1 /*
2  * Copyright (C) 2008 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <cutils/ashmem.h>
18 
19 /*
20  * Implementation of the user-space ashmem API for devices, which have our
21  * ashmem-enabled kernel. See ashmem-sim.c for the "fake" tmp-based version,
22  * used by the simulator.
23  */
24 #define LOG_TAG "ashmem"
25 
26 #ifndef __ANDROID_VNDK__
27 #include <dlfcn.h>
28 #endif
29 #include <errno.h>
30 #include <fcntl.h>
31 #include <linux/ashmem.h>
32 #include <linux/memfd.h>
33 #include <log/log.h>
34 #include <pthread.h>
35 #include <stdio.h>
36 #include <string.h>
37 #include <sys/ioctl.h>
38 #include <sys/mman.h>
39 #include <sys/stat.h>
40 #include <sys/syscall.h>
41 #include <sys/sysmacros.h>
42 #include <sys/types.h>
43 #include <unistd.h>
44 
45 #include <android-base/properties.h>
46 #include <android-base/unique_fd.h>
47 
48 #define ASHMEM_DEVICE "/dev/ashmem"
49 
50 /* Will be added to UAPI once upstream change is merged */
51 #define F_SEAL_FUTURE_WRITE 0x0010
52 
53 /*
54  * The minimum vendor API level at and after which it is safe to use memfd.
55  * This is to facilitate deprecation of ashmem.
56  */
57 #define MIN_MEMFD_VENDOR_API_LEVEL 29
58 #define MIN_MEMFD_VENDOR_API_LEVEL_CHAR 'Q'
59 
/*
 * ashmem identity: device number (st_rdev) of the ashmem character device.
 * Zero until __ashmem_open_locked() has opened and fstat()ed the device;
 * __ashmem_is_ashmem() compares candidate fds against it.
 */
static dev_t __ashmem_rdev;
/*
 * Held around reads and writes of __ashmem_rdev (and, in the non-VNDK build,
 * around the assignment of openFd in ashmem_init()).
 *
 * If we trigger a signal handler in the middle of locked activity and the
 * signal handler calls ashmem, we could get into a deadlock state.
 */
static pthread_mutex_t __ashmem_lock = PTHREAD_MUTEX_INITIALIZER;
67 
68 /*
69  * We use ashmemd to enforce that apps don't open /dev/ashmem directly. Vendor
70  * code can't access system aidl services per Treble requirements. So we limit
71  * ashmemd access to the system variant of libcutils.
72  */
#ifndef __ANDROID_VNDK__
/* Signature of the ashmemd client entry point: no arguments, returns an fd. */
using openFdType = int (*)();

/* Cached entry point; null until initOpenAshmemFd() has resolved it. */
static openFdType openFd;

/*
 * Look up openAshmemdFd() in libashmemd_client.so at run time.
 *
 * Returns the resolved function pointer, or nullptr when the library cannot
 * be loaded or the symbol is missing; both failures are logged. The dlopen()
 * handle is not dlclose()d in this function.
 */
openFdType initOpenAshmemFd() {
    void* const lib = dlopen("libashmemd_client.so", RTLD_NOW);
    if (lib == nullptr) {
        ALOGE("Failed to dlopen() libashmemd_client.so: %s", dlerror());
        return nullptr;
    }

    /* dlsym() hands back void*; the cast gives it the expected call signature. */
    const openFdType resolved = reinterpret_cast<openFdType>(dlsym(lib, "openAshmemdFd"));
    if (resolved == nullptr) {
        ALOGE("Failed to dlsym() openAshmemdFd() function: %s", dlerror());
    }
    return resolved;
}
#endif
93 
94 /*
95  * has_memfd_support() determines if the device can use memfd. memfd support
96  * has been there for a long time, but certain things in it may be missing. We
97  * check for the needed support in it. We also check whether the VNDK version of
98  * libcutils being used is new enough; if it's not, we cannot use memfd,
99  * since the older copies may be using ashmem, so we just use ashmem. Once all
100  * Android devices that are getting updates are new enough (e.g., they were
101  * originally shipped with an Android release > P), then we can just use memfd and
102  * delete all ashmem code from libcutils (while preserving the interface).
103  *
104  * NOTE:
105  * The sys.use_memfd property is set by default to false in Android
106  * to temporarily disable memfd, until vendor code and apps are ready for it.
107  * The main issue: either apps or vendor processes can directly make ashmem
108  * IOCTLs on FDs they receive by assuming they are ashmem, without going
109  * through libcutils. Such fds could very well have been originally created with
110  * libcutils, hence they could be memfd, and the ashmem IOCTLs on them will break.
111  *
112  * Set the default value of the sys.use_memfd property to true once the issue is
113  * resolved, so that the code can then self-detect if kernel support is present
114  * on the device. The property can also be set to true from adb shell, for
115  * debugging.
116  */
117 
/* Set to true for verbose logging and other debug. */
static bool debug_log = false;
/*
 * State for the pin deprecation warning, which is meant to be logged only
 * once; read and written by ashmem_pin_region() and ashmem_unpin_region().
 */
static bool pin_deprecation_warn = true;
120 
121 /* Determine if vendor processes would be ok with memfd in the system:
122  *
123  * If VNDK is using older libcutils, don't use memfd. This is so that the
124  * same shared memory mechanism is used across binder transactions between
125  * vendor partition processes and system partition processes.
126  */
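static bool check_vendor_memfd_allowed() {
    /*
     * Returns true only when ro.vndk.version is a number that is at least
     * MIN_MEMFD_VENDOR_API_LEVEL, or a codename whose first letter is at or
     * after MIN_MEMFD_VENDOR_API_LEVEL_CHAR. Every other value, including an
     * unset property, returns false so that ashmem is used.
     */
    std::string vndk_version = android::base::GetProperty("ro.vndk.version", "");

    if (vndk_version.empty()) {
        ALOGE("memfd: ro.vndk.version not defined or invalid (%s), this is mandated since P.\n",
              vndk_version.c_str());
        return false;
    }

    /*
     * NOTE(review): the comment that used to sit here said there are "no
     * issues" when the vendor targets the current dessert, yet the branch
     * returns false, i.e. memfd is not used for a "current" VNDK. Behaviour
     * is left unchanged; confirm whether true was intended.
     */
    if (vndk_version == "current") {
        return false;
    }

    /* Check if VNDK version is a number and act on it */
    char* end = nullptr;
    long int vers = strtol(vndk_version.c_str(), &end, 10);
    if (*end == 0) {
        if (vers < MIN_MEMFD_VENDOR_API_LEVEL) {
            ALOGI("memfd: device VNDK version (%s) is < Q so using ashmem.\n",
                  vndk_version.c_str());
            return false;
        }

        return true;
    }

    /*
     * Not a number, so treat it as a codename and look at its first letter.
     * tolower() is only defined for values representable as unsigned char
     * (or EOF); plain char may be negative, so convert through unsigned char
     * before the call instead of passing the raw property byte.
     */
    const int first = tolower(static_cast<unsigned char>(vndk_version[0]));
    if (first < 'a' || first > 'z') {
        ALOGE("memfd: ro.vndk.version not defined or invalid (%s), this is mandated since P.\n",
              vndk_version.c_str());
        return false;
    }

    if (first < tolower(MIN_MEMFD_VENDOR_API_LEVEL_CHAR)) {
        ALOGI("memfd: device is using VNDK version (%s) which is less than Q. Use ashmem only.\n",
              vndk_version.c_str());
        return false;
    }

    return true;
}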
169 
170 
171 /* Determine if memfd can be supported. This is just one-time hardwork
172  * which will be cached by the caller.
173  */
static bool __has_memfd_support() {
    /* The vendor side has to be new enough before anything else is tried. */
    if (!check_vendor_memfd_allowed()) {
        return false;
    }

    /*
     * Run-time switch for the detection; it is read with a default of false.
     * It is meant to go away once everything has moved over to memfd, and is
     * currently used only for debugging to switch the system over.
     */
    const bool enabled = android::base::GetBoolProperty("sys.use_memfd", false);
    if (!enabled) {
        if (debug_log) {
            ALOGD("sys.use_memfd=false so memfd disabled\n");
        }
        return false;
    }

    /*
     * Probe the kernel with a throwaway memfd that allows sealing. The
     * unique_fd owns the descriptor, so it is closed on every return below.
     */
    android::base::unique_fd probe(
            syscall(__NR_memfd_create, "test_android_memfd", MFD_ALLOW_SEALING));
    if (probe.get() == -1) {
        ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno));
        return false;
    }

    /* memfd alone is not enough: F_SEAL_FUTURE_WRITE must be accepted too. */
    const int seal_rc = fcntl(probe.get(), F_ADD_SEALS, F_SEAL_FUTURE_WRITE);
    if (seal_rc == -1) {
        ALOGE("fcntl(F_ADD_SEALS) failed: %s, no memfd support.\n", strerror(errno));
        return false;
    }

    if (debug_log) {
        ALOGD("memfd: device has memfd support, using it\n");
    }
    return true;
}
208 
static bool has_memfd_support() {
    /*
     * Function-local static: __has_memfd_support() is evaluated the first
     * time control passes through here, and that answer is what every later
     * call in this process returns.
     */
    static const bool cached_answer = __has_memfd_support();
    return cached_answer;
}
217 
218 /* logistics of getting file descriptor for ashmem */
static int __ashmem_open_locked()
{
    /*
     * Both callers in this file hold __ashmem_lock around this call; openFd
     * and __ashmem_rdev are written here.
     */
    int fd = -1;
#ifndef __ANDROID_VNDK__
    /* Prefer the ashmemd client, resolving it lazily on first use. */
    if (openFd == nullptr) {
        openFd = initOpenAshmemFd();
    }

    if (openFd != nullptr) {
        fd = openFd();
    }
#endif
    /* No client, or the client failed: open the device node directly. */
    if (fd < 0) {
        fd = TEMP_FAILURE_RETRY(open(ASHMEM_DEVICE, O_RDWR | O_CLOEXEC));
        if (fd < 0) {
            return fd;
        }
    }

    struct stat st;
    const int rc = TEMP_FAILURE_RETRY(fstat(fd, &st));
    if (rc < 0) {
        /* Report fstat()'s errno, not whatever close() leaves behind. */
        const int saved = errno;
        close(fd);
        errno = saved;
        return rc;
    }

    /*
     * Whatever was handed back must be a character device with a non-zero
     * device number; anything else is refused rather than recorded as the
     * ashmem identity.
     */
    const bool is_char_device = S_ISCHR(st.st_mode) && st.st_rdev;
    if (!is_char_device) {
        close(fd);
        errno = ENOTTY;
        return -1;
    }

    /* This device number is what __ashmem_is_ashmem() checks fds against. */
    __ashmem_rdev = st.st_rdev;
    return fd;
}
257 
static int __ashmem_open()
{
    /* Take __ashmem_lock for the duration of the open, then hand the fd back. */
    pthread_mutex_lock(&__ashmem_lock);
    const int fd = __ashmem_open_locked();
    pthread_mutex_unlock(&__ashmem_lock);

    return fd;
}
268 
269 /* Make sure file descriptor references ashmem, negative number means false */
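static int __ashmem_is_ashmem(int fd, int fatal)
{
    /*
     * Returns 0 when fd is a character device whose device number equals the
     * ashmem device's, and -1 otherwise. A failed fstat() or a failed probe
     * open returns -1 straight away, even when fatal is set. Any other
     * mismatch aborts through LOG_ALWAYS_FATAL when fatal is non-zero, and
     * otherwise sets errno to ENOTTY.
     */
    dev_t rdev;
    struct stat st;

    if (fstat(fd, &st) < 0) {
        return -1;
    }

    rdev = 0; /* Too much complexity to sniff __ashmem_rdev */
    if (S_ISCHR(st.st_mode) && st.st_rdev) {
        pthread_mutex_lock(&__ashmem_lock);
        rdev = __ashmem_rdev;
        if (rdev) {
            pthread_mutex_unlock(&__ashmem_lock);
        } else {
            /*
             * The ashmem device number is not cached yet: open the device
             * once to learn it. The descriptor gets its own name so it no
             * longer shadows the fd under test.
             */
            int probe_fd = __ashmem_open_locked();
            if (probe_fd < 0) {
                pthread_mutex_unlock(&__ashmem_lock);
                return -1;
            }
            rdev = __ashmem_rdev;
            pthread_mutex_unlock(&__ashmem_lock);

            close(probe_fd);
        }

        if (st.st_rdev == rdev) {
            return 0;
        }
    }

    if (fatal) {
        /*
         * Mode printed as "expected": a character device that is readable
         * and writable by user, group and other. The list used to name
         * S_IRGRP twice and leave out S_IWOTH, so the diagnostic showed a
         * mask without the other-write bit.
         */
        const int expected_mode =
                S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
        if (rdev) {
            LOG_ALWAYS_FATAL("illegal fd=%d mode=0%o rdev=%d:%d expected 0%o %d:%d",
              fd, st.st_mode, major(st.st_rdev), minor(st.st_rdev),
              expected_mode,
              major(rdev), minor(rdev));
        } else {
            LOG_ALWAYS_FATAL("illegal fd=%d mode=0%o rdev=%d:%d expected 0%o",
              fd, st.st_mode, major(st.st_rdev), minor(st.st_rdev),
              expected_mode);
        }
        /* NOTREACHED */
    }

    errno = ENOTTY;
    return -1;
}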
319 
static int __ashmem_check_failure(int fd, int result)
{
    /*
     * An ioctl that failed with ENOTTY is re-checked with fatal set, so an
     * fd that turns out not to be ashmem aborts in __ashmem_is_ashmem()
     * instead of quietly handing an error back. result is passed through
     * untouched in every other case.
     */
    const bool failed_with_enotty = (result == -1) && (errno == ENOTTY);
    if (failed_with_enotty) {
        __ashmem_is_ashmem(fd, 1);
    }
    return result;
}
325 
static bool memfd_is_ashmem(int fd) {
    /* Lets the complaint below be logged a single time per process. */
    static bool fd_check_error_once = false;

    /* Non-fatal check: anything that is not ashmem is simply "false". */
    if (__ashmem_is_ashmem(fd, 0) != 0) {
        return false;
    }

    /* An ashmem fd showed up although memfd is in use; say so once. */
    if (!fd_check_error_once) {
        ALOGE("memfd: memfd expected but ashmem fd used - please use libcutils.\n");
        fd_check_error_once = true;
    }

    return true;
}
340 
/*
 * Returns non-zero when fd is accepted as a shared-memory region by this
 * library, zero otherwise.
 *
 * NOTE(review): when memfd is in use, every fd that __ashmem_is_ashmem() does
 * not recognise is reported as valid, including one on which fstat() fails;
 * nothing in this function checks that the fd is actually a memfd. Callers
 * that rely on this for an fd received from another process should confirm
 * whether a memfd-specific check is wanted here.
 */
int ashmem_valid(int fd)
{
    const bool treated_as_memfd = has_memfd_support() && !memfd_is_ashmem(fd);
    if (treated_as_memfd) {
        return 1;
    }

    /* ashmem path: valid exactly when the non-fatal identity check passes. */
    const int check = __ashmem_is_ashmem(fd, 0);
    return check >= 0;
}
349 
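/*
 * Create a sealable memfd called name and size it to size bytes.
 *
 * Returns the new descriptor, or -1 when memfd_create() or ftruncate() fails
 * (the failure is logged). On the ftruncate() failure path the descriptor is
 * closed by the unique_fd going out of scope.
 */
static int memfd_create_region(const char* name, size_t size) {
    android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_ALLOW_SEALING));

    /* size is a size_t, so it is printed with %zu rather than the signed %zd. */
    if (fd == -1) {
        ALOGE("memfd_create(%s, %zu) failed: %s\n", name, size, strerror(errno));
        return -1;
    }

    if (ftruncate(fd, size) == -1) {
        ALOGE("ftruncate(%s, %zu) failed for memfd creation: %s\n", name, size, strerror(errno));
        return -1;
    }

    /* Success is debug output, so it is logged at debug level, not as an error. */
    if (debug_log) {
        ALOGD("memfd_create(%s, %zu) success. fd=%d\n", name, size, fd.get());
    }
    return fd.release();
}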
368 
369 /*
370  * ashmem_create_region - creates a new ashmem region and returns the file
371  * descriptor, or <0 on error
372  *
373  * `name' is an optional label to give the region (visible in /proc/pid/maps)
374  * `size' is the size of the region, in page-aligned bytes
375  */
int ashmem_create_region(const char *name, size_t size)
{
    /* memfd path: a missing name is replaced by the label "none". */
    if (has_memfd_support()) {
        return memfd_create_region(name ? name : "none", size);
    }

    const int fd = __ashmem_open();
    if (fd < 0) {
        return fd;
    }

    /* Failure exit: close fd, but leave the failing ioctl's errno in place. */
    const auto fail = [fd](int rc) {
        const int saved = errno;
        close(fd);
        errno = saved;
        return rc;
    };

    if (name != nullptr) {
        /* Zero-filled, fixed-size buffer; strlcpy() truncates longer names. */
        char label[ASHMEM_NAME_LEN] = {0};

        strlcpy(label, name, sizeof(label));
        const int name_rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_NAME, label));
        if (name_rc < 0) {
            return fail(name_rc);
        }
    }

    const int size_rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_SIZE, size));
    if (size_rc < 0) {
        return fail(size_rc);
    }

    return fd;
}
412 
/*
 * memfd counterpart of the ashmem protection mask: when prot does not contain
 * PROT_WRITE the fd is sealed with F_SEAL_FUTURE_WRITE. Returns 0 on success
 * or when nothing had to be done, -1 when the seal cannot be added.
 *
 * NOTE(review): only the PROT_WRITE bit is examined. A prot value that drops
 * PROT_READ or PROT_EXEC is accepted and returns 0 without any restriction
 * being applied to the memfd; confirm that callers do not depend on those
 * bits being enforced.
 */
static int memfd_set_prot_region(int fd, int prot) {
    /* Only proceed if an fd needs to be write-protected */
    const bool stays_writable = (prot & PROT_WRITE) != 0;
    if (stays_writable) {
        return 0;
    }

    const int seal_rc = fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE);
    if (seal_rc != -1) {
        return 0;
    }

    ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE seal failed: %s\n", fd, prot,
          strerror(errno));
    return -1;
}
427 
/*
 * Restrict the protections of the region behind fd. A non-ashmem fd on a
 * memfd-enabled system goes to memfd_set_prot_region(); everything else gets
 * the ASHMEM_SET_PROT_MASK ioctl, whose result is passed through
 * __ashmem_check_failure().
 */
int ashmem_set_prot_region(int fd, int prot)
{
    const bool use_memfd = has_memfd_support() && !memfd_is_ashmem(fd);
    if (use_memfd) {
        return memfd_set_prot_region(fd, prot);
    }

    const int rc = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_PROT_MASK, prot));
    return __ashmem_check_failure(fd, rc);
}
436 
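/*
 * Pin the range [offset, offset + len) of an ashmem region.
 *
 * On a memfd-enabled system a non-ashmem fd is accepted and 0 is returned
 * without doing anything. Otherwise the result of the ASHMEM_PIN ioctl is
 * returned after passing through __ashmem_check_failure().
 */
int ashmem_pin_region(int fd, size_t offset, size_t len)
{
    /*
     * pin_deprecation_warn starts out true, so the warning is due while the
     * flag is still set; it is cleared after the first message. The previous
     * test was inverted (!pin_deprecation_warn) and the flag was set back to
     * true, so the warning was only ever printed with debug_log enabled.
     */
    if (pin_deprecation_warn || debug_log) {
        ALOGE("Pinning is deprecated since Android Q. Please use trim or other methods.\n");
        pin_deprecation_warn = false;
    }

    if (has_memfd_support() && !memfd_is_ashmem(fd)) {
        return 0;
    }

    // TODO: should LP64 reject too-large offset/len?
    // NOTE(review): the casts keep only the low 32 bits, so on LP64 an
    // offset or len above UINT32_MAX reaches the kernel as a different range
    // than the caller named.
    ashmem_pin pin = { static_cast<uint32_t>(offset), static_cast<uint32_t>(len) };
    return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_PIN, &pin)));
}

/*
 * Unpin the range [offset, offset + len) of an ashmem region.
 *
 * Mirrors ashmem_pin_region(): 0 without any action for a non-ashmem fd on a
 * memfd-enabled system, otherwise the checked result of the ASHMEM_UNPIN
 * ioctl.
 */
int ashmem_unpin_region(int fd, size_t offset, size_t len)
{
    /* Same one-time warning, sharing its flag with ashmem_pin_region(). */
    if (pin_deprecation_warn || debug_log) {
        ALOGE("Pinning is deprecated since Android Q. Please use trim or other methods.\n");
        pin_deprecation_warn = false;
    }

    if (has_memfd_support() && !memfd_is_ashmem(fd)) {
        return 0;
    }

    // TODO: should LP64 reject too-large offset/len?
    // NOTE(review): the casts keep only the low 32 bits, so on LP64 an
    // offset or len above UINT32_MAX reaches the kernel as a different range
    // than the caller named.
    ashmem_pin pin = { static_cast<uint32_t>(offset), static_cast<uint32_t>(len) };
    return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_UNPIN, &pin)));
}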
468 
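/*
 * Return the size in bytes of the region behind fd, or -1 on error.
 *
 * For a non-ashmem fd on a memfd-enabled system the size comes from fstat();
 * otherwise it comes from the ASHMEM_GET_SIZE ioctl, checked by
 * __ashmem_check_failure().
 */
int ashmem_get_size_region(int fd)
{
    if (has_memfd_support() && !memfd_is_ashmem(fd)) {
        struct stat sb;

        if (fstat(fd, &sb) == -1) {
            ALOGE("ashmem_get_size_region(%d): fstat failed: %s\n", fd, strerror(errno));
            return -1;
        }

        /*
         * st_size can be wider than the int this function returns. A size
         * that does not survive the narrowing is reported as an error rather
         * than returned truncated, because callers use the value to bound
         * their accesses to the region.
         */
        const int size = static_cast<int>(sb.st_size);
        if (static_cast<off_t>(size) != sb.st_size) {
            ALOGE("ashmem_get_size_region(%d): size does not fit in int\n", fd);
            errno = EOVERFLOW;
            return -1;
        }

        if (debug_log) {
            ALOGD("ashmem_get_size_region(%d): %d\n", fd, size);
        }

        return size;
    }

    return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_GET_SIZE, NULL)));
}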
488 
/*
 * Resolve the ashmemd client entry point and store it in openFd. In a build
 * with __ANDROID_VNDK__ defined the body is compiled out and this function
 * does nothing.
 */
void ashmem_init() {
#ifndef __ANDROID_VNDK__
    /* openFd is also read and written by __ashmem_open_locked(), hence the lock. */
    pthread_mutex_lock(&__ashmem_lock);
    openFd = initOpenAshmemFd();
    pthread_mutex_unlock(&__ashmem_lock);
#endif  //__ANDROID_VNDK__
}
496