user_namespace.c 36 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. #include <linux/export.h>
  3. #include <linux/nsproxy.h>
  4. #include <linux/slab.h>
  5. #include <linux/sched/signal.h>
  6. #include <linux/user_namespace.h>
  7. #include <linux/proc_ns.h>
  8. #include <linux/highuid.h>
  9. #include <linux/cred.h>
  10. #include <linux/securebits.h>
  11. #include <linux/security.h>
  12. #include <linux/keyctl.h>
  13. #include <linux/key-type.h>
  14. #include <keys/user-type.h>
  15. #include <linux/seq_file.h>
  16. #include <linux/fs.h>
  17. #include <linux/uaccess.h>
  18. #include <linux/ctype.h>
  19. #include <linux/projid.h>
  20. #include <linux/fs_struct.h>
  21. #include <linux/bsearch.h>
  22. #include <linux/sort.h>
  23. static struct kmem_cache *user_ns_cachep __read_mostly;
  24. static DEFINE_MUTEX(userns_state_mutex);
  25. static bool new_idmap_permitted(const struct file *file,
  26. struct user_namespace *ns, int cap_setid,
  27. struct uid_gid_map *map);
  28. static void free_user_ns(struct work_struct *work);
  29. static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
  30. {
  31. return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
  32. }
  33. static void dec_user_namespaces(struct ucounts *ucounts)
  34. {
  35. return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
  36. }
  37. static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
  38. {
  39. /* Start with the same capabilities as init but useless for doing
  40. * anything as the capabilities are bound to the new user namespace.
  41. */
  42. cred->securebits = SECUREBITS_DEFAULT;
  43. cred->cap_inheritable = CAP_EMPTY_SET;
  44. cred->cap_permitted = CAP_FULL_SET;
  45. cred->cap_effective = CAP_FULL_SET;
  46. cred->cap_ambient = CAP_EMPTY_SET;
  47. cred->cap_bset = CAP_FULL_SET;
  48. #ifdef CONFIG_KEYS
  49. key_put(cred->request_key_auth);
  50. cred->request_key_auth = NULL;
  51. #endif
  52. /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
  53. cred->user_ns = user_ns;
  54. }
  55. static unsigned long enforced_nproc_rlimit(void)
  56. {
  57. unsigned long limit = RLIM_INFINITY;
  58. /* Is RLIMIT_NPROC currently enforced? */
  59. if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) ||
  60. (current_user_ns() != &init_user_ns))
  61. limit = rlimit(RLIMIT_NPROC);
  62. return limit;
  63. }
  64. /*
  65. * Create a new user namespace, deriving the creator from the user in the
  66. * passed credentials, and replacing that user with the new root user for the
  67. * new namespace.
  68. *
  69. * This is called by copy_creds(), which will finish setting the target task's
  70. * credentials.
  71. */
  72. int create_user_ns(struct cred *new)
  73. {
  74. struct user_namespace *ns, *parent_ns = new->user_ns;
  75. kuid_t owner = new->euid;
  76. kgid_t group = new->egid;
  77. struct ucounts *ucounts;
  78. int ret, i;
  79. ret = -ENOSPC;
  80. if (parent_ns->level > 32)
  81. goto fail;
  82. ucounts = inc_user_namespaces(parent_ns, owner);
  83. if (!ucounts)
  84. goto fail;
  85. /*
  86. * Verify that we can not violate the policy of which files
  87. * may be accessed that is specified by the root directory,
  88. * by verifying that the root directory is at the root of the
  89. * mount namespace which allows all files to be accessed.
  90. */
  91. ret = -EPERM;
  92. if (current_chrooted())
  93. goto fail_dec;
  94. /* The creator needs a mapping in the parent user namespace
  95. * or else we won't be able to reasonably tell userspace who
  96. * created a user_namespace.
  97. */
  98. ret = -EPERM;
  99. if (!kuid_has_mapping(parent_ns, owner) ||
  100. !kgid_has_mapping(parent_ns, group))
  101. goto fail_dec;
  102. ret = security_create_user_ns(new);
  103. if (ret < 0)
  104. goto fail_dec;
  105. ret = -ENOMEM;
  106. ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
  107. if (!ns)
  108. goto fail_dec;
  109. ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP);
  110. ret = ns_alloc_inum(&ns->ns);
  111. if (ret)
  112. goto fail_free;
  113. ns->ns.ops = &userns_operations;
  114. refcount_set(&ns->ns.count, 1);
  115. /* Leave the new->user_ns reference with the new user namespace. */
  116. ns->parent = parent_ns;
  117. ns->level = parent_ns->level + 1;
  118. ns->owner = owner;
  119. ns->group = group;
  120. INIT_WORK(&ns->work, free_user_ns);
  121. for (i = 0; i < UCOUNT_COUNTS; i++) {
  122. ns->ucount_max[i] = INT_MAX;
  123. }
  124. set_userns_rlimit_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit());
  125. set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE));
  126. set_userns_rlimit_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING));
  127. set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK));
  128. ns->ucounts = ucounts;
  129. /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
  130. mutex_lock(&userns_state_mutex);
  131. ns->flags = parent_ns->flags;
  132. mutex_unlock(&userns_state_mutex);
  133. #ifdef CONFIG_KEYS
  134. INIT_LIST_HEAD(&ns->keyring_name_list);
  135. init_rwsem(&ns->keyring_sem);
  136. #endif
  137. ret = -ENOMEM;
  138. if (!setup_userns_sysctls(ns))
  139. goto fail_keyring;
  140. set_cred_user_ns(new, ns);
  141. return 0;
  142. fail_keyring:
  143. #ifdef CONFIG_PERSISTENT_KEYRINGS
  144. key_put(ns->persistent_keyring_register);
  145. #endif
  146. ns_free_inum(&ns->ns);
  147. fail_free:
  148. kmem_cache_free(user_ns_cachep, ns);
  149. fail_dec:
  150. dec_user_namespaces(ucounts);
  151. fail:
  152. return ret;
  153. }
  154. int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
  155. {
  156. struct cred *cred;
  157. int err = -ENOMEM;
  158. if (!(unshare_flags & CLONE_NEWUSER))
  159. return 0;
  160. cred = prepare_creds();
  161. if (cred) {
  162. err = create_user_ns(cred);
  163. if (err)
  164. put_cred(cred);
  165. else
  166. *new_cred = cred;
  167. }
  168. return err;
  169. }
  170. static void free_user_ns(struct work_struct *work)
  171. {
  172. struct user_namespace *parent, *ns =
  173. container_of(work, struct user_namespace, work);
  174. do {
  175. struct ucounts *ucounts = ns->ucounts;
  176. parent = ns->parent;
  177. if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
  178. kfree(ns->gid_map.forward);
  179. kfree(ns->gid_map.reverse);
  180. }
  181. if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
  182. kfree(ns->uid_map.forward);
  183. kfree(ns->uid_map.reverse);
  184. }
  185. if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
  186. kfree(ns->projid_map.forward);
  187. kfree(ns->projid_map.reverse);
  188. }
  189. retire_userns_sysctls(ns);
  190. key_free_user_ns(ns);
  191. ns_free_inum(&ns->ns);
  192. kmem_cache_free(user_ns_cachep, ns);
  193. dec_user_namespaces(ucounts);
  194. ns = parent;
  195. } while (refcount_dec_and_test(&parent->ns.count));
  196. }
  197. void __put_user_ns(struct user_namespace *ns)
  198. {
  199. schedule_work(&ns->work);
  200. }
  201. EXPORT_SYMBOL(__put_user_ns);
  202. /**
  203. * idmap_key struct holds the information necessary to find an idmapping in a
  204. * sorted idmap array. It is passed to cmp_map_id() as first argument.
  205. */
  206. struct idmap_key {
  207. bool map_up; /* true -> id from kid; false -> kid from id */
  208. u32 id; /* id to find */
  209. u32 count; /* == 0 unless used with map_id_range_down() */
  210. };
  211. /**
  212. * cmp_map_id - Function to be passed to bsearch() to find the requested
  213. * idmapping. Expects struct idmap_key to be passed via @k.
  214. */
  215. static int cmp_map_id(const void *k, const void *e)
  216. {
  217. u32 first, last, id2;
  218. const struct idmap_key *key = k;
  219. const struct uid_gid_extent *el = e;
  220. id2 = key->id + key->count - 1;
  221. /* handle map_id_{down,up}() */
  222. if (key->map_up)
  223. first = el->lower_first;
  224. else
  225. first = el->first;
  226. last = first + el->count - 1;
  227. if (key->id >= first && key->id <= last &&
  228. (id2 >= first && id2 <= last))
  229. return 0;
  230. if (key->id < first || id2 < first)
  231. return -1;
  232. return 1;
  233. }
  234. /**
  235. * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
  236. * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
  237. */
  238. static struct uid_gid_extent *
  239. map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
  240. {
  241. struct idmap_key key;
  242. key.map_up = false;
  243. key.count = count;
  244. key.id = id;
  245. return bsearch(&key, map->forward, extents,
  246. sizeof(struct uid_gid_extent), cmp_map_id);
  247. }
  248. /**
  249. * map_id_range_down_base - Find idmap via binary search in static extent array.
  250. * Can only be called if number of mappings is equal or less than
  251. * UID_GID_MAP_MAX_BASE_EXTENTS.
  252. */
  253. static struct uid_gid_extent *
  254. map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
  255. {
  256. unsigned idx;
  257. u32 first, last, id2;
  258. id2 = id + count - 1;
  259. /* Find the matching extent */
  260. for (idx = 0; idx < extents; idx++) {
  261. first = map->extent[idx].first;
  262. last = first + map->extent[idx].count - 1;
  263. if (id >= first && id <= last &&
  264. (id2 >= first && id2 <= last))
  265. return &map->extent[idx];
  266. }
  267. return NULL;
  268. }
  269. static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
  270. {
  271. struct uid_gid_extent *extent;
  272. unsigned extents = map->nr_extents;
  273. smp_rmb();
  274. if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  275. extent = map_id_range_down_base(extents, map, id, count);
  276. else
  277. extent = map_id_range_down_max(extents, map, id, count);
  278. /* Map the id or note failure */
  279. if (extent)
  280. id = (id - extent->first) + extent->lower_first;
  281. else
  282. id = (u32) -1;
  283. return id;
  284. }
  285. static u32 map_id_down(struct uid_gid_map *map, u32 id)
  286. {
  287. return map_id_range_down(map, id, 1);
  288. }
  289. /**
  290. * map_id_up_base - Find idmap via binary search in static extent array.
  291. * Can only be called if number of mappings is equal or less than
  292. * UID_GID_MAP_MAX_BASE_EXTENTS.
  293. */
  294. static struct uid_gid_extent *
  295. map_id_up_base(unsigned extents, struct uid_gid_map *map, u32 id)
  296. {
  297. unsigned idx;
  298. u32 first, last;
  299. /* Find the matching extent */
  300. for (idx = 0; idx < extents; idx++) {
  301. first = map->extent[idx].lower_first;
  302. last = first + map->extent[idx].count - 1;
  303. if (id >= first && id <= last)
  304. return &map->extent[idx];
  305. }
  306. return NULL;
  307. }
  308. /**
  309. * map_id_up_max - Find idmap via binary search in ordered idmap array.
  310. * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
  311. */
  312. static struct uid_gid_extent *
  313. map_id_up_max(unsigned extents, struct uid_gid_map *map, u32 id)
  314. {
  315. struct idmap_key key;
  316. key.map_up = true;
  317. key.count = 1;
  318. key.id = id;
  319. return bsearch(&key, map->reverse, extents,
  320. sizeof(struct uid_gid_extent), cmp_map_id);
  321. }
  322. static u32 map_id_up(struct uid_gid_map *map, u32 id)
  323. {
  324. struct uid_gid_extent *extent;
  325. unsigned extents = map->nr_extents;
  326. smp_rmb();
  327. if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  328. extent = map_id_up_base(extents, map, id);
  329. else
  330. extent = map_id_up_max(extents, map, id);
  331. /* Map the id or note failure */
  332. if (extent)
  333. id = (id - extent->lower_first) + extent->first;
  334. else
  335. id = (u32) -1;
  336. return id;
  337. }
  338. /**
  339. * make_kuid - Map a user-namespace uid pair into a kuid.
  340. * @ns: User namespace that the uid is in
  341. * @uid: User identifier
  342. *
  343. * Maps a user-namespace uid pair into a kernel internal kuid,
  344. * and returns that kuid.
  345. *
  346. * When there is no mapping defined for the user-namespace uid
  347. * pair INVALID_UID is returned. Callers are expected to test
  348. * for and handle INVALID_UID being returned. INVALID_UID
  349. * may be tested for using uid_valid().
  350. */
  351. kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
  352. {
  353. /* Map the uid to a global kernel uid */
  354. return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
  355. }
  356. EXPORT_SYMBOL(make_kuid);
  357. /**
  358. * from_kuid - Create a uid from a kuid user-namespace pair.
  359. * @targ: The user namespace we want a uid in.
  360. * @kuid: The kernel internal uid to start with.
  361. *
  362. * Map @kuid into the user-namespace specified by @targ and
  363. * return the resulting uid.
  364. *
  365. * There is always a mapping into the initial user_namespace.
  366. *
  367. * If @kuid has no mapping in @targ (uid_t)-1 is returned.
  368. */
  369. uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
  370. {
  371. /* Map the uid from a global kernel uid */
  372. return map_id_up(&targ->uid_map, __kuid_val(kuid));
  373. }
  374. EXPORT_SYMBOL(from_kuid);
  375. /**
  376. * from_kuid_munged - Create a uid from a kuid user-namespace pair.
  377. * @targ: The user namespace we want a uid in.
  378. * @kuid: The kernel internal uid to start with.
  379. *
  380. * Map @kuid into the user-namespace specified by @targ and
  381. * return the resulting uid.
  382. *
  383. * There is always a mapping into the initial user_namespace.
  384. *
  385. * Unlike from_kuid from_kuid_munged never fails and always
  386. * returns a valid uid. This makes from_kuid_munged appropriate
  387. * for use in syscalls like stat and getuid where failing the
  388. * system call and failing to provide a valid uid are not an
  389. * options.
  390. *
  391. * If @kuid has no mapping in @targ overflowuid is returned.
  392. */
  393. uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
  394. {
  395. uid_t uid;
  396. uid = from_kuid(targ, kuid);
  397. if (uid == (uid_t) -1)
  398. uid = overflowuid;
  399. return uid;
  400. }
  401. EXPORT_SYMBOL(from_kuid_munged);
  402. /**
  403. * make_kgid - Map a user-namespace gid pair into a kgid.
  404. * @ns: User namespace that the gid is in
  405. * @gid: group identifier
  406. *
  407. * Maps a user-namespace gid pair into a kernel internal kgid,
  408. * and returns that kgid.
  409. *
  410. * When there is no mapping defined for the user-namespace gid
  411. * pair INVALID_GID is returned. Callers are expected to test
  412. * for and handle INVALID_GID being returned. INVALID_GID may be
  413. * tested for using gid_valid().
  414. */
  415. kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
  416. {
  417. /* Map the gid to a global kernel gid */
  418. return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
  419. }
  420. EXPORT_SYMBOL(make_kgid);
  421. /**
  422. * from_kgid - Create a gid from a kgid user-namespace pair.
  423. * @targ: The user namespace we want a gid in.
  424. * @kgid: The kernel internal gid to start with.
  425. *
  426. * Map @kgid into the user-namespace specified by @targ and
  427. * return the resulting gid.
  428. *
  429. * There is always a mapping into the initial user_namespace.
  430. *
  431. * If @kgid has no mapping in @targ (gid_t)-1 is returned.
  432. */
  433. gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
  434. {
  435. /* Map the gid from a global kernel gid */
  436. return map_id_up(&targ->gid_map, __kgid_val(kgid));
  437. }
  438. EXPORT_SYMBOL(from_kgid);
  439. /**
  440. * from_kgid_munged - Create a gid from a kgid user-namespace pair.
  441. * @targ: The user namespace we want a gid in.
  442. * @kgid: The kernel internal gid to start with.
  443. *
  444. * Map @kgid into the user-namespace specified by @targ and
  445. * return the resulting gid.
  446. *
  447. * There is always a mapping into the initial user_namespace.
  448. *
  449. * Unlike from_kgid from_kgid_munged never fails and always
  450. * returns a valid gid. This makes from_kgid_munged appropriate
  451. * for use in syscalls like stat and getgid where failing the
  452. * system call and failing to provide a valid gid are not options.
  453. *
  454. * If @kgid has no mapping in @targ overflowgid is returned.
  455. */
  456. gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
  457. {
  458. gid_t gid;
  459. gid = from_kgid(targ, kgid);
  460. if (gid == (gid_t) -1)
  461. gid = overflowgid;
  462. return gid;
  463. }
  464. EXPORT_SYMBOL(from_kgid_munged);
  465. /**
  466. * make_kprojid - Map a user-namespace projid pair into a kprojid.
  467. * @ns: User namespace that the projid is in
  468. * @projid: Project identifier
  469. *
  470. * Maps a user-namespace uid pair into a kernel internal kuid,
  471. * and returns that kuid.
  472. *
  473. * When there is no mapping defined for the user-namespace projid
  474. * pair INVALID_PROJID is returned. Callers are expected to test
  475. * for and handle INVALID_PROJID being returned. INVALID_PROJID
  476. * may be tested for using projid_valid().
  477. */
  478. kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
  479. {
  480. /* Map the uid to a global kernel uid */
  481. return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
  482. }
  483. EXPORT_SYMBOL(make_kprojid);
  484. /**
  485. * from_kprojid - Create a projid from a kprojid user-namespace pair.
  486. * @targ: The user namespace we want a projid in.
  487. * @kprojid: The kernel internal project identifier to start with.
  488. *
  489. * Map @kprojid into the user-namespace specified by @targ and
  490. * return the resulting projid.
  491. *
  492. * There is always a mapping into the initial user_namespace.
  493. *
  494. * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
  495. */
  496. projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
  497. {
  498. /* Map the uid from a global kernel uid */
  499. return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
  500. }
  501. EXPORT_SYMBOL(from_kprojid);
  502. /**
  503. * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
  504. * @targ: The user namespace we want a projid in.
  505. * @kprojid: The kernel internal projid to start with.
  506. *
  507. * Map @kprojid into the user-namespace specified by @targ and
  508. * return the resulting projid.
  509. *
  510. * There is always a mapping into the initial user_namespace.
  511. *
  512. * Unlike from_kprojid from_kprojid_munged never fails and always
  513. * returns a valid projid. This makes from_kprojid_munged
  514. * appropriate for use in syscalls like stat and where
  515. * failing the system call and failing to provide a valid projid are
  516. * not an options.
  517. *
  518. * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
  519. */
  520. projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
  521. {
  522. projid_t projid;
  523. projid = from_kprojid(targ, kprojid);
  524. if (projid == (projid_t) -1)
  525. projid = OVERFLOW_PROJID;
  526. return projid;
  527. }
  528. EXPORT_SYMBOL(from_kprojid_munged);
  529. static int uid_m_show(struct seq_file *seq, void *v)
  530. {
  531. struct user_namespace *ns = seq->private;
  532. struct uid_gid_extent *extent = v;
  533. struct user_namespace *lower_ns;
  534. uid_t lower;
  535. lower_ns = seq_user_ns(seq);
  536. if ((lower_ns == ns) && lower_ns->parent)
  537. lower_ns = lower_ns->parent;
  538. lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
  539. seq_printf(seq, "%10u %10u %10u\n",
  540. extent->first,
  541. lower,
  542. extent->count);
  543. return 0;
  544. }
  545. static int gid_m_show(struct seq_file *seq, void *v)
  546. {
  547. struct user_namespace *ns = seq->private;
  548. struct uid_gid_extent *extent = v;
  549. struct user_namespace *lower_ns;
  550. gid_t lower;
  551. lower_ns = seq_user_ns(seq);
  552. if ((lower_ns == ns) && lower_ns->parent)
  553. lower_ns = lower_ns->parent;
  554. lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
  555. seq_printf(seq, "%10u %10u %10u\n",
  556. extent->first,
  557. lower,
  558. extent->count);
  559. return 0;
  560. }
  561. static int projid_m_show(struct seq_file *seq, void *v)
  562. {
  563. struct user_namespace *ns = seq->private;
  564. struct uid_gid_extent *extent = v;
  565. struct user_namespace *lower_ns;
  566. projid_t lower;
  567. lower_ns = seq_user_ns(seq);
  568. if ((lower_ns == ns) && lower_ns->parent)
  569. lower_ns = lower_ns->parent;
  570. lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
  571. seq_printf(seq, "%10u %10u %10u\n",
  572. extent->first,
  573. lower,
  574. extent->count);
  575. return 0;
  576. }
  577. static void *m_start(struct seq_file *seq, loff_t *ppos,
  578. struct uid_gid_map *map)
  579. {
  580. loff_t pos = *ppos;
  581. unsigned extents = map->nr_extents;
  582. smp_rmb();
  583. if (pos >= extents)
  584. return NULL;
  585. if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  586. return &map->extent[pos];
  587. return &map->forward[pos];
  588. }
  589. static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
  590. {
  591. struct user_namespace *ns = seq->private;
  592. return m_start(seq, ppos, &ns->uid_map);
  593. }
  594. static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
  595. {
  596. struct user_namespace *ns = seq->private;
  597. return m_start(seq, ppos, &ns->gid_map);
  598. }
  599. static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
  600. {
  601. struct user_namespace *ns = seq->private;
  602. return m_start(seq, ppos, &ns->projid_map);
  603. }
  604. static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
  605. {
  606. (*pos)++;
  607. return seq->op->start(seq, pos);
  608. }
  609. static void m_stop(struct seq_file *seq, void *v)
  610. {
  611. return;
  612. }
  613. const struct seq_operations proc_uid_seq_operations = {
  614. .start = uid_m_start,
  615. .stop = m_stop,
  616. .next = m_next,
  617. .show = uid_m_show,
  618. };
  619. const struct seq_operations proc_gid_seq_operations = {
  620. .start = gid_m_start,
  621. .stop = m_stop,
  622. .next = m_next,
  623. .show = gid_m_show,
  624. };
  625. const struct seq_operations proc_projid_seq_operations = {
  626. .start = projid_m_start,
  627. .stop = m_stop,
  628. .next = m_next,
  629. .show = projid_m_show,
  630. };
  631. static bool mappings_overlap(struct uid_gid_map *new_map,
  632. struct uid_gid_extent *extent)
  633. {
  634. u32 upper_first, lower_first, upper_last, lower_last;
  635. unsigned idx;
  636. upper_first = extent->first;
  637. lower_first = extent->lower_first;
  638. upper_last = upper_first + extent->count - 1;
  639. lower_last = lower_first + extent->count - 1;
  640. for (idx = 0; idx < new_map->nr_extents; idx++) {
  641. u32 prev_upper_first, prev_lower_first;
  642. u32 prev_upper_last, prev_lower_last;
  643. struct uid_gid_extent *prev;
  644. if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  645. prev = &new_map->extent[idx];
  646. else
  647. prev = &new_map->forward[idx];
  648. prev_upper_first = prev->first;
  649. prev_lower_first = prev->lower_first;
  650. prev_upper_last = prev_upper_first + prev->count - 1;
  651. prev_lower_last = prev_lower_first + prev->count - 1;
  652. /* Does the upper range intersect a previous extent? */
  653. if ((prev_upper_first <= upper_last) &&
  654. (prev_upper_last >= upper_first))
  655. return true;
  656. /* Does the lower range intersect a previous extent? */
  657. if ((prev_lower_first <= lower_last) &&
  658. (prev_lower_last >= lower_first))
  659. return true;
  660. }
  661. return false;
  662. }
  663. /**
  664. * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
  665. * Takes care to allocate a 4K block of memory if the number of mappings exceeds
  666. * UID_GID_MAP_MAX_BASE_EXTENTS.
  667. */
  668. static int insert_extent(struct uid_gid_map *map, struct uid_gid_extent *extent)
  669. {
  670. struct uid_gid_extent *dest;
  671. if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) {
  672. struct uid_gid_extent *forward;
  673. /* Allocate memory for 340 mappings. */
  674. forward = kmalloc_array(UID_GID_MAP_MAX_EXTENTS,
  675. sizeof(struct uid_gid_extent),
  676. GFP_KERNEL);
  677. if (!forward)
  678. return -ENOMEM;
  679. /* Copy over memory. Only set up memory for the forward pointer.
  680. * Defer the memory setup for the reverse pointer.
  681. */
  682. memcpy(forward, map->extent,
  683. map->nr_extents * sizeof(map->extent[0]));
  684. map->forward = forward;
  685. map->reverse = NULL;
  686. }
  687. if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS)
  688. dest = &map->extent[map->nr_extents];
  689. else
  690. dest = &map->forward[map->nr_extents];
  691. *dest = *extent;
  692. map->nr_extents++;
  693. return 0;
  694. }
  695. /* cmp function to sort() forward mappings */
  696. static int cmp_extents_forward(const void *a, const void *b)
  697. {
  698. const struct uid_gid_extent *e1 = a;
  699. const struct uid_gid_extent *e2 = b;
  700. if (e1->first < e2->first)
  701. return -1;
  702. if (e1->first > e2->first)
  703. return 1;
  704. return 0;
  705. }
  706. /* cmp function to sort() reverse mappings */
  707. static int cmp_extents_reverse(const void *a, const void *b)
  708. {
  709. const struct uid_gid_extent *e1 = a;
  710. const struct uid_gid_extent *e2 = b;
  711. if (e1->lower_first < e2->lower_first)
  712. return -1;
  713. if (e1->lower_first > e2->lower_first)
  714. return 1;
  715. return 0;
  716. }
  717. /**
  718. * sort_idmaps - Sorts an array of idmap entries.
  719. * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
  720. */
  721. static int sort_idmaps(struct uid_gid_map *map)
  722. {
  723. if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  724. return 0;
  725. /* Sort forward array. */
  726. sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent),
  727. cmp_extents_forward, NULL);
  728. /* Only copy the memory from forward we actually need. */
  729. map->reverse = kmemdup(map->forward,
  730. map->nr_extents * sizeof(struct uid_gid_extent),
  731. GFP_KERNEL);
  732. if (!map->reverse)
  733. return -ENOMEM;
  734. /* Sort reverse array. */
  735. sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent),
  736. cmp_extents_reverse, NULL);
  737. return 0;
  738. }
  739. /**
  740. * verify_root_map() - check the uid 0 mapping
  741. * @file: idmapping file
  742. * @map_ns: user namespace of the target process
  743. * @new_map: requested idmap
  744. *
  745. * If a process requests mapping parent uid 0 into the new ns, verify that the
  746. * process writing the map had the CAP_SETFCAP capability as the target process
  747. * will be able to write fscaps that are valid in ancestor user namespaces.
  748. *
  749. * Return: true if the mapping is allowed, false if not.
  750. */
  751. static bool verify_root_map(const struct file *file,
  752. struct user_namespace *map_ns,
  753. struct uid_gid_map *new_map)
  754. {
  755. int idx;
  756. const struct user_namespace *file_ns = file->f_cred->user_ns;
  757. struct uid_gid_extent *extent0 = NULL;
  758. for (idx = 0; idx < new_map->nr_extents; idx++) {
  759. if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  760. extent0 = &new_map->extent[idx];
  761. else
  762. extent0 = &new_map->forward[idx];
  763. if (extent0->lower_first == 0)
  764. break;
  765. extent0 = NULL;
  766. }
  767. if (!extent0)
  768. return true;
  769. if (map_ns == file_ns) {
  770. /* The process unshared its ns and is writing to its own
  771. * /proc/self/uid_map. User already has full capabilites in
  772. * the new namespace. Verify that the parent had CAP_SETFCAP
  773. * when it unshared.
  774. * */
  775. if (!file_ns->parent_could_setfcap)
  776. return false;
  777. } else {
  778. /* Process p1 is writing to uid_map of p2, who is in a child
  779. * user namespace to p1's. Verify that the opener of the map
  780. * file has CAP_SETFCAP against the parent of the new map
  781. * namespace */
  782. if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP))
  783. return false;
  784. }
  785. return true;
  786. }
  787. static ssize_t map_write(struct file *file, const char __user *buf,
  788. size_t count, loff_t *ppos,
  789. int cap_setid,
  790. struct uid_gid_map *map,
  791. struct uid_gid_map *parent_map)
  792. {
  793. struct seq_file *seq = file->private_data;
  794. struct user_namespace *map_ns = seq->private;
  795. struct uid_gid_map new_map;
  796. unsigned idx;
  797. struct uid_gid_extent extent;
  798. char *kbuf = NULL, *pos, *next_line;
  799. ssize_t ret;
  800. /* Only allow < page size writes at the beginning of the file */
  801. if ((*ppos != 0) || (count >= PAGE_SIZE))
  802. return -EINVAL;
  803. /* Slurp in the user data */
  804. kbuf = memdup_user_nul(buf, count);
  805. if (IS_ERR(kbuf))
  806. return PTR_ERR(kbuf);
  807. /*
  808. * The userns_state_mutex serializes all writes to any given map.
  809. *
  810. * Any map is only ever written once.
  811. *
  812. * An id map fits within 1 cache line on most architectures.
  813. *
  814. * On read nothing needs to be done unless you are on an
  815. * architecture with a crazy cache coherency model like alpha.
  816. *
  817. * There is a one time data dependency between reading the
  818. * count of the extents and the values of the extents. The
  819. * desired behavior is to see the values of the extents that
  820. * were written before the count of the extents.
  821. *
  822. * To achieve this smp_wmb() is used on guarantee the write
  823. * order and smp_rmb() is guaranteed that we don't have crazy
  824. * architectures returning stale data.
  825. */
  826. mutex_lock(&userns_state_mutex);
  827. memset(&new_map, 0, sizeof(struct uid_gid_map));
  828. ret = -EPERM;
  829. /* Only allow one successful write to the map */
  830. if (map->nr_extents != 0)
  831. goto out;
  832. /*
  833. * Adjusting namespace settings requires capabilities on the target.
  834. */
  835. if (cap_valid(cap_setid) && !file_ns_capable(file, map_ns, CAP_SYS_ADMIN))
  836. goto out;
  837. /* Parse the user data */
  838. ret = -EINVAL;
  839. pos = kbuf;
  840. for (; pos; pos = next_line) {
  841. /* Find the end of line and ensure I don't look past it */
  842. next_line = strchr(pos, '\n');
  843. if (next_line) {
  844. *next_line = '\0';
  845. next_line++;
  846. if (*next_line == '\0')
  847. next_line = NULL;
  848. }
  849. pos = skip_spaces(pos);
  850. extent.first = simple_strtoul(pos, &pos, 10);
  851. if (!isspace(*pos))
  852. goto out;
  853. pos = skip_spaces(pos);
  854. extent.lower_first = simple_strtoul(pos, &pos, 10);
  855. if (!isspace(*pos))
  856. goto out;
  857. pos = skip_spaces(pos);
  858. extent.count = simple_strtoul(pos, &pos, 10);
  859. if (*pos && !isspace(*pos))
  860. goto out;
  861. /* Verify there is not trailing junk on the line */
  862. pos = skip_spaces(pos);
  863. if (*pos != '\0')
  864. goto out;
  865. /* Verify we have been given valid starting values */
  866. if ((extent.first == (u32) -1) ||
  867. (extent.lower_first == (u32) -1))
  868. goto out;
  869. /* Verify count is not zero and does not cause the
  870. * extent to wrap
  871. */
  872. if ((extent.first + extent.count) <= extent.first)
  873. goto out;
  874. if ((extent.lower_first + extent.count) <=
  875. extent.lower_first)
  876. goto out;
  877. /* Do the ranges in extent overlap any previous extents? */
  878. if (mappings_overlap(&new_map, &extent))
  879. goto out;
  880. if ((new_map.nr_extents + 1) == UID_GID_MAP_MAX_EXTENTS &&
  881. (next_line != NULL))
  882. goto out;
  883. ret = insert_extent(&new_map, &extent);
  884. if (ret < 0)
  885. goto out;
  886. ret = -EINVAL;
  887. }
  888. /* Be very certain the new map actually exists */
  889. if (new_map.nr_extents == 0)
  890. goto out;
  891. ret = -EPERM;
  892. /* Validate the user is allowed to use user id's mapped to. */
  893. if (!new_idmap_permitted(file, map_ns, cap_setid, &new_map))
  894. goto out;
  895. ret = -EPERM;
  896. /* Map the lower ids from the parent user namespace to the
  897. * kernel global id space.
  898. */
  899. for (idx = 0; idx < new_map.nr_extents; idx++) {
  900. struct uid_gid_extent *e;
  901. u32 lower_first;
  902. if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
  903. e = &new_map.extent[idx];
  904. else
  905. e = &new_map.forward[idx];
  906. lower_first = map_id_range_down(parent_map,
  907. e->lower_first,
  908. e->count);
  909. /* Fail if we can not map the specified extent to
  910. * the kernel global id space.
  911. */
  912. if (lower_first == (u32) -1)
  913. goto out;
  914. e->lower_first = lower_first;
  915. }
  916. /*
  917. * If we want to use binary search for lookup, this clones the extent
  918. * array and sorts both copies.
  919. */
  920. ret = sort_idmaps(&new_map);
  921. if (ret < 0)
  922. goto out;
  923. /* Install the map */
  924. if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
  925. memcpy(map->extent, new_map.extent,
  926. new_map.nr_extents * sizeof(new_map.extent[0]));
  927. } else {
  928. map->forward = new_map.forward;
  929. map->reverse = new_map.reverse;
  930. }
  931. smp_wmb();
  932. map->nr_extents = new_map.nr_extents;
  933. *ppos = count;
  934. ret = count;
  935. out:
  936. if (ret < 0 && new_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
  937. kfree(new_map.forward);
  938. kfree(new_map.reverse);
  939. map->forward = NULL;
  940. map->reverse = NULL;
  941. map->nr_extents = 0;
  942. }
  943. mutex_unlock(&userns_state_mutex);
  944. kfree(kbuf);
  945. return ret;
  946. }
  947. ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
  948. size_t size, loff_t *ppos)
  949. {
  950. struct seq_file *seq = file->private_data;
  951. struct user_namespace *ns = seq->private;
  952. struct user_namespace *seq_ns = seq_user_ns(seq);
  953. if (!ns->parent)
  954. return -EPERM;
  955. if ((seq_ns != ns) && (seq_ns != ns->parent))
  956. return -EPERM;
  957. return map_write(file, buf, size, ppos, CAP_SETUID,
  958. &ns->uid_map, &ns->parent->uid_map);
  959. }
  960. ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
  961. size_t size, loff_t *ppos)
  962. {
  963. struct seq_file *seq = file->private_data;
  964. struct user_namespace *ns = seq->private;
  965. struct user_namespace *seq_ns = seq_user_ns(seq);
  966. if (!ns->parent)
  967. return -EPERM;
  968. if ((seq_ns != ns) && (seq_ns != ns->parent))
  969. return -EPERM;
  970. return map_write(file, buf, size, ppos, CAP_SETGID,
  971. &ns->gid_map, &ns->parent->gid_map);
  972. }
  973. ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
  974. size_t size, loff_t *ppos)
  975. {
  976. struct seq_file *seq = file->private_data;
  977. struct user_namespace *ns = seq->private;
  978. struct user_namespace *seq_ns = seq_user_ns(seq);
  979. if (!ns->parent)
  980. return -EPERM;
  981. if ((seq_ns != ns) && (seq_ns != ns->parent))
  982. return -EPERM;
  983. /* Anyone can set any valid project id no capability needed */
  984. return map_write(file, buf, size, ppos, -1,
  985. &ns->projid_map, &ns->parent->projid_map);
  986. }
  987. static bool new_idmap_permitted(const struct file *file,
  988. struct user_namespace *ns, int cap_setid,
  989. struct uid_gid_map *new_map)
  990. {
  991. const struct cred *cred = file->f_cred;
  992. if (cap_setid == CAP_SETUID && !verify_root_map(file, ns, new_map))
  993. return false;
  994. /* Don't allow mappings that would allow anything that wouldn't
  995. * be allowed without the establishment of unprivileged mappings.
  996. */
  997. if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
  998. uid_eq(ns->owner, cred->euid)) {
  999. u32 id = new_map->extent[0].lower_first;
  1000. if (cap_setid == CAP_SETUID) {
  1001. kuid_t uid = make_kuid(ns->parent, id);
  1002. if (uid_eq(uid, cred->euid))
  1003. return true;
  1004. } else if (cap_setid == CAP_SETGID) {
  1005. kgid_t gid = make_kgid(ns->parent, id);
  1006. if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
  1007. gid_eq(gid, cred->egid))
  1008. return true;
  1009. }
  1010. }
  1011. /* Allow anyone to set a mapping that doesn't require privilege */
  1012. if (!cap_valid(cap_setid))
  1013. return true;
  1014. /* Allow the specified ids if we have the appropriate capability
  1015. * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
  1016. * And the opener of the id file also has the appropriate capability.
  1017. */
  1018. if (ns_capable(ns->parent, cap_setid) &&
  1019. file_ns_capable(file, ns->parent, cap_setid))
  1020. return true;
  1021. return false;
  1022. }
  1023. int proc_setgroups_show(struct seq_file *seq, void *v)
  1024. {
  1025. struct user_namespace *ns = seq->private;
  1026. unsigned long userns_flags = READ_ONCE(ns->flags);
  1027. seq_printf(seq, "%s\n",
  1028. (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
  1029. "allow" : "deny");
  1030. return 0;
  1031. }
  1032. ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
  1033. size_t count, loff_t *ppos)
  1034. {
  1035. struct seq_file *seq = file->private_data;
  1036. struct user_namespace *ns = seq->private;
  1037. char kbuf[8], *pos;
  1038. bool setgroups_allowed;
  1039. ssize_t ret;
  1040. /* Only allow a very narrow range of strings to be written */
  1041. ret = -EINVAL;
  1042. if ((*ppos != 0) || (count >= sizeof(kbuf)))
  1043. goto out;
  1044. /* What was written? */
  1045. ret = -EFAULT;
  1046. if (copy_from_user(kbuf, buf, count))
  1047. goto out;
  1048. kbuf[count] = '\0';
  1049. pos = kbuf;
  1050. /* What is being requested? */
  1051. ret = -EINVAL;
  1052. if (strncmp(pos, "allow", 5) == 0) {
  1053. pos += 5;
  1054. setgroups_allowed = true;
  1055. }
  1056. else if (strncmp(pos, "deny", 4) == 0) {
  1057. pos += 4;
  1058. setgroups_allowed = false;
  1059. }
  1060. else
  1061. goto out;
  1062. /* Verify there is not trailing junk on the line */
  1063. pos = skip_spaces(pos);
  1064. if (*pos != '\0')
  1065. goto out;
  1066. ret = -EPERM;
  1067. mutex_lock(&userns_state_mutex);
  1068. if (setgroups_allowed) {
  1069. /* Enabling setgroups after setgroups has been disabled
  1070. * is not allowed.
  1071. */
  1072. if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
  1073. goto out_unlock;
  1074. } else {
  1075. /* Permanently disabling setgroups after setgroups has
  1076. * been enabled by writing the gid_map is not allowed.
  1077. */
  1078. if (ns->gid_map.nr_extents != 0)
  1079. goto out_unlock;
  1080. ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
  1081. }
  1082. mutex_unlock(&userns_state_mutex);
  1083. /* Report a successful write */
  1084. *ppos = count;
  1085. ret = count;
  1086. out:
  1087. return ret;
  1088. out_unlock:
  1089. mutex_unlock(&userns_state_mutex);
  1090. goto out;
  1091. }
  1092. bool userns_may_setgroups(const struct user_namespace *ns)
  1093. {
  1094. bool allowed;
  1095. mutex_lock(&userns_state_mutex);
  1096. /* It is not safe to use setgroups until a gid mapping in
  1097. * the user namespace has been established.
  1098. */
  1099. allowed = ns->gid_map.nr_extents != 0;
  1100. /* Is setgroups allowed? */
  1101. allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
  1102. mutex_unlock(&userns_state_mutex);
  1103. return allowed;
  1104. }
  1105. /*
  1106. * Returns true if @child is the same namespace or a descendant of
  1107. * @ancestor.
  1108. */
  1109. bool in_userns(const struct user_namespace *ancestor,
  1110. const struct user_namespace *child)
  1111. {
  1112. const struct user_namespace *ns;
  1113. for (ns = child; ns->level > ancestor->level; ns = ns->parent)
  1114. ;
  1115. return (ns == ancestor);
  1116. }
  1117. bool current_in_userns(const struct user_namespace *target_ns)
  1118. {
  1119. return in_userns(target_ns, current_user_ns());
  1120. }
  1121. EXPORT_SYMBOL(current_in_userns);
  1122. static inline struct user_namespace *to_user_ns(struct ns_common *ns)
  1123. {
  1124. return container_of(ns, struct user_namespace, ns);
  1125. }
  1126. static struct ns_common *userns_get(struct task_struct *task)
  1127. {
  1128. struct user_namespace *user_ns;
  1129. rcu_read_lock();
  1130. user_ns = get_user_ns(__task_cred(task)->user_ns);
  1131. rcu_read_unlock();
  1132. return user_ns ? &user_ns->ns : NULL;
  1133. }
  1134. static void userns_put(struct ns_common *ns)
  1135. {
  1136. put_user_ns(to_user_ns(ns));
  1137. }
  1138. static int userns_install(struct nsset *nsset, struct ns_common *ns)
  1139. {
  1140. struct user_namespace *user_ns = to_user_ns(ns);
  1141. struct cred *cred;
  1142. /* Don't allow gaining capabilities by reentering
  1143. * the same user namespace.
  1144. */
  1145. if (user_ns == current_user_ns())
  1146. return -EINVAL;
  1147. /* Tasks that share a thread group must share a user namespace */
  1148. if (!thread_group_empty(current))
  1149. return -EINVAL;
  1150. if (current->fs->users != 1)
  1151. return -EINVAL;
  1152. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  1153. return -EPERM;
  1154. cred = nsset_cred(nsset);
  1155. if (!cred)
  1156. return -EINVAL;
  1157. put_user_ns(cred->user_ns);
  1158. set_cred_user_ns(cred, get_user_ns(user_ns));
  1159. if (set_cred_ucounts(cred) < 0)
  1160. return -EINVAL;
  1161. return 0;
  1162. }
  1163. struct ns_common *ns_get_owner(struct ns_common *ns)
  1164. {
  1165. struct user_namespace *my_user_ns = current_user_ns();
  1166. struct user_namespace *owner, *p;
  1167. /* See if the owner is in the current user namespace */
  1168. owner = p = ns->ops->owner(ns);
  1169. for (;;) {
  1170. if (!p)
  1171. return ERR_PTR(-EPERM);
  1172. if (p == my_user_ns)
  1173. break;
  1174. p = p->parent;
  1175. }
  1176. return &get_user_ns(owner)->ns;
  1177. }
  1178. static struct user_namespace *userns_owner(struct ns_common *ns)
  1179. {
  1180. return to_user_ns(ns)->parent;
  1181. }
  1182. const struct proc_ns_operations userns_operations = {
  1183. .name = "user",
  1184. .type = CLONE_NEWUSER,
  1185. .get = userns_get,
  1186. .put = userns_put,
  1187. .install = userns_install,
  1188. .owner = userns_owner,
  1189. .get_parent = ns_get_owner,
  1190. };
  1191. static __init int user_namespaces_init(void)
  1192. {
  1193. user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC | SLAB_ACCOUNT);
  1194. return 0;
  1195. }
  1196. subsys_initcall(user_namespaces_init);