1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef LINUX_PID_SYSCTL_H
3 #define LINUX_PID_SYSCTL_H
4
5 #include <linux/pid_namespace.h>
6
7 #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE)
/*
 * proc handler for the "memfd_noexec" sysctl entry.
 *
 * Acts on the PID namespace of the calling task. A write is refused with
 * -EPERM unless the caller has CAP_SYS_ADMIN in that namespace's user
 * namespace; reads are not capability-checked here. The value is parsed and
 * range-checked through a private copy of @table whose lower bound is the
 * scope reported for the parent namespace, so a namespace cannot be set to
 * a weaker enforcement level than its parent.
 *
 * Returns 0 on success, -EPERM for an unprivileged write, or whatever
 * proc_dointvec_minmax() returns on failure.
 *
 * NOTE(review): both the namespace and the capability check are resolved
 * from `current` at call time, not from the task that opened the file;
 * confirm that is intended when the descriptor is shared between tasks.
 */
static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table,
        int write, void *buf, size_t *lenp, loff_t *ppos)
{
        struct pid_namespace *ns = task_active_pid_ns(current);
        struct ctl_table tmp;
        int min_scope, cur_scope, ret;

        /* Only writers need privilege. */
        if (write) {
                if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
                        return -EPERM;
        }

        /*
         * The parent's scope is the floor for this namespace.
         * pidns_memfd_noexec_scope() is defined elsewhere; presumably it
         * tolerates a NULL parent for the initial namespace (confirm).
         */
        min_scope = pidns_memfd_noexec_scope(ns->parent);
        /* Effective scope: the stored value, raised to the parent's floor. */
        cur_scope = max(READ_ONCE(ns->memfd_noexec_scope), min_scope);

        /*
         * Work on a private copy: .data and .extra1 are pointed at stack
         * locals, which must not be stored in the caller-supplied table.
         * .extra2 (the upper bound) is inherited unchanged from @table.
         */
        tmp = *table;
        tmp.data = &cur_scope;
        tmp.extra1 = &min_scope;

        ret = proc_dointvec_minmax(&tmp, write, buf, lenp, ppos);
        if (ret || !write)
                return ret;

        /* Commit only a value that passed the range check. */
        WRITE_ONCE(ns->memfd_noexec_scope, cur_scope);
        return 0;
}
33
/*
 * sysctl table holding the single "memfd_noexec" entry.
 *
 * File mode 0644 makes the entry readable by everyone and writable only by
 * its owner; on top of that, the handler requires CAP_SYS_ADMIN in the
 * caller's user namespace for writes.
 *
 * .data and .extra1 are only the static defaults: the handler substitutes
 * per-call values for both (the calling namespace's effective scope and the
 * parent's scope as lower bound). .extra2 is kept, so the accepted range
 * tops out at 2. The meaning of the values 0..2 is not defined in this file
 * (presumably the memfd noexec scope levels from pid_namespace.h; confirm).
 */
static struct ctl_table pid_ns_ctl_table_vm[] = {
        {
                .procname       = "memfd_noexec",
                .mode           = 0644,
                .proc_handler   = pid_mfd_noexec_dointvec_minmax,
                .data           = &init_pid_ns.memfd_noexec_scope,
                .maxlen         = sizeof(init_pid_ns.memfd_noexec_scope),
                .extra1         = SYSCTL_ZERO,  /* static lower bound */
                .extra2         = SYSCTL_TWO,   /* upper bound */
        },
        { }     /* empty terminating entry */
};
/*
 * Register pid_ns_ctl_table_vm under the "vm" sysctl directory.
 *
 * The return value of register_sysctl() is not checked, so a failed
 * registration is silent and the entry is simply absent.
 */
static inline void register_pid_ns_sysctl_table_vm(void)
{
        register_sysctl("vm", pid_ns_ctl_table_vm);
}
50 #else
/*
 * Stub used when CONFIG_SYSCTL or CONFIG_MEMFD_CREATE is not set:
 * there is no sysctl entry to register, so callers need no #ifdef.
 */
static inline void register_pid_ns_sysctl_table_vm(void)
{
}
52 #endif
53
54 #endif /* LINUX_PID_SYSCTL_H */