1 /* 2 * umh - the kernel usermode helper 3 */ 4 #include <linux/module.h> 5 #include <linux/sched.h> 6 #include <linux/sched/task.h> 7 #include <linux/binfmts.h> 8 #include <linux/syscalls.h> 9 #include <linux/unistd.h> 10 #include <linux/kmod.h> 11 #include <linux/slab.h> 12 #include <linux/completion.h> 13 #include <linux/cred.h> 14 #include <linux/file.h> 15 #include <linux/fdtable.h> 16 #include <linux/workqueue.h> 17 #include <linux/security.h> 18 #include <linux/mount.h> 19 #include <linux/kernel.h> 20 #include <linux/init.h> 21 #include <linux/resource.h> 22 #include <linux/notifier.h> 23 #include <linux/suspend.h> 24 #include <linux/rwsem.h> 25 #include <linux/ptrace.h> 26 #include <linux/async.h> 27 #include <linux/uaccess.h> 28 #include <linux/shmem_fs.h> 29 #include <linux/pipe_fs_i.h> 30 31 #include <trace/events/module.h> 32 33 #define CAP_BSET (void *)1 34 #define CAP_PI (void *)2 35 36 static kernel_cap_t usermodehelper_bset = CAP_FULL_SET; 37 static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET; 38 static DEFINE_SPINLOCK(umh_sysctl_lock); 39 static DECLARE_RWSEM(umhelper_sem); 40 static LIST_HEAD(umh_list); 41 static DEFINE_MUTEX(umh_list_lock); 42 43 static void call_usermodehelper_freeinfo(struct subprocess_info *info) 44 { 45 if (info->cleanup) 46 (*info->cleanup)(info); 47 kfree(info); 48 } 49 50 static void umh_complete(struct subprocess_info *sub_info) 51 { 52 struct completion *comp = xchg(&sub_info->complete, NULL); 53 /* 54 * See call_usermodehelper_exec(). If xchg() returns NULL 55 * we own sub_info, the UMH_KILLABLE caller has gone away 56 * or the caller used UMH_NO_WAIT. 57 */ 58 if (comp) 59 complete(comp); 60 else 61 call_usermodehelper_freeinfo(sub_info); 62 } 63 64 /* 65 * This is the task which runs the usermode application 66 */ 67 static int call_usermodehelper_exec_async(void *data) 68 { 69 struct subprocess_info *sub_info = data; 70 struct cred *new; 71 int retval; 72 73 spin_lock_irq(¤t->sighand->siglock); 74 flush_signal_handlers(current, 1); 75 spin_unlock_irq(¤t->sighand->siglock); 76 77 /* 78 * Our parent (unbound workqueue) runs with elevated scheduling 79 * priority. Avoid propagating that into the userspace child. 80 */ 81 set_user_nice(current, 0); 82 83 retval = -ENOMEM; 84 new = prepare_kernel_cred(current); 85 if (!new) 86 goto out; 87 88 spin_lock(&umh_sysctl_lock); 89 new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset); 90 new->cap_inheritable = cap_intersect(usermodehelper_inheritable, 91 new->cap_inheritable); 92 spin_unlock(&umh_sysctl_lock); 93 94 if (sub_info->init) { 95 retval = sub_info->init(sub_info, new); 96 if (retval) { 97 abort_creds(new); 98 goto out; 99 } 100 } 101 102 commit_creds(new); 103 104 sub_info->pid = task_pid_nr(current); 105 if (sub_info->file) { 106 retval = do_execve_file(sub_info->file, 107 sub_info->argv, sub_info->envp); 108 if (!retval) 109 current->flags |= PF_UMH; 110 } else 111 retval = do_execve(getname_kernel(sub_info->path), 112 (const char __user *const __user *)sub_info->argv, 113 (const char __user *const __user *)sub_info->envp); 114 out: 115 sub_info->retval = retval; 116 /* 117 * call_usermodehelper_exec_sync() will call umh_complete 118 * if UHM_WAIT_PROC. 119 */ 120 if (!(sub_info->wait & UMH_WAIT_PROC)) 121 umh_complete(sub_info); 122 if (!retval) 123 return 0; 124 do_exit(0); 125 } 126 127 /* Handles UMH_WAIT_PROC. */ 128 static void call_usermodehelper_exec_sync(struct subprocess_info *sub_info) 129 { 130 pid_t pid; 131 132 /* If SIGCLD is ignored kernel_wait4 won't populate the status. */ 133 kernel_sigaction(SIGCHLD, SIG_DFL); 134 pid = kernel_thread(call_usermodehelper_exec_async, sub_info, SIGCHLD); 135 if (pid < 0) { 136 sub_info->retval = pid; 137 } else { 138 int ret = -ECHILD; 139 /* 140 * Normally it is bogus to call wait4() from in-kernel because 141 * wait4() wants to write the exit code to a userspace address. 142 * But call_usermodehelper_exec_sync() always runs as kernel 143 * thread (workqueue) and put_user() to a kernel address works 144 * OK for kernel threads, due to their having an mm_segment_t 145 * which spans the entire address space. 146 * 147 * Thus the __user pointer cast is valid here. 148 */ 149 kernel_wait4(pid, (int __user *)&ret, 0, NULL); 150 151 /* 152 * If ret is 0, either call_usermodehelper_exec_async failed and 153 * the real error code is already in sub_info->retval or 154 * sub_info->retval is 0 anyway, so don't mess with it then. 155 */ 156 if (ret) 157 sub_info->retval = ret; 158 } 159 160 /* Restore default kernel sig handler */ 161 kernel_sigaction(SIGCHLD, SIG_IGN); 162 163 umh_complete(sub_info); 164 } 165 166 /* 167 * We need to create the usermodehelper kernel thread from a task that is affine 168 * to an optimized set of CPUs (or nohz housekeeping ones) such that they 169 * inherit a widest affinity irrespective of call_usermodehelper() callers with 170 * possibly reduced affinity (eg: per-cpu workqueues). We don't want 171 * usermodehelper targets to contend a busy CPU. 172 * 173 * Unbound workqueues provide such wide affinity and allow to block on 174 * UMH_WAIT_PROC requests without blocking pending request (up to some limit). 175 * 176 * Besides, workqueues provide the privilege level that caller might not have 177 * to perform the usermodehelper request. 178 * 179 */ 180 static void call_usermodehelper_exec_work(struct work_struct *work) 181 { 182 struct subprocess_info *sub_info = 183 container_of(work, struct subprocess_info, work); 184 185 if (sub_info->wait & UMH_WAIT_PROC) { 186 call_usermodehelper_exec_sync(sub_info); 187 } else { 188 pid_t pid; 189 /* 190 * Use CLONE_PARENT to reparent it to kthreadd; we do not 191 * want to pollute current->children, and we need a parent 192 * that always ignores SIGCHLD to ensure auto-reaping. 193 */ 194 pid = kernel_thread(call_usermodehelper_exec_async, sub_info, 195 CLONE_PARENT | SIGCHLD); 196 if (pid < 0) { 197 sub_info->retval = pid; 198 umh_complete(sub_info); 199 } 200 } 201 } 202 203 /* 204 * If set, call_usermodehelper_exec() will exit immediately returning -EBUSY 205 * (used for preventing user land processes from being created after the user 206 * land has been frozen during a system-wide hibernation or suspend operation). 207 * Should always be manipulated under umhelper_sem acquired for write. 208 */ 209 static enum umh_disable_depth usermodehelper_disabled = UMH_DISABLED; 210 211 /* Number of helpers running */ 212 static atomic_t running_helpers = ATOMIC_INIT(0); 213 214 /* 215 * Wait queue head used by usermodehelper_disable() to wait for all running 216 * helpers to finish. 217 */ 218 static DECLARE_WAIT_QUEUE_HEAD(running_helpers_waitq); 219 220 /* 221 * Used by usermodehelper_read_lock_wait() to wait for usermodehelper_disabled 222 * to become 'false'. 223 */ 224 static DECLARE_WAIT_QUEUE_HEAD(usermodehelper_disabled_waitq); 225 226 /* 227 * Time to wait for running_helpers to become zero before the setting of 228 * usermodehelper_disabled in usermodehelper_disable() fails 229 */ 230 #define RUNNING_HELPERS_TIMEOUT (5 * HZ) 231 232 int usermodehelper_read_trylock(void) 233 { 234 DEFINE_WAIT(wait); 235 int ret = 0; 236 237 down_read(&umhelper_sem); 238 for (;;) { 239 prepare_to_wait(&usermodehelper_disabled_waitq, &wait, 240 TASK_INTERRUPTIBLE); 241 if (!usermodehelper_disabled) 242 break; 243 244 if (usermodehelper_disabled == UMH_DISABLED) 245 ret = -EAGAIN; 246 247 up_read(&umhelper_sem); 248 249 if (ret) 250 break; 251 252 schedule(); 253 try_to_freeze(); 254 255 down_read(&umhelper_sem); 256 } 257 finish_wait(&usermodehelper_disabled_waitq, &wait); 258 return ret; 259 } 260 EXPORT_SYMBOL_GPL(usermodehelper_read_trylock); 261 262 long usermodehelper_read_lock_wait(long timeout) 263 { 264 DEFINE_WAIT(wait); 265 266 if (timeout < 0) 267 return -EINVAL; 268 269 down_read(&umhelper_sem); 270 for (;;) { 271 prepare_to_wait(&usermodehelper_disabled_waitq, &wait, 272 TASK_UNINTERRUPTIBLE); 273 if (!usermodehelper_disabled) 274 break; 275 276 up_read(&umhelper_sem); 277 278 timeout = schedule_timeout(timeout); 279 if (!timeout) 280 break; 281 282 down_read(&umhelper_sem); 283 } 284 finish_wait(&usermodehelper_disabled_waitq, &wait); 285 return timeout; 286 } 287 EXPORT_SYMBOL_GPL(usermodehelper_read_lock_wait); 288 289 void usermodehelper_read_unlock(void) 290 { 291 up_read(&umhelper_sem); 292 } 293 EXPORT_SYMBOL_GPL(usermodehelper_read_unlock); 294 295 /** 296 * __usermodehelper_set_disable_depth - Modify usermodehelper_disabled. 297 * @depth: New value to assign to usermodehelper_disabled. 298 * 299 * Change the value of usermodehelper_disabled (under umhelper_sem locked for 300 * writing) and wakeup tasks waiting for it to change. 301 */ 302 void __usermodehelper_set_disable_depth(enum umh_disable_depth depth) 303 { 304 down_write(&umhelper_sem); 305 usermodehelper_disabled = depth; 306 wake_up(&usermodehelper_disabled_waitq); 307 up_write(&umhelper_sem); 308 } 309 310 /** 311 * __usermodehelper_disable - Prevent new helpers from being started. 312 * @depth: New value to assign to usermodehelper_disabled. 313 * 314 * Set usermodehelper_disabled to @depth and wait for running helpers to exit. 315 */ 316 int __usermodehelper_disable(enum umh_disable_depth depth) 317 { 318 long retval; 319 320 if (!depth) 321 return -EINVAL; 322 323 down_write(&umhelper_sem); 324 usermodehelper_disabled = depth; 325 up_write(&umhelper_sem); 326 327 /* 328 * From now on call_usermodehelper_exec() won't start any new 329 * helpers, so it is sufficient if running_helpers turns out to 330 * be zero at one point (it may be increased later, but that 331 * doesn't matter). 332 */ 333 retval = wait_event_timeout(running_helpers_waitq, 334 atomic_read(&running_helpers) == 0, 335 RUNNING_HELPERS_TIMEOUT); 336 if (retval) 337 return 0; 338 339 __usermodehelper_set_disable_depth(UMH_ENABLED); 340 return -EAGAIN; 341 } 342 343 static void helper_lock(void) 344 { 345 atomic_inc(&running_helpers); 346 smp_mb__after_atomic(); 347 } 348 349 static void helper_unlock(void) 350 { 351 if (atomic_dec_and_test(&running_helpers)) 352 wake_up(&running_helpers_waitq); 353 } 354 355 /** 356 * call_usermodehelper_setup - prepare to call a usermode helper 357 * @path: path to usermode executable 358 * @argv: arg vector for process 359 * @envp: environment for process 360 * @gfp_mask: gfp mask for memory allocation 361 * @cleanup: a cleanup function 362 * @init: an init function 363 * @data: arbitrary context sensitive data 364 * 365 * Returns either %NULL on allocation failure, or a subprocess_info 366 * structure. This should be passed to call_usermodehelper_exec to 367 * exec the process and free the structure. 368 * 369 * The init function is used to customize the helper process prior to 370 * exec. A non-zero return code causes the process to error out, exit, 371 * and return the failure to the calling process 372 * 373 * The cleanup function is just before ethe subprocess_info is about to 374 * be freed. This can be used for freeing the argv and envp. The 375 * Function must be runnable in either a process context or the 376 * context in which call_usermodehelper_exec is called. 377 */ 378 struct subprocess_info *call_usermodehelper_setup(const char *path, char **argv, 379 char **envp, gfp_t gfp_mask, 380 int (*init)(struct subprocess_info *info, struct cred *new), 381 void (*cleanup)(struct subprocess_info *info), 382 void *data) 383 { 384 struct subprocess_info *sub_info; 385 sub_info = kzalloc(sizeof(struct subprocess_info), gfp_mask); 386 if (!sub_info) 387 goto out; 388 389 INIT_WORK(&sub_info->work, call_usermodehelper_exec_work); 390 391 #ifdef CONFIG_STATIC_USERMODEHELPER 392 sub_info->path = CONFIG_STATIC_USERMODEHELPER_PATH; 393 #else 394 sub_info->path = path; 395 #endif 396 sub_info->argv = argv; 397 sub_info->envp = envp; 398 399 sub_info->cleanup = cleanup; 400 sub_info->init = init; 401 sub_info->data = data; 402 out: 403 return sub_info; 404 } 405 EXPORT_SYMBOL(call_usermodehelper_setup); 406 407 struct subprocess_info *call_usermodehelper_setup_file(struct file *file, 408 int (*init)(struct subprocess_info *info, struct cred *new), 409 void (*cleanup)(struct subprocess_info *info), void *data) 410 { 411 struct subprocess_info *sub_info; 412 struct umh_info *info = data; 413 const char *cmdline = (info->cmdline) ? info->cmdline : "usermodehelper"; 414 415 sub_info = kzalloc(sizeof(struct subprocess_info), GFP_KERNEL); 416 if (!sub_info) 417 return NULL; 418 419 sub_info->argv = argv_split(GFP_KERNEL, cmdline, NULL); 420 if (!sub_info->argv) { 421 kfree(sub_info); 422 return NULL; 423 } 424 425 INIT_WORK(&sub_info->work, call_usermodehelper_exec_work); 426 sub_info->path = "none"; 427 sub_info->file = file; 428 sub_info->init = init; 429 sub_info->cleanup = cleanup; 430 sub_info->data = data; 431 return sub_info; 432 } 433 434 static int umh_pipe_setup(struct subprocess_info *info, struct cred *new) 435 { 436 struct umh_info *umh_info = info->data; 437 struct file *from_umh[2]; 438 struct file *to_umh[2]; 439 int err; 440 441 /* create pipe to send data to umh */ 442 err = create_pipe_files(to_umh, 0); 443 if (err) 444 return err; 445 err = replace_fd(0, to_umh[0], 0); 446 fput(to_umh[0]); 447 if (err < 0) { 448 fput(to_umh[1]); 449 return err; 450 } 451 452 /* create pipe to receive data from umh */ 453 err = create_pipe_files(from_umh, 0); 454 if (err) { 455 fput(to_umh[1]); 456 replace_fd(0, NULL, 0); 457 return err; 458 } 459 err = replace_fd(1, from_umh[1], 0); 460 fput(from_umh[1]); 461 if (err < 0) { 462 fput(to_umh[1]); 463 replace_fd(0, NULL, 0); 464 fput(from_umh[0]); 465 return err; 466 } 467 468 umh_info->pipe_to_umh = to_umh[1]; 469 umh_info->pipe_from_umh = from_umh[0]; 470 return 0; 471 } 472 473 static void umh_clean_and_save_pid(struct subprocess_info *info) 474 { 475 struct umh_info *umh_info = info->data; 476 477 argv_free(info->argv); 478 umh_info->pid = info->pid; 479 } 480 481 /** 482 * fork_usermode_blob - fork a blob of bytes as a usermode process 483 * @data: a blob of bytes that can be do_execv-ed as a file 484 * @len: length of the blob 485 * @info: information about usermode process (shouldn't be NULL) 486 * 487 * If info->cmdline is set it will be used as command line for the 488 * user process, else "usermodehelper" is used. 489 * 490 * Returns either negative error or zero which indicates success 491 * in executing a blob of bytes as a usermode process. In such 492 * case 'struct umh_info *info' is populated with two pipes 493 * and a pid of the process. The caller is responsible for health 494 * check of the user process, killing it via pid, and closing the 495 * pipes when user process is no longer needed. 496 */ 497 int fork_usermode_blob(void *data, size_t len, struct umh_info *info) 498 { 499 struct subprocess_info *sub_info; 500 struct file *file; 501 ssize_t written; 502 loff_t pos = 0; 503 int err; 504 505 file = shmem_kernel_file_setup("", len, 0); 506 if (IS_ERR(file)) 507 return PTR_ERR(file); 508 509 written = kernel_write(file, data, len, &pos); 510 if (written != len) { 511 err = written; 512 if (err >= 0) 513 err = -ENOMEM; 514 goto out; 515 } 516 517 err = -ENOMEM; 518 sub_info = call_usermodehelper_setup_file(file, umh_pipe_setup, 519 umh_clean_and_save_pid, info); 520 if (!sub_info) 521 goto out; 522 523 err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC); 524 if (!err) { 525 mutex_lock(&umh_list_lock); 526 list_add(&info->list, &umh_list); 527 mutex_unlock(&umh_list_lock); 528 } 529 out: 530 fput(file); 531 return err; 532 } 533 EXPORT_SYMBOL_GPL(fork_usermode_blob); 534 535 /** 536 * call_usermodehelper_exec - start a usermode application 537 * @sub_info: information about the subprocessa 538 * @wait: wait for the application to finish and return status. 539 * when UMH_NO_WAIT don't wait at all, but you get no useful error back 540 * when the program couldn't be exec'ed. This makes it safe to call 541 * from interrupt context. 542 * 543 * Runs a user-space application. The application is started 544 * asynchronously if wait is not set, and runs as a child of system workqueues. 545 * (ie. it runs with full root capabilities and optimized affinity). 546 */ 547 int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) 548 { 549 DECLARE_COMPLETION_ONSTACK(done); 550 int retval = 0; 551 552 if (!sub_info->path) { 553 call_usermodehelper_freeinfo(sub_info); 554 return -EINVAL; 555 } 556 helper_lock(); 557 if (usermodehelper_disabled) { 558 retval = -EBUSY; 559 goto out; 560 } 561 562 /* 563 * If there is no binary for us to call, then just return and get out of 564 * here. This allows us to set STATIC_USERMODEHELPER_PATH to "" and 565 * disable all call_usermodehelper() calls. 566 */ 567 if (strlen(sub_info->path) == 0) 568 goto out; 569 570 /* 571 * Set the completion pointer only if there is a waiter. 572 * This makes it possible to use umh_complete to free 573 * the data structure in case of UMH_NO_WAIT. 574 */ 575 sub_info->complete = (wait == UMH_NO_WAIT) ? NULL : &done; 576 sub_info->wait = wait; 577 578 queue_work(system_unbound_wq, &sub_info->work); 579 if (wait == UMH_NO_WAIT) /* task has freed sub_info */ 580 goto unlock; 581 582 if (wait & UMH_KILLABLE) { 583 retval = wait_for_completion_killable(&done); 584 if (!retval) 585 goto wait_done; 586 587 /* umh_complete() will see NULL and free sub_info */ 588 if (xchg(&sub_info->complete, NULL)) 589 goto unlock; 590 /* fallthrough, umh_complete() was already called */ 591 } 592 593 wait_for_completion(&done); 594 wait_done: 595 retval = sub_info->retval; 596 out: 597 call_usermodehelper_freeinfo(sub_info); 598 unlock: 599 helper_unlock(); 600 return retval; 601 } 602 EXPORT_SYMBOL(call_usermodehelper_exec); 603 604 /** 605 * call_usermodehelper() - prepare and start a usermode application 606 * @path: path to usermode executable 607 * @argv: arg vector for process 608 * @envp: environment for process 609 * @wait: wait for the application to finish and return status. 610 * when UMH_NO_WAIT don't wait at all, but you get no useful error back 611 * when the program couldn't be exec'ed. This makes it safe to call 612 * from interrupt context. 613 * 614 * This function is the equivalent to use call_usermodehelper_setup() and 615 * call_usermodehelper_exec(). 616 */ 617 int call_usermodehelper(const char *path, char **argv, char **envp, int wait) 618 { 619 struct subprocess_info *info; 620 gfp_t gfp_mask = (wait == UMH_NO_WAIT) ? GFP_ATOMIC : GFP_KERNEL; 621 622 info = call_usermodehelper_setup(path, argv, envp, gfp_mask, 623 NULL, NULL, NULL); 624 if (info == NULL) 625 return -ENOMEM; 626 627 return call_usermodehelper_exec(info, wait); 628 } 629 EXPORT_SYMBOL(call_usermodehelper); 630 631 static int proc_cap_handler(struct ctl_table *table, int write, 632 void __user *buffer, size_t *lenp, loff_t *ppos) 633 { 634 struct ctl_table t; 635 unsigned long cap_array[_KERNEL_CAPABILITY_U32S]; 636 kernel_cap_t new_cap; 637 int err, i; 638 639 if (write && (!capable(CAP_SETPCAP) || 640 !capable(CAP_SYS_MODULE))) 641 return -EPERM; 642 643 /* 644 * convert from the global kernel_cap_t to the ulong array to print to 645 * userspace if this is a read. 646 */ 647 spin_lock(&umh_sysctl_lock); 648 for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++) { 649 if (table->data == CAP_BSET) 650 cap_array[i] = usermodehelper_bset.cap[i]; 651 else if (table->data == CAP_PI) 652 cap_array[i] = usermodehelper_inheritable.cap[i]; 653 else 654 BUG(); 655 } 656 spin_unlock(&umh_sysctl_lock); 657 658 t = *table; 659 t.data = &cap_array; 660 661 /* 662 * actually read or write and array of ulongs from userspace. Remember 663 * these are least significant 32 bits first 664 */ 665 err = proc_doulongvec_minmax(&t, write, buffer, lenp, ppos); 666 if (err < 0) 667 return err; 668 669 /* 670 * convert from the sysctl array of ulongs to the kernel_cap_t 671 * internal representation 672 */ 673 for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++) 674 new_cap.cap[i] = cap_array[i]; 675 676 /* 677 * Drop everything not in the new_cap (but don't add things) 678 */ 679 if (write) { 680 spin_lock(&umh_sysctl_lock); 681 if (table->data == CAP_BSET) 682 usermodehelper_bset = cap_intersect(usermodehelper_bset, new_cap); 683 if (table->data == CAP_PI) 684 usermodehelper_inheritable = cap_intersect(usermodehelper_inheritable, new_cap); 685 spin_unlock(&umh_sysctl_lock); 686 } 687 688 return 0; 689 } 690 691 void __exit_umh(struct task_struct *tsk) 692 { 693 struct umh_info *info; 694 pid_t pid = tsk->pid; 695 696 mutex_lock(&umh_list_lock); 697 list_for_each_entry(info, &umh_list, list) { 698 if (info->pid == pid) { 699 list_del(&info->list); 700 mutex_unlock(&umh_list_lock); 701 goto out; 702 } 703 } 704 mutex_unlock(&umh_list_lock); 705 return; 706 out: 707 if (info->cleanup) 708 info->cleanup(info); 709 } 710 711 struct ctl_table usermodehelper_table[] = { 712 { 713 .procname = "bset", 714 .data = CAP_BSET, 715 .maxlen = _KERNEL_CAPABILITY_U32S * sizeof(unsigned long), 716 .mode = 0600, 717 .proc_handler = proc_cap_handler, 718 }, 719 { 720 .procname = "inheritable", 721 .data = CAP_PI, 722 .maxlen = _KERNEL_CAPABILITY_U32S * sizeof(unsigned long), 723 .mode = 0600, 724 .proc_handler = proc_cap_handler, 725 }, 726 { } 727 }; 728