1105ff533SJeff Xu /* SPDX-License-Identifier: GPL-2.0 */
2105ff533SJeff Xu #ifndef LINUX_PID_SYSCTL_H
3105ff533SJeff Xu #define LINUX_PID_SYSCTL_H
4105ff533SJeff Xu 
5105ff533SJeff Xu #include <linux/pid_namespace.h>
6105ff533SJeff Xu 
7105ff533SJeff Xu #if defined(CONFIG_SYSCTL) && defined(CONFIG_MEMFD_CREATE)
/*
 * Sysctl handler for vm.memfd_noexec, evaluated against the caller's active
 * pid namespace rather than one global variable.
 *
 * Reads report the effective scope: the larger of this namespace's stored
 * value and the scope already enforced by its parent chain. Writes need
 * CAP_SYS_ADMIN in the user namespace that owns the pid namespace, and the
 * accepted range is [parent scope, table extra2]: a child namespace may
 * tighten enforcement but can never relax it below what its parent enforces.
 *
 * Returns 0 on success, -EPERM for an unprivileged write, or the error from
 * proc_dointvec_minmax().
 */
static int pid_mfd_noexec_dointvec_minmax(const struct ctl_table *table,
	int write, void *buf, size_t *lenp, loff_t *ppos)
{
	struct pid_namespace *pidns = task_active_pid_ns(current);
	struct ctl_table tbl;
	int floor, cur, ret;

	/* Only writes are privilege-gated; readability comes from the table mode. */
	if (write && !ns_capable(pidns->user_ns, CAP_SYS_ADMIN))
		return -EPERM;

	/*
	 * Lower bound for this write is whatever the ancestors already
	 * enforce. NOTE(review): for the root pid namespace pidns->parent is
	 * presumably NULL and pidns_memfd_noexec_scope() is assumed to handle
	 * that -- confirm against its definition.
	 */
	floor = pidns_memfd_noexec_scope(pidns->parent);

	/* Effective value for this namespace, i.e. pidns_memfd_noexec_scope(pidns). */
	cur = READ_ONCE(pidns->memfd_noexec_scope);
	if (cur < floor)
		cur = floor;

	/*
	 * Operate on a private copy of the table entry: point the value at
	 * our local and replace the minimum with the parent's scope. extra2
	 * (the maximum) is taken from the registered table unchanged.
	 */
	tbl = *table;
	tbl.data = &cur;
	tbl.extra1 = &floor;

	ret = proc_dointvec_minmax(&tbl, write, buf, lenp, ppos);
	if (ret)
		return ret;

	/*
	 * Persist only after range validation succeeded. Even if a successful
	 * write left cur untouched, what gets stored is the clamped effective
	 * value, never something lower than what was already in force.
	 */
	if (write)
		WRITE_ONCE(pidns->memfd_noexec_scope, cur);

	return 0;
}
33105ff533SJeff Xu 
/*
 * vm.memfd_noexec: per-pid-namespace memfd_noexec scope knob (only built
 * with CONFIG_SYSCTL and CONFIG_MEMFD_CREATE). The .data and .extra1 entries
 * are placeholders: the handler substitutes the caller's namespace value and
 * the parent namespace's scope as the lower bound. .extra2 is the effective
 * upper bound. Mode 0644: world-readable, writes are gated by the handler.
 */
static const struct ctl_table pid_ns_ctl_table_vm[] = {
	{
		.procname	= "memfd_noexec",
		.data		= &init_pid_ns.memfd_noexec_scope,	/* replaced per call by the handler */
		.maxlen		= sizeof(init_pid_ns.memfd_noexec_scope),
		.mode		= 0644,
		.proc_handler	= pid_mfd_noexec_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,	/* replaced by the parent's scope in the handler */
		.extra2		= SYSCTL_TWO,	/* hard maximum, not overridden */
	},
};
/*
 * Hook the memfd_noexec table into the "vm" sysctl directory. The
 * registration result is discarded: nothing in this header unregisters the
 * table, and a failed registration is not reported. NOTE(review): in that
 * case the knob would be silently absent -- confirm that is acceptable to
 * the caller.
 */
static inline void register_pid_ns_sysctl_table_vm(void)
{
	(void)register_sysctl("vm", pid_ns_ctl_table_vm);
}
49105ff533SJeff Xu #else
/* CONFIG_SYSCTL or CONFIG_MEMFD_CREATE is off: there is no knob to register. */
static inline void register_pid_ns_sysctl_table_vm(void)
{
	/* intentionally empty */
}
51105ff533SJeff Xu #endif
52105ff533SJeff Xu 
53105ff533SJeff Xu #endif /* LINUX_PID_SYSCTL_H */