root/drivers/android/binderfs.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. BINDERFS_I
  2. is_binderfs_device
  3. binderfs_binder_device_create
  4. binder_ctl_ioctl
  5. binderfs_evict_inode
  6. binderfs_parse_mount_opts
  7. binderfs_remount
  8. binderfs_show_mount_opts
  9. is_binderfs_control_device
  10. binderfs_rename
  11. binderfs_unlink
  12. binderfs_binder_ctl_create
  13. binderfs_make_inode
  14. binderfs_create_dentry
  15. binderfs_remove_file
  16. binderfs_create_file
  17. binderfs_create_dir
  18. init_binder_logs
  19. binderfs_fill_super
  20. binderfs_mount
  21. binderfs_kill_super
  22. init_binderfs

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 
   3 #include <linux/compiler_types.h>
   4 #include <linux/errno.h>
   5 #include <linux/fs.h>
   6 #include <linux/fsnotify.h>
   7 #include <linux/gfp.h>
   8 #include <linux/idr.h>
   9 #include <linux/init.h>
  10 #include <linux/ipc_namespace.h>
  11 #include <linux/kdev_t.h>
  12 #include <linux/kernel.h>
  13 #include <linux/list.h>
  14 #include <linux/namei.h>
  15 #include <linux/magic.h>
  16 #include <linux/major.h>
  17 #include <linux/miscdevice.h>
  18 #include <linux/module.h>
  19 #include <linux/mutex.h>
  20 #include <linux/mount.h>
  21 #include <linux/parser.h>
  22 #include <linux/radix-tree.h>
  23 #include <linux/sched.h>
  24 #include <linux/seq_file.h>
  25 #include <linux/slab.h>
  26 #include <linux/spinlock_types.h>
  27 #include <linux/stddef.h>
  28 #include <linux/string.h>
  29 #include <linux/types.h>
  30 #include <linux/uaccess.h>
  31 #include <linux/user_namespace.h>
  32 #include <linux/xarray.h>
  33 #include <uapi/asm-generic/errno-base.h>
  34 #include <uapi/linux/android/binder.h>
  35 #include <uapi/linux/android/binderfs.h>
  36 
  37 #include "binder_internal.h"
  38 
  39 #define FIRST_INODE 1
  40 #define SECOND_INODE 2
  41 #define INODE_OFFSET 3
  42 #define INTSTRLEN 21
  43 #define BINDERFS_MAX_MINOR (1U << MINORBITS)
  44 /* Ensure that the initial ipc namespace always has devices available. */
  45 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
  46 
  47 static dev_t binderfs_dev;
  48 static DEFINE_MUTEX(binderfs_minors_mutex);
  49 static DEFINE_IDA(binderfs_minors);
  50 
  51 enum {
  52         Opt_max,
  53         Opt_stats_mode,
  54         Opt_err
  55 };
  56 
  57 enum binderfs_stats_mode {
  58         STATS_NONE,
  59         STATS_GLOBAL,
  60 };
  61 
  62 static const match_table_t tokens = {
  63         { Opt_max, "max=%d" },
  64         { Opt_stats_mode, "stats=%s" },
  65         { Opt_err, NULL     }
  66 };
  67 
  68 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
  69 {
  70         return inode->i_sb->s_fs_info;
  71 }
  72 
  73 bool is_binderfs_device(const struct inode *inode)
  74 {
  75         if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
  76                 return true;
  77 
  78         return false;
  79 }
  80 
  81 /**
  82  * binderfs_binder_device_create - allocate inode from super block of a
  83  *                                 binderfs mount
  84  * @ref_inode: inode from wich the super block will be taken
  85  * @userp:     buffer to copy information about new device for userspace to
  86  * @req:       struct binderfs_device as copied from userspace
  87  *
  88  * This function allocates a new binder_device and reserves a new minor
  89  * number for it.
  90  * Minor numbers are limited and tracked globally in binderfs_minors. The
  91  * function will stash a struct binder_device for the specific binder
  92  * device in i_private of the inode.
  93  * It will go on to allocate a new inode from the super block of the
  94  * filesystem mount, stash a struct binder_device in its i_private field
  95  * and attach a dentry to that inode.
  96  *
  97  * Return: 0 on success, negative errno on failure
  98  */
  99 static int binderfs_binder_device_create(struct inode *ref_inode,
 100                                          struct binderfs_device __user *userp,
 101                                          struct binderfs_device *req)
 102 {
 103         int minor, ret;
 104         struct dentry *dentry, *root;
 105         struct binder_device *device;
 106         char *name = NULL;
 107         size_t name_len;
 108         struct inode *inode = NULL;
 109         struct super_block *sb = ref_inode->i_sb;
 110         struct binderfs_info *info = sb->s_fs_info;
 111 #if defined(CONFIG_IPC_NS)
 112         bool use_reserve = (info->ipc_ns == &init_ipc_ns);
 113 #else
 114         bool use_reserve = true;
 115 #endif
 116 
 117         /* Reserve new minor number for the new device. */
 118         mutex_lock(&binderfs_minors_mutex);
 119         if (++info->device_count <= info->mount_opts.max)
 120                 minor = ida_alloc_max(&binderfs_minors,
 121                                       use_reserve ? BINDERFS_MAX_MINOR :
 122                                                     BINDERFS_MAX_MINOR_CAPPED,
 123                                       GFP_KERNEL);
 124         else
 125                 minor = -ENOSPC;
 126         if (minor < 0) {
 127                 --info->device_count;
 128                 mutex_unlock(&binderfs_minors_mutex);
 129                 return minor;
 130         }
 131         mutex_unlock(&binderfs_minors_mutex);
 132 
 133         ret = -ENOMEM;
 134         device = kzalloc(sizeof(*device), GFP_KERNEL);
 135         if (!device)
 136                 goto err;
 137 
 138         inode = new_inode(sb);
 139         if (!inode)
 140                 goto err;
 141 
 142         inode->i_ino = minor + INODE_OFFSET;
 143         inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
 144         init_special_inode(inode, S_IFCHR | 0600,
 145                            MKDEV(MAJOR(binderfs_dev), minor));
 146         inode->i_fop = &binder_fops;
 147         inode->i_uid = info->root_uid;
 148         inode->i_gid = info->root_gid;
 149 
 150         req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
 151         name_len = strlen(req->name);
 152         /* Make sure to include terminating NUL byte */
 153         name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
 154         if (!name)
 155                 goto err;
 156 
 157         refcount_set(&device->ref, 1);
 158         device->binderfs_inode = inode;
 159         device->context.binder_context_mgr_uid = INVALID_UID;
 160         device->context.name = name;
 161         device->miscdev.name = name;
 162         device->miscdev.minor = minor;
 163         mutex_init(&device->context.context_mgr_node_lock);
 164 
 165         req->major = MAJOR(binderfs_dev);
 166         req->minor = minor;
 167 
 168         if (userp && copy_to_user(userp, req, sizeof(*req))) {
 169                 ret = -EFAULT;
 170                 goto err;
 171         }
 172 
 173         root = sb->s_root;
 174         inode_lock(d_inode(root));
 175 
 176         /* look it up */
 177         dentry = lookup_one_len(name, root, name_len);
 178         if (IS_ERR(dentry)) {
 179                 inode_unlock(d_inode(root));
 180                 ret = PTR_ERR(dentry);
 181                 goto err;
 182         }
 183 
 184         if (d_really_is_positive(dentry)) {
 185                 /* already exists */
 186                 dput(dentry);
 187                 inode_unlock(d_inode(root));
 188                 ret = -EEXIST;
 189                 goto err;
 190         }
 191 
 192         inode->i_private = device;
 193         d_instantiate(dentry, inode);
 194         fsnotify_create(root->d_inode, dentry);
 195         inode_unlock(d_inode(root));
 196 
 197         return 0;
 198 
 199 err:
 200         kfree(name);
 201         kfree(device);
 202         mutex_lock(&binderfs_minors_mutex);
 203         --info->device_count;
 204         ida_free(&binderfs_minors, minor);
 205         mutex_unlock(&binderfs_minors_mutex);
 206         iput(inode);
 207 
 208         return ret;
 209 }
 210 
 211 /**
 212  * binderfs_ctl_ioctl - handle binder device node allocation requests
 213  *
 214  * The request handler for the binder-control device. All requests operate on
 215  * the binderfs mount the binder-control device resides in:
 216  * - BINDER_CTL_ADD
 217  *   Allocate a new binder device.
 218  *
 219  * Return: 0 on success, negative errno on failure
 220  */
 221 static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
 222                              unsigned long arg)
 223 {
 224         int ret = -EINVAL;
 225         struct inode *inode = file_inode(file);
 226         struct binderfs_device __user *device = (struct binderfs_device __user *)arg;
 227         struct binderfs_device device_req;
 228 
 229         switch (cmd) {
 230         case BINDER_CTL_ADD:
 231                 ret = copy_from_user(&device_req, device, sizeof(device_req));
 232                 if (ret) {
 233                         ret = -EFAULT;
 234                         break;
 235                 }
 236 
 237                 ret = binderfs_binder_device_create(inode, device, &device_req);
 238                 break;
 239         default:
 240                 break;
 241         }
 242 
 243         return ret;
 244 }
 245 
 246 static void binderfs_evict_inode(struct inode *inode)
 247 {
 248         struct binder_device *device = inode->i_private;
 249         struct binderfs_info *info = BINDERFS_I(inode);
 250 
 251         clear_inode(inode);
 252 
 253         if (!S_ISCHR(inode->i_mode) || !device)
 254                 return;
 255 
 256         mutex_lock(&binderfs_minors_mutex);
 257         --info->device_count;
 258         ida_free(&binderfs_minors, device->miscdev.minor);
 259         mutex_unlock(&binderfs_minors_mutex);
 260 
 261         if (refcount_dec_and_test(&device->ref)) {
 262                 kfree(device->context.name);
 263                 kfree(device);
 264         }
 265 }
 266 
 267 /**
 268  * binderfs_parse_mount_opts - parse binderfs mount options
 269  * @data: options to set (can be NULL in which case defaults are used)
 270  */
 271 static int binderfs_parse_mount_opts(char *data,
 272                                      struct binderfs_mount_opts *opts)
 273 {
 274         char *p, *stats;
 275         opts->max = BINDERFS_MAX_MINOR;
 276         opts->stats_mode = STATS_NONE;
 277 
 278         while ((p = strsep(&data, ",")) != NULL) {
 279                 substring_t args[MAX_OPT_ARGS];
 280                 int token;
 281                 int max_devices;
 282 
 283                 if (!*p)
 284                         continue;
 285 
 286                 token = match_token(p, tokens, args);
 287                 switch (token) {
 288                 case Opt_max:
 289                         if (match_int(&args[0], &max_devices) ||
 290                             (max_devices < 0 ||
 291                              (max_devices > BINDERFS_MAX_MINOR)))
 292                                 return -EINVAL;
 293 
 294                         opts->max = max_devices;
 295                         break;
 296                 case Opt_stats_mode:
 297                         if (!capable(CAP_SYS_ADMIN))
 298                                 return -EINVAL;
 299 
 300                         stats = match_strdup(&args[0]);
 301                         if (!stats)
 302                                 return -ENOMEM;
 303 
 304                         if (strcmp(stats, "global") != 0) {
 305                                 kfree(stats);
 306                                 return -EINVAL;
 307                         }
 308 
 309                         opts->stats_mode = STATS_GLOBAL;
 310                         kfree(stats);
 311                         break;
 312                 default:
 313                         pr_err("Invalid mount options\n");
 314                         return -EINVAL;
 315                 }
 316         }
 317 
 318         return 0;
 319 }
 320 
 321 static int binderfs_remount(struct super_block *sb, int *flags, char *data)
 322 {
 323         int prev_stats_mode, ret;
 324         struct binderfs_info *info = sb->s_fs_info;
 325 
 326         prev_stats_mode = info->mount_opts.stats_mode;
 327         ret = binderfs_parse_mount_opts(data, &info->mount_opts);
 328         if (ret)
 329                 return ret;
 330 
 331         if (prev_stats_mode != info->mount_opts.stats_mode) {
 332                 pr_err("Binderfs stats mode cannot be changed during a remount\n");
 333                 info->mount_opts.stats_mode = prev_stats_mode;
 334                 return -EINVAL;
 335         }
 336 
 337         return 0;
 338 }
 339 
 340 static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root)
 341 {
 342         struct binderfs_info *info;
 343 
 344         info = root->d_sb->s_fs_info;
 345         if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
 346                 seq_printf(seq, ",max=%d", info->mount_opts.max);
 347         if (info->mount_opts.stats_mode == STATS_GLOBAL)
 348                 seq_printf(seq, ",stats=global");
 349 
 350         return 0;
 351 }
 352 
 353 static const struct super_operations binderfs_super_ops = {
 354         .evict_inode    = binderfs_evict_inode,
 355         .remount_fs     = binderfs_remount,
 356         .show_options   = binderfs_show_mount_opts,
 357         .statfs         = simple_statfs,
 358 };
 359 
 360 static inline bool is_binderfs_control_device(const struct dentry *dentry)
 361 {
 362         struct binderfs_info *info = dentry->d_sb->s_fs_info;
 363         return info->control_dentry == dentry;
 364 }
 365 
 366 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry,
 367                            struct inode *new_dir, struct dentry *new_dentry,
 368                            unsigned int flags)
 369 {
 370         if (is_binderfs_control_device(old_dentry) ||
 371             is_binderfs_control_device(new_dentry))
 372                 return -EPERM;
 373 
 374         return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
 375 }
 376 
 377 static int binderfs_unlink(struct inode *dir, struct dentry *dentry)
 378 {
 379         if (is_binderfs_control_device(dentry))
 380                 return -EPERM;
 381 
 382         return simple_unlink(dir, dentry);
 383 }
 384 
 385 static const struct file_operations binder_ctl_fops = {
 386         .owner          = THIS_MODULE,
 387         .open           = nonseekable_open,
 388         .unlocked_ioctl = binder_ctl_ioctl,
 389         .compat_ioctl   = binder_ctl_ioctl,
 390         .llseek         = noop_llseek,
 391 };
 392 
 393 /**
 394  * binderfs_binder_ctl_create - create a new binder-control device
 395  * @sb: super block of the binderfs mount
 396  *
 397  * This function creates a new binder-control device node in the binderfs mount
 398  * referred to by @sb.
 399  *
 400  * Return: 0 on success, negative errno on failure
 401  */
 402 static int binderfs_binder_ctl_create(struct super_block *sb)
 403 {
 404         int minor, ret;
 405         struct dentry *dentry;
 406         struct binder_device *device;
 407         struct inode *inode = NULL;
 408         struct dentry *root = sb->s_root;
 409         struct binderfs_info *info = sb->s_fs_info;
 410 #if defined(CONFIG_IPC_NS)
 411         bool use_reserve = (info->ipc_ns == &init_ipc_ns);
 412 #else
 413         bool use_reserve = true;
 414 #endif
 415 
 416         device = kzalloc(sizeof(*device), GFP_KERNEL);
 417         if (!device)
 418                 return -ENOMEM;
 419 
 420         /* If we have already created a binder-control node, return. */
 421         if (info->control_dentry) {
 422                 ret = 0;
 423                 goto out;
 424         }
 425 
 426         ret = -ENOMEM;
 427         inode = new_inode(sb);
 428         if (!inode)
 429                 goto out;
 430 
 431         /* Reserve a new minor number for the new device. */
 432         mutex_lock(&binderfs_minors_mutex);
 433         minor = ida_alloc_max(&binderfs_minors,
 434                               use_reserve ? BINDERFS_MAX_MINOR :
 435                                             BINDERFS_MAX_MINOR_CAPPED,
 436                               GFP_KERNEL);
 437         mutex_unlock(&binderfs_minors_mutex);
 438         if (minor < 0) {
 439                 ret = minor;
 440                 goto out;
 441         }
 442 
 443         inode->i_ino = SECOND_INODE;
 444         inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
 445         init_special_inode(inode, S_IFCHR | 0600,
 446                            MKDEV(MAJOR(binderfs_dev), minor));
 447         inode->i_fop = &binder_ctl_fops;
 448         inode->i_uid = info->root_uid;
 449         inode->i_gid = info->root_gid;
 450 
 451         refcount_set(&device->ref, 1);
 452         device->binderfs_inode = inode;
 453         device->miscdev.minor = minor;
 454 
 455         dentry = d_alloc_name(root, "binder-control");
 456         if (!dentry)
 457                 goto out;
 458 
 459         inode->i_private = device;
 460         info->control_dentry = dentry;
 461         d_add(dentry, inode);
 462 
 463         return 0;
 464 
 465 out:
 466         kfree(device);
 467         iput(inode);
 468 
 469         return ret;
 470 }
 471 
 472 static const struct inode_operations binderfs_dir_inode_operations = {
 473         .lookup = simple_lookup,
 474         .rename = binderfs_rename,
 475         .unlink = binderfs_unlink,
 476 };
 477 
 478 static struct inode *binderfs_make_inode(struct super_block *sb, int mode)
 479 {
 480         struct inode *ret;
 481 
 482         ret = new_inode(sb);
 483         if (ret) {
 484                 ret->i_ino = iunique(sb, BINDERFS_MAX_MINOR + INODE_OFFSET);
 485                 ret->i_mode = mode;
 486                 ret->i_atime = ret->i_mtime = ret->i_ctime = current_time(ret);
 487         }
 488         return ret;
 489 }
 490 
 491 static struct dentry *binderfs_create_dentry(struct dentry *parent,
 492                                              const char *name)
 493 {
 494         struct dentry *dentry;
 495 
 496         dentry = lookup_one_len(name, parent, strlen(name));
 497         if (IS_ERR(dentry))
 498                 return dentry;
 499 
 500         /* Return error if the file/dir already exists. */
 501         if (d_really_is_positive(dentry)) {
 502                 dput(dentry);
 503                 return ERR_PTR(-EEXIST);
 504         }
 505 
 506         return dentry;
 507 }
 508 
 509 void binderfs_remove_file(struct dentry *dentry)
 510 {
 511         struct inode *parent_inode;
 512 
 513         parent_inode = d_inode(dentry->d_parent);
 514         inode_lock(parent_inode);
 515         if (simple_positive(dentry)) {
 516                 dget(dentry);
 517                 simple_unlink(parent_inode, dentry);
 518                 d_delete(dentry);
 519                 dput(dentry);
 520         }
 521         inode_unlock(parent_inode);
 522 }
 523 
 524 struct dentry *binderfs_create_file(struct dentry *parent, const char *name,
 525                                     const struct file_operations *fops,
 526                                     void *data)
 527 {
 528         struct dentry *dentry;
 529         struct inode *new_inode, *parent_inode;
 530         struct super_block *sb;
 531 
 532         parent_inode = d_inode(parent);
 533         inode_lock(parent_inode);
 534 
 535         dentry = binderfs_create_dentry(parent, name);
 536         if (IS_ERR(dentry))
 537                 goto out;
 538 
 539         sb = parent_inode->i_sb;
 540         new_inode = binderfs_make_inode(sb, S_IFREG | 0444);
 541         if (!new_inode) {
 542                 dput(dentry);
 543                 dentry = ERR_PTR(-ENOMEM);
 544                 goto out;
 545         }
 546 
 547         new_inode->i_fop = fops;
 548         new_inode->i_private = data;
 549         d_instantiate(dentry, new_inode);
 550         fsnotify_create(parent_inode, dentry);
 551 
 552 out:
 553         inode_unlock(parent_inode);
 554         return dentry;
 555 }
 556 
 557 static struct dentry *binderfs_create_dir(struct dentry *parent,
 558                                           const char *name)
 559 {
 560         struct dentry *dentry;
 561         struct inode *new_inode, *parent_inode;
 562         struct super_block *sb;
 563 
 564         parent_inode = d_inode(parent);
 565         inode_lock(parent_inode);
 566 
 567         dentry = binderfs_create_dentry(parent, name);
 568         if (IS_ERR(dentry))
 569                 goto out;
 570 
 571         sb = parent_inode->i_sb;
 572         new_inode = binderfs_make_inode(sb, S_IFDIR | 0755);
 573         if (!new_inode) {
 574                 dput(dentry);
 575                 dentry = ERR_PTR(-ENOMEM);
 576                 goto out;
 577         }
 578 
 579         new_inode->i_fop = &simple_dir_operations;
 580         new_inode->i_op = &simple_dir_inode_operations;
 581 
 582         set_nlink(new_inode, 2);
 583         d_instantiate(dentry, new_inode);
 584         inc_nlink(parent_inode);
 585         fsnotify_mkdir(parent_inode, dentry);
 586 
 587 out:
 588         inode_unlock(parent_inode);
 589         return dentry;
 590 }
 591 
 592 static int init_binder_logs(struct super_block *sb)
 593 {
 594         struct dentry *binder_logs_root_dir, *dentry, *proc_log_dir;
 595         struct binderfs_info *info;
 596         int ret = 0;
 597 
 598         binder_logs_root_dir = binderfs_create_dir(sb->s_root,
 599                                                    "binder_logs");
 600         if (IS_ERR(binder_logs_root_dir)) {
 601                 ret = PTR_ERR(binder_logs_root_dir);
 602                 goto out;
 603         }
 604 
 605         dentry = binderfs_create_file(binder_logs_root_dir, "stats",
 606                                       &binder_stats_fops, NULL);
 607         if (IS_ERR(dentry)) {
 608                 ret = PTR_ERR(dentry);
 609                 goto out;
 610         }
 611 
 612         dentry = binderfs_create_file(binder_logs_root_dir, "state",
 613                                       &binder_state_fops, NULL);
 614         if (IS_ERR(dentry)) {
 615                 ret = PTR_ERR(dentry);
 616                 goto out;
 617         }
 618 
 619         dentry = binderfs_create_file(binder_logs_root_dir, "transactions",
 620                                       &binder_transactions_fops, NULL);
 621         if (IS_ERR(dentry)) {
 622                 ret = PTR_ERR(dentry);
 623                 goto out;
 624         }
 625 
 626         dentry = binderfs_create_file(binder_logs_root_dir,
 627                                       "transaction_log",
 628                                       &binder_transaction_log_fops,
 629                                       &binder_transaction_log);
 630         if (IS_ERR(dentry)) {
 631                 ret = PTR_ERR(dentry);
 632                 goto out;
 633         }
 634 
 635         dentry = binderfs_create_file(binder_logs_root_dir,
 636                                       "failed_transaction_log",
 637                                       &binder_transaction_log_fops,
 638                                       &binder_transaction_log_failed);
 639         if (IS_ERR(dentry)) {
 640                 ret = PTR_ERR(dentry);
 641                 goto out;
 642         }
 643 
 644         proc_log_dir = binderfs_create_dir(binder_logs_root_dir, "proc");
 645         if (IS_ERR(proc_log_dir)) {
 646                 ret = PTR_ERR(proc_log_dir);
 647                 goto out;
 648         }
 649         info = sb->s_fs_info;
 650         info->proc_log_dir = proc_log_dir;
 651 
 652 out:
 653         return ret;
 654 }
 655 
 656 static int binderfs_fill_super(struct super_block *sb, void *data, int silent)
 657 {
 658         int ret;
 659         struct binderfs_info *info;
 660         struct inode *inode = NULL;
 661         struct binderfs_device device_info = { 0 };
 662         const char *name;
 663         size_t len;
 664 
 665         sb->s_blocksize = PAGE_SIZE;
 666         sb->s_blocksize_bits = PAGE_SHIFT;
 667 
 668         /*
 669          * The binderfs filesystem can be mounted by userns root in a
 670          * non-initial userns. By default such mounts have the SB_I_NODEV flag
 671          * set in s_iflags to prevent security issues where userns root can
 672          * just create random device nodes via mknod() since it owns the
 673          * filesystem mount. But binderfs does not allow to create any files
 674          * including devices nodes. The only way to create binder devices nodes
 675          * is through the binder-control device which userns root is explicitly
 676          * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both
 677          * necessary and safe.
 678          */
 679         sb->s_iflags &= ~SB_I_NODEV;
 680         sb->s_iflags |= SB_I_NOEXEC;
 681         sb->s_magic = BINDERFS_SUPER_MAGIC;
 682         sb->s_op = &binderfs_super_ops;
 683         sb->s_time_gran = 1;
 684 
 685         sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL);
 686         if (!sb->s_fs_info)
 687                 return -ENOMEM;
 688         info = sb->s_fs_info;
 689 
 690         info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
 691 
 692         ret = binderfs_parse_mount_opts(data, &info->mount_opts);
 693         if (ret)
 694                 return ret;
 695 
 696         info->root_gid = make_kgid(sb->s_user_ns, 0);
 697         if (!gid_valid(info->root_gid))
 698                 info->root_gid = GLOBAL_ROOT_GID;
 699         info->root_uid = make_kuid(sb->s_user_ns, 0);
 700         if (!uid_valid(info->root_uid))
 701                 info->root_uid = GLOBAL_ROOT_UID;
 702 
 703         inode = new_inode(sb);
 704         if (!inode)
 705                 return -ENOMEM;
 706 
 707         inode->i_ino = FIRST_INODE;
 708         inode->i_fop = &simple_dir_operations;
 709         inode->i_mode = S_IFDIR | 0755;
 710         inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
 711         inode->i_op = &binderfs_dir_inode_operations;
 712         set_nlink(inode, 2);
 713 
 714         sb->s_root = d_make_root(inode);
 715         if (!sb->s_root)
 716                 return -ENOMEM;
 717 
 718         ret = binderfs_binder_ctl_create(sb);
 719         if (ret)
 720                 return ret;
 721 
 722         name = binder_devices_param;
 723         for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
 724                 strscpy(device_info.name, name, len + 1);
 725                 ret = binderfs_binder_device_create(inode, NULL, &device_info);
 726                 if (ret)
 727                         return ret;
 728                 name += len;
 729                 if (*name == ',')
 730                         name++;
 731         }
 732 
 733         if (info->mount_opts.stats_mode == STATS_GLOBAL)
 734                 return init_binder_logs(sb);
 735 
 736         return 0;
 737 }
 738 
 739 static struct dentry *binderfs_mount(struct file_system_type *fs_type,
 740                                      int flags, const char *dev_name,
 741                                      void *data)
 742 {
 743         return mount_nodev(fs_type, flags, data, binderfs_fill_super);
 744 }
 745 
 746 static void binderfs_kill_super(struct super_block *sb)
 747 {
 748         struct binderfs_info *info = sb->s_fs_info;
 749 
 750         kill_litter_super(sb);
 751 
 752         if (info && info->ipc_ns)
 753                 put_ipc_ns(info->ipc_ns);
 754 
 755         kfree(info);
 756 }
 757 
 758 static struct file_system_type binder_fs_type = {
 759         .name           = "binder",
 760         .mount          = binderfs_mount,
 761         .kill_sb        = binderfs_kill_super,
 762         .fs_flags       = FS_USERNS_MOUNT,
 763 };
 764 
 765 int __init init_binderfs(void)
 766 {
 767         int ret;
 768         const char *name;
 769         size_t len;
 770 
 771         /* Verify that the default binderfs device names are valid. */
 772         name = binder_devices_param;
 773         for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
 774                 if (len > BINDERFS_MAX_NAME)
 775                         return -E2BIG;
 776                 name += len;
 777                 if (*name == ',')
 778                         name++;
 779         }
 780 
 781         /* Allocate new major number for binderfs. */
 782         ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR,
 783                                   "binder");
 784         if (ret)
 785                 return ret;
 786 
 787         ret = register_filesystem(&binder_fs_type);
 788         if (ret) {
 789                 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
 790                 return ret;
 791         }
 792 
 793         return ret;
 794 }

/* [<][>][^][v][top][bottom][index][help] */