1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef LINUX_PID_SYSCTL_H
3 #define LINUX_PID_SYSCTL_H
4
5 #include <linux/pid_namespace.h>
6
7 #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE)
pid_mfd_noexec_dointvec_minmax(struct ctl_table * table,int write,void * buf,size_t * lenp,loff_t * ppos)8 static int pid_mfd_noexec_dointvec_minmax(struct ctl_table *table,
9 int write, void *buf, size_t *lenp, loff_t *ppos)
10 {
11 struct pid_namespace *ns = task_active_pid_ns(current);
12 struct ctl_table table_copy;
13 int err, scope, parent_scope;
14
15 if (write && !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
16 return -EPERM;
17
18 table_copy = *table;
19
20 /* You cannot set a lower enforcement value than your parent. */
21 parent_scope = pidns_memfd_noexec_scope(ns->parent);
22 /* Equivalent to pidns_memfd_noexec_scope(ns). */
23 scope = max(READ_ONCE(ns->memfd_noexec_scope), parent_scope);
24
25 table_copy.data = &scope;
26 table_copy.extra1 = &parent_scope;
27
28 err = proc_dointvec_minmax(&table_copy, write, buf, lenp, ppos);
29 if (!err && write)
30 WRITE_ONCE(ns->memfd_noexec_scope, scope);
31 return err;
32 }
33
34 static struct ctl_table pid_ns_ctl_table_vm[] = {
35 {
36 .procname = "memfd_noexec",
37 .data = &init_pid_ns.memfd_noexec_scope,
38 .maxlen = sizeof(init_pid_ns.memfd_noexec_scope),
39 .mode = 0644,
40 .proc_handler = pid_mfd_noexec_dointvec_minmax,
41 .extra1 = SYSCTL_ZERO,
42 .extra2 = SYSCTL_TWO,
43 },
44 { }
45 };
register_pid_ns_sysctl_table_vm(void)46 static inline void register_pid_ns_sysctl_table_vm(void)
47 {
48 register_sysctl("vm", pid_ns_ctl_table_vm);
49 }
50 #else
register_pid_ns_sysctl_table_vm(void)51 static inline void register_pid_ns_sysctl_table_vm(void) {}
52 #endif
53
54 #endif /* LINUX_PID_SYSCTL_H */
55