xref: /linux/mm/memfd.c (revision 56ce7b791b787e0aee19601e422f13a18d4eafe7) 
1  /*
2   * memfd_create system call and file sealing support
3   *
4   * Code was originally included in shmem.c, and broken out to facilitate
5   * use by hugetlbfs as well as tmpfs.
6   *
7   * This file is released under the GPL.
8   */
9  
10  #include <linux/fs.h>
11  #include <linux/vfs.h>
12  #include <linux/pagemap.h>
13  #include <linux/file.h>
14  #include <linux/mm.h>
15  #include <linux/sched/signal.h>
16  #include <linux/khugepaged.h>
17  #include <linux/syscalls.h>
18  #include <linux/hugetlb.h>
19  #include <linux/shmem_fs.h>
20  #include <linux/memfd.h>
21  #include <linux/pid_namespace.h>
22  #include <uapi/linux/memfd.h>
23  
24  /*
25   * We need a tag: a new tag would expand every xa_node by 8 bytes,
26   * so reuse a tag which we firmly believe is never set or cleared on tmpfs
27   * or hugetlbfs because they are memory only filesystems.
28   */
29  #define MEMFD_TAG_PINNED        PAGECACHE_TAG_TOWRITE
30  #define LAST_SCAN               4       /* about 150ms max */
31  
32  static void memfd_tag_pins(struct xa_state *xas)
33  {
34  	struct page *page;
35  	int latency = 0;
36  	int cache_count;
37  
38  	lru_add_drain();
39  
40  	xas_lock_irq(xas);
41  	xas_for_each(xas, page, ULONG_MAX) {
42  		cache_count = 1;
43  		if (!xa_is_value(page) &&
44  		    PageTransHuge(page) && !PageHuge(page))
45  			cache_count = HPAGE_PMD_NR;
46  
47  		if (!xa_is_value(page) &&
48  		    page_count(page) - total_mapcount(page) != cache_count)
49  			xas_set_mark(xas, MEMFD_TAG_PINNED);
50  		if (cache_count != 1)
51  			xas_set(xas, page->index + cache_count);
52  
53  		latency += cache_count;
54  		if (latency < XA_CHECK_SCHED)
55  			continue;
56  		latency = 0;
57  
58  		xas_pause(xas);
59  		xas_unlock_irq(xas);
60  		cond_resched();
61  		xas_lock_irq(xas);
62  	}
63  	xas_unlock_irq(xas);
64  }
65  
66  /*
67   * Setting SEAL_WRITE requires us to verify there's no pending writer. However,
68   * via get_user_pages(), drivers might have some pending I/O without any active
69   * user-space mappings (eg., direct-IO, AIO). Therefore, we look at all pages
70   * and see whether it has an elevated ref-count. If so, we tag them and wait for
71   * them to be dropped.
72   * The caller must guarantee that no new user will acquire writable references
73   * to those pages to avoid races.
74   */
75  static int memfd_wait_for_pins(struct address_space *mapping)
76  {
77  	XA_STATE(xas, &mapping->i_pages, 0);
78  	struct page *page;
79  	int error, scan;
80  
81  	memfd_tag_pins(&xas);
82  
83  	error = 0;
84  	for (scan = 0; scan <= LAST_SCAN; scan++) {
85  		int latency = 0;
86  		int cache_count;
87  
88  		if (!xas_marked(&xas, MEMFD_TAG_PINNED))
89  			break;
90  
91  		if (!scan)
92  			lru_add_drain_all();
93  		else if (schedule_timeout_killable((HZ << scan) / 200))
94  			scan = LAST_SCAN;
95  
96  		xas_set(&xas, 0);
97  		xas_lock_irq(&xas);
98  		xas_for_each_marked(&xas, page, ULONG_MAX, MEMFD_TAG_PINNED) {
99  			bool clear = true;
100  
101  			cache_count = 1;
102  			if (!xa_is_value(page) &&
103  			    PageTransHuge(page) && !PageHuge(page))
104  				cache_count = HPAGE_PMD_NR;
105  
106  			if (!xa_is_value(page) && cache_count !=
107  			    page_count(page) - total_mapcount(page)) {
108  				/*
109  				 * On the last scan, we clean up all those tags
110  				 * we inserted; but make a note that we still
111  				 * found pages pinned.
112  				 */
113  				if (scan == LAST_SCAN)
114  					error = -EBUSY;
115  				else
116  					clear = false;
117  			}
118  			if (clear)
119  				xas_clear_mark(&xas, MEMFD_TAG_PINNED);
120  
121  			latency += cache_count;
122  			if (latency < XA_CHECK_SCHED)
123  				continue;
124  			latency = 0;
125  
126  			xas_pause(&xas);
127  			xas_unlock_irq(&xas);
128  			cond_resched();
129  			xas_lock_irq(&xas);
130  		}
131  		xas_unlock_irq(&xas);
132  	}
133  
134  	return error;
135  }
136  
137  static unsigned int *memfd_file_seals_ptr(struct file *file)
138  {
139  	if (shmem_file(file))
140  		return &SHMEM_I(file_inode(file))->seals;
141  
142  #ifdef CONFIG_HUGETLBFS
143  	if (is_file_hugepages(file))
144  		return &HUGETLBFS_I(file_inode(file))->seals;
145  #endif
146  
147  	return NULL;
148  }
149  
150  #define F_ALL_SEALS (F_SEAL_SEAL | \
151  		     F_SEAL_EXEC | \
152  		     F_SEAL_SHRINK | \
153  		     F_SEAL_GROW | \
154  		     F_SEAL_WRITE | \
155  		     F_SEAL_FUTURE_WRITE)
156  
157  static int memfd_add_seals(struct file *file, unsigned int seals)
158  {
159  	struct inode *inode = file_inode(file);
160  	unsigned int *file_seals;
161  	int error;
162  
163  	/*
164  	 * SEALING
165  	 * Sealing allows multiple parties to share a tmpfs or hugetlbfs file
166  	 * but restrict access to a specific subset of file operations. Seals
167  	 * can only be added, but never removed. This way, mutually untrusted
168  	 * parties can share common memory regions with a well-defined policy.
169  	 * A malicious peer can thus never perform unwanted operations on a
170  	 * shared object.
171  	 *
172  	 * Seals are only supported on special tmpfs or hugetlbfs files and
173  	 * always affect the whole underlying inode. Once a seal is set, it
174  	 * may prevent some kinds of access to the file. Currently, the
175  	 * following seals are defined:
176  	 *   SEAL_SEAL: Prevent further seals from being set on this file
177  	 *   SEAL_SHRINK: Prevent the file from shrinking
178  	 *   SEAL_GROW: Prevent the file from growing
179  	 *   SEAL_WRITE: Prevent write access to the file
180  	 *   SEAL_EXEC: Prevent modification of the exec bits in the file mode
181  	 *
182  	 * As we don't require any trust relationship between two parties, we
183  	 * must prevent seals from being removed. Therefore, sealing a file
184  	 * only adds a given set of seals to the file, it never touches
185  	 * existing seals. Furthermore, the "setting seals"-operation can be
186  	 * sealed itself, which basically prevents any further seal from being
187  	 * added.
188  	 *
189  	 * Semantics of sealing are only defined on volatile files. Only
190  	 * anonymous tmpfs and hugetlbfs files support sealing. More
191  	 * importantly, seals are never written to disk. Therefore, there's
192  	 * no plan to support it on other file types.
193  	 */
194  
195  	if (!(file->f_mode & FMODE_WRITE))
196  		return -EPERM;
197  	if (seals & ~(unsigned int)F_ALL_SEALS)
198  		return -EINVAL;
199  
200  	inode_lock(inode);
201  
202  	file_seals = memfd_file_seals_ptr(file);
203  	if (!file_seals) {
204  		error = -EINVAL;
205  		goto unlock;
206  	}
207  
208  	if (*file_seals & F_SEAL_SEAL) {
209  		error = -EPERM;
210  		goto unlock;
211  	}
212  
213  	if ((seals & F_SEAL_WRITE) && !(*file_seals & F_SEAL_WRITE)) {
214  		error = mapping_deny_writable(file->f_mapping);
215  		if (error)
216  			goto unlock;
217  
218  		error = memfd_wait_for_pins(file->f_mapping);
219  		if (error) {
220  			mapping_allow_writable(file->f_mapping);
221  			goto unlock;
222  		}
223  	}
224  
225  	/*
226  	 * SEAL_EXEC implys SEAL_WRITE, making W^X from the start.
227  	 */
228  	if (seals & F_SEAL_EXEC && inode->i_mode & 0111)
229  		seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE;
230  
231  	*file_seals |= seals;
232  	error = 0;
233  
234  unlock:
235  	inode_unlock(inode);
236  	return error;
237  }
238  
239  static int memfd_get_seals(struct file *file)
240  {
241  	unsigned int *seals = memfd_file_seals_ptr(file);
242  
243  	return seals ? *seals : -EINVAL;
244  }
245  
246  long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg)
247  {
248  	long error;
249  
250  	switch (cmd) {
251  	case F_ADD_SEALS:
252  		error = memfd_add_seals(file, arg);
253  		break;
254  	case F_GET_SEALS:
255  		error = memfd_get_seals(file);
256  		break;
257  	default:
258  		error = -EINVAL;
259  		break;
260  	}
261  
262  	return error;
263  }
264  
265  #define MFD_NAME_PREFIX "memfd:"
266  #define MFD_NAME_PREFIX_LEN (sizeof(MFD_NAME_PREFIX) - 1)
267  #define MFD_NAME_MAX_LEN (NAME_MAX - MFD_NAME_PREFIX_LEN)
268  
269  #define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC_SEAL | MFD_EXEC)
270  
271  SYSCALL_DEFINE2(memfd_create,
272  		const char __user *, uname,
273  		unsigned int, flags)
274  {
275  	char comm[TASK_COMM_LEN];
276  	unsigned int *file_seals;
277  	struct file *file;
278  	int fd, error;
279  	char *name;
280  	long len;
281  
282  	if (!(flags & MFD_HUGETLB)) {
283  		if (flags & ~(unsigned int)MFD_ALL_FLAGS)
284  			return -EINVAL;
285  	} else {
286  		/* Allow huge page size encoding in flags. */
287  		if (flags & ~(unsigned int)(MFD_ALL_FLAGS |
288  				(MFD_HUGE_MASK << MFD_HUGE_SHIFT)))
289  			return -EINVAL;
290  	}
291  
292  	/* Invalid if both EXEC and NOEXEC_SEAL are set.*/
293  	if ((flags & MFD_EXEC) && (flags & MFD_NOEXEC_SEAL))
294  		return -EINVAL;
295  
296  	if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) {
297  #ifdef CONFIG_SYSCTL
298  		int sysctl = MEMFD_NOEXEC_SCOPE_EXEC;
299  		struct pid_namespace *ns;
300  
301  		ns = task_active_pid_ns(current);
302  		if (ns)
303  			sysctl = ns->memfd_noexec_scope;
304  
305  		switch (sysctl) {
306  		case MEMFD_NOEXEC_SCOPE_EXEC:
307  			flags |= MFD_EXEC;
308  			break;
309  		case MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL:
310  			flags |= MFD_NOEXEC_SEAL;
311  			break;
312  		default:
313  			pr_warn_once(
314  				"memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n",
315  				task_pid_nr(current), get_task_comm(comm, current));
316  			return -EINVAL;
317  		}
318  #else
319  		flags |= MFD_EXEC;
320  #endif
321  		pr_warn_once(
322  			"memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d '%s'\n",
323  			task_pid_nr(current), get_task_comm(comm, current));
324  	}
325  
326  	/* length includes terminating zero */
327  	len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1);
328  	if (len <= 0)
329  		return -EFAULT;
330  	if (len > MFD_NAME_MAX_LEN + 1)
331  		return -EINVAL;
332  
333  	name = kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL);
334  	if (!name)
335  		return -ENOMEM;
336  
337  	strcpy(name, MFD_NAME_PREFIX);
338  	if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) {
339  		error = -EFAULT;
340  		goto err_name;
341  	}
342  
343  	/* terminating-zero may have changed after strnlen_user() returned */
344  	if (name[len + MFD_NAME_PREFIX_LEN - 1]) {
345  		error = -EFAULT;
346  		goto err_name;
347  	}
348  
349  	fd = get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0);
350  	if (fd < 0) {
351  		error = fd;
352  		goto err_name;
353  	}
354  
355  	if (flags & MFD_HUGETLB) {
356  		file = hugetlb_file_setup(name, 0, VM_NORESERVE,
357  					HUGETLB_ANONHUGE_INODE,
358  					(flags >> MFD_HUGE_SHIFT) &
359  					MFD_HUGE_MASK);
360  	} else
361  		file = shmem_file_setup(name, 0, VM_NORESERVE);
362  	if (IS_ERR(file)) {
363  		error = PTR_ERR(file);
364  		goto err_fd;
365  	}
366  	file->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE;
367  	file->f_flags |= O_LARGEFILE;
368  
369  	if (flags & MFD_NOEXEC_SEAL) {
370  		struct inode *inode = file_inode(file);
371  
372  		inode->i_mode &= ~0111;
373  		file_seals = memfd_file_seals_ptr(file);
374  		if (file_seals) {
375  			*file_seals &= ~F_SEAL_SEAL;
376  			*file_seals |= F_SEAL_EXEC;
377  		}
378  	} else if (flags & MFD_ALLOW_SEALING) {
379  		/* MFD_EXEC and MFD_ALLOW_SEALING are set */
380  		file_seals = memfd_file_seals_ptr(file);
381  		if (file_seals)
382  			*file_seals &= ~F_SEAL_SEAL;
383  	}
384  
385  	fd_install(fd, file);
386  	kfree(name);
387  	return fd;
388  
389  err_fd:
390  	put_unused_fd(fd);
391  err_name:
392  	kfree(name);
393  	return error;
394  }
395