1 // SPDX-License-Identifier: GPL-2.0
12 #include <sys/fsuid.h>
13 #include <sys/ioctl.h>
14 #include <sys/mount.h>
15 #include <sys/socket.h>
17 #include <sys/sysinfo.h>
18 #include <sys/types.h>
21 #include <linux/android/binder.h>
22 #include <linux/android/binderfs.h>
24 #include "../../kselftest_harness.h"
26 #define DEFAULT_THREADS 4
28 #define PTR_TO_INT(p) ((int)((intptr_t)(p)))
29 #define INT_TO_PTR(u) ((void *)((intptr_t)(u)))
31 #define close_prot_errno_disarm(fd) \
39 static void change_mountns(struct __test_metadata *_metadata)
43 ret = unshare(CLONE_NEWNS);
45 TH_LOG("%s - Failed to unshare mount namespace",
49 ret = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, 0);
51 TH_LOG("%s - Failed to mount / as private",
56 static int __do_binderfs_test(struct __test_metadata *_metadata)
58 int fd, ret, saved_errno, result = 1;
60 struct binderfs_device device = { 0 };
61 struct binder_version version = { 0 };
62 char binderfs_mntpt[] = P_tmpdir "/binderfs_XXXXXX",
63 device_path[sizeof(P_tmpdir "/binderfs_XXXXXX/") + BINDERFS_MAX_NAME];
64 static const char * const binder_features[] = {
65 "oneway_spam_detection",
67 "freeze_notification",
70 change_mountns(_metadata);
72 EXPECT_NE(mkdtemp(binderfs_mntpt), NULL) {
73 TH_LOG("%s - Failed to create binderfs mountpoint",
78 ret = mount(NULL, binderfs_mntpt, "binder", 0, 0);
81 SKIP(goto out, "binderfs missing");
82 TH_LOG("%s - Failed to mount binderfs", strerror(errno));
86 /* success: binderfs mounted */
88 memcpy(device.name, "my-binder", strlen("my-binder"));
90 snprintf(device_path, sizeof(device_path), "%s/binder-control", binderfs_mntpt);
91 fd = open(device_path, O_RDONLY | O_CLOEXEC);
93 TH_LOG("%s - Failed to open binder-control device",
98 ret = ioctl(fd, BINDER_CTL_ADD, &device);
103 TH_LOG("%s - Failed to allocate new binder device",
108 TH_LOG("Allocated new binder device with major %d, minor %d, and name %s",
109 device.major, device.minor, device.name);
111 /* success: binder device allocation */
113 snprintf(device_path, sizeof(device_path), "%s/my-binder", binderfs_mntpt);
114 fd = open(device_path, O_CLOEXEC | O_RDONLY);
116 TH_LOG("%s - Failed to open my-binder device",
121 ret = ioctl(fd, BINDER_VERSION, &version);
126 TH_LOG("%s - Failed to open perform BINDER_VERSION request",
131 TH_LOG("Detected binder version: %d", version.protocol_version);
133 /* success: binder transaction with binderfs binder device */
135 ret = unlink(device_path);
137 TH_LOG("%s - Failed to delete binder device",
142 /* success: binder device removal */
144 snprintf(device_path, sizeof(device_path), "%s/binder-control", binderfs_mntpt);
145 ret = unlink(device_path);
147 TH_LOG("Managed to delete binder-control device");
150 EXPECT_EQ(errno, EPERM) {
151 TH_LOG("%s - Failed to delete binder-control device but exited with unexpected error code",
156 /* success: binder-control device removal failed as expected */
158 for (int i = 0; i < ARRAY_SIZE(binder_features); i++) {
159 snprintf(device_path, sizeof(device_path), "%s/features/%s",
160 binderfs_mntpt, binder_features[i]);
161 fd = open(device_path, O_CLOEXEC | O_RDONLY);
163 TH_LOG("%s - Failed to open binder feature: %s",
164 strerror(errno), binder_features[i]);
170 /* success: binder feature files found */
174 ret = umount2(binderfs_mntpt, MNT_DETACH);
176 TH_LOG("%s - Failed to unmount binderfs", strerror(errno));
179 ret = rmdir(binderfs_mntpt);
181 TH_LOG("%s - Failed to rmdir binderfs mount", strerror(errno));
187 static int wait_for_pid(pid_t pid)
192 ret = waitpid(pid, &status, 0);
200 if (!WIFEXITED(status))
203 return WEXITSTATUS(status);
206 static int setid_userns_root(void)
224 static ssize_t read_nointr(int fd, void *buf, size_t count)
228 ret = read(fd, buf, count);
229 if (ret < 0 && errno == EINTR)
235 static ssize_t write_nointr(int fd, const void *buf, size_t count)
239 ret = write(fd, buf, count);
240 if (ret < 0 && errno == EINTR)
246 static int write_id_mapping(enum idmap_type type, pid_t pid, const char *buf,
253 if (type == GID_MAP) {
256 snprintf(path, sizeof(path), "/proc/%d/setgroups", pid);
257 setgroups_fd = open(path, O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
258 if (setgroups_fd < 0 && errno != ENOENT)
261 if (setgroups_fd >= 0) {
262 ret = write_nointr(setgroups_fd, "deny", sizeof("deny") - 1);
263 close_prot_errno_disarm(setgroups_fd);
264 if (ret != sizeof("deny") - 1)
271 ret = snprintf(path, sizeof(path), "/proc/%d/uid_map", pid);
274 ret = snprintf(path, sizeof(path), "/proc/%d/gid_map", pid);
279 if (ret < 0 || ret >= sizeof(path))
282 fd = open(path, O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
286 ret = write_nointr(fd, buf, buf_size);
287 close_prot_errno_disarm(fd);
294 static void change_userns(struct __test_metadata *_metadata, int syncfds[2])
299 close_prot_errno_disarm(syncfds[1]);
301 ret = unshare(CLONE_NEWUSER);
303 TH_LOG("%s - Failed to unshare user namespace",
307 ret = write_nointr(syncfds[0], "1", 1);
309 TH_LOG("write_nointr() failed");
312 ret = read_nointr(syncfds[0], &buf, 1);
314 TH_LOG("read_nointr() failed");
317 close_prot_errno_disarm(syncfds[0]);
319 ASSERT_EQ(setid_userns_root(), 0) {
320 TH_LOG("setid_userns_root() failed");
324 static void change_idmaps(struct __test_metadata *_metadata, int syncfds[2], pid_t pid)
330 close_prot_errno_disarm(syncfds[0]);
332 ret = read_nointr(syncfds[1], &buf, 1);
334 TH_LOG("read_nointr() failed");
337 snprintf(id_map, sizeof(id_map), "0 %d 1\n", getuid());
338 ret = write_id_mapping(UID_MAP, pid, id_map, strlen(id_map));
340 TH_LOG("write_id_mapping(UID_MAP) failed");
343 snprintf(id_map, sizeof(id_map), "0 %d 1\n", getgid());
344 ret = write_id_mapping(GID_MAP, pid, id_map, strlen(id_map));
346 TH_LOG("write_id_mapping(GID_MAP) failed");
349 ret = write_nointr(syncfds[1], "1", 1);
351 TH_LOG("write_nointr() failed");
354 close_prot_errno_disarm(syncfds[1]);
357 struct __test_metadata *_thread_metadata;
358 static void *binder_version_thread(void *data)
360 struct __test_metadata *_metadata = _thread_metadata;
361 int fd = PTR_TO_INT(data);
362 struct binder_version version = { 0 };
365 ret = ioctl(fd, BINDER_VERSION, &version);
367 TH_LOG("%s - Failed to open perform BINDER_VERSION request\n",
375 * 2669b8b0c798 ("binder: prevent UAF for binderfs devices")
376 * f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
377 * 211b64e4b5b6 ("binderfs: use refcount for binder control devices too")
379 TEST(binderfs_stress)
386 struct binderfs_device device = { 0 };
387 char binderfs_mntpt[] = P_tmpdir "/binderfs_XXXXXX",
388 device_path[sizeof(P_tmpdir "/binderfs_XXXXXX/") + BINDERFS_MAX_NAME];
390 ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, syncfds);
392 TH_LOG("%s - Failed to create socket pair", strerror(errno));
397 TH_LOG("%s - Failed to fork", strerror(errno));
398 close_prot_errno_disarm(syncfds[0]);
399 close_prot_errno_disarm(syncfds[1]);
403 int i, j, k, nthreads;
405 pthread_t threads[DEFAULT_THREADS];
406 change_userns(_metadata, syncfds);
407 change_mountns(_metadata);
409 ASSERT_NE(mkdtemp(binderfs_mntpt), NULL) {
410 TH_LOG("%s - Failed to create binderfs mountpoint",
414 ret = mount(NULL, binderfs_mntpt, "binder", 0, 0);
416 TH_LOG("%s - Failed to mount binderfs, check if CONFIG_ANDROID_BINDERFS is enabled in the running kernel",
420 for (int i = 0; i < ARRAY_SIZE(fds); i++) {
422 snprintf(device_path, sizeof(device_path),
423 "%s/binder-control", binderfs_mntpt);
424 fd = open(device_path, O_RDONLY | O_CLOEXEC);
426 TH_LOG("%s - Failed to open binder-control device",
430 memset(&device, 0, sizeof(device));
431 snprintf(device.name, sizeof(device.name), "%d", i);
432 ret = ioctl(fd, BINDER_CTL_ADD, &device);
433 close_prot_errno_disarm(fd);
435 TH_LOG("%s - Failed to allocate new binder device",
439 snprintf(device_path, sizeof(device_path), "%s/%d",
441 fds[i] = open(device_path, O_RDONLY | O_CLOEXEC);
442 ASSERT_GE(fds[i], 0) {
443 TH_LOG("%s - Failed to open binder device", strerror(errno));
447 ret = umount2(binderfs_mntpt, MNT_DETACH);
449 TH_LOG("%s - Failed to unmount binderfs", strerror(errno));
450 rmdir(binderfs_mntpt);
453 nthreads = get_nprocs_conf();
454 if (nthreads > DEFAULT_THREADS)
455 nthreads = DEFAULT_THREADS;
457 _thread_metadata = _metadata;
458 pthread_attr_init(&attr);
459 for (k = 0; k < ARRAY_SIZE(fds); k++) {
460 for (i = 0; i < nthreads; i++) {
461 ret = pthread_create(&threads[i], &attr, binder_version_thread, INT_TO_PTR(fds[k]));
463 TH_LOG("%s - Failed to create thread %d",
469 for (j = 0; j < i; j++) {
472 ret = pthread_join(threads[j], &fdptr);
474 TH_LOG("%s - Failed to join thread %d for fd %d",
475 strerror(errno), j, PTR_TO_INT(fdptr));
478 pthread_attr_destroy(&attr);
480 for (k = 0; k < ARRAY_SIZE(fds); k++)
486 change_idmaps(_metadata, syncfds, pid);
488 ret = wait_for_pid(pid);
490 TH_LOG("wait_for_pid() failed");
494 TEST(binderfs_test_privileged)
497 SKIP(return, "Tests are not run as root. Skipping privileged tests");
499 if (__do_binderfs_test(_metadata))
500 SKIP(return, "The Android binderfs filesystem is not available");
503 TEST(binderfs_test_unprivileged)
509 ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, syncfds);
511 TH_LOG("%s - Failed to create socket pair", strerror(errno));
516 close_prot_errno_disarm(syncfds[0]);
517 close_prot_errno_disarm(syncfds[1]);
518 TH_LOG("%s - Failed to fork", strerror(errno));
522 change_userns(_metadata, syncfds);
523 if (__do_binderfs_test(_metadata))
528 change_idmaps(_metadata, syncfds, pid);
530 ret = wait_for_pid(pid);
533 SKIP(return, "The Android binderfs filesystem is not available");
535 TH_LOG("wait_for_pid() failed");