1 /* SPDX-License-Identifier: GPL-2.0 */ 2 3 #include <linux/compiler_types.h> 4 #include <linux/errno.h> 5 #include <linux/fs.h> 6 #include <linux/fsnotify.h> 7 #include <linux/gfp.h> 8 #include <linux/idr.h> 9 #include <linux/init.h> 10 #include <linux/ipc_namespace.h> 11 #include <linux/kdev_t.h> 12 #include <linux/kernel.h> 13 #include <linux/list.h> 14 #include <linux/magic.h> 15 #include <linux/major.h> 16 #include <linux/miscdevice.h> 17 #include <linux/module.h> 18 #include <linux/mutex.h> 19 #include <linux/mount.h> 20 #include <linux/parser.h> 21 #include <linux/radix-tree.h> 22 #include <linux/sched.h> 23 #include <linux/seq_file.h> 24 #include <linux/slab.h> 25 #include <linux/spinlock_types.h> 26 #include <linux/stddef.h> 27 #include <linux/string.h> 28 #include <linux/types.h> 29 #include <linux/uaccess.h> 30 #include <linux/user_namespace.h> 31 #include <linux/xarray.h> 32 #include <uapi/asm-generic/errno-base.h> 33 #include <uapi/linux/android/binder.h> 34 #include <uapi/linux/android/binderfs.h> 35 36 #include "binder_internal.h" 37 38 #define FIRST_INODE 1 39 #define SECOND_INODE 2 40 #define INODE_OFFSET 3 41 #define INTSTRLEN 21 42 #define BINDERFS_MAX_MINOR (1U << MINORBITS) 43 /* Ensure that the initial ipc namespace always has devices available. */ 44 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4) 45 46 static dev_t binderfs_dev; 47 static DEFINE_MUTEX(binderfs_minors_mutex); 48 static DEFINE_IDA(binderfs_minors); 49 50 /** 51 * binderfs_mount_opts - mount options for binderfs 52 * @max: maximum number of allocatable binderfs binder devices 53 */ 54 struct binderfs_mount_opts { 55 int max; 56 }; 57 58 enum { 59 Opt_max, 60 Opt_err 61 }; 62 63 static const match_table_t tokens = { 64 { Opt_max, "max=%d" }, 65 { Opt_err, NULL } 66 }; 67 68 /** 69 * binderfs_info - information about a binderfs mount 70 * @ipc_ns: The ipc namespace the binderfs mount belongs to. 71 * @control_dentry: This records the dentry of this binderfs mount 72 * binder-control device. 73 * @root_uid: uid that needs to be used when a new binder device is 74 * created. 75 * @root_gid: gid that needs to be used when a new binder device is 76 * created. 77 * @mount_opts: The mount options in use. 78 * @device_count: The current number of allocated binder devices. 79 */ 80 struct binderfs_info { 81 struct ipc_namespace *ipc_ns; 82 struct dentry *control_dentry; 83 kuid_t root_uid; 84 kgid_t root_gid; 85 struct binderfs_mount_opts mount_opts; 86 int device_count; 87 }; 88 89 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode) 90 { 91 return inode->i_sb->s_fs_info; 92 } 93 94 bool is_binderfs_device(const struct inode *inode) 95 { 96 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) 97 return true; 98 99 return false; 100 } 101 102 /** 103 * binderfs_binder_device_create - allocate inode from super block of a 104 * binderfs mount 105 * @ref_inode: inode from wich the super block will be taken 106 * @userp: buffer to copy information about new device for userspace to 107 * @req: struct binderfs_device as copied from userspace 108 * 109 * This function allocated a new binder_device and reserves a new minor 110 * number for it. 111 * Minor numbers are limited and tracked globally in binderfs_minors. The 112 * function will stash a struct binder_device for the specific binder 113 * device in i_private of the inode. 114 * It will go on to allocate a new inode from the super block of the 115 * filesystem mount, stash a struct binder_device in its i_private field 116 * and attach a dentry to that inode. 117 * 118 * Return: 0 on success, negative errno on failure 119 */ 120 static int binderfs_binder_device_create(struct inode *ref_inode, 121 struct binderfs_device __user *userp, 122 struct binderfs_device *req) 123 { 124 int minor, ret; 125 struct dentry *dentry, *dup, *root; 126 struct binder_device *device; 127 size_t name_len = BINDERFS_MAX_NAME + 1; 128 char *name = NULL; 129 struct inode *inode = NULL; 130 struct super_block *sb = ref_inode->i_sb; 131 struct binderfs_info *info = sb->s_fs_info; 132 #if defined(CONFIG_IPC_NS) 133 bool use_reserve = (info->ipc_ns == &init_ipc_ns); 134 #else 135 bool use_reserve = true; 136 #endif 137 138 /* Reserve new minor number for the new device. */ 139 mutex_lock(&binderfs_minors_mutex); 140 if (++info->device_count <= info->mount_opts.max) 141 minor = ida_alloc_max(&binderfs_minors, 142 use_reserve ? BINDERFS_MAX_MINOR : 143 BINDERFS_MAX_MINOR_CAPPED, 144 GFP_KERNEL); 145 else 146 minor = -ENOSPC; 147 if (minor < 0) { 148 --info->device_count; 149 mutex_unlock(&binderfs_minors_mutex); 150 return minor; 151 } 152 mutex_unlock(&binderfs_minors_mutex); 153 154 ret = -ENOMEM; 155 device = kzalloc(sizeof(*device), GFP_KERNEL); 156 if (!device) 157 goto err; 158 159 inode = new_inode(sb); 160 if (!inode) 161 goto err; 162 163 inode->i_ino = minor + INODE_OFFSET; 164 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 165 init_special_inode(inode, S_IFCHR | 0600, 166 MKDEV(MAJOR(binderfs_dev), minor)); 167 inode->i_fop = &binder_fops; 168 inode->i_uid = info->root_uid; 169 inode->i_gid = info->root_gid; 170 171 name = kmalloc(name_len, GFP_KERNEL); 172 if (!name) 173 goto err; 174 175 strscpy(name, req->name, name_len); 176 177 device->binderfs_inode = inode; 178 device->context.binder_context_mgr_uid = INVALID_UID; 179 device->context.name = name; 180 device->miscdev.name = name; 181 device->miscdev.minor = minor; 182 mutex_init(&device->context.context_mgr_node_lock); 183 184 req->major = MAJOR(binderfs_dev); 185 req->minor = minor; 186 187 ret = copy_to_user(userp, req, sizeof(*req)); 188 if (ret) { 189 ret = -EFAULT; 190 goto err; 191 } 192 193 root = sb->s_root; 194 inode_lock(d_inode(root)); 195 dentry = d_alloc_name(root, name); 196 if (!dentry) { 197 inode_unlock(d_inode(root)); 198 ret = -ENOMEM; 199 goto err; 200 } 201 202 /* Verify that the name userspace gave us is not already in use. */ 203 dup = d_lookup(root, &dentry->d_name); 204 if (dup) { 205 if (d_really_is_positive(dup)) { 206 dput(dup); 207 dput(dentry); 208 inode_unlock(d_inode(root)); 209 ret = -EEXIST; 210 goto err; 211 } 212 dput(dup); 213 } 214 215 inode->i_private = device; 216 d_add(dentry, inode); 217 fsnotify_create(root->d_inode, dentry); 218 inode_unlock(d_inode(root)); 219 220 return 0; 221 222 err: 223 kfree(name); 224 kfree(device); 225 mutex_lock(&binderfs_minors_mutex); 226 --info->device_count; 227 ida_free(&binderfs_minors, minor); 228 mutex_unlock(&binderfs_minors_mutex); 229 iput(inode); 230 231 return ret; 232 } 233 234 /** 235 * binderfs_ctl_ioctl - handle binder device node allocation requests 236 * 237 * The request handler for the binder-control device. All requests operate on 238 * the binderfs mount the binder-control device resides in: 239 * - BINDER_CTL_ADD 240 * Allocate a new binder device. 241 * 242 * Return: 0 on success, negative errno on failure 243 */ 244 static long binder_ctl_ioctl(struct file *file, unsigned int cmd, 245 unsigned long arg) 246 { 247 int ret = -EINVAL; 248 struct inode *inode = file_inode(file); 249 struct binderfs_device __user *device = (struct binderfs_device __user *)arg; 250 struct binderfs_device device_req; 251 252 switch (cmd) { 253 case BINDER_CTL_ADD: 254 ret = copy_from_user(&device_req, device, sizeof(device_req)); 255 if (ret) { 256 ret = -EFAULT; 257 break; 258 } 259 260 ret = binderfs_binder_device_create(inode, device, &device_req); 261 break; 262 default: 263 break; 264 } 265 266 return ret; 267 } 268 269 static void binderfs_evict_inode(struct inode *inode) 270 { 271 struct binder_device *device = inode->i_private; 272 struct binderfs_info *info = BINDERFS_I(inode); 273 274 clear_inode(inode); 275 276 if (!device) 277 return; 278 279 mutex_lock(&binderfs_minors_mutex); 280 --info->device_count; 281 ida_free(&binderfs_minors, device->miscdev.minor); 282 mutex_unlock(&binderfs_minors_mutex); 283 284 kfree(device->context.name); 285 kfree(device); 286 } 287 288 /** 289 * binderfs_parse_mount_opts - parse binderfs mount options 290 * @data: options to set (can be NULL in which case defaults are used) 291 */ 292 static int binderfs_parse_mount_opts(char *data, 293 struct binderfs_mount_opts *opts) 294 { 295 char *p; 296 opts->max = BINDERFS_MAX_MINOR; 297 298 while ((p = strsep(&data, ",")) != NULL) { 299 substring_t args[MAX_OPT_ARGS]; 300 int token; 301 int max_devices; 302 303 if (!*p) 304 continue; 305 306 token = match_token(p, tokens, args); 307 switch (token) { 308 case Opt_max: 309 if (match_int(&args[0], &max_devices) || 310 (max_devices < 0 || 311 (max_devices > BINDERFS_MAX_MINOR))) 312 return -EINVAL; 313 314 opts->max = max_devices; 315 break; 316 default: 317 pr_err("Invalid mount options\n"); 318 return -EINVAL; 319 } 320 } 321 322 return 0; 323 } 324 325 static int binderfs_remount(struct super_block *sb, int *flags, char *data) 326 { 327 struct binderfs_info *info = sb->s_fs_info; 328 return binderfs_parse_mount_opts(data, &info->mount_opts); 329 } 330 331 static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root) 332 { 333 struct binderfs_info *info; 334 335 info = root->d_sb->s_fs_info; 336 if (info->mount_opts.max <= BINDERFS_MAX_MINOR) 337 seq_printf(seq, ",max=%d", info->mount_opts.max); 338 339 return 0; 340 } 341 342 static const struct super_operations binderfs_super_ops = { 343 .evict_inode = binderfs_evict_inode, 344 .remount_fs = binderfs_remount, 345 .show_options = binderfs_show_mount_opts, 346 .statfs = simple_statfs, 347 }; 348 349 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry, 350 struct inode *new_dir, struct dentry *new_dentry, 351 unsigned int flags) 352 { 353 struct inode *inode = d_inode(old_dentry); 354 355 /* binderfs doesn't support directories. */ 356 if (d_is_dir(old_dentry)) 357 return -EPERM; 358 359 if (flags & ~RENAME_NOREPLACE) 360 return -EINVAL; 361 362 if (!simple_empty(new_dentry)) 363 return -ENOTEMPTY; 364 365 if (d_really_is_positive(new_dentry)) 366 simple_unlink(new_dir, new_dentry); 367 368 old_dir->i_ctime = old_dir->i_mtime = new_dir->i_ctime = 369 new_dir->i_mtime = inode->i_ctime = current_time(old_dir); 370 371 return 0; 372 } 373 374 static int binderfs_unlink(struct inode *dir, struct dentry *dentry) 375 { 376 /* 377 * The control dentry is only ever touched during mount so checking it 378 * here should not require us to take lock. 379 */ 380 if (BINDERFS_I(dir)->control_dentry == dentry) 381 return -EPERM; 382 383 return simple_unlink(dir, dentry); 384 } 385 386 static const struct file_operations binder_ctl_fops = { 387 .owner = THIS_MODULE, 388 .open = nonseekable_open, 389 .unlocked_ioctl = binder_ctl_ioctl, 390 .compat_ioctl = binder_ctl_ioctl, 391 .llseek = noop_llseek, 392 }; 393 394 /** 395 * binderfs_binder_ctl_create - create a new binder-control device 396 * @sb: super block of the binderfs mount 397 * 398 * This function creates a new binder-control device node in the binderfs mount 399 * referred to by @sb. 400 * 401 * Return: 0 on success, negative errno on failure 402 */ 403 static int binderfs_binder_ctl_create(struct super_block *sb) 404 { 405 int minor, ret; 406 struct dentry *dentry; 407 struct binder_device *device; 408 struct inode *inode = NULL; 409 struct dentry *root = sb->s_root; 410 struct binderfs_info *info = sb->s_fs_info; 411 412 device = kzalloc(sizeof(*device), GFP_KERNEL); 413 if (!device) 414 return -ENOMEM; 415 416 inode_lock(d_inode(root)); 417 418 /* If we have already created a binder-control node, return. */ 419 if (info->control_dentry) { 420 ret = 0; 421 goto out; 422 } 423 424 ret = -ENOMEM; 425 inode = new_inode(sb); 426 if (!inode) 427 goto out; 428 429 /* Reserve a new minor number for the new device. */ 430 mutex_lock(&binderfs_minors_mutex); 431 minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL); 432 mutex_unlock(&binderfs_minors_mutex); 433 if (minor < 0) { 434 ret = minor; 435 goto out; 436 } 437 438 inode->i_ino = SECOND_INODE; 439 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 440 init_special_inode(inode, S_IFCHR | 0600, 441 MKDEV(MAJOR(binderfs_dev), minor)); 442 inode->i_fop = &binder_ctl_fops; 443 inode->i_uid = info->root_uid; 444 inode->i_gid = info->root_gid; 445 446 device->binderfs_inode = inode; 447 device->miscdev.minor = minor; 448 449 dentry = d_alloc_name(root, "binder-control"); 450 if (!dentry) 451 goto out; 452 453 inode->i_private = device; 454 info->control_dentry = dentry; 455 d_add(dentry, inode); 456 inode_unlock(d_inode(root)); 457 458 return 0; 459 460 out: 461 inode_unlock(d_inode(root)); 462 kfree(device); 463 iput(inode); 464 465 return ret; 466 } 467 468 static const struct inode_operations binderfs_dir_inode_operations = { 469 .lookup = simple_lookup, 470 .rename = binderfs_rename, 471 .unlink = binderfs_unlink, 472 }; 473 474 static int binderfs_fill_super(struct super_block *sb, void *data, int silent) 475 { 476 struct binderfs_info *info; 477 int ret = -ENOMEM; 478 struct inode *inode = NULL; 479 struct ipc_namespace *ipc_ns = current->nsproxy->ipc_ns; 480 481 get_ipc_ns(ipc_ns); 482 483 sb->s_blocksize = PAGE_SIZE; 484 sb->s_blocksize_bits = PAGE_SHIFT; 485 486 /* 487 * The binderfs filesystem can be mounted by userns root in a 488 * non-initial userns. By default such mounts have the SB_I_NODEV flag 489 * set in s_iflags to prevent security issues where userns root can 490 * just create random device nodes via mknod() since it owns the 491 * filesystem mount. But binderfs does not allow to create any files 492 * including devices nodes. The only way to create binder devices nodes 493 * is through the binder-control device which userns root is explicitly 494 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both 495 * necessary and safe. 496 */ 497 sb->s_iflags &= ~SB_I_NODEV; 498 sb->s_iflags |= SB_I_NOEXEC; 499 sb->s_magic = BINDERFS_SUPER_MAGIC; 500 sb->s_op = &binderfs_super_ops; 501 sb->s_time_gran = 1; 502 503 info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL); 504 if (!info) 505 goto err_without_dentry; 506 507 ret = binderfs_parse_mount_opts(data, &info->mount_opts); 508 if (ret) 509 goto err_without_dentry; 510 511 info->ipc_ns = ipc_ns; 512 info->root_gid = make_kgid(sb->s_user_ns, 0); 513 if (!gid_valid(info->root_gid)) 514 info->root_gid = GLOBAL_ROOT_GID; 515 info->root_uid = make_kuid(sb->s_user_ns, 0); 516 if (!uid_valid(info->root_uid)) 517 info->root_uid = GLOBAL_ROOT_UID; 518 519 sb->s_fs_info = info; 520 521 ret = -ENOMEM; 522 inode = new_inode(sb); 523 if (!inode) 524 goto err_without_dentry; 525 526 inode->i_ino = FIRST_INODE; 527 inode->i_fop = &simple_dir_operations; 528 inode->i_mode = S_IFDIR | 0755; 529 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 530 inode->i_op = &binderfs_dir_inode_operations; 531 set_nlink(inode, 2); 532 533 sb->s_root = d_make_root(inode); 534 if (!sb->s_root) 535 goto err_without_dentry; 536 537 ret = binderfs_binder_ctl_create(sb); 538 if (ret) 539 goto err_with_dentry; 540 541 return 0; 542 543 err_with_dentry: 544 dput(sb->s_root); 545 sb->s_root = NULL; 546 547 err_without_dentry: 548 put_ipc_ns(ipc_ns); 549 iput(inode); 550 kfree(info); 551 552 return ret; 553 } 554 555 static struct dentry *binderfs_mount(struct file_system_type *fs_type, 556 int flags, const char *dev_name, 557 void *data) 558 { 559 return mount_nodev(fs_type, flags, data, binderfs_fill_super); 560 } 561 562 static void binderfs_kill_super(struct super_block *sb) 563 { 564 struct binderfs_info *info = sb->s_fs_info; 565 566 if (info && info->ipc_ns) 567 put_ipc_ns(info->ipc_ns); 568 569 kfree(info); 570 kill_litter_super(sb); 571 } 572 573 static struct file_system_type binder_fs_type = { 574 .name = "binder", 575 .mount = binderfs_mount, 576 .kill_sb = binderfs_kill_super, 577 .fs_flags = FS_USERNS_MOUNT, 578 }; 579 580 static int __init init_binderfs(void) 581 { 582 int ret; 583 584 /* Allocate new major number for binderfs. */ 585 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, 586 "binder"); 587 if (ret) 588 return ret; 589 590 ret = register_filesystem(&binder_fs_type); 591 if (ret) { 592 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); 593 return ret; 594 } 595 596 return ret; 597 } 598 599 device_initcall(init_binderfs); 600