1 /* SPDX-License-Identifier: GPL-2.0 */ 2 3 #include <linux/compiler_types.h> 4 #include <linux/errno.h> 5 #include <linux/fs.h> 6 #include <linux/fsnotify.h> 7 #include <linux/gfp.h> 8 #include <linux/idr.h> 9 #include <linux/init.h> 10 #include <linux/ipc_namespace.h> 11 #include <linux/kdev_t.h> 12 #include <linux/kernel.h> 13 #include <linux/list.h> 14 #include <linux/namei.h> 15 #include <linux/magic.h> 16 #include <linux/major.h> 17 #include <linux/miscdevice.h> 18 #include <linux/module.h> 19 #include <linux/mutex.h> 20 #include <linux/mount.h> 21 #include <linux/parser.h> 22 #include <linux/radix-tree.h> 23 #include <linux/sched.h> 24 #include <linux/seq_file.h> 25 #include <linux/slab.h> 26 #include <linux/spinlock_types.h> 27 #include <linux/stddef.h> 28 #include <linux/string.h> 29 #include <linux/types.h> 30 #include <linux/uaccess.h> 31 #include <linux/user_namespace.h> 32 #include <linux/xarray.h> 33 #include <uapi/asm-generic/errno-base.h> 34 #include <uapi/linux/android/binder.h> 35 #include <uapi/linux/android/binderfs.h> 36 37 #include "binder_internal.h" 38 39 #define FIRST_INODE 1 40 #define SECOND_INODE 2 41 #define INODE_OFFSET 3 42 #define INTSTRLEN 21 43 #define BINDERFS_MAX_MINOR (1U << MINORBITS) 44 /* Ensure that the initial ipc namespace always has devices available. */ 45 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4) 46 47 static dev_t binderfs_dev; 48 static DEFINE_MUTEX(binderfs_minors_mutex); 49 static DEFINE_IDA(binderfs_minors); 50 51 /** 52 * binderfs_mount_opts - mount options for binderfs 53 * @max: maximum number of allocatable binderfs binder devices 54 */ 55 struct binderfs_mount_opts { 56 int max; 57 }; 58 59 enum { 60 Opt_max, 61 Opt_err 62 }; 63 64 static const match_table_t tokens = { 65 { Opt_max, "max=%d" }, 66 { Opt_err, NULL } 67 }; 68 69 /** 70 * binderfs_info - information about a binderfs mount 71 * @ipc_ns: The ipc namespace the binderfs mount belongs to. 72 * @control_dentry: This records the dentry of this binderfs mount 73 * binder-control device. 74 * @root_uid: uid that needs to be used when a new binder device is 75 * created. 76 * @root_gid: gid that needs to be used when a new binder device is 77 * created. 78 * @mount_opts: The mount options in use. 79 * @device_count: The current number of allocated binder devices. 80 */ 81 struct binderfs_info { 82 struct ipc_namespace *ipc_ns; 83 struct dentry *control_dentry; 84 kuid_t root_uid; 85 kgid_t root_gid; 86 struct binderfs_mount_opts mount_opts; 87 int device_count; 88 }; 89 90 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode) 91 { 92 return inode->i_sb->s_fs_info; 93 } 94 95 bool is_binderfs_device(const struct inode *inode) 96 { 97 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) 98 return true; 99 100 return false; 101 } 102 103 /** 104 * binderfs_binder_device_create - allocate inode from super block of a 105 * binderfs mount 106 * @ref_inode: inode from wich the super block will be taken 107 * @userp: buffer to copy information about new device for userspace to 108 * @req: struct binderfs_device as copied from userspace 109 * 110 * This function allocates a new binder_device and reserves a new minor 111 * number for it. 112 * Minor numbers are limited and tracked globally in binderfs_minors. The 113 * function will stash a struct binder_device for the specific binder 114 * device in i_private of the inode. 115 * It will go on to allocate a new inode from the super block of the 116 * filesystem mount, stash a struct binder_device in its i_private field 117 * and attach a dentry to that inode. 118 * 119 * Return: 0 on success, negative errno on failure 120 */ 121 static int binderfs_binder_device_create(struct inode *ref_inode, 122 struct binderfs_device __user *userp, 123 struct binderfs_device *req) 124 { 125 int minor, ret; 126 struct dentry *dentry, *root; 127 struct binder_device *device; 128 char *name = NULL; 129 size_t name_len; 130 struct inode *inode = NULL; 131 struct super_block *sb = ref_inode->i_sb; 132 struct binderfs_info *info = sb->s_fs_info; 133 #if defined(CONFIG_IPC_NS) 134 bool use_reserve = (info->ipc_ns == &init_ipc_ns); 135 #else 136 bool use_reserve = true; 137 #endif 138 139 /* Reserve new minor number for the new device. */ 140 mutex_lock(&binderfs_minors_mutex); 141 if (++info->device_count <= info->mount_opts.max) 142 minor = ida_alloc_max(&binderfs_minors, 143 use_reserve ? BINDERFS_MAX_MINOR : 144 BINDERFS_MAX_MINOR_CAPPED, 145 GFP_KERNEL); 146 else 147 minor = -ENOSPC; 148 if (minor < 0) { 149 --info->device_count; 150 mutex_unlock(&binderfs_minors_mutex); 151 return minor; 152 } 153 mutex_unlock(&binderfs_minors_mutex); 154 155 ret = -ENOMEM; 156 device = kzalloc(sizeof(*device), GFP_KERNEL); 157 if (!device) 158 goto err; 159 160 inode = new_inode(sb); 161 if (!inode) 162 goto err; 163 164 inode->i_ino = minor + INODE_OFFSET; 165 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 166 init_special_inode(inode, S_IFCHR | 0600, 167 MKDEV(MAJOR(binderfs_dev), minor)); 168 inode->i_fop = &binder_fops; 169 inode->i_uid = info->root_uid; 170 inode->i_gid = info->root_gid; 171 172 req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */ 173 name_len = strlen(req->name); 174 /* Make sure to include terminating NUL byte */ 175 name = kmemdup(req->name, name_len + 1, GFP_KERNEL); 176 if (!name) 177 goto err; 178 179 device->binderfs_inode = inode; 180 device->context.binder_context_mgr_uid = INVALID_UID; 181 device->context.name = name; 182 device->miscdev.name = name; 183 device->miscdev.minor = minor; 184 mutex_init(&device->context.context_mgr_node_lock); 185 186 req->major = MAJOR(binderfs_dev); 187 req->minor = minor; 188 189 if (userp && copy_to_user(userp, req, sizeof(*req))) { 190 ret = -EFAULT; 191 goto err; 192 } 193 194 root = sb->s_root; 195 inode_lock(d_inode(root)); 196 197 /* look it up */ 198 dentry = lookup_one_len(name, root, name_len); 199 if (IS_ERR(dentry)) { 200 inode_unlock(d_inode(root)); 201 ret = PTR_ERR(dentry); 202 goto err; 203 } 204 205 if (d_really_is_positive(dentry)) { 206 /* already exists */ 207 dput(dentry); 208 inode_unlock(d_inode(root)); 209 ret = -EEXIST; 210 goto err; 211 } 212 213 inode->i_private = device; 214 d_instantiate(dentry, inode); 215 fsnotify_create(root->d_inode, dentry); 216 inode_unlock(d_inode(root)); 217 218 return 0; 219 220 err: 221 kfree(name); 222 kfree(device); 223 mutex_lock(&binderfs_minors_mutex); 224 --info->device_count; 225 ida_free(&binderfs_minors, minor); 226 mutex_unlock(&binderfs_minors_mutex); 227 iput(inode); 228 229 return ret; 230 } 231 232 /** 233 * binderfs_ctl_ioctl - handle binder device node allocation requests 234 * 235 * The request handler for the binder-control device. All requests operate on 236 * the binderfs mount the binder-control device resides in: 237 * - BINDER_CTL_ADD 238 * Allocate a new binder device. 239 * 240 * Return: 0 on success, negative errno on failure 241 */ 242 static long binder_ctl_ioctl(struct file *file, unsigned int cmd, 243 unsigned long arg) 244 { 245 int ret = -EINVAL; 246 struct inode *inode = file_inode(file); 247 struct binderfs_device __user *device = (struct binderfs_device __user *)arg; 248 struct binderfs_device device_req; 249 250 switch (cmd) { 251 case BINDER_CTL_ADD: 252 ret = copy_from_user(&device_req, device, sizeof(device_req)); 253 if (ret) { 254 ret = -EFAULT; 255 break; 256 } 257 258 ret = binderfs_binder_device_create(inode, device, &device_req); 259 break; 260 default: 261 break; 262 } 263 264 return ret; 265 } 266 267 static void binderfs_evict_inode(struct inode *inode) 268 { 269 struct binder_device *device = inode->i_private; 270 struct binderfs_info *info = BINDERFS_I(inode); 271 272 clear_inode(inode); 273 274 if (!device) 275 return; 276 277 mutex_lock(&binderfs_minors_mutex); 278 --info->device_count; 279 ida_free(&binderfs_minors, device->miscdev.minor); 280 mutex_unlock(&binderfs_minors_mutex); 281 282 kfree(device->context.name); 283 kfree(device); 284 } 285 286 /** 287 * binderfs_parse_mount_opts - parse binderfs mount options 288 * @data: options to set (can be NULL in which case defaults are used) 289 */ 290 static int binderfs_parse_mount_opts(char *data, 291 struct binderfs_mount_opts *opts) 292 { 293 char *p; 294 opts->max = BINDERFS_MAX_MINOR; 295 296 while ((p = strsep(&data, ",")) != NULL) { 297 substring_t args[MAX_OPT_ARGS]; 298 int token; 299 int max_devices; 300 301 if (!*p) 302 continue; 303 304 token = match_token(p, tokens, args); 305 switch (token) { 306 case Opt_max: 307 if (match_int(&args[0], &max_devices) || 308 (max_devices < 0 || 309 (max_devices > BINDERFS_MAX_MINOR))) 310 return -EINVAL; 311 312 opts->max = max_devices; 313 break; 314 default: 315 pr_err("Invalid mount options\n"); 316 return -EINVAL; 317 } 318 } 319 320 return 0; 321 } 322 323 static int binderfs_remount(struct super_block *sb, int *flags, char *data) 324 { 325 struct binderfs_info *info = sb->s_fs_info; 326 return binderfs_parse_mount_opts(data, &info->mount_opts); 327 } 328 329 static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root) 330 { 331 struct binderfs_info *info; 332 333 info = root->d_sb->s_fs_info; 334 if (info->mount_opts.max <= BINDERFS_MAX_MINOR) 335 seq_printf(seq, ",max=%d", info->mount_opts.max); 336 337 return 0; 338 } 339 340 static const struct super_operations binderfs_super_ops = { 341 .evict_inode = binderfs_evict_inode, 342 .remount_fs = binderfs_remount, 343 .show_options = binderfs_show_mount_opts, 344 .statfs = simple_statfs, 345 }; 346 347 static inline bool is_binderfs_control_device(const struct dentry *dentry) 348 { 349 struct binderfs_info *info = dentry->d_sb->s_fs_info; 350 return info->control_dentry == dentry; 351 } 352 353 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry, 354 struct inode *new_dir, struct dentry *new_dentry, 355 unsigned int flags) 356 { 357 if (is_binderfs_control_device(old_dentry) || 358 is_binderfs_control_device(new_dentry)) 359 return -EPERM; 360 361 return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags); 362 } 363 364 static int binderfs_unlink(struct inode *dir, struct dentry *dentry) 365 { 366 if (is_binderfs_control_device(dentry)) 367 return -EPERM; 368 369 return simple_unlink(dir, dentry); 370 } 371 372 static const struct file_operations binder_ctl_fops = { 373 .owner = THIS_MODULE, 374 .open = nonseekable_open, 375 .unlocked_ioctl = binder_ctl_ioctl, 376 .compat_ioctl = binder_ctl_ioctl, 377 .llseek = noop_llseek, 378 }; 379 380 /** 381 * binderfs_binder_ctl_create - create a new binder-control device 382 * @sb: super block of the binderfs mount 383 * 384 * This function creates a new binder-control device node in the binderfs mount 385 * referred to by @sb. 386 * 387 * Return: 0 on success, negative errno on failure 388 */ 389 static int binderfs_binder_ctl_create(struct super_block *sb) 390 { 391 int minor, ret; 392 struct dentry *dentry; 393 struct binder_device *device; 394 struct inode *inode = NULL; 395 struct dentry *root = sb->s_root; 396 struct binderfs_info *info = sb->s_fs_info; 397 #if defined(CONFIG_IPC_NS) 398 bool use_reserve = (info->ipc_ns == &init_ipc_ns); 399 #else 400 bool use_reserve = true; 401 #endif 402 403 device = kzalloc(sizeof(*device), GFP_KERNEL); 404 if (!device) 405 return -ENOMEM; 406 407 /* If we have already created a binder-control node, return. */ 408 if (info->control_dentry) { 409 ret = 0; 410 goto out; 411 } 412 413 ret = -ENOMEM; 414 inode = new_inode(sb); 415 if (!inode) 416 goto out; 417 418 /* Reserve a new minor number for the new device. */ 419 mutex_lock(&binderfs_minors_mutex); 420 minor = ida_alloc_max(&binderfs_minors, 421 use_reserve ? BINDERFS_MAX_MINOR : 422 BINDERFS_MAX_MINOR_CAPPED, 423 GFP_KERNEL); 424 mutex_unlock(&binderfs_minors_mutex); 425 if (minor < 0) { 426 ret = minor; 427 goto out; 428 } 429 430 inode->i_ino = SECOND_INODE; 431 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 432 init_special_inode(inode, S_IFCHR | 0600, 433 MKDEV(MAJOR(binderfs_dev), minor)); 434 inode->i_fop = &binder_ctl_fops; 435 inode->i_uid = info->root_uid; 436 inode->i_gid = info->root_gid; 437 438 device->binderfs_inode = inode; 439 device->miscdev.minor = minor; 440 441 dentry = d_alloc_name(root, "binder-control"); 442 if (!dentry) 443 goto out; 444 445 inode->i_private = device; 446 info->control_dentry = dentry; 447 d_add(dentry, inode); 448 449 return 0; 450 451 out: 452 kfree(device); 453 iput(inode); 454 455 return ret; 456 } 457 458 static const struct inode_operations binderfs_dir_inode_operations = { 459 .lookup = simple_lookup, 460 .rename = binderfs_rename, 461 .unlink = binderfs_unlink, 462 }; 463 464 static int binderfs_fill_super(struct super_block *sb, void *data, int silent) 465 { 466 int ret; 467 struct binderfs_info *info; 468 struct inode *inode = NULL; 469 struct binderfs_device device_info = { 0 }; 470 const char *name; 471 size_t len; 472 473 sb->s_blocksize = PAGE_SIZE; 474 sb->s_blocksize_bits = PAGE_SHIFT; 475 476 /* 477 * The binderfs filesystem can be mounted by userns root in a 478 * non-initial userns. By default such mounts have the SB_I_NODEV flag 479 * set in s_iflags to prevent security issues where userns root can 480 * just create random device nodes via mknod() since it owns the 481 * filesystem mount. But binderfs does not allow to create any files 482 * including devices nodes. The only way to create binder devices nodes 483 * is through the binder-control device which userns root is explicitly 484 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both 485 * necessary and safe. 486 */ 487 sb->s_iflags &= ~SB_I_NODEV; 488 sb->s_iflags |= SB_I_NOEXEC; 489 sb->s_magic = BINDERFS_SUPER_MAGIC; 490 sb->s_op = &binderfs_super_ops; 491 sb->s_time_gran = 1; 492 493 sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL); 494 if (!sb->s_fs_info) 495 return -ENOMEM; 496 info = sb->s_fs_info; 497 498 info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns); 499 500 ret = binderfs_parse_mount_opts(data, &info->mount_opts); 501 if (ret) 502 return ret; 503 504 info->root_gid = make_kgid(sb->s_user_ns, 0); 505 if (!gid_valid(info->root_gid)) 506 info->root_gid = GLOBAL_ROOT_GID; 507 info->root_uid = make_kuid(sb->s_user_ns, 0); 508 if (!uid_valid(info->root_uid)) 509 info->root_uid = GLOBAL_ROOT_UID; 510 511 inode = new_inode(sb); 512 if (!inode) 513 return -ENOMEM; 514 515 inode->i_ino = FIRST_INODE; 516 inode->i_fop = &simple_dir_operations; 517 inode->i_mode = S_IFDIR | 0755; 518 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 519 inode->i_op = &binderfs_dir_inode_operations; 520 set_nlink(inode, 2); 521 522 sb->s_root = d_make_root(inode); 523 if (!sb->s_root) 524 return -ENOMEM; 525 526 ret = binderfs_binder_ctl_create(sb); 527 if (ret) 528 return ret; 529 530 name = binder_devices_param; 531 for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) { 532 strscpy(device_info.name, name, len + 1); 533 ret = binderfs_binder_device_create(inode, NULL, &device_info); 534 if (ret) 535 return ret; 536 name += len; 537 if (*name == ',') 538 name++; 539 } 540 541 return 0; 542 } 543 544 static struct dentry *binderfs_mount(struct file_system_type *fs_type, 545 int flags, const char *dev_name, 546 void *data) 547 { 548 return mount_nodev(fs_type, flags, data, binderfs_fill_super); 549 } 550 551 static void binderfs_kill_super(struct super_block *sb) 552 { 553 struct binderfs_info *info = sb->s_fs_info; 554 555 kill_litter_super(sb); 556 557 if (info && info->ipc_ns) 558 put_ipc_ns(info->ipc_ns); 559 560 kfree(info); 561 } 562 563 static struct file_system_type binder_fs_type = { 564 .name = "binder", 565 .mount = binderfs_mount, 566 .kill_sb = binderfs_kill_super, 567 .fs_flags = FS_USERNS_MOUNT, 568 }; 569 570 int __init init_binderfs(void) 571 { 572 int ret; 573 const char *name; 574 size_t len; 575 576 /* Verify that the default binderfs device names are valid. */ 577 name = binder_devices_param; 578 for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) { 579 if (len > BINDERFS_MAX_NAME) 580 return -E2BIG; 581 name += len; 582 if (*name == ',') 583 name++; 584 } 585 586 /* Allocate new major number for binderfs. */ 587 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, 588 "binder"); 589 if (ret) 590 return ret; 591 592 ret = register_filesystem(&binder_fs_type); 593 if (ret) { 594 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); 595 return ret; 596 } 597 598 return ret; 599 } 600