PIDFD_INFO_SUPPORTED_MASK) {
491 kinfo.mask |= PIDFD_INFO_SUPPORTED_MASK;
492 kinfo.supported_mask = PIDFD_INFO_SUPPORTED;
493 }
494
495 /* Are there bits in the return mask not present in PIDFD_INFO_SUPPORTED? */
496 WARN_ON_ONCE(~PIDFD_INFO_SUPPORTED & kinfo.mask);
497 /*
498 * If userspace and the kernel have the same struct size it can just
499 * be copied. If userspace provides an older struct, only the bits that
500 * userspace knows about will be copied. If userspace provides a new
501 * struct, only the bits that the kernel knows about will be copied.
502 */
503 return copy_struct_to_user(uinfo, usize, &kinfo, sizeof(kinfo), NULL);
504 }
505
pidfs_ioctl_valid(unsigned int cmd)506 static bool pidfs_ioctl_valid(unsigned int cmd)
507 {
508 switch (cmd) {
509 case FS_IOC_GETVERSION:
510 case PIDFD_GET_CGROUP_NAMESPACE:
511 case PIDFD_GET_IPC_NAMESPACE:
512 case PIDFD_GET_MNT_NAMESPACE:
513 case PIDFD_GET_NET_NAMESPACE:
514 case PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE:
515 case PIDFD_GET_TIME_NAMESPACE:
516 case PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE:
517 case PIDFD_GET_UTS_NAMESPACE:
518 case PIDFD_GET_USER_NAMESPACE:
519 case PIDFD_GET_PID_NAMESPACE:
520 return true;
521 }
522
523 /* Extensible ioctls require some more careful checks. */
524 switch (_IOC_NR(cmd)) {
525 case _IOC_NR(PIDFD_GET_INFO):
526 /*
527 * Try to prevent performing a pidfd ioctl when someone
528 * erronously mistook the file descriptor for a pidfd.
529 * This is not perfect but will catch most cases.
530 */
531 return extensible_ioctl_valid(cmd, PIDFD_GET_INFO, PIDFD_INFO_SIZE_VER0);
532 }
533
534 return false;
535 }
536
pidfd_ioctl(struct file * file,unsigned int cmd,unsigned long arg)537 static long pidfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
538 {
539 struct task_struct *task __free(put_task) = NULL;
540 struct nsproxy *nsp __free(put_nsproxy) = NULL;
541 struct ns_common *ns_common = NULL;
542
543 if (!pidfs_ioctl_valid(cmd))
544 return -ENOIOCTLCMD;
545
546 if (cmd == FS_IOC_GETVERSION) {
547 if (!arg)
548 return -EINVAL;
549
550 __u32 __user *argp = (__u32 __user *)arg;
551 return put_user(file_inode(file)->i_generation, argp);
552 }
553
554 /* Extensible IOCTL that does not open namespace FDs, take a shortcut */
555 if (_IOC_NR(cmd) == _IOC_NR(PIDFD_GET_INFO))
556 return pidfd_info(file, cmd, arg);
557
558 task = get_pid_task(pidfd_pid(file), PIDTYPE_PID);
559 if (!task)
560 return -ESRCH;
561
562 if (arg)
563 return -EINVAL;
564
565 scoped_guard(task_lock, task) {
566 nsp = task->nsproxy;
567 if (nsp)
568 get_nsproxy(nsp);
569 }
570 if (!nsp)
571 return -ESRCH; /* just pretend it didn't exist */
572
573 /*
574 * We're trying to open a file descriptor to the namespace so perform a
575 * filesystem cred ptrace check. Also, we mirror nsfs behavior.
576 */
577 if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
578 return -EACCES;
579
580 switch (cmd) {
581 /* Namespaces that hang of nsproxy. */
582 case PIDFD_GET_CGROUP_NAMESPACE:
583 #ifdef CONFIG_CGROUPS
584 if (!ns_ref_get(nsp->cgroup_ns))
585 break;
586 ns_common = to_ns_common(nsp->cgroup_ns);
587 #endif
588 break;
589 case PIDFD_GET_IPC_NAMESPACE:
590 #ifdef CONFIG_IPC_NS
591 if (!ns_ref_get(nsp->ipc_ns))
592 break;
593 ns_common = to_ns_common(nsp->ipc_ns);
594 #endif
595 break;
596 case PIDFD_GET_MNT_NAMESPACE:
597 if (!ns_ref_get(nsp->mnt_ns))
598 break;
599 ns_common = to_ns_common(nsp->mnt_ns);
600 break;
601 case PIDFD_GET_NET_NAMESPACE:
602 #ifdef CONFIG_NET_NS
603 if (!ns_ref_get(nsp->net_ns))
604 break;
605 ns_common = to_ns_common(nsp->net_ns);
606 #endif
607 break;
608 case PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE:
609 #ifdef CONFIG_PID_NS
610 if (!ns_ref_get(nsp->pid_ns_for_children))
611 break;
612 ns_common = to_ns_common(nsp->pid_ns_for_children);
613 #endif
614 break;
615 case PIDFD_GET_TIME_NAMESPACE:
616 #ifdef CONFIG_TIME_NS
617 if (!ns_ref_get(nsp->time_ns))
618 break;
619 ns_common = to_ns_common(nsp->time_ns);
620 #endif
621 break;
622 case PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE:
623 #ifdef CONFIG_TIME_NS
624 if (!ns_ref_get(nsp->time_ns_for_children))
625 break;
626 ns_common = to_ns_common(nsp->time_ns_for_children);
627 #endif
628 break;
629 case PIDFD_GET_UTS_NAMESPACE:
630 #ifdef CONFIG_UTS_NS
631 if (!ns_ref_get(nsp->uts_ns))
632 break;
633 ns_common = to_ns_common(nsp->uts_ns);
634 #endif
635 break;
636 /* Namespaces that don't hang of nsproxy. */
637 case PIDFD_GET_USER_NAMESPACE:
638 #ifdef CONFIG_USER_NS
639 scoped_guard(rcu) {
640 struct user_namespace *user_ns;
641
642 user_ns = task_cred_xxx(task, user_ns);
643 if (ns_ref_get(user_ns))
644 ns_common = to_ns_common(user_ns);
645 }
646 #endif
647 break;
648 case PIDFD_GET_PID_NAMESPACE:
649 #ifdef CONFIG_PID_NS
650 scoped_guard(rcu) {
651 struct pid_namespace *pid_ns;
652
653 pid_ns = task_active_pid_ns(task);
654 if (ns_ref_get(pid_ns))
655 ns_common = to_ns_common(pid_ns);
656 }
657 #endif
658 break;
659 default:
660 return -ENOIOCTLCMD;
661 }
662
663 if (!ns_common)
664 return -EOPNOTSUPP;
665
666 /* open_namespace() unconditionally consumes the reference */
667 return open_namespace(ns_common);
668 }
669
pidfs_file_release(struct inode * inode,struct file * file)670 static int pidfs_file_release(struct inode *inode, struct file *file)
671 {
672 struct pid *pid = inode->i_private;
673 struct task_struct *task;
674
675 if (!(file->f_flags & PIDFD_AUTOKILL))
676 return 0;
677
678 guard(rcu)();
679 task = pid_task(pid, PIDTYPE_TGID);
680 if (!task)
681 return 0;
682
683 /* Not available for kthreads or user workers for now. */
684 if (WARN_ON_ONCE(task->flags & (PF_KTHREAD | PF_USER_WORKER)))
685 return 0;
686 do_send_sig_info(SIGKILL, SEND_SIG_PRIV, task, PIDTYPE_TGID);
687 return 0;
688 }
689
690 static const struct file_operations pidfs_file_operations = {
691 .release = pidfs_file_release,
692 .poll = pidfd_poll,
693 #ifdef CONFIG_PROC_FS
694 .show_fdinfo = pidfd_show_fdinfo,
695 #endif
696 .unlocked_ioctl = pidfd_ioctl,
697 .compat_ioctl = compat_ptr_ioctl,
698 };
699
pidfd_pid(const struct file * file)700 struct pid *pidfd_pid(const struct file *file)
701 {
702 if (file->f_op != &pidfs_file_operations)
703 return ERR_PTR(-EBADF);
704 return file_inode(file)->i_private;
705 }
706
707 /*
708 * We're called from release_task(). We know there's at least one
709 * reference to struct pid being held that won't be released until the
710 * task has been reaped which cannot happen until we're out of
711 * release_task().
712 *
713 * If this struct pid has at least once been referred to by a pidfd then
714 * pid->attr will be allocated. If not we mark the struct pid as dead so
715 * anyone who is trying to register it with pidfs will fail to do so.
716 * Otherwise we would hand out pidfs for reaped tasks without having
717 * exit information available.
718 *
719 * Worst case is that we've filled in the info and the pid gets freed
720 * right away in free_pid() when no one holds a pidfd anymore. Since
721 * pidfs_exit() currently is placed after exit_task_work() we know that
722 * it cannot be us aka the exiting task holding a pidfd to itself.
723 */
pidfs_exit(struct task_struct * tsk)724 void pidfs_exit(struct task_struct *tsk)
725 {
726 struct pid *pid = task_pid(tsk);
727 struct pidfs_attr *attr;
728 #ifdef CONFIG_CGROUPS
729 struct cgroup *cgrp;
730 #endif
731
732 might_sleep();
733
734 /* Synchronize with pidfs_register_pid(). */
735 scoped_guard(spinlock_irq, &pid->wait_pidfd.lock) {
736 attr = pid->attr;
737 if (!attr) {
738 /*
739 * No one ever held a pidfd for this struct pid.
740 * Mark it as dead so no one can add a pidfs
741 * entry anymore. We're about to be reaped and
742 * so no exit information would be available.
743 */
744 pid->attr = PIDFS_PID_DEAD;
745 return;
746 }
747 }
748
749 /*
750 * If @pid->attr is set someone might still legitimately hold a
751 * pidfd to @pid or someone might concurrently still be getting
752 * a reference to an already stashed dentry from @pid->stashed.
753 * So defer cleaning @pid->attr until the last reference to @pid
754 * is put
755 */
756
757 #ifdef CONFIG_CGROUPS
758 rcu_read_lock();
759 cgrp = task_dfl_cgroup(tsk);
760 attr->cgroupid = cgroup_id(cgrp);
761 rcu_read_unlock();
762 #endif
763 attr->exit_code = tsk->exit_code;
764
765 /* Ensure that PIDFD_GET_INFO sees either all or nothing. */
766 smp_wmb();
767 set_bit(PIDFS_ATTR_BIT_EXIT, &attr->attr_mask);
768 }
769
770 #ifdef CONFIG_COREDUMP
pidfs_coredump(const struct coredump_params * cprm)771 void pidfs_coredump(const struct coredump_params *cprm)
772 {
773 struct pid *pid = cprm->pid;
774 struct pidfs_attr *attr;
775
776 attr = READ_ONCE(pid->attr);
777
778 VFS_WARN_ON_ONCE(!attr);
779 VFS_WARN_ON_ONCE(attr == PIDFS_PID_DEAD);
780
781 /* Note how we were coredumped and that we coredumped. */
782 attr->coredump_mask = pidfs_coredump_mask(cprm->mm_flags) |
783 PIDFD_COREDUMPED;
784 /* If coredumping is set to skip we should never end up here. */
785 VFS_WARN_ON_ONCE(attr->coredump_mask & PIDFD_COREDUMP_SKIP);
786 /* Expose the signal number and code that caused the coredump. */
787 attr->coredump_signal = cprm->siginfo->si_signo;
788 attr->coredump_code = cprm->siginfo->si_code;
789 smp_wmb();
790 set_bit(PIDFS_ATTR_BIT_COREDUMP, &attr->attr_mask);
791 }
792 #endif
793
794 static struct vfsmount *pidfs_mnt __ro_after_init;
795
796 /*
797 * The vfs falls back to simple_setattr() if i_op->setattr() isn't
798 * implemented. Let's reject it completely until we have a clean
799 * permission concept for pidfds.
800 */
pidfs_setattr(struct mnt_idmap * idmap,struct dentry * dentry,struct iattr * attr)801 static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
802 struct iattr *attr)
803 {
804 return anon_inode_setattr(idmap, dentry, attr);
805 }
806
pidfs_getattr(struct mnt_idmap * idmap,const struct path * path,struct kstat * stat,u32 request_mask,unsigned int query_flags)807 static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path,
808 struct kstat *stat, u32 request_mask,
809 unsigned int query_flags)
810 {
811 return anon_inode_getattr(idmap, path, stat, request_mask, query_flags);
812 }
813
pidfs_listxattr(struct dentry * dentry,char * buf,size_t size)814 static ssize_t pidfs_listxattr(struct dentry *dentry, char *buf, size_t size)
815 {
816 struct inode *inode = d_inode(dentry);
817 struct pid *pid = inode->i_private;
818 struct pidfs_attr *attr = pid->attr;
819 struct simple_xattrs *xattrs;
820
821 xattrs = READ_ONCE(attr->xattrs);
822 if (!xattrs)
823 return 0;
824
825 return simple_xattr_list(inode, xattrs, buf, size);
826 }
827
828 static const struct inode_operations pidfs_inode_operations = {
829 .getattr = pidfs_getattr,
830 .setattr = pidfs_setattr,
831 .listxattr = pidfs_listxattr,
832 };
833
pidfs_evict_inode(struct inode * inode)834 static void pidfs_evict_inode(struct inode *inode)
835 {
836 struct pid *pid = inode->i_private;
837
838 clear_inode(inode);
839 put_pid(pid);
840 }
841
842 static const struct super_operations pidfs_sops = {
843 .drop_inode = inode_just_drop,
844 .evict_inode = pidfs_evict_inode,
845 .statfs = simple_statfs,
846 };
847
848 /*
849 * 'lsof' has knowledge of out historical anon_inode use, and expects
850 * the pidfs dentry name to start with 'anon_inode'.
851 */
pidfs_dname(struct dentry * dentry,char * buffer,int buflen)852 static char *pidfs_dname(struct dentry *dentry, char *buffer, int buflen)
853 {
854 return dynamic_dname(buffer, buflen, "anon_inode:[pidfd]");
855 }
856
857 const struct dentry_operations pidfs_dentry_operations = {
858 .d_dname = pidfs_dname,
859 .d_prune = stashed_dentry_prune,
860 };
861
pidfs_encode_fh(struct inode * inode,u32 * fh,int * max_len,struct inode * parent)862 static int pidfs_encode_fh(struct inode *inode, u32 *fh, int *max_len,
863 struct inode *parent)
864 {
865 const struct pid *pid = inode->i_private;
866
867 if (*max_len < 2) {
868 *max_len = 2;
869 return FILEID_INVALID;
870 }
871
872 *max_len = 2;
873 *(u64 *)fh = pid->ino;
874 return FILEID_KERNFS;
875 }
876
877 /* Find a struct pid based on the inode number. */
pidfs_ino_get_pid(u64 ino)878 static struct pid *pidfs_ino_get_pid(u64 ino)
879 {
880 struct pid *pid;
881 struct pidfs_attr *attr;
882
883 guard(rcu)();
884 pid = rhashtable_lookup(&pidfs_ino_ht, &ino, pidfs_ino_ht_params);
885 if (!pid)
886 return NULL;
887 attr = READ_ONCE(pid->attr);
888 if (IS_ERR_OR_NULL(attr))
889 return NULL;
890 if (test_bit(PIDFS_ATTR_BIT_EXIT, &attr->attr_mask))
891 return NULL;
892 /* Within our pid namespace hierarchy? */
893 if (pid_vnr(pid) == 0)
894 return NULL;
895 return get_pid(pid);
896 }
897
pidfs_fh_to_dentry(struct super_block * sb,struct fid * fid,int fh_len,int fh_type)898 static struct dentry *pidfs_fh_to_dentry(struct super_block *sb,
899 struct fid *fid, int fh_len,
900 int fh_type)
901 {
902 int ret;
903 u64 pid_ino;
904 struct path path;
905 struct pid *pid;
906
907 if (fh_len < 2)
908 return NULL;
909
910 switch (fh_type) {
911 case FILEID_KERNFS:
912 pid_ino = *(u64 *)fid;
913 break;
914 default:
915 return NULL;
916 }
917
918 pid = pidfs_ino_get_pid(pid_ino);
919 if (!pid)
920 return NULL;
921
922 ret = path_from_stashed(&pid->stashed, pidfs_mnt, pid, &path);
923 if (ret < 0)
924 return ERR_PTR(ret);
925
926 VFS_WARN_ON_ONCE(!pid->attr);
927
928 mntput(path.mnt);
929 return path.dentry;
930 }
931
932 /*
933 * Make sure that we reject any nonsensical flags that users pass via
934 * open_by_handle_at(). Note that PIDFD_THREAD is defined as O_EXCL, and
935 * PIDFD_NONBLOCK as O_NONBLOCK.
936 */
937 #define VALID_FILE_HANDLE_OPEN_FLAGS \
938 (O_RDONLY | O_WRONLY | O_RDWR | O_NONBLOCK | O_CLOEXEC | O_EXCL)
939
pidfs_export_permission(struct handle_to_path_ctx * ctx,unsigned int oflags)940 static int pidfs_export_permission(struct handle_to_path_ctx *ctx,
941 unsigned int oflags)
942 {
943 if (oflags & ~(VALID_FILE_HANDLE_OPEN_FLAGS | O_LARGEFILE))
944 return -EINVAL;
945
946 /*
947 * pidfd_ino_get_pid() will verify that the struct pid is part
948 * of the caller's pid namespace hierarchy. No further
949 * permission checks are needed.
950 */
951 return 0;
952 }
953
pidfs_export_open(const struct path * path,unsigned int oflags)954 static struct file *pidfs_export_open(const struct path *path, unsigned int oflags)
955 {
956 /*
957 * Clear O_LARGEFILE as open_by_handle_at() forces it and raise
958 * O_RDWR as pidfds always are.
959 */
960 oflags &= ~O_LARGEFILE;
961 return dentry_open(path, oflags | O_RDWR, current_cred());
962 }
963
964 static const struct export_operations pidfs_export_operations = {
965 .encode_fh = pidfs_encode_fh,
966 .fh_to_dentry = pidfs_fh_to_dentry,
967 .open = pidfs_export_open,
968 .permission = pidfs_export_permission,
969 };
970
pidfs_init_inode(struct inode * inode,void * data)971 static int pidfs_init_inode(struct inode *inode, void *data)
972 {
973 const struct pid *pid = data;
974
975 inode->i_private = data;
976 inode->i_flags |= S_PRIVATE | S_ANON_INODE;
977 /* We allow to set xattrs. */
978 inode->i_flags &= ~S_IMMUTABLE;
979 inode->i_mode |= S_IRWXU;
980 inode->i_op = &pidfs_inode_operations;
981 inode->i_fop = &pidfs_file_operations;
982 inode->i_ino = pidfs_ino(pid->ino);
983 inode->i_generation = pidfs_gen(pid->ino);
984 return 0;
985 }
986
pidfs_put_data(void * data)987 static void pidfs_put_data(void *data)
988 {
989 struct pid *pid = data;
990 put_pid(pid);
991 }
992
993 /**
994 * pidfs_register_pid - register a struct pid in pidfs
995 * @pid: pid to pin
996 *
997 * Register a struct pid in pidfs.
998 *
999 * Return: On success zero, on error a negative error code is returned.
1000 */
pidfs_register_pid(struct pid * pid)1001 int pidfs_register_pid(struct pid *pid)
1002 {
1003 struct pidfs_attr *new_attr __free(kfree) = NULL;
1004 struct pidfs_attr *attr;
1005
1006 might_sleep();
1007
1008 if (!pid)
1009 return 0;
1010
1011 attr = READ_ONCE(pid->attr);
1012 if (unlikely(attr == PIDFS_PID_DEAD))
1013 return PTR_ERR(PIDFS_PID_DEAD);
1014 if (attr)
1015 return 0;
1016
1017 new_attr = kmem_cache_zalloc(pidfs_attr_cachep, GFP_KERNEL);
1018 if (!new_attr)
1019 return -ENOMEM;
1020
1021 /* Synchronize with pidfs_exit(). */
1022 guard(spinlock_irq)(&pid->wait_pidfd.lock);
1023
1024 attr = pid->attr;
1025 if (unlikely(attr == PIDFS_PID_DEAD))
1026 return PTR_ERR(PIDFS_PID_DEAD);
1027 if (unlikely(attr))
1028 return 0;
1029
1030 pid->attr = no_free_ptr(new_attr);
1031 return 0;
1032 }
1033
pidfs_stash_dentry(struct dentry ** stashed,struct dentry * dentry)1034 static struct dentry *pidfs_stash_dentry(struct dentry **stashed,
1035 struct dentry *dentry)
1036 {
1037 int ret;
1038 struct pid *pid = d_inode(dentry)->i_private;
1039
1040 VFS_WARN_ON_ONCE(stashed != &pid->stashed);
1041
1042 ret = pidfs_register_pid(pid);
1043 if (ret)
1044 return ERR_PTR(ret);
1045
1046 return stash_dentry(stashed, dentry);
1047 }
1048
1049 static const struct stashed_operations pidfs_stashed_ops = {
1050 .stash_dentry = pidfs_stash_dentry,
1051 .init_inode = pidfs_init_inode,
1052 .put_data = pidfs_put_data,
1053 };
1054
pidfs_xattr_get(const struct xattr_handler * handler,struct dentry * unused,struct inode * inode,const char * suffix,void * value,size_t size)1055 static int pidfs_xattr_get(const struct xattr_handler *handler,
1056 struct dentry *unused, struct inode *inode,
1057 const char *suffix, void *value, size_t size)
1058 {
1059 struct pid *pid = inode->i_private;
1060 struct pidfs_attr *attr = pid->attr;
1061 const char *name;
1062 struct simple_xattrs *xattrs;
1063
1064 xattrs = READ_ONCE(attr->xattrs);
1065 if (!xattrs)
1066 return -ENODATA;
1067
1068 name = xattr_full_name(handler, suffix);
1069 return simple_xattr_get(xattrs, name, value, size);
1070 }
1071
pidfs_xattr_set(const struct xattr_handler * handler,struct mnt_idmap * idmap,struct dentry * unused,struct inode * inode,const char * suffix,const void * value,size_t size,int flags)1072 static int pidfs_xattr_set(const struct xattr_handler *handler,
1073 struct mnt_idmap *idmap, struct dentry *unused,
1074 struct inode *inode, const char *suffix,
1075 const void *value, size_t size, int flags)
1076 {
1077 struct pid *pid = inode->i_private;
1078 struct pidfs_attr *attr = pid->attr;
1079 const char *name;
1080 struct simple_xattrs *xattrs;
1081 struct simple_xattr *old_xattr;
1082
1083 /* Ensure we're the only one to set @attr->xattrs. */
1084 WARN_ON_ONCE(!inode_is_locked(inode));
1085
1086 xattrs = simple_xattrs_lazy_alloc(&attr->xattrs, value, flags);
1087 if (IS_ERR_OR_NULL(xattrs))
1088 return PTR_ERR(xattrs);
1089
1090 name = xattr_full_name(handler, suffix);
1091 old_xattr = simple_xattr_set(xattrs, name, value, size, flags);
1092 if (IS_ERR(old_xattr))
1093 return PTR_ERR(old_xattr);
1094
1095 simple_xattr_free_rcu(old_xattr);
1096 return 0;
1097 }
1098
1099 static const struct xattr_handler pidfs_trusted_xattr_handler = {
1100 .prefix = XATTR_TRUSTED_PREFIX,
1101 .get = pidfs_xattr_get,
1102 .set = pidfs_xattr_set,
1103 };
1104
1105 static const struct xattr_handler *const pidfs_xattr_handlers[] = {
1106 &pidfs_trusted_xattr_handler,
1107 NULL
1108 };
1109
pidfs_init_fs_context(struct fs_context * fc)1110 static int pidfs_init_fs_context(struct fs_context *fc)
1111 {
1112 struct pseudo_fs_context *ctx;
1113
1114 ctx = init_pseudo(fc, PID_FS_MAGIC);
1115 if (!ctx)
1116 return -ENOMEM;
1117
1118 fc->s_iflags |= SB_I_NOEXEC;
1119 fc->s_iflags |= SB_I_NODEV;
1120 ctx->s_d_flags |= DCACHE_DONTCACHE;
1121 ctx->ops = &pidfs_sops;
1122 ctx->eops = &pidfs_export_operations;
1123 ctx->dops = &pidfs_dentry_operations;
1124 ctx->xattr = pidfs_xattr_handlers;
1125 fc->s_fs_info = (void *)&pidfs_stashed_ops;
1126 return 0;
1127 }
1128
1129 static struct file_system_type pidfs_type = {
1130 .name = "pidfs",
1131 .init_fs_context = pidfs_init_fs_context,
1132 .kill_sb = kill_anon_super,
1133 };
1134
pidfs_alloc_file(struct pid * pid,unsigned int flags)1135 struct file *pidfs_alloc_file(struct pid *pid, unsigned int flags)
1136 {
1137 struct file *pidfd_file;
1138 struct path path __free(path_put) = {};
1139 int ret;
1140
1141 /*
1142 * Ensure that internal pidfd flags don't overlap with each
1143 * other or with uapi pidfd flags.
1144 */
1145 BUILD_BUG_ON(hweight32(PIDFD_THREAD | PIDFD_NONBLOCK |
1146 PIDFD_STALE | PIDFD_AUTOKILL) != 4);
1147
1148 ret = path_from_stashed(&pid->stashed, pidfs_mnt, get_pid(pid), &path);
1149 if (ret < 0)
1150 return ERR_PTR(ret);
1151
1152 VFS_WARN_ON_ONCE(!pid->attr);
1153
1154 flags &= ~PIDFD_STALE;
1155 flags |= O_RDWR;
1156 pidfd_file = dentry_open(&path, flags, current_cred());
1157 /*
1158 * Raise PIDFD_THREAD and PIDFD_AUTOKILL explicitly as
1159 * do_dentry_open() strips O_EXCL and O_TRUNC.
1160 */
1161 if (!IS_ERR(pidfd_file))
1162 pidfd_file->f_flags |= (flags & (PIDFD_THREAD | PIDFD_AUTOKILL));
1163
1164 return pidfd_file;
1165 }
1166
pidfs_init(void)1167 void __init pidfs_init(void)
1168 {
1169 if (rhashtable_init(&pidfs_ino_ht, &pidfs_ino_ht_params))
1170 panic("Failed to initialize pidfs hashtable");
1171
1172 pidfs_attr_cachep = kmem_cache_create("pidfs_attr_cache", sizeof(struct pidfs_attr), 0,
1173 (SLAB_HWCACHE_ALIGN | SLAB_RECLAIM_ACCOUNT |
1174 SLAB_ACCOUNT | SLAB_PANIC), NULL);
1175
1176 pidfs_mnt = kern_mount(&pidfs_type);
1177 if (IS_ERR(pidfs_mnt))
1178 panic("Failed to mount pidfs pseudo filesystem");
1179
1180 pidfs_root_path.mnt = pidfs_mnt;
1181 pidfs_root_path.dentry = pidfs_mnt->mnt_root;
1182 }
1183