xref: /linux/kernel/umh.c (revision a514e6f8f5caa24413731bed54b322bd34d918dd)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * umh - the kernel usermode helper
4  */
5 #include <linux/module.h>
6 #include <linux/sched.h>
7 #include <linux/sched/task.h>
8 #include <linux/binfmts.h>
9 #include <linux/syscalls.h>
10 #include <linux/unistd.h>
11 #include <linux/kmod.h>
12 #include <linux/slab.h>
13 #include <linux/completion.h>
14 #include <linux/cred.h>
15 #include <linux/file.h>
16 #include <linux/fs_struct.h>
17 #include <linux/workqueue.h>
18 #include <linux/security.h>
19 #include <linux/mount.h>
20 #include <linux/kernel.h>
21 #include <linux/init.h>
22 #include <linux/resource.h>
23 #include <linux/notifier.h>
24 #include <linux/suspend.h>
25 #include <linux/rwsem.h>
26 #include <linux/ptrace.h>
27 #include <linux/async.h>
28 #include <linux/uaccess.h>
29 #include <linux/initrd.h>
30 #include <linux/freezer.h>
31 
32 #include <trace/events/module.h>
33 
34 static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
35 static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
36 static DEFINE_SPINLOCK(umh_sysctl_lock);
37 static DECLARE_RWSEM(umhelper_sem);
38 
39 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
40 {
41 	if (info->cleanup)
42 		(*info->cleanup)(info);
43 	kfree(info);
44 }
45 
46 static void umh_complete(struct subprocess_info *sub_info)
47 {
48 	struct completion *comp = xchg(&sub_info->complete, NULL);
49 	/*
50 	 * See call_usermodehelper_exec(). If xchg() returns NULL
51 	 * we own sub_info, the UMH_KILLABLE caller has gone away
52 	 * or the caller used UMH_NO_WAIT.
53 	 */
54 	if (comp)
55 		complete(comp);
56 	else
57 		call_usermodehelper_freeinfo(sub_info);
58 }
59 
60 /*
61  * This is the task which runs the usermode application
62  */
63 static int call_usermodehelper_exec_async(void *data)
64 {
65 	struct subprocess_info *sub_info = data;
66 	struct cred *new;
67 	int retval;
68 
69 	spin_lock_irq(&current->sighand->siglock);
70 	flush_signal_handlers(current, 1);
71 	spin_unlock_irq(&current->sighand->siglock);
72 
73 	/*
74 	 * Initial kernel threads share ther FS with init, in order to
75 	 * get the init root directory. But we've now created a new
76 	 * thread that is going to execve a user process and has its own
77 	 * 'struct fs_struct'. Reset umask to the default.
78 	 */
79 	current->fs->umask = 0022;
80 
81 	/*
82 	 * Our parent (unbound workqueue) runs with elevated scheduling
83 	 * priority. Avoid propagating that into the userspace child.
84 	 */
85 	set_user_nice(current, 0);
86 
87 	retval = -ENOMEM;
88 	new = prepare_kernel_cred(current);
89 	if (!new)
90 		goto out;
91 
92 	spin_lock(&umh_sysctl_lock);
93 	new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset);
94 	new->cap_inheritable = cap_intersect(usermodehelper_inheritable,
95 					     new->cap_inheritable);
96 	spin_unlock(&umh_sysctl_lock);
97 
98 	if (sub_info->init) {
99 		retval = sub_info->init(sub_info, new);
100 		if (retval) {
101 			abort_creds(new);
102 			goto out;
103 		}
104 	}
105 
106 	commit_creds(new);
107 
108 	wait_for_initramfs();
109 	retval = kernel_execve(sub_info->path,
110 			       (const char *const *)sub_info->argv,
111 			       (const char *const *)sub_info->envp);
112 out:
113 	sub_info->retval = retval;
114 	/*
115 	 * call_usermodehelper_exec_sync() will call umh_complete
116 	 * if UHM_WAIT_PROC.
117 	 */
118 	if (!(sub_info->wait & UMH_WAIT_PROC))
119 		umh_complete(sub_info);
120 	if (!retval)
121 		return 0;
122 	do_exit(0);
123 }
124 
125 /* Handles UMH_WAIT_PROC.  */
126 static void call_usermodehelper_exec_sync(struct subprocess_info *sub_info)
127 {
128 	pid_t pid;
129 
130 	/* If SIGCLD is ignored do_wait won't populate the status. */
131 	kernel_sigaction(SIGCHLD, SIG_DFL);
132 	pid = user_mode_thread(call_usermodehelper_exec_async, sub_info, SIGCHLD);
133 	if (pid < 0)
134 		sub_info->retval = pid;
135 	else
136 		kernel_wait(pid, &sub_info->retval);
137 
138 	/* Restore default kernel sig handler */
139 	kernel_sigaction(SIGCHLD, SIG_IGN);
140 	umh_complete(sub_info);
141 }
142 
143 /*
144  * We need to create the usermodehelper kernel thread from a task that is affine
145  * to an optimized set of CPUs (or nohz housekeeping ones) such that they
146  * inherit a widest affinity irrespective of call_usermodehelper() callers with
147  * possibly reduced affinity (eg: per-cpu workqueues). We don't want
148  * usermodehelper targets to contend a busy CPU.
149  *
150  * Unbound workqueues provide such wide affinity and allow to block on
151  * UMH_WAIT_PROC requests without blocking pending request (up to some limit).
152  *
153  * Besides, workqueues provide the privilege level that caller might not have
154  * to perform the usermodehelper request.
155  *
156  */
157 static void call_usermodehelper_exec_work(struct work_struct *work)
158 {
159 	struct subprocess_info *sub_info =
160 		container_of(work, struct subprocess_info, work);
161 
162 	if (sub_info->wait & UMH_WAIT_PROC) {
163 		call_usermodehelper_exec_sync(sub_info);
164 	} else {
165 		pid_t pid;
166 		/*
167 		 * Use CLONE_PARENT to reparent it to kthreadd; we do not
168 		 * want to pollute current->children, and we need a parent
169 		 * that always ignores SIGCHLD to ensure auto-reaping.
170 		 */
171 		pid = user_mode_thread(call_usermodehelper_exec_async, sub_info,
172 				       CLONE_PARENT | SIGCHLD);
173 		if (pid < 0) {
174 			sub_info->retval = pid;
175 			umh_complete(sub_info);
176 		}
177 	}
178 }
179 
180 /*
181  * If set, call_usermodehelper_exec() will exit immediately returning -EBUSY
182  * (used for preventing user land processes from being created after the user
183  * land has been frozen during a system-wide hibernation or suspend operation).
184  * Should always be manipulated under umhelper_sem acquired for write.
185  */
186 static enum umh_disable_depth usermodehelper_disabled = UMH_DISABLED;
187 
188 /* Number of helpers running */
189 static atomic_t running_helpers = ATOMIC_INIT(0);
190 
191 /*
192  * Wait queue head used by usermodehelper_disable() to wait for all running
193  * helpers to finish.
194  */
195 static DECLARE_WAIT_QUEUE_HEAD(running_helpers_waitq);
196 
197 /*
198  * Used by usermodehelper_read_lock_wait() to wait for usermodehelper_disabled
199  * to become 'false'.
200  */
201 static DECLARE_WAIT_QUEUE_HEAD(usermodehelper_disabled_waitq);
202 
203 /*
204  * Time to wait for running_helpers to become zero before the setting of
205  * usermodehelper_disabled in usermodehelper_disable() fails
206  */
207 #define RUNNING_HELPERS_TIMEOUT	(5 * HZ)
208 
209 int usermodehelper_read_trylock(void)
210 {
211 	DEFINE_WAIT(wait);
212 	int ret = 0;
213 
214 	down_read(&umhelper_sem);
215 	for (;;) {
216 		prepare_to_wait(&usermodehelper_disabled_waitq, &wait,
217 				TASK_INTERRUPTIBLE);
218 		if (!usermodehelper_disabled)
219 			break;
220 
221 		if (usermodehelper_disabled == UMH_DISABLED)
222 			ret = -EAGAIN;
223 
224 		up_read(&umhelper_sem);
225 
226 		if (ret)
227 			break;
228 
229 		schedule();
230 		try_to_freeze();
231 
232 		down_read(&umhelper_sem);
233 	}
234 	finish_wait(&usermodehelper_disabled_waitq, &wait);
235 	return ret;
236 }
237 EXPORT_SYMBOL_GPL(usermodehelper_read_trylock);
238 
239 long usermodehelper_read_lock_wait(long timeout)
240 {
241 	DEFINE_WAIT(wait);
242 
243 	if (timeout < 0)
244 		return -EINVAL;
245 
246 	down_read(&umhelper_sem);
247 	for (;;) {
248 		prepare_to_wait(&usermodehelper_disabled_waitq, &wait,
249 				TASK_UNINTERRUPTIBLE);
250 		if (!usermodehelper_disabled)
251 			break;
252 
253 		up_read(&umhelper_sem);
254 
255 		timeout = schedule_timeout(timeout);
256 		if (!timeout)
257 			break;
258 
259 		down_read(&umhelper_sem);
260 	}
261 	finish_wait(&usermodehelper_disabled_waitq, &wait);
262 	return timeout;
263 }
264 EXPORT_SYMBOL_GPL(usermodehelper_read_lock_wait);
265 
266 void usermodehelper_read_unlock(void)
267 {
268 	up_read(&umhelper_sem);
269 }
270 EXPORT_SYMBOL_GPL(usermodehelper_read_unlock);
271 
272 /**
273  * __usermodehelper_set_disable_depth - Modify usermodehelper_disabled.
274  * @depth: New value to assign to usermodehelper_disabled.
275  *
276  * Change the value of usermodehelper_disabled (under umhelper_sem locked for
277  * writing) and wakeup tasks waiting for it to change.
278  */
279 void __usermodehelper_set_disable_depth(enum umh_disable_depth depth)
280 {
281 	down_write(&umhelper_sem);
282 	usermodehelper_disabled = depth;
283 	wake_up(&usermodehelper_disabled_waitq);
284 	up_write(&umhelper_sem);
285 }
286 
287 /**
288  * __usermodehelper_disable - Prevent new helpers from being started.
289  * @depth: New value to assign to usermodehelper_disabled.
290  *
291  * Set usermodehelper_disabled to @depth and wait for running helpers to exit.
292  */
293 int __usermodehelper_disable(enum umh_disable_depth depth)
294 {
295 	long retval;
296 
297 	if (!depth)
298 		return -EINVAL;
299 
300 	down_write(&umhelper_sem);
301 	usermodehelper_disabled = depth;
302 	up_write(&umhelper_sem);
303 
304 	/*
305 	 * From now on call_usermodehelper_exec() won't start any new
306 	 * helpers, so it is sufficient if running_helpers turns out to
307 	 * be zero at one point (it may be increased later, but that
308 	 * doesn't matter).
309 	 */
310 	retval = wait_event_timeout(running_helpers_waitq,
311 					atomic_read(&running_helpers) == 0,
312 					RUNNING_HELPERS_TIMEOUT);
313 	if (retval)
314 		return 0;
315 
316 	__usermodehelper_set_disable_depth(UMH_ENABLED);
317 	return -EAGAIN;
318 }
319 
320 static void helper_lock(void)
321 {
322 	atomic_inc(&running_helpers);
323 	smp_mb__after_atomic();
324 }
325 
326 static void helper_unlock(void)
327 {
328 	if (atomic_dec_and_test(&running_helpers))
329 		wake_up(&running_helpers_waitq);
330 }
331 
332 /**
333  * call_usermodehelper_setup - prepare to call a usermode helper
334  * @path: path to usermode executable
335  * @argv: arg vector for process
336  * @envp: environment for process
337  * @gfp_mask: gfp mask for memory allocation
338  * @init: an init function
339  * @cleanup: a cleanup function
340  * @data: arbitrary context sensitive data
341  *
342  * Returns either %NULL on allocation failure, or a subprocess_info
343  * structure.  This should be passed to call_usermodehelper_exec to
344  * exec the process and free the structure.
345  *
346  * The init function is used to customize the helper process prior to
347  * exec.  A non-zero return code causes the process to error out, exit,
348  * and return the failure to the calling process
349  *
350  * The cleanup function is just before the subprocess_info is about to
351  * be freed.  This can be used for freeing the argv and envp.  The
352  * Function must be runnable in either a process context or the
353  * context in which call_usermodehelper_exec is called.
354  */
355 struct subprocess_info *call_usermodehelper_setup(const char *path, char **argv,
356 		char **envp, gfp_t gfp_mask,
357 		int (*init)(struct subprocess_info *info, struct cred *new),
358 		void (*cleanup)(struct subprocess_info *info),
359 		void *data)
360 {
361 	struct subprocess_info *sub_info;
362 	sub_info = kzalloc(sizeof(struct subprocess_info), gfp_mask);
363 	if (!sub_info)
364 		goto out;
365 
366 	INIT_WORK(&sub_info->work, call_usermodehelper_exec_work);
367 
368 #ifdef CONFIG_STATIC_USERMODEHELPER
369 	sub_info->path = CONFIG_STATIC_USERMODEHELPER_PATH;
370 #else
371 	sub_info->path = path;
372 #endif
373 	sub_info->argv = argv;
374 	sub_info->envp = envp;
375 
376 	sub_info->cleanup = cleanup;
377 	sub_info->init = init;
378 	sub_info->data = data;
379   out:
380 	return sub_info;
381 }
382 EXPORT_SYMBOL(call_usermodehelper_setup);
383 
384 /**
385  * call_usermodehelper_exec - start a usermode application
386  * @sub_info: information about the subprocess
387  * @wait: wait for the application to finish and return status.
388  *        when UMH_NO_WAIT don't wait at all, but you get no useful error back
389  *        when the program couldn't be exec'ed. This makes it safe to call
390  *        from interrupt context.
391  *
392  * Runs a user-space application.  The application is started
393  * asynchronously if wait is not set, and runs as a child of system workqueues.
394  * (ie. it runs with full root capabilities and optimized affinity).
395  *
396  * Note: successful return value does not guarantee the helper was called at
397  * all. You can't rely on sub_info->{init,cleanup} being called even for
398  * UMH_WAIT_* wait modes as STATIC_USERMODEHELPER_PATH="" turns all helpers
399  * into a successful no-op.
400  */
401 int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait)
402 {
403 	unsigned int state = TASK_UNINTERRUPTIBLE;
404 	DECLARE_COMPLETION_ONSTACK(done);
405 	int retval = 0;
406 
407 	if (!sub_info->path) {
408 		call_usermodehelper_freeinfo(sub_info);
409 		return -EINVAL;
410 	}
411 	helper_lock();
412 	if (usermodehelper_disabled) {
413 		retval = -EBUSY;
414 		goto out;
415 	}
416 
417 	/*
418 	 * If there is no binary for us to call, then just return and get out of
419 	 * here.  This allows us to set STATIC_USERMODEHELPER_PATH to "" and
420 	 * disable all call_usermodehelper() calls.
421 	 */
422 	if (strlen(sub_info->path) == 0)
423 		goto out;
424 
425 	/*
426 	 * Set the completion pointer only if there is a waiter.
427 	 * This makes it possible to use umh_complete to free
428 	 * the data structure in case of UMH_NO_WAIT.
429 	 */
430 	sub_info->complete = (wait == UMH_NO_WAIT) ? NULL : &done;
431 	sub_info->wait = wait;
432 
433 	queue_work(system_unbound_wq, &sub_info->work);
434 	if (wait == UMH_NO_WAIT)	/* task has freed sub_info */
435 		goto unlock;
436 
437 	if (wait & UMH_FREEZABLE)
438 		state |= TASK_FREEZABLE;
439 
440 	if (wait & UMH_KILLABLE) {
441 		retval = wait_for_completion_state(&done, state | TASK_KILLABLE);
442 		if (!retval)
443 			goto wait_done;
444 
445 		/* umh_complete() will see NULL and free sub_info */
446 		if (xchg(&sub_info->complete, NULL))
447 			goto unlock;
448 
449 		/*
450 		 * fallthrough; in case of -ERESTARTSYS now do uninterruptible
451 		 * wait_for_completion_state(). Since umh_complete() shall call
452 		 * complete() in a moment if xchg() above returned NULL, this
453 		 * uninterruptible wait_for_completion_state() will not block
454 		 * SIGKILL'ed processes for long.
455 		 */
456 	}
457 	wait_for_completion_state(&done, state);
458 
459 wait_done:
460 	retval = sub_info->retval;
461 out:
462 	call_usermodehelper_freeinfo(sub_info);
463 unlock:
464 	helper_unlock();
465 	return retval;
466 }
467 EXPORT_SYMBOL(call_usermodehelper_exec);
468 
469 /**
470  * call_usermodehelper() - prepare and start a usermode application
471  * @path: path to usermode executable
472  * @argv: arg vector for process
473  * @envp: environment for process
474  * @wait: wait for the application to finish and return status.
475  *        when UMH_NO_WAIT don't wait at all, but you get no useful error back
476  *        when the program couldn't be exec'ed. This makes it safe to call
477  *        from interrupt context.
478  *
479  * This function is the equivalent to use call_usermodehelper_setup() and
480  * call_usermodehelper_exec().
481  */
482 int call_usermodehelper(const char *path, char **argv, char **envp, int wait)
483 {
484 	struct subprocess_info *info;
485 	gfp_t gfp_mask = (wait == UMH_NO_WAIT) ? GFP_ATOMIC : GFP_KERNEL;
486 
487 	info = call_usermodehelper_setup(path, argv, envp, gfp_mask,
488 					 NULL, NULL, NULL);
489 	if (info == NULL)
490 		return -ENOMEM;
491 
492 	return call_usermodehelper_exec(info, wait);
493 }
494 EXPORT_SYMBOL(call_usermodehelper);
495 
496 #if defined(CONFIG_SYSCTL)
497 static int proc_cap_handler(const struct ctl_table *table, int write,
498 			 void *buffer, size_t *lenp, loff_t *ppos)
499 {
500 	struct ctl_table t;
501 	unsigned long cap_array[2];
502 	kernel_cap_t new_cap, *cap;
503 	int err;
504 
505 	if (write && (!capable(CAP_SETPCAP) ||
506 		      !capable(CAP_SYS_MODULE)))
507 		return -EPERM;
508 
509 	/*
510 	 * convert from the global kernel_cap_t to the ulong array to print to
511 	 * userspace if this is a read.
512 	 *
513 	 * Legacy format: capabilities are exposed as two 32-bit values
514 	 */
515 	cap = table->data;
516 	spin_lock(&umh_sysctl_lock);
517 	cap_array[0] = (u32) cap->val;
518 	cap_array[1] = cap->val >> 32;
519 	spin_unlock(&umh_sysctl_lock);
520 
521 	t = *table;
522 	t.data = &cap_array;
523 
524 	/*
525 	 * actually read or write and array of ulongs from userspace.  Remember
526 	 * these are least significant 32 bits first
527 	 */
528 	err = proc_doulongvec_minmax(&t, write, buffer, lenp, ppos);
529 	if (err < 0)
530 		return err;
531 
532 	new_cap.val = (u32)cap_array[0];
533 	new_cap.val += (u64)cap_array[1] << 32;
534 
535 	/*
536 	 * Drop everything not in the new_cap (but don't add things)
537 	 */
538 	if (write) {
539 		spin_lock(&umh_sysctl_lock);
540 		*cap = cap_intersect(*cap, new_cap);
541 		spin_unlock(&umh_sysctl_lock);
542 	}
543 
544 	return 0;
545 }
546 
547 static struct ctl_table usermodehelper_table[] = {
548 	{
549 		.procname	= "bset",
550 		.data		= &usermodehelper_bset,
551 		.maxlen		= 2 * sizeof(unsigned long),
552 		.mode		= 0600,
553 		.proc_handler	= proc_cap_handler,
554 	},
555 	{
556 		.procname	= "inheritable",
557 		.data		= &usermodehelper_inheritable,
558 		.maxlen		= 2 * sizeof(unsigned long),
559 		.mode		= 0600,
560 		.proc_handler	= proc_cap_handler,
561 	},
562 };
563 
564 static int __init init_umh_sysctls(void)
565 {
566 	register_sysctl_init("kernel/usermodehelper", usermodehelper_table);
567 	return 0;
568 }
569 early_initcall(init_umh_sysctls);
570 #endif /* CONFIG_SYSCTL */
571