1 /* SPDX-License-Identifier: GPL-2.0 */ 2 3 #include <linux/compiler_types.h> 4 #include <linux/errno.h> 5 #include <linux/fs.h> 6 #include <linux/fsnotify.h> 7 #include <linux/gfp.h> 8 #include <linux/idr.h> 9 #include <linux/init.h> 10 #include <linux/ipc_namespace.h> 11 #include <linux/kdev_t.h> 12 #include <linux/kernel.h> 13 #include <linux/list.h> 14 #include <linux/namei.h> 15 #include <linux/magic.h> 16 #include <linux/major.h> 17 #include <linux/miscdevice.h> 18 #include <linux/module.h> 19 #include <linux/mutex.h> 20 #include <linux/mount.h> 21 #include <linux/parser.h> 22 #include <linux/radix-tree.h> 23 #include <linux/sched.h> 24 #include <linux/seq_file.h> 25 #include <linux/slab.h> 26 #include <linux/spinlock_types.h> 27 #include <linux/stddef.h> 28 #include <linux/string.h> 29 #include <linux/types.h> 30 #include <linux/uaccess.h> 31 #include <linux/user_namespace.h> 32 #include <linux/xarray.h> 33 #include <uapi/asm-generic/errno-base.h> 34 #include <uapi/linux/android/binder.h> 35 #include <uapi/linux/android/binderfs.h> 36 37 #include "binder_internal.h" 38 39 #define FIRST_INODE 1 40 #define SECOND_INODE 2 41 #define INODE_OFFSET 3 42 #define INTSTRLEN 21 43 #define BINDERFS_MAX_MINOR (1U << MINORBITS) 44 /* Ensure that the initial ipc namespace always has devices available. */ 45 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4) 46 47 static dev_t binderfs_dev; 48 static DEFINE_MUTEX(binderfs_minors_mutex); 49 static DEFINE_IDA(binderfs_minors); 50 51 /** 52 * binderfs_mount_opts - mount options for binderfs 53 * @max: maximum number of allocatable binderfs binder devices 54 */ 55 struct binderfs_mount_opts { 56 int max; 57 }; 58 59 enum { 60 Opt_max, 61 Opt_err 62 }; 63 64 static const match_table_t tokens = { 65 { Opt_max, "max=%d" }, 66 { Opt_err, NULL } 67 }; 68 69 /** 70 * binderfs_info - information about a binderfs mount 71 * @ipc_ns: The ipc namespace the binderfs mount belongs to. 72 * @control_dentry: This records the dentry of this binderfs mount 73 * binder-control device. 74 * @root_uid: uid that needs to be used when a new binder device is 75 * created. 76 * @root_gid: gid that needs to be used when a new binder device is 77 * created. 78 * @mount_opts: The mount options in use. 79 * @device_count: The current number of allocated binder devices. 80 */ 81 struct binderfs_info { 82 struct ipc_namespace *ipc_ns; 83 struct dentry *control_dentry; 84 kuid_t root_uid; 85 kgid_t root_gid; 86 struct binderfs_mount_opts mount_opts; 87 int device_count; 88 }; 89 90 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode) 91 { 92 return inode->i_sb->s_fs_info; 93 } 94 95 bool is_binderfs_device(const struct inode *inode) 96 { 97 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) 98 return true; 99 100 return false; 101 } 102 103 /** 104 * binderfs_binder_device_create - allocate inode from super block of a 105 * binderfs mount 106 * @ref_inode: inode from wich the super block will be taken 107 * @userp: buffer to copy information about new device for userspace to 108 * @req: struct binderfs_device as copied from userspace 109 * 110 * This function allocates a new binder_device and reserves a new minor 111 * number for it. 112 * Minor numbers are limited and tracked globally in binderfs_minors. The 113 * function will stash a struct binder_device for the specific binder 114 * device in i_private of the inode. 115 * It will go on to allocate a new inode from the super block of the 116 * filesystem mount, stash a struct binder_device in its i_private field 117 * and attach a dentry to that inode. 118 * 119 * Return: 0 on success, negative errno on failure 120 */ 121 static int binderfs_binder_device_create(struct inode *ref_inode, 122 struct binderfs_device __user *userp, 123 struct binderfs_device *req) 124 { 125 int minor, ret; 126 struct dentry *dentry, *root; 127 struct binder_device *device; 128 char *name = NULL; 129 size_t name_len; 130 struct inode *inode = NULL; 131 struct super_block *sb = ref_inode->i_sb; 132 struct binderfs_info *info = sb->s_fs_info; 133 #if defined(CONFIG_IPC_NS) 134 bool use_reserve = (info->ipc_ns == &init_ipc_ns); 135 #else 136 bool use_reserve = true; 137 #endif 138 139 /* Reserve new minor number for the new device. */ 140 mutex_lock(&binderfs_minors_mutex); 141 if (++info->device_count <= info->mount_opts.max) 142 minor = ida_alloc_max(&binderfs_minors, 143 use_reserve ? BINDERFS_MAX_MINOR : 144 BINDERFS_MAX_MINOR_CAPPED, 145 GFP_KERNEL); 146 else 147 minor = -ENOSPC; 148 if (minor < 0) { 149 --info->device_count; 150 mutex_unlock(&binderfs_minors_mutex); 151 return minor; 152 } 153 mutex_unlock(&binderfs_minors_mutex); 154 155 ret = -ENOMEM; 156 device = kzalloc(sizeof(*device), GFP_KERNEL); 157 if (!device) 158 goto err; 159 160 inode = new_inode(sb); 161 if (!inode) 162 goto err; 163 164 inode->i_ino = minor + INODE_OFFSET; 165 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 166 init_special_inode(inode, S_IFCHR | 0600, 167 MKDEV(MAJOR(binderfs_dev), minor)); 168 inode->i_fop = &binder_fops; 169 inode->i_uid = info->root_uid; 170 inode->i_gid = info->root_gid; 171 172 req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */ 173 name_len = strlen(req->name); 174 /* Make sure to include terminating NUL byte */ 175 name = kmemdup(req->name, name_len + 1, GFP_KERNEL); 176 if (!name) 177 goto err; 178 179 device->binderfs_inode = inode; 180 device->context.binder_context_mgr_uid = INVALID_UID; 181 device->context.name = name; 182 device->miscdev.name = name; 183 device->miscdev.minor = minor; 184 mutex_init(&device->context.context_mgr_node_lock); 185 186 req->major = MAJOR(binderfs_dev); 187 req->minor = minor; 188 189 ret = copy_to_user(userp, req, sizeof(*req)); 190 if (ret) { 191 ret = -EFAULT; 192 goto err; 193 } 194 195 root = sb->s_root; 196 inode_lock(d_inode(root)); 197 198 /* look it up */ 199 dentry = lookup_one_len(name, root, name_len); 200 if (IS_ERR(dentry)) { 201 inode_unlock(d_inode(root)); 202 ret = PTR_ERR(dentry); 203 goto err; 204 } 205 206 if (d_really_is_positive(dentry)) { 207 /* already exists */ 208 dput(dentry); 209 inode_unlock(d_inode(root)); 210 ret = -EEXIST; 211 goto err; 212 } 213 214 inode->i_private = device; 215 d_instantiate(dentry, inode); 216 fsnotify_create(root->d_inode, dentry); 217 inode_unlock(d_inode(root)); 218 219 return 0; 220 221 err: 222 kfree(name); 223 kfree(device); 224 mutex_lock(&binderfs_minors_mutex); 225 --info->device_count; 226 ida_free(&binderfs_minors, minor); 227 mutex_unlock(&binderfs_minors_mutex); 228 iput(inode); 229 230 return ret; 231 } 232 233 /** 234 * binderfs_ctl_ioctl - handle binder device node allocation requests 235 * 236 * The request handler for the binder-control device. All requests operate on 237 * the binderfs mount the binder-control device resides in: 238 * - BINDER_CTL_ADD 239 * Allocate a new binder device. 240 * 241 * Return: 0 on success, negative errno on failure 242 */ 243 static long binder_ctl_ioctl(struct file *file, unsigned int cmd, 244 unsigned long arg) 245 { 246 int ret = -EINVAL; 247 struct inode *inode = file_inode(file); 248 struct binderfs_device __user *device = (struct binderfs_device __user *)arg; 249 struct binderfs_device device_req; 250 251 switch (cmd) { 252 case BINDER_CTL_ADD: 253 ret = copy_from_user(&device_req, device, sizeof(device_req)); 254 if (ret) { 255 ret = -EFAULT; 256 break; 257 } 258 259 ret = binderfs_binder_device_create(inode, device, &device_req); 260 break; 261 default: 262 break; 263 } 264 265 return ret; 266 } 267 268 static void binderfs_evict_inode(struct inode *inode) 269 { 270 struct binder_device *device = inode->i_private; 271 struct binderfs_info *info = BINDERFS_I(inode); 272 273 clear_inode(inode); 274 275 if (!device) 276 return; 277 278 mutex_lock(&binderfs_minors_mutex); 279 --info->device_count; 280 ida_free(&binderfs_minors, device->miscdev.minor); 281 mutex_unlock(&binderfs_minors_mutex); 282 283 kfree(device->context.name); 284 kfree(device); 285 } 286 287 /** 288 * binderfs_parse_mount_opts - parse binderfs mount options 289 * @data: options to set (can be NULL in which case defaults are used) 290 */ 291 static int binderfs_parse_mount_opts(char *data, 292 struct binderfs_mount_opts *opts) 293 { 294 char *p; 295 opts->max = BINDERFS_MAX_MINOR; 296 297 while ((p = strsep(&data, ",")) != NULL) { 298 substring_t args[MAX_OPT_ARGS]; 299 int token; 300 int max_devices; 301 302 if (!*p) 303 continue; 304 305 token = match_token(p, tokens, args); 306 switch (token) { 307 case Opt_max: 308 if (match_int(&args[0], &max_devices) || 309 (max_devices < 0 || 310 (max_devices > BINDERFS_MAX_MINOR))) 311 return -EINVAL; 312 313 opts->max = max_devices; 314 break; 315 default: 316 pr_err("Invalid mount options\n"); 317 return -EINVAL; 318 } 319 } 320 321 return 0; 322 } 323 324 static int binderfs_remount(struct super_block *sb, int *flags, char *data) 325 { 326 struct binderfs_info *info = sb->s_fs_info; 327 return binderfs_parse_mount_opts(data, &info->mount_opts); 328 } 329 330 static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root) 331 { 332 struct binderfs_info *info; 333 334 info = root->d_sb->s_fs_info; 335 if (info->mount_opts.max <= BINDERFS_MAX_MINOR) 336 seq_printf(seq, ",max=%d", info->mount_opts.max); 337 338 return 0; 339 } 340 341 static const struct super_operations binderfs_super_ops = { 342 .evict_inode = binderfs_evict_inode, 343 .remount_fs = binderfs_remount, 344 .show_options = binderfs_show_mount_opts, 345 .statfs = simple_statfs, 346 }; 347 348 static inline bool is_binderfs_control_device(const struct dentry *dentry) 349 { 350 struct binderfs_info *info = dentry->d_sb->s_fs_info; 351 return info->control_dentry == dentry; 352 } 353 354 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry, 355 struct inode *new_dir, struct dentry *new_dentry, 356 unsigned int flags) 357 { 358 if (is_binderfs_control_device(old_dentry) || 359 is_binderfs_control_device(new_dentry)) 360 return -EPERM; 361 362 return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags); 363 } 364 365 static int binderfs_unlink(struct inode *dir, struct dentry *dentry) 366 { 367 if (is_binderfs_control_device(dentry)) 368 return -EPERM; 369 370 return simple_unlink(dir, dentry); 371 } 372 373 static const struct file_operations binder_ctl_fops = { 374 .owner = THIS_MODULE, 375 .open = nonseekable_open, 376 .unlocked_ioctl = binder_ctl_ioctl, 377 .compat_ioctl = binder_ctl_ioctl, 378 .llseek = noop_llseek, 379 }; 380 381 /** 382 * binderfs_binder_ctl_create - create a new binder-control device 383 * @sb: super block of the binderfs mount 384 * 385 * This function creates a new binder-control device node in the binderfs mount 386 * referred to by @sb. 387 * 388 * Return: 0 on success, negative errno on failure 389 */ 390 static int binderfs_binder_ctl_create(struct super_block *sb) 391 { 392 int minor, ret; 393 struct dentry *dentry; 394 struct binder_device *device; 395 struct inode *inode = NULL; 396 struct dentry *root = sb->s_root; 397 struct binderfs_info *info = sb->s_fs_info; 398 399 device = kzalloc(sizeof(*device), GFP_KERNEL); 400 if (!device) 401 return -ENOMEM; 402 403 /* If we have already created a binder-control node, return. */ 404 if (info->control_dentry) { 405 ret = 0; 406 goto out; 407 } 408 409 ret = -ENOMEM; 410 inode = new_inode(sb); 411 if (!inode) 412 goto out; 413 414 /* Reserve a new minor number for the new device. */ 415 mutex_lock(&binderfs_minors_mutex); 416 minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL); 417 mutex_unlock(&binderfs_minors_mutex); 418 if (minor < 0) { 419 ret = minor; 420 goto out; 421 } 422 423 inode->i_ino = SECOND_INODE; 424 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 425 init_special_inode(inode, S_IFCHR | 0600, 426 MKDEV(MAJOR(binderfs_dev), minor)); 427 inode->i_fop = &binder_ctl_fops; 428 inode->i_uid = info->root_uid; 429 inode->i_gid = info->root_gid; 430 431 device->binderfs_inode = inode; 432 device->miscdev.minor = minor; 433 434 dentry = d_alloc_name(root, "binder-control"); 435 if (!dentry) 436 goto out; 437 438 inode->i_private = device; 439 info->control_dentry = dentry; 440 d_add(dentry, inode); 441 442 return 0; 443 444 out: 445 kfree(device); 446 iput(inode); 447 448 return ret; 449 } 450 451 static const struct inode_operations binderfs_dir_inode_operations = { 452 .lookup = simple_lookup, 453 .rename = binderfs_rename, 454 .unlink = binderfs_unlink, 455 }; 456 457 static int binderfs_fill_super(struct super_block *sb, void *data, int silent) 458 { 459 int ret; 460 struct binderfs_info *info; 461 struct inode *inode = NULL; 462 463 sb->s_blocksize = PAGE_SIZE; 464 sb->s_blocksize_bits = PAGE_SHIFT; 465 466 /* 467 * The binderfs filesystem can be mounted by userns root in a 468 * non-initial userns. By default such mounts have the SB_I_NODEV flag 469 * set in s_iflags to prevent security issues where userns root can 470 * just create random device nodes via mknod() since it owns the 471 * filesystem mount. But binderfs does not allow to create any files 472 * including devices nodes. The only way to create binder devices nodes 473 * is through the binder-control device which userns root is explicitly 474 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both 475 * necessary and safe. 476 */ 477 sb->s_iflags &= ~SB_I_NODEV; 478 sb->s_iflags |= SB_I_NOEXEC; 479 sb->s_magic = BINDERFS_SUPER_MAGIC; 480 sb->s_op = &binderfs_super_ops; 481 sb->s_time_gran = 1; 482 483 sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL); 484 if (!sb->s_fs_info) 485 return -ENOMEM; 486 info = sb->s_fs_info; 487 488 info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns); 489 490 ret = binderfs_parse_mount_opts(data, &info->mount_opts); 491 if (ret) 492 return ret; 493 494 info->root_gid = make_kgid(sb->s_user_ns, 0); 495 if (!gid_valid(info->root_gid)) 496 info->root_gid = GLOBAL_ROOT_GID; 497 info->root_uid = make_kuid(sb->s_user_ns, 0); 498 if (!uid_valid(info->root_uid)) 499 info->root_uid = GLOBAL_ROOT_UID; 500 501 inode = new_inode(sb); 502 if (!inode) 503 return -ENOMEM; 504 505 inode->i_ino = FIRST_INODE; 506 inode->i_fop = &simple_dir_operations; 507 inode->i_mode = S_IFDIR | 0755; 508 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 509 inode->i_op = &binderfs_dir_inode_operations; 510 set_nlink(inode, 2); 511 512 sb->s_root = d_make_root(inode); 513 if (!sb->s_root) 514 return -ENOMEM; 515 516 return binderfs_binder_ctl_create(sb); 517 } 518 519 static struct dentry *binderfs_mount(struct file_system_type *fs_type, 520 int flags, const char *dev_name, 521 void *data) 522 { 523 return mount_nodev(fs_type, flags, data, binderfs_fill_super); 524 } 525 526 static void binderfs_kill_super(struct super_block *sb) 527 { 528 struct binderfs_info *info = sb->s_fs_info; 529 530 kill_litter_super(sb); 531 532 if (info && info->ipc_ns) 533 put_ipc_ns(info->ipc_ns); 534 535 kfree(info); 536 } 537 538 static struct file_system_type binder_fs_type = { 539 .name = "binder", 540 .mount = binderfs_mount, 541 .kill_sb = binderfs_kill_super, 542 .fs_flags = FS_USERNS_MOUNT, 543 }; 544 545 static int __init init_binderfs(void) 546 { 547 int ret; 548 549 /* Allocate new major number for binderfs. */ 550 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, 551 "binder"); 552 if (ret) 553 return ret; 554 555 ret = register_filesystem(&binder_fs_type); 556 if (ret) { 557 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); 558 return ret; 559 } 560 561 return ret; 562 } 563 564 device_initcall(init_binderfs); 565