xref: /openbmc/linux/drivers/android/binderfs.c (revision 176f011b)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 
3 #include <linux/compiler_types.h>
4 #include <linux/errno.h>
5 #include <linux/fs.h>
6 #include <linux/fsnotify.h>
7 #include <linux/gfp.h>
8 #include <linux/idr.h>
9 #include <linux/init.h>
10 #include <linux/ipc_namespace.h>
11 #include <linux/kdev_t.h>
12 #include <linux/kernel.h>
13 #include <linux/list.h>
14 #include <linux/magic.h>
15 #include <linux/major.h>
16 #include <linux/miscdevice.h>
17 #include <linux/module.h>
18 #include <linux/mutex.h>
19 #include <linux/mount.h>
20 #include <linux/parser.h>
21 #include <linux/radix-tree.h>
22 #include <linux/sched.h>
23 #include <linux/slab.h>
24 #include <linux/spinlock_types.h>
25 #include <linux/stddef.h>
26 #include <linux/string.h>
27 #include <linux/types.h>
28 #include <linux/uaccess.h>
29 #include <linux/user_namespace.h>
30 #include <linux/xarray.h>
31 #include <uapi/asm-generic/errno-base.h>
32 #include <uapi/linux/android/binder.h>
33 #include <uapi/linux/android/binder_ctl.h>
34 
35 #include "binder_internal.h"
36 
37 #define FIRST_INODE 1
38 #define SECOND_INODE 2
39 #define INODE_OFFSET 3
40 #define INTSTRLEN 21
41 #define BINDERFS_MAX_MINOR (1U << MINORBITS)
42 
43 static struct vfsmount *binderfs_mnt;
44 
45 static dev_t binderfs_dev;
46 static DEFINE_MUTEX(binderfs_minors_mutex);
47 static DEFINE_IDA(binderfs_minors);
48 
49 /**
50  * binderfs_info - information about a binderfs mount
51  * @ipc_ns:         The ipc namespace the binderfs mount belongs to.
52  * @control_dentry: This records the dentry of this binderfs mount
53  *                  binder-control device.
54  * @root_uid:       uid that needs to be used when a new binder device is
55  *                  created.
56  * @root_gid:       gid that needs to be used when a new binder device is
57  *                  created.
58  */
59 struct binderfs_info {
60 	struct ipc_namespace *ipc_ns;
61 	struct dentry *control_dentry;
62 	kuid_t root_uid;
63 	kgid_t root_gid;
64 
65 };
66 
67 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
68 {
69 	return inode->i_sb->s_fs_info;
70 }
71 
72 bool is_binderfs_device(const struct inode *inode)
73 {
74 	if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
75 		return true;
76 
77 	return false;
78 }
79 
80 /**
81  * binderfs_binder_device_create - allocate inode from super block of a
82  *                                 binderfs mount
83  * @ref_inode: inode from wich the super block will be taken
84  * @userp:     buffer to copy information about new device for userspace to
85  * @req:       struct binderfs_device as copied from userspace
86  *
87  * This function allocated a new binder_device and reserves a new minor
88  * number for it.
89  * Minor numbers are limited and tracked globally in binderfs_minors. The
90  * function will stash a struct binder_device for the specific binder
91  * device in i_private of the inode.
92  * It will go on to allocate a new inode from the super block of the
93  * filesystem mount, stash a struct binder_device in its i_private field
94  * and attach a dentry to that inode.
95  *
96  * Return: 0 on success, negative errno on failure
97  */
98 static int binderfs_binder_device_create(struct inode *ref_inode,
99 					 struct binderfs_device __user *userp,
100 					 struct binderfs_device *req)
101 {
102 	int minor, ret;
103 	struct dentry *dentry, *dup, *root;
104 	struct binder_device *device;
105 	size_t name_len = BINDERFS_MAX_NAME + 1;
106 	char *name = NULL;
107 	struct inode *inode = NULL;
108 	struct super_block *sb = ref_inode->i_sb;
109 	struct binderfs_info *info = sb->s_fs_info;
110 
111 	/* Reserve new minor number for the new device. */
112 	mutex_lock(&binderfs_minors_mutex);
113 	minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL);
114 	mutex_unlock(&binderfs_minors_mutex);
115 	if (minor < 0)
116 		return minor;
117 
118 	ret = -ENOMEM;
119 	device = kzalloc(sizeof(*device), GFP_KERNEL);
120 	if (!device)
121 		goto err;
122 
123 	inode = new_inode(sb);
124 	if (!inode)
125 		goto err;
126 
127 	inode->i_ino = minor + INODE_OFFSET;
128 	inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
129 	init_special_inode(inode, S_IFCHR | 0600,
130 			   MKDEV(MAJOR(binderfs_dev), minor));
131 	inode->i_fop = &binder_fops;
132 	inode->i_uid = info->root_uid;
133 	inode->i_gid = info->root_gid;
134 
135 	name = kmalloc(name_len, GFP_KERNEL);
136 	if (!name)
137 		goto err;
138 
139 	strscpy(name, req->name, name_len);
140 
141 	device->binderfs_inode = inode;
142 	device->context.binder_context_mgr_uid = INVALID_UID;
143 	device->context.name = name;
144 	device->miscdev.name = name;
145 	device->miscdev.minor = minor;
146 	mutex_init(&device->context.context_mgr_node_lock);
147 
148 	req->major = MAJOR(binderfs_dev);
149 	req->minor = minor;
150 
151 	ret = copy_to_user(userp, req, sizeof(*req));
152 	if (ret) {
153 		ret = -EFAULT;
154 		goto err;
155 	}
156 
157 	root = sb->s_root;
158 	inode_lock(d_inode(root));
159 	dentry = d_alloc_name(root, name);
160 	if (!dentry) {
161 		inode_unlock(d_inode(root));
162 		ret = -ENOMEM;
163 		goto err;
164 	}
165 
166 	/* Verify that the name userspace gave us is not already in use. */
167 	dup = d_lookup(root, &dentry->d_name);
168 	if (dup) {
169 		if (d_really_is_positive(dup)) {
170 			dput(dup);
171 			dput(dentry);
172 			inode_unlock(d_inode(root));
173 			ret = -EEXIST;
174 			goto err;
175 		}
176 		dput(dup);
177 	}
178 
179 	inode->i_private = device;
180 	d_add(dentry, inode);
181 	fsnotify_create(root->d_inode, dentry);
182 	inode_unlock(d_inode(root));
183 
184 	return 0;
185 
186 err:
187 	kfree(name);
188 	kfree(device);
189 	mutex_lock(&binderfs_minors_mutex);
190 	ida_free(&binderfs_minors, minor);
191 	mutex_unlock(&binderfs_minors_mutex);
192 	iput(inode);
193 
194 	return ret;
195 }
196 
197 /**
198  * binderfs_ctl_ioctl - handle binder device node allocation requests
199  *
200  * The request handler for the binder-control device. All requests operate on
201  * the binderfs mount the binder-control device resides in:
202  * - BINDER_CTL_ADD
203  *   Allocate a new binder device.
204  *
205  * Return: 0 on success, negative errno on failure
206  */
207 static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
208 			     unsigned long arg)
209 {
210 	int ret = -EINVAL;
211 	struct inode *inode = file_inode(file);
212 	struct binderfs_device __user *device = (struct binderfs_device __user *)arg;
213 	struct binderfs_device device_req;
214 
215 	switch (cmd) {
216 	case BINDER_CTL_ADD:
217 		ret = copy_from_user(&device_req, device, sizeof(device_req));
218 		if (ret) {
219 			ret = -EFAULT;
220 			break;
221 		}
222 
223 		ret = binderfs_binder_device_create(inode, device, &device_req);
224 		break;
225 	default:
226 		break;
227 	}
228 
229 	return ret;
230 }
231 
232 static void binderfs_evict_inode(struct inode *inode)
233 {
234 	struct binder_device *device = inode->i_private;
235 
236 	clear_inode(inode);
237 
238 	if (!device)
239 		return;
240 
241 	mutex_lock(&binderfs_minors_mutex);
242 	ida_free(&binderfs_minors, device->miscdev.minor);
243 	mutex_unlock(&binderfs_minors_mutex);
244 
245 	kfree(device->context.name);
246 	kfree(device);
247 }
248 
249 static const struct super_operations binderfs_super_ops = {
250 	.statfs = simple_statfs,
251 	.evict_inode = binderfs_evict_inode,
252 };
253 
254 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry,
255 			   struct inode *new_dir, struct dentry *new_dentry,
256 			   unsigned int flags)
257 {
258 	struct inode *inode = d_inode(old_dentry);
259 
260 	/* binderfs doesn't support directories. */
261 	if (d_is_dir(old_dentry))
262 		return -EPERM;
263 
264 	if (flags & ~RENAME_NOREPLACE)
265 		return -EINVAL;
266 
267 	if (!simple_empty(new_dentry))
268 		return -ENOTEMPTY;
269 
270 	if (d_really_is_positive(new_dentry))
271 		simple_unlink(new_dir, new_dentry);
272 
273 	old_dir->i_ctime = old_dir->i_mtime = new_dir->i_ctime =
274 		new_dir->i_mtime = inode->i_ctime = current_time(old_dir);
275 
276 	return 0;
277 }
278 
279 static int binderfs_unlink(struct inode *dir, struct dentry *dentry)
280 {
281 	/*
282 	 * The control dentry is only ever touched during mount so checking it
283 	 * here should not require us to take lock.
284 	 */
285 	if (BINDERFS_I(dir)->control_dentry == dentry)
286 		return -EPERM;
287 
288 	return simple_unlink(dir, dentry);
289 }
290 
291 static const struct file_operations binder_ctl_fops = {
292 	.owner		= THIS_MODULE,
293 	.open		= nonseekable_open,
294 	.unlocked_ioctl	= binder_ctl_ioctl,
295 	.compat_ioctl	= binder_ctl_ioctl,
296 	.llseek		= noop_llseek,
297 };
298 
299 /**
300  * binderfs_binder_ctl_create - create a new binder-control device
301  * @sb: super block of the binderfs mount
302  *
303  * This function creates a new binder-control device node in the binderfs mount
304  * referred to by @sb.
305  *
306  * Return: 0 on success, negative errno on failure
307  */
308 static int binderfs_binder_ctl_create(struct super_block *sb)
309 {
310 	int minor, ret;
311 	struct dentry *dentry;
312 	struct binder_device *device;
313 	struct inode *inode = NULL;
314 	struct dentry *root = sb->s_root;
315 	struct binderfs_info *info = sb->s_fs_info;
316 
317 	device = kzalloc(sizeof(*device), GFP_KERNEL);
318 	if (!device)
319 		return -ENOMEM;
320 
321 	inode_lock(d_inode(root));
322 
323 	/* If we have already created a binder-control node, return. */
324 	if (info->control_dentry) {
325 		ret = 0;
326 		goto out;
327 	}
328 
329 	ret = -ENOMEM;
330 	inode = new_inode(sb);
331 	if (!inode)
332 		goto out;
333 
334 	/* Reserve a new minor number for the new device. */
335 	mutex_lock(&binderfs_minors_mutex);
336 	minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL);
337 	mutex_unlock(&binderfs_minors_mutex);
338 	if (minor < 0) {
339 		ret = minor;
340 		goto out;
341 	}
342 
343 	inode->i_ino = SECOND_INODE;
344 	inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
345 	init_special_inode(inode, S_IFCHR | 0600,
346 			   MKDEV(MAJOR(binderfs_dev), minor));
347 	inode->i_fop = &binder_ctl_fops;
348 	inode->i_uid = info->root_uid;
349 	inode->i_gid = info->root_gid;
350 
351 	device->binderfs_inode = inode;
352 	device->miscdev.minor = minor;
353 
354 	dentry = d_alloc_name(root, "binder-control");
355 	if (!dentry)
356 		goto out;
357 
358 	inode->i_private = device;
359 	info->control_dentry = dentry;
360 	d_add(dentry, inode);
361 	inode_unlock(d_inode(root));
362 
363 	return 0;
364 
365 out:
366 	inode_unlock(d_inode(root));
367 	kfree(device);
368 	iput(inode);
369 
370 	return ret;
371 }
372 
373 static const struct inode_operations binderfs_dir_inode_operations = {
374 	.lookup = simple_lookup,
375 	.rename = binderfs_rename,
376 	.unlink = binderfs_unlink,
377 };
378 
379 static int binderfs_fill_super(struct super_block *sb, void *data, int silent)
380 {
381 	struct binderfs_info *info;
382 	int ret = -ENOMEM;
383 	struct inode *inode = NULL;
384 	struct ipc_namespace *ipc_ns = sb->s_fs_info;
385 
386 	get_ipc_ns(ipc_ns);
387 
388 	sb->s_blocksize = PAGE_SIZE;
389 	sb->s_blocksize_bits = PAGE_SHIFT;
390 
391 	/*
392 	 * The binderfs filesystem can be mounted by userns root in a
393 	 * non-initial userns. By default such mounts have the SB_I_NODEV flag
394 	 * set in s_iflags to prevent security issues where userns root can
395 	 * just create random device nodes via mknod() since it owns the
396 	 * filesystem mount. But binderfs does not allow to create any files
397 	 * including devices nodes. The only way to create binder devices nodes
398 	 * is through the binder-control device which userns root is explicitly
399 	 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both
400 	 * necessary and safe.
401 	 */
402 	sb->s_iflags &= ~SB_I_NODEV;
403 	sb->s_iflags |= SB_I_NOEXEC;
404 	sb->s_magic = BINDERFS_SUPER_MAGIC;
405 	sb->s_op = &binderfs_super_ops;
406 	sb->s_time_gran = 1;
407 
408 	info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL);
409 	if (!info)
410 		goto err_without_dentry;
411 
412 	info->ipc_ns = ipc_ns;
413 	info->root_gid = make_kgid(sb->s_user_ns, 0);
414 	if (!gid_valid(info->root_gid))
415 		info->root_gid = GLOBAL_ROOT_GID;
416 	info->root_uid = make_kuid(sb->s_user_ns, 0);
417 	if (!uid_valid(info->root_uid))
418 		info->root_uid = GLOBAL_ROOT_UID;
419 
420 	sb->s_fs_info = info;
421 
422 	inode = new_inode(sb);
423 	if (!inode)
424 		goto err_without_dentry;
425 
426 	inode->i_ino = FIRST_INODE;
427 	inode->i_fop = &simple_dir_operations;
428 	inode->i_mode = S_IFDIR | 0755;
429 	inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
430 	inode->i_op = &binderfs_dir_inode_operations;
431 	set_nlink(inode, 2);
432 
433 	sb->s_root = d_make_root(inode);
434 	if (!sb->s_root)
435 		goto err_without_dentry;
436 
437 	ret = binderfs_binder_ctl_create(sb);
438 	if (ret)
439 		goto err_with_dentry;
440 
441 	return 0;
442 
443 err_with_dentry:
444 	dput(sb->s_root);
445 	sb->s_root = NULL;
446 
447 err_without_dentry:
448 	put_ipc_ns(ipc_ns);
449 	iput(inode);
450 	kfree(info);
451 
452 	return ret;
453 }
454 
455 static int binderfs_test_super(struct super_block *sb, void *data)
456 {
457 	struct binderfs_info *info = sb->s_fs_info;
458 
459 	if (info)
460 		return info->ipc_ns == data;
461 
462 	return 0;
463 }
464 
465 static int binderfs_set_super(struct super_block *sb, void *data)
466 {
467 	sb->s_fs_info = data;
468 	return set_anon_super(sb, NULL);
469 }
470 
471 static struct dentry *binderfs_mount(struct file_system_type *fs_type,
472 				     int flags, const char *dev_name,
473 				     void *data)
474 {
475 	struct super_block *sb;
476 	struct ipc_namespace *ipc_ns = current->nsproxy->ipc_ns;
477 
478 	if (!ns_capable(ipc_ns->user_ns, CAP_SYS_ADMIN))
479 		return ERR_PTR(-EPERM);
480 
481 	sb = sget_userns(fs_type, binderfs_test_super, binderfs_set_super,
482 			 flags, ipc_ns->user_ns, ipc_ns);
483 	if (IS_ERR(sb))
484 		return ERR_CAST(sb);
485 
486 	if (!sb->s_root) {
487 		int ret = binderfs_fill_super(sb, data, flags & SB_SILENT ? 1 : 0);
488 		if (ret) {
489 			deactivate_locked_super(sb);
490 			return ERR_PTR(ret);
491 		}
492 
493 		sb->s_flags |= SB_ACTIVE;
494 	}
495 
496 	return dget(sb->s_root);
497 }
498 
499 static void binderfs_kill_super(struct super_block *sb)
500 {
501 	struct binderfs_info *info = sb->s_fs_info;
502 
503 	if (info && info->ipc_ns)
504 		put_ipc_ns(info->ipc_ns);
505 
506 	kfree(info);
507 	kill_litter_super(sb);
508 }
509 
510 static struct file_system_type binder_fs_type = {
511 	.name		= "binder",
512 	.mount		= binderfs_mount,
513 	.kill_sb	= binderfs_kill_super,
514 	.fs_flags	= FS_USERNS_MOUNT,
515 };
516 
517 static int __init init_binderfs(void)
518 {
519 	int ret;
520 
521 	/* Allocate new major number for binderfs. */
522 	ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR,
523 				  "binder");
524 	if (ret)
525 		return ret;
526 
527 	ret = register_filesystem(&binder_fs_type);
528 	if (ret) {
529 		unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
530 		return ret;
531 	}
532 
533 	binderfs_mnt = kern_mount(&binder_fs_type);
534 	if (IS_ERR(binderfs_mnt)) {
535 		ret = PTR_ERR(binderfs_mnt);
536 		binderfs_mnt = NULL;
537 		unregister_filesystem(&binder_fs_type);
538 		unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
539 	}
540 
541 	return ret;
542 }
543 
544 device_initcall(init_binderfs);
545