/* SPDX-License-Identifier: GPL-2.0 */
#ifndef LINUX_PID_SYSCTL_H
#define LINUX_PID_SYSCTL_H

#include <linux/pid_namespace.h>

#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE)
/*
 * proc handler for vm.memfd_noexec, evaluated against the caller's
 * active pid namespace rather than the init_pid_ns value held in the
 * static table below.
 *
 * Reads return the effective scope: the namespace's own stored value
 * raised to at least what its ancestors already enforce.  Writes need
 * CAP_SYS_ADMIN in the user namespace that owns the pid namespace, and
 * the accepted range is bounded below by the parent's effective scope
 * (a child can tighten but never relax its parent's policy) and above
 * by the table's .extra2.
 *
 * Returns 0 on success, -EPERM for an unprivileged write, or the
 * negative errno reported by proc_dointvec_minmax().
 */
static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table,
	int write, void *buf, size_t *lenp, loff_t *ppos)
{
	struct pid_namespace *ns = task_active_pid_ns(current);
	struct ctl_table tbl;
	int floor, effective, ret;

	/* Privilege is judged in the owning user namespace, not init_user_ns. */
	if (write && !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
		return -EPERM;

	/*
	 * The lower bound is whatever the parent chain enforces; the value
	 * exposed (and the starting point for a write) is our own stored
	 * scope, never below that bound.  This matches what
	 * pidns_memfd_noexec_scope(ns) would compute for ns itself.
	 */
	floor = pidns_memfd_noexec_scope(ns->parent);
	effective = max(READ_ONCE(ns->memfd_noexec_scope), floor);

	/*
	 * Work on a private copy: the shared table must keep pointing at
	 * init_pid_ns, and .extra1 is the per-namespace floor, not the
	 * static SYSCTL_ZERO.
	 */
	tbl = *table;
	tbl.data = &effective;
	tbl.extra1 = &floor;

	ret = proc_dointvec_minmax(&tbl, write, buf, lenp, ppos);
	if (ret || !write)
		return ret;

	/* Validated write: publish the new scope for this namespace. */
	WRITE_ONCE(ns->memfd_noexec_scope, effective);
	return 0;
}

/*
 * vm.memfd_noexec.  .data and .extra1 are only defaults describing
 * init_pid_ns; the handler above substitutes the caller's namespace
 * and its inherited floor on every access.  .extra2 is the fixed
 * upper bound for every namespace.
 */
static struct ctl_table pid_ns_ctl_table_vm[] = {
	{
		.procname	= "memfd_noexec",
		.data		= &init_pid_ns.memfd_noexec_scope,
		.maxlen		= sizeof(init_pid_ns.memfd_noexec_scope),
		.mode		= 0644,
		.proc_handler	= pid_mfd_noexec_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_TWO,
	},
	{ }
};

/* Register the table under /proc/sys/vm; the return value is not checked. */
static inline void register_pid_ns_sysctl_table_vm(void)
{
	register_sysctl("vm", pid_ns_ctl_table_vm);
}
#else
/* No sysctl or no memfd_create: nothing to expose. */
static inline void register_pid_ns_sysctl_table_vm(void) {}
#endif

#endif /* LINUX_PID_SYSCTL_H */