kernel/user_namespace.c

/*
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/export.h>
#include <linux/nsproxy.h>
#include <linux/slab.h>
#include <linux/user_namespace.h>
#include <linux/proc_ns.h>
#include <linux/highuid.h>
#include <linux/cred.h>
#include <linux/securebits.h>
#include <linux/keyctl.h>
#include <linux/key-type.h>
#include <keys/user-type.h>
#include <linux/seq_file.h>
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <linux/ctype.h>
#include <linux/projid.h>
#include <linux/fs_struct.h>

static struct kmem_cache *user_ns_cachep __read_mostly;

static bool new_idmap_permitted(const struct file *file,
                struct user_namespace *ns, int cap_setid,
                struct uid_gid_map *map);

static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
{
    /* Start with the same capabilities as init but useless for doing
     * anything as the capabilities are bound to the new user namespace.
     */
    cred->securebits = SECUREBITS_DEFAULT;
    cred->cap_inheritable = CAP_EMPTY_SET;
    cred->cap_permitted = CAP_FULL_SET;
    cred->cap_effective = CAP_FULL_SET;
    cred->cap_bset = CAP_FULL_SET;
#ifdef CONFIG_KEYS
    key_put(cred->request_key_auth);
    cred->request_key_auth = NULL;
#endif
    /* tgcred will be cleared in our caller because CLONE_THREAD won't be set */
    cred->user_ns = user_ns;
}

/*
 * Create a new user namespace, deriving the creator from the user in the
 * passed credentials, and replacing that user with the new root user for the
 * new namespace.
 *
 * This is called by copy_creds(), which will finish setting the target task's
 * credentials.
 */
int create_user_ns(struct cred *new)
{
    struct user_namespace *ns, *parent_ns = new->user_ns;
    kuid_t owner = new->euid;
    kgid_t group = new->egid;
    int ret;

    if (parent_ns->level > 32)
        return -EUSERS;

    /*
     * Verify that we do not violate the file-access policy imposed
     * by the root directory, by verifying that the root directory
     * is at the root of the mount namespace, which allows all files
     * to be accessed.
     */
    if (current_chrooted())
        return -EPERM;

    /* The creator needs a mapping in the parent user namespace
     * or else we won't be able to reasonably tell userspace who
     * created a user_namespace.
     */
    if (!kuid_has_mapping(parent_ns, owner) ||
        !kgid_has_mapping(parent_ns, group))
        return -EPERM;

    ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
    if (!ns)
        return -ENOMEM;

    ret = proc_alloc_inum(&ns->proc_inum);
    if (ret) {
        kmem_cache_free(user_ns_cachep, ns);
        return ret;
    }

    atomic_set(&ns->count, 1);
    /* Leave the new->user_ns reference with the new user namespace. */
    ns->parent = parent_ns;
    ns->level = parent_ns->level + 1;
    ns->owner = owner;
    ns->group = group;

    set_cred_user_ns(new, ns);

#ifdef CONFIG_PERSISTENT_KEYRINGS
    init_rwsem(&ns->persistent_keyring_register_sem);
#endif
    return 0;
}

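/*
 * Helper for unshare(CLONE_NEWUSER): prepare a fresh set of credentials
 * with a newly created user namespace hung off of them.  On success the
 * new credentials are handed back through @new_cred.
 */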
int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
{
    struct cred *cred;
    int err = -ENOMEM;

    if (!(unshare_flags & CLONE_NEWUSER))
        return 0;

    cred = prepare_creds();
    if (cred) {
        err = create_user_ns(cred);
        if (err)
            put_cred(cred);
        else
            *new_cred = cred;
    }

    return err;
}

void free_user_ns(struct user_namespace *ns)
{
    struct user_namespace *parent;

    do {
        parent = ns->parent;
#ifdef CONFIG_PERSISTENT_KEYRINGS
        key_put(ns->persistent_keyring_register);
#endif
        proc_free_inum(ns->proc_inum);
        kmem_cache_free(user_ns_cachep, ns);
        ns = parent;
    } while (atomic_dec_and_test(&parent->count));
}
EXPORT_SYMBOL(free_user_ns);

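/*
 * Map the contiguous id range [id, id + count - 1] down into the kernel
 * id space.  The whole range must fit inside a single extent; on success
 * the mapped value of @id is returned, otherwise (u32) -1.
 */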
static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
{
    unsigned idx, extents;
    u32 first, last, id2;

    id2 = id + count - 1;

    /* Find the matching extent */
    extents = map->nr_extents;
    smp_rmb();
    for (idx = 0; idx < extents; idx++) {
        first = map->extent[idx].first;
        last = first + map->extent[idx].count - 1;
        if (id >= first && id <= last &&
            (id2 >= first && id2 <= last))
            break;
    }
    /* Map the id or note failure */
    if (idx < extents)
        id = (id - first) + map->extent[idx].lower_first;
    else
        id = (u32) -1;

    return id;
}

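/*
 * Map a single id from the namespace-visible (upper) range down into the
 * kernel id space, or return (u32) -1 if no extent covers it.
 */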
static u32 map_id_down(struct uid_gid_map *map, u32 id)
{
    unsigned idx, extents;
    u32 first, last;

    /* Find the matching extent */
    extents = map->nr_extents;
    smp_rmb();
    for (idx = 0; idx < extents; idx++) {
        first = map->extent[idx].first;
        last = first + map->extent[idx].count - 1;
        if (id >= first && id <= last)
            break;
    }
    /* Map the id or note failure */
    if (idx < extents)
        id = (id - first) + map->extent[idx].lower_first;
    else
        id = (u32) -1;

    return id;
}

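/*
 * Map a single kernel id back up into the namespace-visible (upper)
 * range, or return (u32) -1 if no extent covers it.
 */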
static u32 map_id_up(struct uid_gid_map *map, u32 id)
{
    unsigned idx, extents;
    u32 first, last;

    /* Find the matching extent */
    extents = map->nr_extents;
    smp_rmb();
    for (idx = 0; idx < extents; idx++) {
        first = map->extent[idx].lower_first;
        last = first + map->extent[idx].count - 1;
        if (id >= first && id <= last)
            break;
    }
    /* Map the id or note failure */
    if (idx < extents)
        id = (id - first) + map->extent[idx].first;
    else
        id = (u32) -1;

    return id;
}

/**
 * make_kuid - Map a user-namespace uid pair into a kuid.
 * @ns: User namespace that the uid is in
 * @uid: User identifier
 *
 * Maps a user-namespace uid pair into a kernel internal kuid,
 * and returns that kuid.
 *
 * When there is no mapping defined for the user-namespace uid
 * pair INVALID_UID is returned. Callers are expected to test
 * for and handle INVALID_UID being returned. INVALID_UID
 * may be tested for using uid_valid().
 */
kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
{
    /* Map the uid to a global kernel uid */
    return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
}
EXPORT_SYMBOL(make_kuid);

/**
 * from_kuid - Create a uid from a kuid user-namespace pair.
 * @targ: The user namespace we want a uid in.
 * @kuid: The kernel internal uid to start with.
 *
 * Map @kuid into the user-namespace specified by @targ and
 * return the resulting uid.
 *
 * There is always a mapping into the initial user_namespace.
 *
 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
 */
uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
{
    /* Map the uid from a global kernel uid */
    return map_id_up(&targ->uid_map, __kuid_val(kuid));
}
EXPORT_SYMBOL(from_kuid);

/**
 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
 * @targ: The user namespace we want a uid in.
 * @kuid: The kernel internal uid to start with.
 *
 * Map @kuid into the user-namespace specified by @targ and
 * return the resulting uid.
 *
 * There is always a mapping into the initial user_namespace.
 *
 * Unlike from_kuid, from_kuid_munged never fails and always
 * returns a valid uid. This makes from_kuid_munged appropriate
 * for use in syscalls like stat and getuid where failing the
 * system call and failing to provide a valid uid are not
 * options.
 *
 * If @kuid has no mapping in @targ overflowuid is returned.
 */
uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
{
    uid_t uid;
    uid = from_kuid(targ, kuid);

    if (uid == (uid_t) -1)
        uid = overflowuid;
    return uid;
}
EXPORT_SYMBOL(from_kuid_munged);

/**
 * make_kgid - Map a user-namespace gid pair into a kgid.
 * @ns: User namespace that the gid is in
 * @gid: Group identifier
 *
 * Maps a user-namespace gid pair into a kernel internal kgid,
 * and returns that kgid.
 *
 * When there is no mapping defined for the user-namespace gid
 * pair INVALID_GID is returned. Callers are expected to test
 * for and handle INVALID_GID being returned. INVALID_GID may be
 * tested for using gid_valid().
 */
kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
{
    /* Map the gid to a global kernel gid */
    return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
}
EXPORT_SYMBOL(make_kgid);

/**
 * from_kgid - Create a gid from a kgid user-namespace pair.
 * @targ: The user namespace we want a gid in.
 * @kgid: The kernel internal gid to start with.
 *
 * Map @kgid into the user-namespace specified by @targ and
 * return the resulting gid.
 *
 * There is always a mapping into the initial user_namespace.
 *
 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
 */
gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
{
    /* Map the gid from a global kernel gid */
    return map_id_up(&targ->gid_map, __kgid_val(kgid));
}
EXPORT_SYMBOL(from_kgid);

/**
 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
 * @targ: The user namespace we want a gid in.
 * @kgid: The kernel internal gid to start with.
 *
 * Map @kgid into the user-namespace specified by @targ and
 * return the resulting gid.
 *
 * There is always a mapping into the initial user_namespace.
 *
 * Unlike from_kgid, from_kgid_munged never fails and always
 * returns a valid gid. This makes from_kgid_munged appropriate
 * for use in syscalls like stat and getgid where failing the
 * system call and failing to provide a valid gid are not options.
 *
 * If @kgid has no mapping in @targ overflowgid is returned.
 */
gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
{
    gid_t gid;
    gid = from_kgid(targ, kgid);

    if (gid == (gid_t) -1)
        gid = overflowgid;
    return gid;
}
EXPORT_SYMBOL(from_kgid_munged);

/**
 * make_kprojid - Map a user-namespace projid pair into a kprojid.
 * @ns: User namespace that the projid is in
 * @projid: Project identifier
 *
 * Maps a user-namespace projid pair into a kernel internal kprojid,
 * and returns that kprojid.
 *
 * When there is no mapping defined for the user-namespace projid
 * pair INVALID_PROJID is returned. Callers are expected to test
 * for and handle INVALID_PROJID being returned. INVALID_PROJID
 * may be tested for using projid_valid().
 */
kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
{
    /* Map the projid to a global kernel projid */
    return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
}
EXPORT_SYMBOL(make_kprojid);

/**
 * from_kprojid - Create a projid from a kprojid user-namespace pair.
 * @targ: The user namespace we want a projid in.
 * @kprojid: The kernel internal project identifier to start with.
 *
 * Map @kprojid into the user-namespace specified by @targ and
 * return the resulting projid.
 *
 * There is always a mapping into the initial user_namespace.
 *
 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
 */
projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
{
    /* Map the projid from a global kernel projid */
    return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
}
EXPORT_SYMBOL(from_kprojid);

/**
 * from_kprojid_munged - Create a projid from a kprojid user-namespace pair.
 * @targ: The user namespace we want a projid in.
 * @kprojid: The kernel internal projid to start with.
 *
 * Map @kprojid into the user-namespace specified by @targ and
 * return the resulting projid.
 *
 * There is always a mapping into the initial user_namespace.
 *
 * Unlike from_kprojid, from_kprojid_munged never fails and always
 * returns a valid projid. This makes from_kprojid_munged
 * appropriate for use in syscalls like stat, where failing the
 * system call and failing to provide a valid projid are not
 * options.
 *
 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
 */
projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
{
    projid_t projid;
    projid = from_kprojid(targ, kprojid);

    if (projid == (projid_t) -1)
        projid = OVERFLOW_PROJID;
    return projid;
}
EXPORT_SYMBOL(from_kprojid_munged);

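/*
 * seq_file show handlers for /proc/<pid>/uid_map, gid_map and projid_map.
 * Each extent is printed as three columns:
 *
 *     <first id inside the namespace> <first id as seen by the reader> <count>
 *
 * When the file is read from inside the mapped namespace itself, the
 * second column is expressed in the parent namespace instead.
 */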
static int uid_m_show(struct seq_file *seq, void *v)
{
    struct user_namespace *ns = seq->private;
    struct uid_gid_extent *extent = v;
    struct user_namespace *lower_ns;
    uid_t lower;

    lower_ns = seq_user_ns(seq);
    if ((lower_ns == ns) && lower_ns->parent)
        lower_ns = lower_ns->parent;

    lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));

    seq_printf(seq, "%10u %10u %10u\n",
        extent->first,
        lower,
        extent->count);

    return 0;
}

static int gid_m_show(struct seq_file *seq, void *v)
{
    struct user_namespace *ns = seq->private;
    struct uid_gid_extent *extent = v;
    struct user_namespace *lower_ns;
    gid_t lower;

    lower_ns = seq_user_ns(seq);
    if ((lower_ns == ns) && lower_ns->parent)
        lower_ns = lower_ns->parent;

    lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));

    seq_printf(seq, "%10u %10u %10u\n",
        extent->first,
        lower,
        extent->count);

    return 0;
}

static int projid_m_show(struct seq_file *seq, void *v)
{
    struct user_namespace *ns = seq->private;
    struct uid_gid_extent *extent = v;
    struct user_namespace *lower_ns;
    projid_t lower;

    lower_ns = seq_user_ns(seq);
    if ((lower_ns == ns) && lower_ns->parent)
        lower_ns = lower_ns->parent;

    lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));

    seq_printf(seq, "%10u %10u %10u\n",
        extent->first,
        lower,
        extent->count);

    return 0;
}

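/*
 * seq_file iterator helpers: each iteration position corresponds to one
 * extent of the map being shown, so walking the file simply indexes
 * map->extent[] until nr_extents entries have been emitted.
 */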
static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
{
    struct uid_gid_extent *extent = NULL;
    loff_t pos = *ppos;

    if (pos < map->nr_extents)
        extent = &map->extent[pos];

    return extent;
}

static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
{
    struct user_namespace *ns = seq->private;

    return m_start(seq, ppos, &ns->uid_map);
}

static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
{
    struct user_namespace *ns = seq->private;

    return m_start(seq, ppos, &ns->gid_map);
}

static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
{
    struct user_namespace *ns = seq->private;

    return m_start(seq, ppos, &ns->projid_map);
}

static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
{
    (*pos)++;
    return seq->op->start(seq, pos);
}

static void m_stop(struct seq_file *seq, void *v)
{
    return;
}

struct seq_operations proc_uid_seq_operations = {
    .start = uid_m_start,
    .stop = m_stop,
    .next = m_next,
    .show = uid_m_show,
};

struct seq_operations proc_gid_seq_operations = {
    .start = gid_m_start,
    .stop = m_stop,
    .next = m_next,
    .show = gid_m_show,
};

struct seq_operations proc_projid_seq_operations = {
    .start = projid_m_start,
    .stop = m_stop,
    .next = m_next,
    .show = projid_m_show,
};

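/*
 * Check whether either the upper or the lower id range of @extent
 * intersects an extent already accepted into @new_map.  Overlapping
 * ranges would make a mapping ambiguous, so the caller rejects them.
 */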
static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent *extent)
{
    u32 upper_first, lower_first, upper_last, lower_last;
    unsigned idx;

    upper_first = extent->first;
    lower_first = extent->lower_first;
    upper_last = upper_first + extent->count - 1;
    lower_last = lower_first + extent->count - 1;

    for (idx = 0; idx < new_map->nr_extents; idx++) {
        u32 prev_upper_first, prev_lower_first;
        u32 prev_upper_last, prev_lower_last;
        struct uid_gid_extent *prev;

        prev = &new_map->extent[idx];

        prev_upper_first = prev->first;
        prev_lower_first = prev->lower_first;
        prev_upper_last = prev_upper_first + prev->count - 1;
        prev_lower_last = prev_lower_first + prev->count - 1;

        /* Does the upper range intersect a previous extent? */
        if ((prev_upper_first <= upper_last) &&
            (prev_upper_last >= upper_first))
            return true;

        /* Does the lower range intersect a previous extent? */
        if ((prev_lower_first <= lower_last) &&
            (prev_lower_last >= lower_first))
            return true;
    }
    return false;
}


static DEFINE_MUTEX(id_map_mutex);

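/*
 * Writes to /proc/<pid>/{uid,gid,projid}_map consist of one extent per
 * line in the form
 *
 *     <first id inside the namespace> <first id in the parent namespace> <count>
 *
 * for example "0 100000 65536\n".  At most UID_GID_MAP_MAX_EXTENTS
 * extents are accepted, the write must happen in a single call at
 * offset 0, and each map may only be written once.
 */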
static ssize_t map_write(struct file *file, const char __user *buf,
             size_t count, loff_t *ppos,
             int cap_setid,
             struct uid_gid_map *map,
             struct uid_gid_map *parent_map)
{
    struct seq_file *seq = file->private_data;
    struct user_namespace *ns = seq->private;
    struct uid_gid_map new_map;
    unsigned idx;
    struct uid_gid_extent *extent = NULL;
    unsigned long page = 0;
    char *kbuf, *pos, *next_line;
    ssize_t ret = -EINVAL;

    /*
     * The id_map_mutex serializes all writes to any given map.
     *
     * Any map is only ever written once.
     *
     * An id map fits within 1 cache line on most architectures.
     *
     * On read nothing needs to be done unless you are on an
     * architecture with a crazy cache coherency model like alpha.
     *
     * There is a one time data dependency between reading the
     * count of the extents and the values of the extents. The
     * desired behavior is to see the values of the extents that
     * were written before the count of the extents.
     *
     * To achieve this smp_wmb() is used to guarantee the write
     * order and smp_rmb() guarantees that we do not see stale data
     * on architectures that could otherwise return it.
     */
    mutex_lock(&id_map_mutex);

    ret = -EPERM;
    /* Only allow one successful write to the map */
    if (map->nr_extents != 0)
        goto out;

    /*
     * Adjusting namespace settings requires capabilities on the target.
     */
    if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
        goto out;

    /* Get a buffer */
    ret = -ENOMEM;
    page = __get_free_page(GFP_TEMPORARY);
    kbuf = (char *) page;
    if (!page)
        goto out;

    /* Only allow <= page size writes at the beginning of the file */
    ret = -EINVAL;
    if ((*ppos != 0) || (count >= PAGE_SIZE))
        goto out;

    /* Slurp in the user data */
    ret = -EFAULT;
    if (copy_from_user(kbuf, buf, count))
        goto out;
    kbuf[count] = '\0';

    /* Parse the user data */
    ret = -EINVAL;
    pos = kbuf;
    new_map.nr_extents = 0;
    for (; pos; pos = next_line) {
        extent = &new_map.extent[new_map.nr_extents];

        /* Find the end of line and ensure we don't look past it */
        next_line = strchr(pos, '\n');
        if (next_line) {
            *next_line = '\0';
            next_line++;
            if (*next_line == '\0')
                next_line = NULL;
        }

        pos = skip_spaces(pos);
        extent->first = simple_strtoul(pos, &pos, 10);
        if (!isspace(*pos))
            goto out;

        pos = skip_spaces(pos);
        extent->lower_first = simple_strtoul(pos, &pos, 10);
        if (!isspace(*pos))
            goto out;

        pos = skip_spaces(pos);
        extent->count = simple_strtoul(pos, &pos, 10);
        if (*pos && !isspace(*pos))
            goto out;

        /* Verify there is no trailing junk on the line */
        pos = skip_spaces(pos);
        if (*pos != '\0')
            goto out;

        /* Verify we have been given valid starting values */
        if ((extent->first == (u32) -1) ||
            (extent->lower_first == (u32) -1))
            goto out;

        /* Verify count is not zero and does not cause the extent to wrap */
        if ((extent->first + extent->count) <= extent->first)
            goto out;
        if ((extent->lower_first + extent->count) <= extent->lower_first)
            goto out;

        /* Do the ranges in extent overlap any previous extents? */
        if (mappings_overlap(&new_map, extent))
            goto out;

        new_map.nr_extents++;

        /* Fail if the file contains too many extents */
        if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
            (next_line != NULL))
            goto out;
    }
    /* Be very certain the new map actually exists */
    if (new_map.nr_extents == 0)
        goto out;

    ret = -EPERM;
    /* Validate that the writer is allowed to use the ids being mapped to. */
    if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
        goto out;

    /* Map the lower ids from the parent user namespace to the
     * kernel global id space.
     */
    for (idx = 0; idx < new_map.nr_extents; idx++) {
        u32 lower_first;
        extent = &new_map.extent[idx];

        lower_first = map_id_range_down(parent_map,
                        extent->lower_first,
                        extent->count);

        /* Fail if we can not map the specified extent to
         * the kernel global id space.
         */
        if (lower_first == (u32) -1)
            goto out;

        extent->lower_first = lower_first;
    }

    /* Install the map */
    memcpy(map->extent, new_map.extent,
        new_map.nr_extents * sizeof(new_map.extent[0]));
    smp_wmb();
    map->nr_extents = new_map.nr_extents;

    *ppos = count;
    ret = count;
out:
    mutex_unlock(&id_map_mutex);
    if (page)
        free_page(page);
    return ret;
}

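/*
 * Write handlers for /proc/<pid>/{uid,gid,projid}_map.  A map may be
 * written from inside the namespace itself or from its direct parent;
 * the initial namespace (which has no parent) cannot be remapped.
 */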
ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
{
    struct seq_file *seq = file->private_data;
    struct user_namespace *ns = seq->private;
    struct user_namespace *seq_ns = seq_user_ns(seq);

    if (!ns->parent)
        return -EPERM;

    if ((seq_ns != ns) && (seq_ns != ns->parent))
        return -EPERM;

    return map_write(file, buf, size, ppos, CAP_SETUID,
             &ns->uid_map, &ns->parent->uid_map);
}

ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
{
    struct seq_file *seq = file->private_data;
    struct user_namespace *ns = seq->private;
    struct user_namespace *seq_ns = seq_user_ns(seq);

    if (!ns->parent)
        return -EPERM;

    if ((seq_ns != ns) && (seq_ns != ns->parent))
        return -EPERM;

    return map_write(file, buf, size, ppos, CAP_SETGID,
             &ns->gid_map, &ns->parent->gid_map);
}

ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
{
    struct seq_file *seq = file->private_data;
    struct user_namespace *ns = seq->private;
    struct user_namespace *seq_ns = seq_user_ns(seq);

    if (!ns->parent)
        return -EPERM;

    if ((seq_ns != ns) && (seq_ns != ns->parent))
        return -EPERM;

    /* Anyone can set any valid project id; no capability needed */
    return map_write(file, buf, size, ppos, -1,
             &ns->projid_map, &ns->parent->projid_map);
}

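/*
 * Policy check for installing a new id mapping: a single-id mapping to
 * the opener's own fsuid/fsgid is always allowed, mappings that need no
 * privilege (project ids) are always allowed, and everything else
 * requires the relevant capability (CAP_SETUID or CAP_SETGID) over the
 * parent user namespace for both the current task and the file opener.
 */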
static bool new_idmap_permitted(const struct file *file,
                struct user_namespace *ns, int cap_setid,
                struct uid_gid_map *new_map)
{
    /* Allow mapping to your own filesystem ids */
    if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
        u32 id = new_map->extent[0].lower_first;
        if (cap_setid == CAP_SETUID) {
            kuid_t uid = make_kuid(ns->parent, id);
            if (uid_eq(uid, file->f_cred->fsuid))
                return true;
        } else if (cap_setid == CAP_SETGID) {
            kgid_t gid = make_kgid(ns->parent, id);
            if (gid_eq(gid, file->f_cred->fsgid))
                return true;
        }
    }

    /* Allow anyone to set a mapping that doesn't require privilege */
    if (!cap_valid(cap_setid))
        return true;

    /* Allow the specified ids if we have the appropriate capability
     * (CAP_SETUID or CAP_SETGID) over the parent user namespace,
     * and the opener of the id file also had the appropriate capability.
     */
    if (ns_capable(ns->parent, cap_setid) &&
        file_ns_capable(file, ns->parent, cap_setid))
        return true;

    return false;
}

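/*
 * /proc/<pid>/ns/user support used by setns(2): get/put pin a user
 * namespace, install switches the caller's credentials into it.  The
 * install path refuses to re-enter the current namespace and only
 * succeeds for single-threaded tasks that hold CAP_SYS_ADMIN in the
 * target namespace.
 */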
static void *userns_get(struct task_struct *task)
{
    struct user_namespace *user_ns;

    rcu_read_lock();
    user_ns = get_user_ns(__task_cred(task)->user_ns);
    rcu_read_unlock();

    return user_ns;
}

static void userns_put(void *ns)
{
    put_user_ns(ns);
}

static int userns_install(struct nsproxy *nsproxy, void *ns)
{
    struct user_namespace *user_ns = ns;
    struct cred *cred;

    /* Don't allow gaining capabilities by reentering
     * the same user namespace.
     */
    if (user_ns == current_user_ns())
        return -EINVAL;

    /* Threaded processes may not enter a different user namespace */
    if (atomic_read(&current->mm->mm_users) > 1)
        return -EINVAL;

    if (current->fs->users != 1)
        return -EINVAL;

    if (!ns_capable(user_ns, CAP_SYS_ADMIN))
        return -EPERM;

    cred = prepare_creds();
    if (!cred)
        return -ENOMEM;

    put_user_ns(cred->user_ns);
    set_cred_user_ns(cred, get_user_ns(user_ns));

    return commit_creds(cred);
}

static unsigned int userns_inum(void *ns)
{
    struct user_namespace *user_ns = ns;
    return user_ns->proc_inum;
}

const struct proc_ns_operations userns_operations = {
    .name = "user",
    .type = CLONE_NEWUSER,
    .get = userns_get,
    .put = userns_put,
    .install = userns_install,
    .inum = userns_inum,
};

static __init int user_namespaces_init(void)
{
    user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
    return 0;
}
subsys_initcall(user_namespaces_init);
