xref: /aosp_15_r20/system/core/libcutils/ashmem-dev.cpp (revision 00c7fec1bb09f3284aad6a6f96d2f63dfc3650ad)
1 /*
2  * Copyright (C) 2008 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <cutils/ashmem.h>
18 
19 /*
20  * Implementation of the user-space ashmem API for devices that have our
21  * ashmem-enabled kernel. See ashmem-sim.c for the "fake" tmp-based version,
22  * used by the simulator.
23  */
24 #define LOG_TAG "ashmem"
25 
26 #include <errno.h>
27 #include <fcntl.h>
28 #include <linux/ashmem.h>
29 #include <linux/memfd.h>
30 #include <log/log.h>
31 #include <pthread.h>
32 #include <stdio.h>
33 #include <string.h>
34 #include <sys/ioctl.h>
35 #include <sys/mman.h>
36 #include <sys/stat.h>
37 #include <sys/syscall.h>
38 #include <sys/sysmacros.h>
39 #include <sys/types.h>
40 #include <unistd.h>
41 
42 #include <android-base/file.h>
43 #include <android-base/properties.h>
44 #include <android-base/strings.h>
45 #include <android-base/unique_fd.h>
46 
/* ashmem identity: the st_rdev of the ashmem character device. Zero until the
 * first successful __ashmem_open_locked() records it; __ashmem_is_ashmem()
 * compares candidate fds against it. Read and written under __ashmem_lock. */
static dev_t __ashmem_rdev;
/*
 * Serialises the one-time device open that populates __ashmem_rdev.
 * If we trigger a signal handler in the middle of locked activity and the
 * signal handler calls ashmem, we could get into a deadlock state.
 */
static pthread_mutex_t __ashmem_lock = PTHREAD_MUTEX_INITIALIZER;
54 
55 /*
56  * has_memfd_support() determines if the device can use memfd. memfd support
57  * has been present for a long time, but certain pieces of it may be missing.  We
58  * check for needed support in it. Also we check if the VNDK version of
59  * libcutils being used is new enough, if its not, then we cannot use memfd
60  * since the older copies may be using ashmem so we just use ashmem. Once all
61  * Android devices that are getting updates are new enough (ex, they were
62  * originally shipped with Android release > P), then we can just use memfd and
63  * delete all ashmem code from libcutils (while preserving the interface).
64  *
65  * NOTE:
66  * The sys.use_memfd property is set by default to false in Android
67  * to temporarily disable memfd, till vendor and apps are ready for it.
68  * The main issue: either apps or vendor processes can directly make ashmem
69  * IOCTLs on FDs they receive by assuming they are ashmem, without going
70  * through libcutils. Such fds could very well have been originally created with
71  * libcutils, hence they could be memfd; the IOCTLs will then break.
72  *
73  * Set default value of sys.use_memfd property to true once the issue is
74  * resolved, so that the code can then self-detect if kernel support is present
75  * on the device. The property can also be set to true from adb shell, for
76  * debugging.
77  */
78 
static bool debug_log = false;            /* set to true for verbose logging and other debug  */
/* Pin-deprecation warning state. NOTE: this starts out true, and the callers
 * (ashmem_pin_region / ashmem_unpin_region) test `!pin_deprecation_warn || debug_log',
 * so in practice the warning is only logged while debug_log is set. */
static bool pin_deprecation_warn = true;
81 
82 /* Determine if vendor processes would be ok with memfd in the system:
83  *
84  * Previously this function checked if memfd is supported by checking if
85  * vendor VNDK version is greater than Q. As we can assume every Treble-ized
86  * device using this code is up to date enough to use memfd, memfd is allowed
87  * if the device is Treble-ized.
88  */
static bool check_vendor_memfd_allowed() {
    // Read ro.treble.enabled exactly once per process; a function-local static
    // is initialised on first call and reused afterwards.
    static const bool treble_enabled = android::base::GetBoolProperty("ro.treble.enabled", false);
    return treble_enabled;
}
94 
95 /* Determine if memfd can be supported. This is just one-time hardwork
96  * which will be cached by the caller.
97  */
/* Determine if memfd can be supported. This is just one-time hardwork
 * which will be cached by the caller (has_memfd_support()).
 *
 * Gates, in order: the vendor/Treble check, the sys.use_memfd switch, then a
 * real probe of the kernel (memfd_create + F_SEAL_FUTURE_WRITE). Failing any
 * gate means "use ashmem".
 */
static bool __has_memfd_support() {
    if (!check_vendor_memfd_allowed()) {
        return false;
    }

    /* Runtime on/off switch for the detection. The original comment said the
     * property goes away "once we switch everything over to ashmem" --
     * presumably memfd was meant. Today it is only flipped for debugging. */
    const bool memfd_enabled = android::base::GetBoolProperty("sys.use_memfd", false);
    if (!memfd_enabled) {
        if (debug_log) {
            ALOGD("sys.use_memfd=false so memfd disabled\n");
        }
        return false;
    }

    // Probe the kernel through syscall(): this must build on old API levels
    // where the libc memfd_create() wrapper does not exist.
    //
    // MFD_NOEXEC_SEAL matches the ashmem device, which never allowed executable
    // mappings; it also seals the exec permission so fchmod() cannot add it
    // later. MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
    android::base::unique_fd probe(
            syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL));
    if (probe == -1) {
        ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno));
        return false;
    }

    // memfd_set_prot_region() relies on F_SEAL_FUTURE_WRITE for read-only
    // regions; a kernel without it is not a usable ashmem replacement.
    const int seal_rc = fcntl(probe, F_ADD_SEALS, F_SEAL_FUTURE_WRITE);
    if (seal_rc == -1) {
        ALOGE("fcntl(F_ADD_SEALS) failed: %s, no memfd support.\n", strerror(errno));
        return false;
    }

    if (debug_log) {
        ALOGD("memfd: device has memfd support, using it\n");
    }
    return true;
}
140 
static bool has_memfd_support() {
    /* Per-process cache of the one-time probe. A function-local static is
     * initialised exactly once, so __has_memfd_support() runs at most once. */
    static const bool memfd_supported = __has_memfd_support();
    return memfd_supported;
}
149 
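/* Build the per-boot ashmem device path: "/dev/ashmem" followed by the
 * kernel's boot_id (read from /proc and trimmed of surrounding whitespace).
 * Returns "" (after logging) if the boot_id cannot be read; the caller treats
 * an empty path as "no device". */
static std::string get_ashmem_device_path() {
    static const std::string boot_id_path = "/proc/sys/kernel/random/boot_id";
    std::string boot_id;
    if (!android::base::ReadFileToString(boot_id_path, &boot_id)) {
        ALOGE("Failed to read %s: %s.\n", boot_id_path.c_str(), strerror(errno));
        return "";
    }  // (stray `;' that followed this brace removed)
    boot_id = android::base::Trim(boot_id);

    return "/dev/ashmem" + boot_id;
}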
161 
162 /* logistics of getting file descriptor for ashmem */
/* logistics of getting file descriptor for ashmem
 *
 * Must be called with __ashmem_lock held: on success it records the device's
 * st_rdev in __ashmem_rdev. Returns an O_CLOEXEC fd for the ashmem character
 * device, or -1 with errno set (ENOTTY if what was opened is not a character
 * device with a non-zero rdev).
 */
static int __ashmem_open_locked()
{
    static const std::string ashmem_device_path = get_ashmem_device_path();

    if (ashmem_device_path.empty()) {
        return -1;
    }

    int fd = TEMP_FAILURE_RETRY(open(ashmem_device_path.c_str(), O_RDWR | O_CLOEXEC));
    if (fd < 0) {
        // fallback for APEX w/ use_vendor on Q, which would have still used /dev/ashmem
        const int primary_errno = errno;
        fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDWR | O_CLOEXEC));
        if (fd < 0) {
            /* Q launching devices and newer must not reach here since they should have been
             * able to open ashmem_device_path */
            ALOGE("Unable to open ashmem device %s (error = %s) and /dev/ashmem(error = %s)",
                  ashmem_device_path.c_str(), strerror(primary_errno), strerror(errno));
            return fd;
        }
    }

    struct stat st;
    const int fstat_rc = TEMP_FAILURE_RETRY(fstat(fd, &st));
    if (fstat_rc < 0) {
        // close() may clobber errno; hand the caller fstat's errno.
        const int fstat_errno = errno;
        close(fd);
        errno = fstat_errno;
        return fstat_rc;
    }

    // Whatever sits at that path must really be a device node; anything else
    // (a regular file planted there, for instance) is rejected.
    const bool is_device_node = S_ISCHR(st.st_mode) && st.st_rdev != 0;
    if (!is_device_node) {
        close(fd);
        errno = ENOTTY;
        return -1;
    }

    __ashmem_rdev = st.st_rdev;
    return fd;
}
202 
/* Locked wrapper around __ashmem_open_locked(); see there for the contract. */
static int __ashmem_open()
{
    pthread_mutex_lock(&__ashmem_lock);
    const int fd = __ashmem_open_locked();
    pthread_mutex_unlock(&__ashmem_lock);
    return fd;
}
213 
214 /* Make sure file descriptor references ashmem, negative number means false */
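/* Make sure file descriptor references ashmem, negative number means false
 *
 * Returns 0 when `fd' is a character device whose st_rdev equals the ashmem
 * device's (learned via __ashmem_open_locked() and cached in __ashmem_rdev).
 * Otherwise returns -1 with errno set: ENOTTY for "not ashmem", or the errno
 * of a failing fstat()/open().
 *
 * With `fatal' non-zero a mismatch aborts the process through
 * LOG_ALWAYS_FATAL instead of returning; callers use this after an ashmem
 * ioctl came back ENOTTY, turning "wrong kind of fd" into a crash rather
 * than a silently ignored error.
 */
static int __ashmem_is_ashmem(int fd, int fatal)
{
    dev_t rdev;
    struct stat st;

    if (fstat(fd, &st) < 0) {
        return -1;
    }

    rdev = 0; /* Too much complexity to sniff __ashmem_rdev */
    if (S_ISCHR(st.st_mode) && st.st_rdev) {
        pthread_mutex_lock(&__ashmem_lock);
        rdev = __ashmem_rdev;
        if (rdev) {
            pthread_mutex_unlock(&__ashmem_lock);
        } else {
            /* __ashmem_rdev is only learned by opening the device; do that
             * once here (still under the lock) purely to populate it, then
             * drop the fd. Named probe_fd so it no longer shadows the `fd'
             * being checked. */
            int probe_fd = __ashmem_open_locked();
            if (probe_fd < 0) {
                pthread_mutex_unlock(&__ashmem_lock);
                return -1;
            }
            rdev = __ashmem_rdev;
            pthread_mutex_unlock(&__ashmem_lock);

            close(probe_fd);
        }

        if (st.st_rdev == rdev) {
            return 0;
        }
    }

    if (fatal) {
        /* NOTE(review): the "expected" mode below lists S_IRGRP twice and has
         * no S_IWOTH. It only affects the log text, but S_IWOTH may have been
         * intended -- confirm against the device node's actual mode. */
        if (rdev) {
            LOG_ALWAYS_FATAL("illegal fd=%d mode=0%o rdev=%d:%d expected 0%o %d:%d",
              fd, st.st_mode, major(st.st_rdev), minor(st.st_rdev),
              S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IRGRP,
              major(rdev), minor(rdev));
        } else {
            LOG_ALWAYS_FATAL("illegal fd=%d mode=0%o rdev=%d:%d expected 0%o",
              fd, st.st_mode, major(st.st_rdev), minor(st.st_rdev),
              S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IRGRP);
        }
        /* NOTREACHED */
    }

    errno = ENOTTY;
    return -1;
}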
264 
/* Pass an ashmem ioctl result through, but if it failed with ENOTTY (the
 * signature of an ioctl issued on a non-ashmem fd) run the fatal fd check
 * first, which aborts the process when `fd' is indeed not ashmem. */
static int __ashmem_check_failure(int fd, int result)
{
    // Evaluate errno before anything else can overwrite it.
    const bool ioctl_rejected = (result == -1) && (errno == ENOTTY);
    if (ioctl_rejected) {
        __ashmem_is_ashmem(fd, 1);
    }
    return result;
}
270 
/* On the memfd path, detect an fd that is nevertheless ashmem (some caller
 * bypassed libcutils). Returns true for such fds and logs that once per
 * process; false for everything else, including non-ashmem, non-memfd fds. */
static bool memfd_is_ashmem(int fd) {
    static bool fd_check_error_once = false;

    const bool is_ashmem_fd = (__ashmem_is_ashmem(fd, 0) == 0);
    if (!is_ashmem_fd) {
        return false;
    }

    if (!fd_check_error_once) {
        fd_check_error_once = true;
        ALOGE("memfd: memfd expected but ashmem fd used - please use libcutils.\n");
    }
    return true;
}
285 
/* Public check that `fd' is usable with this API (1 = yes, 0 = no).
 *
 * Note the asymmetry: when memfd is in use, any fd that is not ashmem is
 * reported valid -- this does not verify that it is actually a memfd. Only
 * on the ashmem path is the device identity really checked. */
int ashmem_valid(int fd)
{
    const bool memfd_path = has_memfd_support() && !memfd_is_ashmem(fd);
    if (memfd_path) {
        return 1;
    }

    // __ashmem_is_ashmem() yields 0 on match, -1 otherwise.
    return __ashmem_is_ashmem(fd, 0) == 0;
}
294 
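/*
 * Create a memfd-backed region called `name' of `size' bytes.
 *
 * Returns the new O_CLOEXEC fd, or -1 with errno set by the failing call
 * (the unique_fd releases the partially set-up fd on every error path).
 * The region is created with MFD_NOEXEC_SEAL so it can never be made
 * executable, and once sized it is sealed against grow/shrink so no holder
 * of the fd can resize it underneath another process's mapping -- this
 * mirrors ashmem, whose size is fixed once set.
 */
static int memfd_create_region(const char* name, size_t size) {
    // This code needs to build on old API levels, so we can't use the libc
    // wrapper.
    //
    // MFD_NOEXEC_SEAL to match the semantics of the ashmem device, which did
    // not have executable permissions. This also seals the executable
    // permissions of the buffer (i.e. they cannot be changed by fchmod()).
    //
    // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
    android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_NOEXEC_SEAL));

    // `size' is a size_t, so the matching conversion is %zu (%zd expects the
    // signed counterpart and is a format/argument mismatch).
    if (fd == -1) {
        ALOGE("memfd_create(%s, %zu) failed: %s\n", name, size, strerror(errno));
        return -1;
    }

    if (ftruncate(fd, size) == -1) {
        ALOGE("ftruncate(%s, %zu) failed for memfd creation: %s\n", name, size, strerror(errno));
        return -1;
    }

    // forbid size changes to match ashmem behaviour
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_GROW | F_SEAL_SHRINK) == -1) {
        ALOGE("memfd_create(%s, %zu) F_ADD_SEALS failed: %m", name, size);
        return -1;
    }

    if (debug_log) {
        ALOGE("memfd_create(%s, %zu) success. fd=%d\n", name, size, fd.get());
    }
    return fd.release();
}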
327 
328 /*
329  * ashmem_create_region - creates a new ashmem region and returns the file
330  * descriptor, or <0 on error
331  *
332  * `name' is an optional label to give the region (visible in /proc/pid/maps)
333  * `size' is the size of the region, in page-aligned bytes
334  */
/*
 * ashmem_create_region - creates a new ashmem region and returns the file
 * descriptor, or <0 on error
 *
 * `name' is an optional label to give the region (visible in /proc/pid/maps)
 * `size' is the size of the region, in page-aligned bytes
 *
 * On the memfd path a NULL name becomes "none". On the ashmem path the name
 * is copied into an ASHMEM_NAME_LEN buffer with strlcpy(), so longer names
 * are silently truncated. Any ioctl failure closes the fd and returns the
 * ioctl's result with its errno preserved.
 */
int ashmem_create_region(const char *name, size_t size)
{
    if (has_memfd_support()) {
        return memfd_create_region(name ? name : "none", size);
    }

    int fd = __ashmem_open();
    if (fd < 0) {
        return fd;
    }

    int rc = 0;
    if (name) {
        char label[ASHMEM_NAME_LEN] = {0};
        strlcpy(label, name, sizeof(label));
        rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_NAME, label));
    }
    if (rc >= 0) {
        rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_SIZE, size));
    }
    if (rc >= 0) {
        return fd;
    }

    // close() may clobber errno; report the ioctl's errno to the caller.
    const int ioctl_errno = errno;
    close(fd);
    errno = ioctl_errno;
    return rc;
}
371 
/* memfd counterpart of ASHMEM_SET_PROT_MASK, expressed with file seals.
 *
 * Requesting PROT_WRITE succeeds unless the region was already made
 * read-only (F_SEAL_FUTURE_WRITE present), in which case -1/EINVAL is
 * returned to match ashmem. Requesting anything without PROT_WRITE seals
 * future writes and then seals the seal set itself (F_SEAL_SEAL) so no fd
 * holder can add further seals.
 *
 * NOTE(review): with F_SEAL_SEAL already in place the kernel refuses further
 * F_ADD_SEALS (EPERM), so a second read-only request on the same region
 * returns -1 -- presumably callers only downgrade once; verify.
 */
static int memfd_set_prot_region(int fd, int prot) {
    const int seals = fcntl(fd, F_GET_SEALS);
    if (seals == -1) {
        ALOGE("memfd_set_prot_region(%d, %d): F_GET_SEALS failed: %s\n", fd, prot, strerror(errno));
        return -1;
    }

    const bool wants_write = (prot & PROT_WRITE) != 0;
    if (wants_write) {
        // Seals are permanent: once read-only, the region cannot go back.
        if (seals & F_SEAL_FUTURE_WRITE) {
            ALOGE("memfd_set_prot_region(%d, %d): region is write protected\n", fd, prot);
            errno = EINVAL;  // inline with ashmem error code, if already in
                             // read-only mode
            return -1;
        }
        return 0;
    }

    /* We would only allow read-only for any future file operations */
    const int seal_rc = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE | F_SEAL_SEAL);
    if (seal_rc == -1) {
        ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE | F_SEAL_SEAL seal failed: %s\n",
              fd, prot, strerror(errno));
        return -1;
    }

    return 0;
}
401 
/* Restrict the protection of a region: seals on memfd, ASHMEM_SET_PROT_MASK
 * on ashmem. An ENOTTY from the ioctl escalates into the fatal fd check. */
int ashmem_set_prot_region(int fd, int prot)
{
    const bool memfd_region = has_memfd_support() && !memfd_is_ashmem(fd);
    if (memfd_region) {
        return memfd_set_prot_region(fd, prot);
    }

    const int rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_PROT_MASK, prot));
    return __ashmem_check_failure(fd, rc);
}
410 
/* ashmem_pin_region - pin [offset, offset+len) of an ashmem region (deprecated).
 *
 * For memfd-backed regions pinning has no meaning and this returns 0 without
 * touching the fd. For ashmem it forwards ASHMEM_PIN; an ENOTTY failure is
 * escalated by __ashmem_check_failure().
 *
 * The deprecation warning only fires while debug_log is set, because
 * pin_deprecation_warn starts out true (see its definition).
 */
int ashmem_pin_region(int fd, size_t offset, size_t len)
{
    const bool emit_warning = debug_log || !pin_deprecation_warn;
    if (emit_warning) {
        ALOGE("Pinning is deprecated since Android Q. Please use trim or other methods.\n");
        pin_deprecation_warn = true;
    }

    const bool memfd_region = has_memfd_support() && !memfd_is_ashmem(fd);
    if (memfd_region) {
        return 0;
    }

    // TODO: should LP64 reject too-large offset/len?
    // ashmem_pin's fields are 32-bit (hence the casts): on LP64 an offset or
    // len above UINT32_MAX is silently truncated rather than rejected.
    ashmem_pin range = { static_cast<uint32_t>(offset), static_cast<uint32_t>(len) };
    const int rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_PIN, &range));
    return __ashmem_check_failure(fd, rc);
}
426 
/* ashmem_unpin_region - unpin [offset, offset+len) of an ashmem region (deprecated).
 *
 * Mirror of ashmem_pin_region(): a no-op returning 0 for memfd-backed
 * regions, ASHMEM_UNPIN for ashmem, with ENOTTY escalated by
 * __ashmem_check_failure(). The deprecation warning only fires while
 * debug_log is set, because pin_deprecation_warn starts out true.
 */
int ashmem_unpin_region(int fd, size_t offset, size_t len)
{
    const bool emit_warning = debug_log || !pin_deprecation_warn;
    if (emit_warning) {
        ALOGE("Pinning is deprecated since Android Q. Please use trim or other methods.\n");
        pin_deprecation_warn = true;
    }

    const bool memfd_region = has_memfd_support() && !memfd_is_ashmem(fd);
    if (memfd_region) {
        return 0;
    }

    // TODO: should LP64 reject too-large offset/len?
    // ashmem_pin's fields are 32-bit (hence the casts): on LP64 an offset or
    // len above UINT32_MAX is silently truncated rather than rejected.
    ashmem_pin range = { static_cast<uint32_t>(offset), static_cast<uint32_t>(len) };
    const int rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_UNPIN, &range));
    return __ashmem_check_failure(fd, rc);
}
442 
ashmem_get_size_region(int fd)443 int ashmem_get_size_region(int fd)
444 {
445     if (has_memfd_support() && !memfd_is_ashmem(fd)) {
446         struct stat sb;
447 
448         if (fstat(fd, &sb) == -1) {
449             ALOGE("ashmem_get_size_region(%d): fstat failed: %s\n", fd, strerror(errno));
450             return -1;
451         }
452 
453         if (debug_log) {
454             ALOGD("ashmem_get_size_region(%d): %d\n", fd, static_cast<int>(sb.st_size));
455         }
456 
457         return sb.st_size;
458     }
459 
460     return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_GET_SIZE, NULL)));
461 }
462