1 /* SPDX-License-Identifier: GPL-2.0 */ 2 3 #include <linux/compiler_types.h> 4 #include <linux/errno.h> 5 #include <linux/fs.h> 6 #include <linux/fsnotify.h> 7 #include <linux/gfp.h> 8 #include <linux/idr.h> 9 #include <linux/init.h> 10 #include <linux/ipc_namespace.h> 11 #include <linux/kdev_t.h> 12 #include <linux/kernel.h> 13 #include <linux/list.h> 14 #include <linux/magic.h> 15 #include <linux/major.h> 16 #include <linux/miscdevice.h> 17 #include <linux/module.h> 18 #include <linux/mutex.h> 19 #include <linux/mount.h> 20 #include <linux/parser.h> 21 #include <linux/radix-tree.h> 22 #include <linux/sched.h> 23 #include <linux/slab.h> 24 #include <linux/spinlock_types.h> 25 #include <linux/stddef.h> 26 #include <linux/string.h> 27 #include <linux/types.h> 28 #include <linux/uaccess.h> 29 #include <linux/user_namespace.h> 30 #include <linux/xarray.h> 31 #include <uapi/asm-generic/errno-base.h> 32 #include <uapi/linux/android/binder.h> 33 #include <uapi/linux/android/binder_ctl.h> 34 35 #include "binder_internal.h" 36 37 #define FIRST_INODE 1 38 #define SECOND_INODE 2 39 #define INODE_OFFSET 3 40 #define INTSTRLEN 21 41 #define BINDERFS_MAX_MINOR (1U << MINORBITS) 42 43 static struct vfsmount *binderfs_mnt; 44 45 static dev_t binderfs_dev; 46 static DEFINE_MUTEX(binderfs_minors_mutex); 47 static DEFINE_IDA(binderfs_minors); 48 49 /** 50 * binderfs_info - information about a binderfs mount 51 * @ipc_ns: The ipc namespace the binderfs mount belongs to. 52 * @control_dentry: This records the dentry of this binderfs mount 53 * binder-control device. 54 * @root_uid: uid that needs to be used when a new binder device is 55 * created. 56 * @root_gid: gid that needs to be used when a new binder device is 57 * created. 58 */ 59 struct binderfs_info { 60 struct ipc_namespace *ipc_ns; 61 struct dentry *control_dentry; 62 kuid_t root_uid; 63 kgid_t root_gid; 64 65 }; 66 67 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode) 68 { 69 return inode->i_sb->s_fs_info; 70 } 71 72 bool is_binderfs_device(const struct inode *inode) 73 { 74 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) 75 return true; 76 77 return false; 78 } 79 80 /** 81 * binderfs_binder_device_create - allocate inode from super block of a 82 * binderfs mount 83 * @ref_inode: inode from wich the super block will be taken 84 * @userp: buffer to copy information about new device for userspace to 85 * @req: struct binderfs_device as copied from userspace 86 * 87 * This function allocated a new binder_device and reserves a new minor 88 * number for it. 89 * Minor numbers are limited and tracked globally in binderfs_minors. The 90 * function will stash a struct binder_device for the specific binder 91 * device in i_private of the inode. 92 * It will go on to allocate a new inode from the super block of the 93 * filesystem mount, stash a struct binder_device in its i_private field 94 * and attach a dentry to that inode. 95 * 96 * Return: 0 on success, negative errno on failure 97 */ 98 static int binderfs_binder_device_create(struct inode *ref_inode, 99 struct binderfs_device __user *userp, 100 struct binderfs_device *req) 101 { 102 int minor, ret; 103 struct dentry *dentry, *dup, *root; 104 struct binder_device *device; 105 size_t name_len = BINDERFS_MAX_NAME + 1; 106 char *name = NULL; 107 struct inode *inode = NULL; 108 struct super_block *sb = ref_inode->i_sb; 109 struct binderfs_info *info = sb->s_fs_info; 110 111 /* Reserve new minor number for the new device. */ 112 mutex_lock(&binderfs_minors_mutex); 113 minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL); 114 mutex_unlock(&binderfs_minors_mutex); 115 if (minor < 0) 116 return minor; 117 118 ret = -ENOMEM; 119 device = kzalloc(sizeof(*device), GFP_KERNEL); 120 if (!device) 121 goto err; 122 123 inode = new_inode(sb); 124 if (!inode) 125 goto err; 126 127 inode->i_ino = minor + INODE_OFFSET; 128 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 129 init_special_inode(inode, S_IFCHR | 0600, 130 MKDEV(MAJOR(binderfs_dev), minor)); 131 inode->i_fop = &binder_fops; 132 inode->i_uid = info->root_uid; 133 inode->i_gid = info->root_gid; 134 135 name = kmalloc(name_len, GFP_KERNEL); 136 if (!name) 137 goto err; 138 139 strscpy(name, req->name, name_len); 140 141 device->binderfs_inode = inode; 142 device->context.binder_context_mgr_uid = INVALID_UID; 143 device->context.name = name; 144 device->miscdev.name = name; 145 device->miscdev.minor = minor; 146 mutex_init(&device->context.context_mgr_node_lock); 147 148 req->major = MAJOR(binderfs_dev); 149 req->minor = minor; 150 151 ret = copy_to_user(userp, req, sizeof(*req)); 152 if (ret) { 153 ret = -EFAULT; 154 goto err; 155 } 156 157 root = sb->s_root; 158 inode_lock(d_inode(root)); 159 dentry = d_alloc_name(root, name); 160 if (!dentry) { 161 inode_unlock(d_inode(root)); 162 ret = -ENOMEM; 163 goto err; 164 } 165 166 /* Verify that the name userspace gave us is not already in use. */ 167 dup = d_lookup(root, &dentry->d_name); 168 if (dup) { 169 if (d_really_is_positive(dup)) { 170 dput(dup); 171 dput(dentry); 172 inode_unlock(d_inode(root)); 173 ret = -EEXIST; 174 goto err; 175 } 176 dput(dup); 177 } 178 179 inode->i_private = device; 180 d_add(dentry, inode); 181 fsnotify_create(root->d_inode, dentry); 182 inode_unlock(d_inode(root)); 183 184 return 0; 185 186 err: 187 kfree(name); 188 kfree(device); 189 mutex_lock(&binderfs_minors_mutex); 190 ida_free(&binderfs_minors, minor); 191 mutex_unlock(&binderfs_minors_mutex); 192 iput(inode); 193 194 return ret; 195 } 196 197 /** 198 * binderfs_ctl_ioctl - handle binder device node allocation requests 199 * 200 * The request handler for the binder-control device. All requests operate on 201 * the binderfs mount the binder-control device resides in: 202 * - BINDER_CTL_ADD 203 * Allocate a new binder device. 204 * 205 * Return: 0 on success, negative errno on failure 206 */ 207 static long binder_ctl_ioctl(struct file *file, unsigned int cmd, 208 unsigned long arg) 209 { 210 int ret = -EINVAL; 211 struct inode *inode = file_inode(file); 212 struct binderfs_device __user *device = (struct binderfs_device __user *)arg; 213 struct binderfs_device device_req; 214 215 switch (cmd) { 216 case BINDER_CTL_ADD: 217 ret = copy_from_user(&device_req, device, sizeof(device_req)); 218 if (ret) { 219 ret = -EFAULT; 220 break; 221 } 222 223 ret = binderfs_binder_device_create(inode, device, &device_req); 224 break; 225 default: 226 break; 227 } 228 229 return ret; 230 } 231 232 static void binderfs_evict_inode(struct inode *inode) 233 { 234 struct binder_device *device = inode->i_private; 235 236 clear_inode(inode); 237 238 if (!device) 239 return; 240 241 mutex_lock(&binderfs_minors_mutex); 242 ida_free(&binderfs_minors, device->miscdev.minor); 243 mutex_unlock(&binderfs_minors_mutex); 244 245 kfree(device->context.name); 246 kfree(device); 247 } 248 249 static const struct super_operations binderfs_super_ops = { 250 .statfs = simple_statfs, 251 .evict_inode = binderfs_evict_inode, 252 }; 253 254 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry, 255 struct inode *new_dir, struct dentry *new_dentry, 256 unsigned int flags) 257 { 258 struct inode *inode = d_inode(old_dentry); 259 260 /* binderfs doesn't support directories. */ 261 if (d_is_dir(old_dentry)) 262 return -EPERM; 263 264 if (flags & ~RENAME_NOREPLACE) 265 return -EINVAL; 266 267 if (!simple_empty(new_dentry)) 268 return -ENOTEMPTY; 269 270 if (d_really_is_positive(new_dentry)) 271 simple_unlink(new_dir, new_dentry); 272 273 old_dir->i_ctime = old_dir->i_mtime = new_dir->i_ctime = 274 new_dir->i_mtime = inode->i_ctime = current_time(old_dir); 275 276 return 0; 277 } 278 279 static int binderfs_unlink(struct inode *dir, struct dentry *dentry) 280 { 281 /* 282 * The control dentry is only ever touched during mount so checking it 283 * here should not require us to take lock. 284 */ 285 if (BINDERFS_I(dir)->control_dentry == dentry) 286 return -EPERM; 287 288 return simple_unlink(dir, dentry); 289 } 290 291 static const struct file_operations binder_ctl_fops = { 292 .owner = THIS_MODULE, 293 .open = nonseekable_open, 294 .unlocked_ioctl = binder_ctl_ioctl, 295 .compat_ioctl = binder_ctl_ioctl, 296 .llseek = noop_llseek, 297 }; 298 299 /** 300 * binderfs_binder_ctl_create - create a new binder-control device 301 * @sb: super block of the binderfs mount 302 * 303 * This function creates a new binder-control device node in the binderfs mount 304 * referred to by @sb. 305 * 306 * Return: 0 on success, negative errno on failure 307 */ 308 static int binderfs_binder_ctl_create(struct super_block *sb) 309 { 310 int minor, ret; 311 struct dentry *dentry; 312 struct binder_device *device; 313 struct inode *inode = NULL; 314 struct dentry *root = sb->s_root; 315 struct binderfs_info *info = sb->s_fs_info; 316 317 device = kzalloc(sizeof(*device), GFP_KERNEL); 318 if (!device) 319 return -ENOMEM; 320 321 inode_lock(d_inode(root)); 322 323 /* If we have already created a binder-control node, return. */ 324 if (info->control_dentry) { 325 ret = 0; 326 goto out; 327 } 328 329 ret = -ENOMEM; 330 inode = new_inode(sb); 331 if (!inode) 332 goto out; 333 334 /* Reserve a new minor number for the new device. */ 335 mutex_lock(&binderfs_minors_mutex); 336 minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL); 337 mutex_unlock(&binderfs_minors_mutex); 338 if (minor < 0) { 339 ret = minor; 340 goto out; 341 } 342 343 inode->i_ino = SECOND_INODE; 344 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 345 init_special_inode(inode, S_IFCHR | 0600, 346 MKDEV(MAJOR(binderfs_dev), minor)); 347 inode->i_fop = &binder_ctl_fops; 348 inode->i_uid = info->root_uid; 349 inode->i_gid = info->root_gid; 350 351 device->binderfs_inode = inode; 352 device->miscdev.minor = minor; 353 354 dentry = d_alloc_name(root, "binder-control"); 355 if (!dentry) 356 goto out; 357 358 inode->i_private = device; 359 info->control_dentry = dentry; 360 d_add(dentry, inode); 361 inode_unlock(d_inode(root)); 362 363 return 0; 364 365 out: 366 inode_unlock(d_inode(root)); 367 kfree(device); 368 iput(inode); 369 370 return ret; 371 } 372 373 static const struct inode_operations binderfs_dir_inode_operations = { 374 .lookup = simple_lookup, 375 .rename = binderfs_rename, 376 .unlink = binderfs_unlink, 377 }; 378 379 static int binderfs_fill_super(struct super_block *sb, void *data, int silent) 380 { 381 struct binderfs_info *info; 382 int ret = -ENOMEM; 383 struct inode *inode = NULL; 384 struct ipc_namespace *ipc_ns = sb->s_fs_info; 385 386 get_ipc_ns(ipc_ns); 387 388 sb->s_blocksize = PAGE_SIZE; 389 sb->s_blocksize_bits = PAGE_SHIFT; 390 391 /* 392 * The binderfs filesystem can be mounted by userns root in a 393 * non-initial userns. By default such mounts have the SB_I_NODEV flag 394 * set in s_iflags to prevent security issues where userns root can 395 * just create random device nodes via mknod() since it owns the 396 * filesystem mount. But binderfs does not allow to create any files 397 * including devices nodes. The only way to create binder devices nodes 398 * is through the binder-control device which userns root is explicitly 399 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both 400 * necessary and safe. 401 */ 402 sb->s_iflags &= ~SB_I_NODEV; 403 sb->s_iflags |= SB_I_NOEXEC; 404 sb->s_magic = BINDERFS_SUPER_MAGIC; 405 sb->s_op = &binderfs_super_ops; 406 sb->s_time_gran = 1; 407 408 info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL); 409 if (!info) 410 goto err_without_dentry; 411 412 info->ipc_ns = ipc_ns; 413 info->root_gid = make_kgid(sb->s_user_ns, 0); 414 if (!gid_valid(info->root_gid)) 415 info->root_gid = GLOBAL_ROOT_GID; 416 info->root_uid = make_kuid(sb->s_user_ns, 0); 417 if (!uid_valid(info->root_uid)) 418 info->root_uid = GLOBAL_ROOT_UID; 419 420 sb->s_fs_info = info; 421 422 inode = new_inode(sb); 423 if (!inode) 424 goto err_without_dentry; 425 426 inode->i_ino = FIRST_INODE; 427 inode->i_fop = &simple_dir_operations; 428 inode->i_mode = S_IFDIR | 0755; 429 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 430 inode->i_op = &binderfs_dir_inode_operations; 431 set_nlink(inode, 2); 432 433 sb->s_root = d_make_root(inode); 434 if (!sb->s_root) 435 goto err_without_dentry; 436 437 ret = binderfs_binder_ctl_create(sb); 438 if (ret) 439 goto err_with_dentry; 440 441 return 0; 442 443 err_with_dentry: 444 dput(sb->s_root); 445 sb->s_root = NULL; 446 447 err_without_dentry: 448 put_ipc_ns(ipc_ns); 449 iput(inode); 450 kfree(info); 451 452 return ret; 453 } 454 455 static int binderfs_test_super(struct super_block *sb, void *data) 456 { 457 struct binderfs_info *info = sb->s_fs_info; 458 459 if (info) 460 return info->ipc_ns == data; 461 462 return 0; 463 } 464 465 static int binderfs_set_super(struct super_block *sb, void *data) 466 { 467 sb->s_fs_info = data; 468 return set_anon_super(sb, NULL); 469 } 470 471 static struct dentry *binderfs_mount(struct file_system_type *fs_type, 472 int flags, const char *dev_name, 473 void *data) 474 { 475 struct super_block *sb; 476 struct ipc_namespace *ipc_ns = current->nsproxy->ipc_ns; 477 478 if (!ns_capable(ipc_ns->user_ns, CAP_SYS_ADMIN)) 479 return ERR_PTR(-EPERM); 480 481 sb = sget_userns(fs_type, binderfs_test_super, binderfs_set_super, 482 flags, ipc_ns->user_ns, ipc_ns); 483 if (IS_ERR(sb)) 484 return ERR_CAST(sb); 485 486 if (!sb->s_root) { 487 int ret = binderfs_fill_super(sb, data, flags & SB_SILENT ? 1 : 0); 488 if (ret) { 489 deactivate_locked_super(sb); 490 return ERR_PTR(ret); 491 } 492 493 sb->s_flags |= SB_ACTIVE; 494 } 495 496 return dget(sb->s_root); 497 } 498 499 static void binderfs_kill_super(struct super_block *sb) 500 { 501 struct binderfs_info *info = sb->s_fs_info; 502 503 if (info && info->ipc_ns) 504 put_ipc_ns(info->ipc_ns); 505 506 kfree(info); 507 kill_litter_super(sb); 508 } 509 510 static struct file_system_type binder_fs_type = { 511 .name = "binder", 512 .mount = binderfs_mount, 513 .kill_sb = binderfs_kill_super, 514 .fs_flags = FS_USERNS_MOUNT, 515 }; 516 517 static int __init init_binderfs(void) 518 { 519 int ret; 520 521 /* Allocate new major number for binderfs. */ 522 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, 523 "binder"); 524 if (ret) 525 return ret; 526 527 ret = register_filesystem(&binder_fs_type); 528 if (ret) { 529 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); 530 return ret; 531 } 532 533 binderfs_mnt = kern_mount(&binder_fs_type); 534 if (IS_ERR(binderfs_mnt)) { 535 ret = PTR_ERR(binderfs_mnt); 536 binderfs_mnt = NULL; 537 unregister_filesystem(&binder_fs_type); 538 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); 539 } 540 541 return ret; 542 } 543 544 device_initcall(init_binderfs); 545