1 /* SPDX-License-Identifier: GPL-2.0 */ 2 3 #include <linux/compiler_types.h> 4 #include <linux/errno.h> 5 #include <linux/fs.h> 6 #include <linux/fsnotify.h> 7 #include <linux/gfp.h> 8 #include <linux/idr.h> 9 #include <linux/init.h> 10 #include <linux/ipc_namespace.h> 11 #include <linux/kdev_t.h> 12 #include <linux/kernel.h> 13 #include <linux/list.h> 14 #include <linux/namei.h> 15 #include <linux/magic.h> 16 #include <linux/major.h> 17 #include <linux/miscdevice.h> 18 #include <linux/module.h> 19 #include <linux/mutex.h> 20 #include <linux/mount.h> 21 #include <linux/parser.h> 22 #include <linux/radix-tree.h> 23 #include <linux/sched.h> 24 #include <linux/seq_file.h> 25 #include <linux/slab.h> 26 #include <linux/spinlock_types.h> 27 #include <linux/stddef.h> 28 #include <linux/string.h> 29 #include <linux/types.h> 30 #include <linux/uaccess.h> 31 #include <linux/user_namespace.h> 32 #include <linux/xarray.h> 33 #include <uapi/asm-generic/errno-base.h> 34 #include <uapi/linux/android/binder.h> 35 #include <uapi/linux/android/binderfs.h> 36 37 #include "binder_internal.h" 38 39 #define FIRST_INODE 1 40 #define SECOND_INODE 2 41 #define INODE_OFFSET 3 42 #define INTSTRLEN 21 43 #define BINDERFS_MAX_MINOR (1U << MINORBITS) 44 /* Ensure that the initial ipc namespace always has devices available. */ 45 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4) 46 47 static dev_t binderfs_dev; 48 static DEFINE_MUTEX(binderfs_minors_mutex); 49 static DEFINE_IDA(binderfs_minors); 50 51 /** 52 * binderfs_mount_opts - mount options for binderfs 53 * @max: maximum number of allocatable binderfs binder devices 54 * @stats_mode: enable binder stats in binderfs. 55 */ 56 struct binderfs_mount_opts { 57 int max; 58 int stats_mode; 59 }; 60 61 enum { 62 Opt_max, 63 Opt_stats_mode, 64 Opt_err 65 }; 66 67 enum binderfs_stats_mode { 68 STATS_NONE, 69 STATS_GLOBAL, 70 }; 71 72 static const match_table_t tokens = { 73 { Opt_max, "max=%d" }, 74 { Opt_stats_mode, "stats=%s" }, 75 { Opt_err, NULL } 76 }; 77 78 /** 79 * binderfs_info - information about a binderfs mount 80 * @ipc_ns: The ipc namespace the binderfs mount belongs to. 81 * @control_dentry: This records the dentry of this binderfs mount 82 * binder-control device. 83 * @root_uid: uid that needs to be used when a new binder device is 84 * created. 85 * @root_gid: gid that needs to be used when a new binder device is 86 * created. 87 * @mount_opts: The mount options in use. 88 * @device_count: The current number of allocated binder devices. 89 */ 90 struct binderfs_info { 91 struct ipc_namespace *ipc_ns; 92 struct dentry *control_dentry; 93 kuid_t root_uid; 94 kgid_t root_gid; 95 struct binderfs_mount_opts mount_opts; 96 int device_count; 97 }; 98 99 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode) 100 { 101 return inode->i_sb->s_fs_info; 102 } 103 104 bool is_binderfs_device(const struct inode *inode) 105 { 106 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC) 107 return true; 108 109 return false; 110 } 111 112 /** 113 * binderfs_binder_device_create - allocate inode from super block of a 114 * binderfs mount 115 * @ref_inode: inode from wich the super block will be taken 116 * @userp: buffer to copy information about new device for userspace to 117 * @req: struct binderfs_device as copied from userspace 118 * 119 * This function allocates a new binder_device and reserves a new minor 120 * number for it. 121 * Minor numbers are limited and tracked globally in binderfs_minors. The 122 * function will stash a struct binder_device for the specific binder 123 * device in i_private of the inode. 124 * It will go on to allocate a new inode from the super block of the 125 * filesystem mount, stash a struct binder_device in its i_private field 126 * and attach a dentry to that inode. 127 * 128 * Return: 0 on success, negative errno on failure 129 */ 130 static int binderfs_binder_device_create(struct inode *ref_inode, 131 struct binderfs_device __user *userp, 132 struct binderfs_device *req) 133 { 134 int minor, ret; 135 struct dentry *dentry, *root; 136 struct binder_device *device; 137 char *name = NULL; 138 size_t name_len; 139 struct inode *inode = NULL; 140 struct super_block *sb = ref_inode->i_sb; 141 struct binderfs_info *info = sb->s_fs_info; 142 #if defined(CONFIG_IPC_NS) 143 bool use_reserve = (info->ipc_ns == &init_ipc_ns); 144 #else 145 bool use_reserve = true; 146 #endif 147 148 /* Reserve new minor number for the new device. */ 149 mutex_lock(&binderfs_minors_mutex); 150 if (++info->device_count <= info->mount_opts.max) 151 minor = ida_alloc_max(&binderfs_minors, 152 use_reserve ? BINDERFS_MAX_MINOR : 153 BINDERFS_MAX_MINOR_CAPPED, 154 GFP_KERNEL); 155 else 156 minor = -ENOSPC; 157 if (minor < 0) { 158 --info->device_count; 159 mutex_unlock(&binderfs_minors_mutex); 160 return minor; 161 } 162 mutex_unlock(&binderfs_minors_mutex); 163 164 ret = -ENOMEM; 165 device = kzalloc(sizeof(*device), GFP_KERNEL); 166 if (!device) 167 goto err; 168 169 inode = new_inode(sb); 170 if (!inode) 171 goto err; 172 173 inode->i_ino = minor + INODE_OFFSET; 174 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 175 init_special_inode(inode, S_IFCHR | 0600, 176 MKDEV(MAJOR(binderfs_dev), minor)); 177 inode->i_fop = &binder_fops; 178 inode->i_uid = info->root_uid; 179 inode->i_gid = info->root_gid; 180 181 req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */ 182 name_len = strlen(req->name); 183 /* Make sure to include terminating NUL byte */ 184 name = kmemdup(req->name, name_len + 1, GFP_KERNEL); 185 if (!name) 186 goto err; 187 188 device->binderfs_inode = inode; 189 device->context.binder_context_mgr_uid = INVALID_UID; 190 device->context.name = name; 191 device->miscdev.name = name; 192 device->miscdev.minor = minor; 193 mutex_init(&device->context.context_mgr_node_lock); 194 195 req->major = MAJOR(binderfs_dev); 196 req->minor = minor; 197 198 if (userp && copy_to_user(userp, req, sizeof(*req))) { 199 ret = -EFAULT; 200 goto err; 201 } 202 203 root = sb->s_root; 204 inode_lock(d_inode(root)); 205 206 /* look it up */ 207 dentry = lookup_one_len(name, root, name_len); 208 if (IS_ERR(dentry)) { 209 inode_unlock(d_inode(root)); 210 ret = PTR_ERR(dentry); 211 goto err; 212 } 213 214 if (d_really_is_positive(dentry)) { 215 /* already exists */ 216 dput(dentry); 217 inode_unlock(d_inode(root)); 218 ret = -EEXIST; 219 goto err; 220 } 221 222 inode->i_private = device; 223 d_instantiate(dentry, inode); 224 fsnotify_create(root->d_inode, dentry); 225 inode_unlock(d_inode(root)); 226 227 return 0; 228 229 err: 230 kfree(name); 231 kfree(device); 232 mutex_lock(&binderfs_minors_mutex); 233 --info->device_count; 234 ida_free(&binderfs_minors, minor); 235 mutex_unlock(&binderfs_minors_mutex); 236 iput(inode); 237 238 return ret; 239 } 240 241 /** 242 * binderfs_ctl_ioctl - handle binder device node allocation requests 243 * 244 * The request handler for the binder-control device. All requests operate on 245 * the binderfs mount the binder-control device resides in: 246 * - BINDER_CTL_ADD 247 * Allocate a new binder device. 248 * 249 * Return: 0 on success, negative errno on failure 250 */ 251 static long binder_ctl_ioctl(struct file *file, unsigned int cmd, 252 unsigned long arg) 253 { 254 int ret = -EINVAL; 255 struct inode *inode = file_inode(file); 256 struct binderfs_device __user *device = (struct binderfs_device __user *)arg; 257 struct binderfs_device device_req; 258 259 switch (cmd) { 260 case BINDER_CTL_ADD: 261 ret = copy_from_user(&device_req, device, sizeof(device_req)); 262 if (ret) { 263 ret = -EFAULT; 264 break; 265 } 266 267 ret = binderfs_binder_device_create(inode, device, &device_req); 268 break; 269 default: 270 break; 271 } 272 273 return ret; 274 } 275 276 static void binderfs_evict_inode(struct inode *inode) 277 { 278 struct binder_device *device = inode->i_private; 279 struct binderfs_info *info = BINDERFS_I(inode); 280 281 clear_inode(inode); 282 283 if (!device) 284 return; 285 286 mutex_lock(&binderfs_minors_mutex); 287 --info->device_count; 288 ida_free(&binderfs_minors, device->miscdev.minor); 289 mutex_unlock(&binderfs_minors_mutex); 290 291 kfree(device->context.name); 292 kfree(device); 293 } 294 295 /** 296 * binderfs_parse_mount_opts - parse binderfs mount options 297 * @data: options to set (can be NULL in which case defaults are used) 298 */ 299 static int binderfs_parse_mount_opts(char *data, 300 struct binderfs_mount_opts *opts) 301 { 302 char *p, *stats; 303 opts->max = BINDERFS_MAX_MINOR; 304 opts->stats_mode = STATS_NONE; 305 306 while ((p = strsep(&data, ",")) != NULL) { 307 substring_t args[MAX_OPT_ARGS]; 308 int token; 309 int max_devices; 310 311 if (!*p) 312 continue; 313 314 token = match_token(p, tokens, args); 315 switch (token) { 316 case Opt_max: 317 if (match_int(&args[0], &max_devices) || 318 (max_devices < 0 || 319 (max_devices > BINDERFS_MAX_MINOR))) 320 return -EINVAL; 321 322 opts->max = max_devices; 323 break; 324 case Opt_stats_mode: 325 if (!capable(CAP_SYS_ADMIN)) 326 return -EINVAL; 327 328 stats = match_strdup(&args[0]); 329 if (!stats) 330 return -ENOMEM; 331 332 if (strcmp(stats, "global") != 0) { 333 kfree(stats); 334 return -EINVAL; 335 } 336 337 opts->stats_mode = STATS_GLOBAL; 338 kfree(stats); 339 break; 340 default: 341 pr_err("Invalid mount options\n"); 342 return -EINVAL; 343 } 344 } 345 346 return 0; 347 } 348 349 static int binderfs_remount(struct super_block *sb, int *flags, char *data) 350 { 351 int prev_stats_mode, ret; 352 struct binderfs_info *info = sb->s_fs_info; 353 354 prev_stats_mode = info->mount_opts.stats_mode; 355 ret = binderfs_parse_mount_opts(data, &info->mount_opts); 356 if (ret) 357 return ret; 358 359 if (prev_stats_mode != info->mount_opts.stats_mode) { 360 pr_err("Binderfs stats mode cannot be changed during a remount\n"); 361 info->mount_opts.stats_mode = prev_stats_mode; 362 return -EINVAL; 363 } 364 365 return 0; 366 } 367 368 static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root) 369 { 370 struct binderfs_info *info; 371 372 info = root->d_sb->s_fs_info; 373 if (info->mount_opts.max <= BINDERFS_MAX_MINOR) 374 seq_printf(seq, ",max=%d", info->mount_opts.max); 375 if (info->mount_opts.stats_mode == STATS_GLOBAL) 376 seq_printf(seq, ",stats=global"); 377 378 return 0; 379 } 380 381 static const struct super_operations binderfs_super_ops = { 382 .evict_inode = binderfs_evict_inode, 383 .remount_fs = binderfs_remount, 384 .show_options = binderfs_show_mount_opts, 385 .statfs = simple_statfs, 386 }; 387 388 static inline bool is_binderfs_control_device(const struct dentry *dentry) 389 { 390 struct binderfs_info *info = dentry->d_sb->s_fs_info; 391 return info->control_dentry == dentry; 392 } 393 394 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry, 395 struct inode *new_dir, struct dentry *new_dentry, 396 unsigned int flags) 397 { 398 if (is_binderfs_control_device(old_dentry) || 399 is_binderfs_control_device(new_dentry)) 400 return -EPERM; 401 402 return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags); 403 } 404 405 static int binderfs_unlink(struct inode *dir, struct dentry *dentry) 406 { 407 if (is_binderfs_control_device(dentry)) 408 return -EPERM; 409 410 return simple_unlink(dir, dentry); 411 } 412 413 static const struct file_operations binder_ctl_fops = { 414 .owner = THIS_MODULE, 415 .open = nonseekable_open, 416 .unlocked_ioctl = binder_ctl_ioctl, 417 .compat_ioctl = binder_ctl_ioctl, 418 .llseek = noop_llseek, 419 }; 420 421 /** 422 * binderfs_binder_ctl_create - create a new binder-control device 423 * @sb: super block of the binderfs mount 424 * 425 * This function creates a new binder-control device node in the binderfs mount 426 * referred to by @sb. 427 * 428 * Return: 0 on success, negative errno on failure 429 */ 430 static int binderfs_binder_ctl_create(struct super_block *sb) 431 { 432 int minor, ret; 433 struct dentry *dentry; 434 struct binder_device *device; 435 struct inode *inode = NULL; 436 struct dentry *root = sb->s_root; 437 struct binderfs_info *info = sb->s_fs_info; 438 #if defined(CONFIG_IPC_NS) 439 bool use_reserve = (info->ipc_ns == &init_ipc_ns); 440 #else 441 bool use_reserve = true; 442 #endif 443 444 device = kzalloc(sizeof(*device), GFP_KERNEL); 445 if (!device) 446 return -ENOMEM; 447 448 /* If we have already created a binder-control node, return. */ 449 if (info->control_dentry) { 450 ret = 0; 451 goto out; 452 } 453 454 ret = -ENOMEM; 455 inode = new_inode(sb); 456 if (!inode) 457 goto out; 458 459 /* Reserve a new minor number for the new device. */ 460 mutex_lock(&binderfs_minors_mutex); 461 minor = ida_alloc_max(&binderfs_minors, 462 use_reserve ? BINDERFS_MAX_MINOR : 463 BINDERFS_MAX_MINOR_CAPPED, 464 GFP_KERNEL); 465 mutex_unlock(&binderfs_minors_mutex); 466 if (minor < 0) { 467 ret = minor; 468 goto out; 469 } 470 471 inode->i_ino = SECOND_INODE; 472 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 473 init_special_inode(inode, S_IFCHR | 0600, 474 MKDEV(MAJOR(binderfs_dev), minor)); 475 inode->i_fop = &binder_ctl_fops; 476 inode->i_uid = info->root_uid; 477 inode->i_gid = info->root_gid; 478 479 device->binderfs_inode = inode; 480 device->miscdev.minor = minor; 481 482 dentry = d_alloc_name(root, "binder-control"); 483 if (!dentry) 484 goto out; 485 486 inode->i_private = device; 487 info->control_dentry = dentry; 488 d_add(dentry, inode); 489 490 return 0; 491 492 out: 493 kfree(device); 494 iput(inode); 495 496 return ret; 497 } 498 499 static const struct inode_operations binderfs_dir_inode_operations = { 500 .lookup = simple_lookup, 501 .rename = binderfs_rename, 502 .unlink = binderfs_unlink, 503 }; 504 505 static int binderfs_fill_super(struct super_block *sb, void *data, int silent) 506 { 507 int ret; 508 struct binderfs_info *info; 509 struct inode *inode = NULL; 510 struct binderfs_device device_info = { 0 }; 511 const char *name; 512 size_t len; 513 514 sb->s_blocksize = PAGE_SIZE; 515 sb->s_blocksize_bits = PAGE_SHIFT; 516 517 /* 518 * The binderfs filesystem can be mounted by userns root in a 519 * non-initial userns. By default such mounts have the SB_I_NODEV flag 520 * set in s_iflags to prevent security issues where userns root can 521 * just create random device nodes via mknod() since it owns the 522 * filesystem mount. But binderfs does not allow to create any files 523 * including devices nodes. The only way to create binder devices nodes 524 * is through the binder-control device which userns root is explicitly 525 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both 526 * necessary and safe. 527 */ 528 sb->s_iflags &= ~SB_I_NODEV; 529 sb->s_iflags |= SB_I_NOEXEC; 530 sb->s_magic = BINDERFS_SUPER_MAGIC; 531 sb->s_op = &binderfs_super_ops; 532 sb->s_time_gran = 1; 533 534 sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL); 535 if (!sb->s_fs_info) 536 return -ENOMEM; 537 info = sb->s_fs_info; 538 539 info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns); 540 541 ret = binderfs_parse_mount_opts(data, &info->mount_opts); 542 if (ret) 543 return ret; 544 545 info->root_gid = make_kgid(sb->s_user_ns, 0); 546 if (!gid_valid(info->root_gid)) 547 info->root_gid = GLOBAL_ROOT_GID; 548 info->root_uid = make_kuid(sb->s_user_ns, 0); 549 if (!uid_valid(info->root_uid)) 550 info->root_uid = GLOBAL_ROOT_UID; 551 552 inode = new_inode(sb); 553 if (!inode) 554 return -ENOMEM; 555 556 inode->i_ino = FIRST_INODE; 557 inode->i_fop = &simple_dir_operations; 558 inode->i_mode = S_IFDIR | 0755; 559 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); 560 inode->i_op = &binderfs_dir_inode_operations; 561 set_nlink(inode, 2); 562 563 sb->s_root = d_make_root(inode); 564 if (!sb->s_root) 565 return -ENOMEM; 566 567 ret = binderfs_binder_ctl_create(sb); 568 if (ret) 569 return ret; 570 571 name = binder_devices_param; 572 for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) { 573 strscpy(device_info.name, name, len + 1); 574 ret = binderfs_binder_device_create(inode, NULL, &device_info); 575 if (ret) 576 return ret; 577 name += len; 578 if (*name == ',') 579 name++; 580 } 581 582 return 0; 583 } 584 585 static struct dentry *binderfs_mount(struct file_system_type *fs_type, 586 int flags, const char *dev_name, 587 void *data) 588 { 589 return mount_nodev(fs_type, flags, data, binderfs_fill_super); 590 } 591 592 static void binderfs_kill_super(struct super_block *sb) 593 { 594 struct binderfs_info *info = sb->s_fs_info; 595 596 kill_litter_super(sb); 597 598 if (info && info->ipc_ns) 599 put_ipc_ns(info->ipc_ns); 600 601 kfree(info); 602 } 603 604 static struct file_system_type binder_fs_type = { 605 .name = "binder", 606 .mount = binderfs_mount, 607 .kill_sb = binderfs_kill_super, 608 .fs_flags = FS_USERNS_MOUNT, 609 }; 610 611 int __init init_binderfs(void) 612 { 613 int ret; 614 const char *name; 615 size_t len; 616 617 /* Verify that the default binderfs device names are valid. */ 618 name = binder_devices_param; 619 for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) { 620 if (len > BINDERFS_MAX_NAME) 621 return -E2BIG; 622 name += len; 623 if (*name == ',') 624 name++; 625 } 626 627 /* Allocate new major number for binderfs. */ 628 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR, 629 "binder"); 630 if (ret) 631 return ret; 632 633 ret = register_filesystem(&binder_fs_type); 634 if (ret) { 635 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR); 636 return ret; 637 } 638 639 return ret; 640 } 641