/* SPDX-License-Identifier: GPL-2.0 */
#ifndef LINUX_PID_SYSCTL_H
#define LINUX_PID_SYSCTL_H

#include <linux/pid_namespace.h>

#if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE)
/*
 * Seed a freshly created pid namespace's memfd_noexec_scope from the pid
 * namespace the creating task is currently active in, so the new namespace
 * starts out with exactly the creator's setting rather than a default.
 */
static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns)
{
	struct pid_namespace *creator_ns = task_active_pid_ns(current);

	ns->memfd_noexec_scope = creator_ns->memfd_noexec_scope;
}

/*
 * proc handler for vm.memfd_noexec.
 *
 * Reads and writes are redirected to the memfd_noexec_scope field of the
 * caller's active pid namespace; the table's own @data already points at
 * init_pid_ns's field, so that namespace needs no redirection.  A write
 * requires CAP_SYS_ADMIN in the user namespace owning that pid namespace,
 * and the accepted range's lower bound is lifted to the current value, so
 * the setting can only be raised (tightened) from inside a namespace,
 * never lowered.  Reads skip the capability check.
 *
 * Returns -EPERM for an unprivileged write, otherwise whatever
 * proc_dointvec_minmax() returns for the adjusted table copy.
 */
static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table,
	int write, void *buf, size_t *lenp, loff_t *ppos)
{
	struct pid_namespace *ns = task_active_pid_ns(current);
	struct ctl_table tbl;
	int *cur, *floor;

	if (write && !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
		return -EPERM;

	/* Work on a private copy so the shared table is never mutated. */
	tbl = *table;
	tbl.data = (ns == &init_pid_ns) ? table->data
					: &ns->memfd_noexec_scope;

	/*
	 * Ratchet: when the live value already exceeds the table's static
	 * minimum, make the live value itself the minimum so that only a
	 * larger (or equal) value passes the range check.
	 */
	cur = tbl.data;
	floor = tbl.extra1;
	if (*cur > *floor)
		tbl.extra1 = cur;

	return proc_dointvec_minmax(&tbl, write, buf, lenp, ppos);
}

/*
 * The single vm.memfd_noexec entry (range 0..2, mode 0644: readable by
 * everyone, writes gated by the handler's capability check).  This is a
 * non-inline static definition in a header, so each translation unit that
 * includes it gets its own copy -- presumably only one does; verify.
 */
static struct ctl_table pid_ns_ctl_table_vm[] = {
	{
		.procname	= "memfd_noexec",
		.data		= &init_pid_ns.memfd_noexec_scope,
		.maxlen		= sizeof(init_pid_ns.memfd_noexec_scope),
		.mode		= 0644,
		.proc_handler	= pid_mfd_noexec_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_TWO,
	},
	{ }
};

/*
 * Publish the table above under "vm".  The header returned by
 * register_sysctl() is discarded, so the entry is never unregistered.
 */
static inline void register_pid_ns_sysctl_table_vm(void)
{
	register_sysctl("vm", pid_ns_ctl_table_vm);
}
#else
/*
 * Without CONFIG_SYSCTL and CONFIG_MEMFD_CREATE everything above collapses
 * to no-ops.
 */
static inline void initialize_memfd_noexec_scope(struct pid_namespace *ns) {}
/* NOTE(review): no counterpart is defined in the enabled branch above. */
static inline void set_memfd_noexec_scope(struct pid_namespace *ns) {}
static inline void register_pid_ns_sysctl_table_vm(void) {}
#endif

#endif /* LINUX_PID_SYSCTL_H */