search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 3.12.39
[linux/fpc-iii.git] / kernel / user_namespace.c
blobc09fe8b87cb01c1302aeca8af263de46ec8a7047
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
28
29 static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
32
33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
34 {
35 /* Start with the same capabilities as init but useless for doing
36 * anything as the capabilities are bound to the new user namespace.
37 */
38 cred->securebits = SECUREBITS_DEFAULT;
39 cred->cap_inheritable = CAP_EMPTY_SET;
40 cred->cap_permitted = CAP_FULL_SET;
41 cred->cap_effective = CAP_FULL_SET;
42 cred->cap_bset = CAP_FULL_SET;
43 #ifdef CONFIG_KEYS
44 key_put(cred->request_key_auth);
45 cred->request_key_auth = NULL;
46 #endif
47 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
48 cred->user_ns = user_ns;
49 }
50
51 /*
52 * Create a new user namespace, deriving the creator from the user in the
53 * passed credentials, and replacing that user with the new root user for the
54 * new namespace.
55 *
56 * This is called by copy_creds(), which will finish setting the target task's
57 * credentials.
58 */
59 int create_user_ns(struct cred *new)
60 {
61 struct user_namespace *ns, *parent_ns = new->user_ns;
62 kuid_t owner = new->euid;
63 kgid_t group = new->egid;
64 int ret;
65
66 if (parent_ns->level > 32)
67 return -EUSERS;
68
69 /*
70 * Verify that we can not violate the policy of which files
71 * may be accessed that is specified by the root directory,
72 * by verifing that the root directory is at the root of the
73 * mount namespace which allows all files to be accessed.
74 */
75 if (current_chrooted())
76 return -EPERM;
77
78 /* The creator needs a mapping in the parent user namespace
79 * or else we won't be able to reasonably tell userspace who
80 * created a user_namespace.
81 */
82 if (!kuid_has_mapping(parent_ns, owner) ||
83 !kgid_has_mapping(parent_ns, group))
84 return -EPERM;
85
86 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
87 if (!ns)
88 return -ENOMEM;
89
90 ret = proc_alloc_inum(&ns->proc_inum);
91 if (ret) {
92 kmem_cache_free(user_ns_cachep, ns);
93 return ret;
94 }
95
96 atomic_set(&ns->count, 1);
97 /* Leave the new->user_ns reference with the new user namespace. */
98 ns->parent = parent_ns;
99 ns->level = parent_ns->level + 1;
100 ns->owner = owner;
101 ns->group = group;
102
103 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
104 mutex_lock(&userns_state_mutex);
105 ns->flags = parent_ns->flags;
106 mutex_unlock(&userns_state_mutex);
107
108 set_cred_user_ns(new, ns);
109
110 return 0;
111 }
112
113 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
114 {
115 struct cred *cred;
116 int err = -ENOMEM;
117
118 if (!(unshare_flags & CLONE_NEWUSER))
119 return 0;
120
121 cred = prepare_creds();
122 if (cred) {
123 err = create_user_ns(cred);
124 if (err)
125 put_cred(cred);
126 else
127 *new_cred = cred;
128 }
129
130 return err;
131 }
132
133 void free_user_ns(struct user_namespace *ns)
134 {
135 struct user_namespace *parent;
136
137 do {
138 parent = ns->parent;
139 proc_free_inum(ns->proc_inum);
140 kmem_cache_free(user_ns_cachep, ns);
141 ns = parent;
142 } while (atomic_dec_and_test(&parent->count));
143 }
144 EXPORT_SYMBOL(free_user_ns);
145
146 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
147 {
148 unsigned idx, extents;
149 u32 first, last, id2;
150
151 id2 = id + count - 1;
152
153 /* Find the matching extent */
154 extents = map->nr_extents;
155 smp_rmb();
156 for (idx = 0; idx < extents; idx++) {
157 first = map->extent[idx].first;
158 last = first + map->extent[idx].count - 1;
159 if (id >= first && id <= last &&
160 (id2 >= first && id2 <= last))
161 break;
162 }
163 /* Map the id or note failure */
164 if (idx < extents)
165 id = (id - first) + map->extent[idx].lower_first;
166 else
167 id = (u32) -1;
168
169 return id;
170 }
171
172 static u32 map_id_down(struct uid_gid_map *map, u32 id)
173 {
174 unsigned idx, extents;
175 u32 first, last;
176
177 /* Find the matching extent */
178 extents = map->nr_extents;
179 smp_rmb();
180 for (idx = 0; idx < extents; idx++) {
181 first = map->extent[idx].first;
182 last = first + map->extent[idx].count - 1;
183 if (id >= first && id <= last)
184 break;
185 }
186 /* Map the id or note failure */
187 if (idx < extents)
188 id = (id - first) + map->extent[idx].lower_first;
189 else
190 id = (u32) -1;
191
192 return id;
193 }
194
195 static u32 map_id_up(struct uid_gid_map *map, u32 id)
196 {
197 unsigned idx, extents;
198 u32 first, last;
199
200 /* Find the matching extent */
201 extents = map->nr_extents;
202 smp_rmb();
203 for (idx = 0; idx < extents; idx++) {
204 first = map->extent[idx].lower_first;
205 last = first + map->extent[idx].count - 1;
206 if (id >= first && id <= last)
207 break;
208 }
209 /* Map the id or note failure */
210 if (idx < extents)
211 id = (id - first) + map->extent[idx].first;
212 else
213 id = (u32) -1;
214
215 return id;
216 }
217
218 /**
219 * make_kuid - Map a user-namespace uid pair into a kuid.
220 * @ns: User namespace that the uid is in
221 * @uid: User identifier
222 *
223 * Maps a user-namespace uid pair into a kernel internal kuid,
224 * and returns that kuid.
225 *
226 * When there is no mapping defined for the user-namespace uid
227 * pair INVALID_UID is returned. Callers are expected to test
228 * for and handle handle INVALID_UID being returned. INVALID_UID
229 * may be tested for using uid_valid().
230 */
231 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
232 {
233 /* Map the uid to a global kernel uid */
234 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
235 }
236 EXPORT_SYMBOL(make_kuid);
237
238 /**
239 * from_kuid - Create a uid from a kuid user-namespace pair.
240 * @targ: The user namespace we want a uid in.
241 * @kuid: The kernel internal uid to start with.
242 *
243 * Map @kuid into the user-namespace specified by @targ and
244 * return the resulting uid.
245 *
246 * There is always a mapping into the initial user_namespace.
247 *
248 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
249 */
250 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
251 {
252 /* Map the uid from a global kernel uid */
253 return map_id_up(&targ->uid_map, __kuid_val(kuid));
254 }
255 EXPORT_SYMBOL(from_kuid);
256
257 /**
258 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
259 * @targ: The user namespace we want a uid in.
260 * @kuid: The kernel internal uid to start with.
261 *
262 * Map @kuid into the user-namespace specified by @targ and
263 * return the resulting uid.
264 *
265 * There is always a mapping into the initial user_namespace.
266 *
267 * Unlike from_kuid from_kuid_munged never fails and always
268 * returns a valid uid. This makes from_kuid_munged appropriate
269 * for use in syscalls like stat and getuid where failing the
270 * system call and failing to provide a valid uid are not an
271 * options.
272 *
273 * If @kuid has no mapping in @targ overflowuid is returned.
274 */
275 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
276 {
277 uid_t uid;
278 uid = from_kuid(targ, kuid);
279
280 if (uid == (uid_t) -1)
281 uid = overflowuid;
282 return uid;
283 }
284 EXPORT_SYMBOL(from_kuid_munged);
285
286 /**
287 * make_kgid - Map a user-namespace gid pair into a kgid.
288 * @ns: User namespace that the gid is in
289 * @uid: group identifier
290 *
291 * Maps a user-namespace gid pair into a kernel internal kgid,
292 * and returns that kgid.
293 *
294 * When there is no mapping defined for the user-namespace gid
295 * pair INVALID_GID is returned. Callers are expected to test
296 * for and handle INVALID_GID being returned. INVALID_GID may be
297 * tested for using gid_valid().
298 */
299 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
300 {
301 /* Map the gid to a global kernel gid */
302 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
303 }
304 EXPORT_SYMBOL(make_kgid);
305
306 /**
307 * from_kgid - Create a gid from a kgid user-namespace pair.
308 * @targ: The user namespace we want a gid in.
309 * @kgid: The kernel internal gid to start with.
310 *
311 * Map @kgid into the user-namespace specified by @targ and
312 * return the resulting gid.
313 *
314 * There is always a mapping into the initial user_namespace.
315 *
316 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
317 */
318 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
319 {
320 /* Map the gid from a global kernel gid */
321 return map_id_up(&targ->gid_map, __kgid_val(kgid));
322 }
323 EXPORT_SYMBOL(from_kgid);
324
325 /**
326 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
327 * @targ: The user namespace we want a gid in.
328 * @kgid: The kernel internal gid to start with.
329 *
330 * Map @kgid into the user-namespace specified by @targ and
331 * return the resulting gid.
332 *
333 * There is always a mapping into the initial user_namespace.
334 *
335 * Unlike from_kgid from_kgid_munged never fails and always
336 * returns a valid gid. This makes from_kgid_munged appropriate
337 * for use in syscalls like stat and getgid where failing the
338 * system call and failing to provide a valid gid are not options.
339 *
340 * If @kgid has no mapping in @targ overflowgid is returned.
341 */
342 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
343 {
344 gid_t gid;
345 gid = from_kgid(targ, kgid);
346
347 if (gid == (gid_t) -1)
348 gid = overflowgid;
349 return gid;
350 }
351 EXPORT_SYMBOL(from_kgid_munged);
352
353 /**
354 * make_kprojid - Map a user-namespace projid pair into a kprojid.
355 * @ns: User namespace that the projid is in
356 * @projid: Project identifier
357 *
358 * Maps a user-namespace uid pair into a kernel internal kuid,
359 * and returns that kuid.
360 *
361 * When there is no mapping defined for the user-namespace projid
362 * pair INVALID_PROJID is returned. Callers are expected to test
363 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
364 * may be tested for using projid_valid().
365 */
366 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
367 {
368 /* Map the uid to a global kernel uid */
369 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
370 }
371 EXPORT_SYMBOL(make_kprojid);
372
373 /**
374 * from_kprojid - Create a projid from a kprojid user-namespace pair.
375 * @targ: The user namespace we want a projid in.
376 * @kprojid: The kernel internal project identifier to start with.
377 *
378 * Map @kprojid into the user-namespace specified by @targ and
379 * return the resulting projid.
380 *
381 * There is always a mapping into the initial user_namespace.
382 *
383 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
384 */
385 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
386 {
387 /* Map the uid from a global kernel uid */
388 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
389 }
390 EXPORT_SYMBOL(from_kprojid);
391
392 /**
393 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
394 * @targ: The user namespace we want a projid in.
395 * @kprojid: The kernel internal projid to start with.
396 *
397 * Map @kprojid into the user-namespace specified by @targ and
398 * return the resulting projid.
399 *
400 * There is always a mapping into the initial user_namespace.
401 *
402 * Unlike from_kprojid from_kprojid_munged never fails and always
403 * returns a valid projid. This makes from_kprojid_munged
404 * appropriate for use in syscalls like stat and where
405 * failing the system call and failing to provide a valid projid are
406 * not an options.
407 *
408 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
409 */
410 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
411 {
412 projid_t projid;
413 projid = from_kprojid(targ, kprojid);
414
415 if (projid == (projid_t) -1)
416 projid = OVERFLOW_PROJID;
417 return projid;
418 }
419 EXPORT_SYMBOL(from_kprojid_munged);
420
421
422 static int uid_m_show(struct seq_file *seq, void *v)
423 {
424 struct user_namespace *ns = seq->private;
425 struct uid_gid_extent *extent = v;
426 struct user_namespace *lower_ns;
427 uid_t lower;
428
429 lower_ns = seq_user_ns(seq);
430 if ((lower_ns == ns) && lower_ns->parent)
431 lower_ns = lower_ns->parent;
432
433 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
434
435 seq_printf(seq, "%10u %10u %10u\n",
436 extent->first,
437 lower,
438 extent->count);
439
440 return 0;
441 }
442
443 static int gid_m_show(struct seq_file *seq, void *v)
444 {
445 struct user_namespace *ns = seq->private;
446 struct uid_gid_extent *extent = v;
447 struct user_namespace *lower_ns;
448 gid_t lower;
449
450 lower_ns = seq_user_ns(seq);
451 if ((lower_ns == ns) && lower_ns->parent)
452 lower_ns = lower_ns->parent;
453
454 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
455
456 seq_printf(seq, "%10u %10u %10u\n",
457 extent->first,
458 lower,
459 extent->count);
460
461 return 0;
462 }
463
464 static int projid_m_show(struct seq_file *seq, void *v)
465 {
466 struct user_namespace *ns = seq->private;
467 struct uid_gid_extent *extent = v;
468 struct user_namespace *lower_ns;
469 projid_t lower;
470
471 lower_ns = seq_user_ns(seq);
472 if ((lower_ns == ns) && lower_ns->parent)
473 lower_ns = lower_ns->parent;
474
475 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
476
477 seq_printf(seq, "%10u %10u %10u\n",
478 extent->first,
479 lower,
480 extent->count);
481
482 return 0;
483 }
484
485 static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
486 {
487 struct uid_gid_extent *extent = NULL;
488 loff_t pos = *ppos;
489
490 if (pos < map->nr_extents)
491 extent = &map->extent[pos];
492
493 return extent;
494 }
495
496 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
497 {
498 struct user_namespace *ns = seq->private;
499
500 return m_start(seq, ppos, &ns->uid_map);
501 }
502
503 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
504 {
505 struct user_namespace *ns = seq->private;
506
507 return m_start(seq, ppos, &ns->gid_map);
508 }
509
510 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
511 {
512 struct user_namespace *ns = seq->private;
513
514 return m_start(seq, ppos, &ns->projid_map);
515 }
516
517 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
518 {
519 (*pos)++;
520 return seq->op->start(seq, pos);
521 }
522
523 static void m_stop(struct seq_file *seq, void *v)
524 {
525 return;
526 }
527
528 struct seq_operations proc_uid_seq_operations = {
529 .start = uid_m_start,
530 .stop = m_stop,
531 .next = m_next,
532 .show = uid_m_show,
533 };
534
535 struct seq_operations proc_gid_seq_operations = {
536 .start = gid_m_start,
537 .stop = m_stop,
538 .next = m_next,
539 .show = gid_m_show,
540 };
541
542 struct seq_operations proc_projid_seq_operations = {
543 .start = projid_m_start,
544 .stop = m_stop,
545 .next = m_next,
546 .show = projid_m_show,
547 };
548
549 static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent *extent)
550 {
551 u32 upper_first, lower_first, upper_last, lower_last;
552 unsigned idx;
553
554 upper_first = extent->first;
555 lower_first = extent->lower_first;
556 upper_last = upper_first + extent->count - 1;
557 lower_last = lower_first + extent->count - 1;
558
559 for (idx = 0; idx < new_map->nr_extents; idx++) {
560 u32 prev_upper_first, prev_lower_first;
561 u32 prev_upper_last, prev_lower_last;
562 struct uid_gid_extent *prev;
563
564 prev = &new_map->extent[idx];
565
566 prev_upper_first = prev->first;
567 prev_lower_first = prev->lower_first;
568 prev_upper_last = prev_upper_first + prev->count - 1;
569 prev_lower_last = prev_lower_first + prev->count - 1;
570
571 /* Does the upper range intersect a previous extent? */
572 if ((prev_upper_first <= upper_last) &&
573 (prev_upper_last >= upper_first))
574 return true;
575
576 /* Does the lower range intersect a previous extent? */
577 if ((prev_lower_first <= lower_last) &&
578 (prev_lower_last >= lower_first))
579 return true;
580 }
581 return false;
582 }
583
584 static ssize_t map_write(struct file *file, const char __user *buf,
585 size_t count, loff_t *ppos,
586 int cap_setid,
587 struct uid_gid_map *map,
588 struct uid_gid_map *parent_map)
589 {
590 struct seq_file *seq = file->private_data;
591 struct user_namespace *ns = seq->private;
592 struct uid_gid_map new_map;
593 unsigned idx;
594 struct uid_gid_extent *extent = NULL;
595 unsigned long page = 0;
596 char *kbuf, *pos, *next_line;
597 ssize_t ret = -EINVAL;
598
599 /*
600 * The userns_state_mutex serializes all writes to any given map.
601 *
602 * Any map is only ever written once.
603 *
604 * An id map fits within 1 cache line on most architectures.
605 *
606 * On read nothing needs to be done unless you are on an
607 * architecture with a crazy cache coherency model like alpha.
608 *
609 * There is a one time data dependency between reading the
610 * count of the extents and the values of the extents. The
611 * desired behavior is to see the values of the extents that
612 * were written before the count of the extents.
613 *
614 * To achieve this smp_wmb() is used on guarantee the write
615 * order and smp_rmb() is guaranteed that we don't have crazy
616 * architectures returning stale data.
617 */
618 mutex_lock(&userns_state_mutex);
619
620 ret = -EPERM;
621 /* Only allow one successful write to the map */
622 if (map->nr_extents != 0)
623 goto out;
624
625 /*
626 * Adjusting namespace settings requires capabilities on the target.
627 */
628 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
629 goto out;
630
631 /* Get a buffer */
632 ret = -ENOMEM;
633 page = __get_free_page(GFP_TEMPORARY);
634 kbuf = (char *) page;
635 if (!page)
636 goto out;
637
638 /* Only allow <= page size writes at the beginning of the file */
639 ret = -EINVAL;
640 if ((*ppos != 0) || (count >= PAGE_SIZE))
641 goto out;
642
643 /* Slurp in the user data */
644 ret = -EFAULT;
645 if (copy_from_user(kbuf, buf, count))
646 goto out;
647 kbuf[count] = '\0';
648
649 /* Parse the user data */
650 ret = -EINVAL;
651 pos = kbuf;
652 new_map.nr_extents = 0;
653 for (;pos; pos = next_line) {
654 extent = &new_map.extent[new_map.nr_extents];
655
656 /* Find the end of line and ensure I don't look past it */
657 next_line = strchr(pos, '\n');
658 if (next_line) {
659 *next_line = '\0';
660 next_line++;
661 if (*next_line == '\0')
662 next_line = NULL;
663 }
664
665 pos = skip_spaces(pos);
666 extent->first = simple_strtoul(pos, &pos, 10);
667 if (!isspace(*pos))
668 goto out;
669
670 pos = skip_spaces(pos);
671 extent->lower_first = simple_strtoul(pos, &pos, 10);
672 if (!isspace(*pos))
673 goto out;
674
675 pos = skip_spaces(pos);
676 extent->count = simple_strtoul(pos, &pos, 10);
677 if (*pos && !isspace(*pos))
678 goto out;
679
680 /* Verify there is not trailing junk on the line */
681 pos = skip_spaces(pos);
682 if (*pos != '\0')
683 goto out;
684
685 /* Verify we have been given valid starting values */
686 if ((extent->first == (u32) -1) ||
687 (extent->lower_first == (u32) -1 ))
688 goto out;
689
690 /* Verify count is not zero and does not cause the extent to wrap */
691 if ((extent->first + extent->count) <= extent->first)
692 goto out;
693 if ((extent->lower_first + extent->count) <= extent->lower_first)
694 goto out;
695
696 /* Do the ranges in extent overlap any previous extents? */
697 if (mappings_overlap(&new_map, extent))
698 goto out;
699
700 new_map.nr_extents++;
701
702 /* Fail if the file contains too many extents */
703 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
704 (next_line != NULL))
705 goto out;
706 }
707 /* Be very certaint the new map actually exists */
708 if (new_map.nr_extents == 0)
709 goto out;
710
711 ret = -EPERM;
712 /* Validate the user is allowed to use user id's mapped to. */
713 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
714 goto out;
715
716 /* Map the lower ids from the parent user namespace to the
717 * kernel global id space.
718 */
719 for (idx = 0; idx < new_map.nr_extents; idx++) {
720 u32 lower_first;
721 extent = &new_map.extent[idx];
722
723 lower_first = map_id_range_down(parent_map,
724 extent->lower_first,
725 extent->count);
726
727 /* Fail if we can not map the specified extent to
728 * the kernel global id space.
729 */
730 if (lower_first == (u32) -1)
731 goto out;
732
733 extent->lower_first = lower_first;
734 }
735
736 /* Install the map */
737 memcpy(map->extent, new_map.extent,
738 new_map.nr_extents*sizeof(new_map.extent[0]));
739 smp_wmb();
740 map->nr_extents = new_map.nr_extents;
741
742 *ppos = count;
743 ret = count;
744 out:
745 mutex_unlock(&userns_state_mutex);
746 if (page)
747 free_page(page);
748 return ret;
749 }
750
751 ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
752 {
753 struct seq_file *seq = file->private_data;
754 struct user_namespace *ns = seq->private;
755 struct user_namespace *seq_ns = seq_user_ns(seq);
756
757 if (!ns->parent)
758 return -EPERM;
759
760 if ((seq_ns != ns) && (seq_ns != ns->parent))
761 return -EPERM;
762
763 return map_write(file, buf, size, ppos, CAP_SETUID,
764 &ns->uid_map, &ns->parent->uid_map);
765 }
766
767 ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
768 {
769 struct seq_file *seq = file->private_data;
770 struct user_namespace *ns = seq->private;
771 struct user_namespace *seq_ns = seq_user_ns(seq);
772
773 if (!ns->parent)
774 return -EPERM;
775
776 if ((seq_ns != ns) && (seq_ns != ns->parent))
777 return -EPERM;
778
779 return map_write(file, buf, size, ppos, CAP_SETGID,
780 &ns->gid_map, &ns->parent->gid_map);
781 }
782
783 ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
784 {
785 struct seq_file *seq = file->private_data;
786 struct user_namespace *ns = seq->private;
787 struct user_namespace *seq_ns = seq_user_ns(seq);
788
789 if (!ns->parent)
790 return -EPERM;
791
792 if ((seq_ns != ns) && (seq_ns != ns->parent))
793 return -EPERM;
794
795 /* Anyone can set any valid project id no capability needed */
796 return map_write(file, buf, size, ppos, -1,
797 &ns->projid_map, &ns->parent->projid_map);
798 }
799
800 static bool new_idmap_permitted(const struct file *file,
801 struct user_namespace *ns, int cap_setid,
802 struct uid_gid_map *new_map)
803 {
804 const struct cred *cred = file->f_cred;
805 /* Don't allow mappings that would allow anything that wouldn't
806 * be allowed without the establishment of unprivileged mappings.
807 */
808 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
809 uid_eq(ns->owner, cred->euid)) {
810 u32 id = new_map->extent[0].lower_first;
811 if (cap_setid == CAP_SETUID) {
812 kuid_t uid = make_kuid(ns->parent, id);
813 if (uid_eq(uid, cred->euid))
814 return true;
815 } else if (cap_setid == CAP_SETGID) {
816 kgid_t gid = make_kgid(ns->parent, id);
817 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
818 gid_eq(gid, cred->egid))
819 return true;
820 }
821 }
822
823 /* Allow anyone to set a mapping that doesn't require privilege */
824 if (!cap_valid(cap_setid))
825 return true;
826
827 /* Allow the specified ids if we have the appropriate capability
828 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
829 * And the opener of the id file also had the approprpiate capability.
830 */
831 if (ns_capable(ns->parent, cap_setid) &&
832 file_ns_capable(file, ns->parent, cap_setid))
833 return true;
834
835 return false;
836 }
837
838 int proc_setgroups_show(struct seq_file *seq, void *v)
839 {
840 struct user_namespace *ns = seq->private;
841 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
842
843 seq_printf(seq, "%s\n",
844 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
845 "allow" : "deny");
846 return 0;
847 }
848
849 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
850 size_t count, loff_t *ppos)
851 {
852 struct seq_file *seq = file->private_data;
853 struct user_namespace *ns = seq->private;
854 char kbuf[8], *pos;
855 bool setgroups_allowed;
856 ssize_t ret;
857
858 /* Only allow a very narrow range of strings to be written */
859 ret = -EINVAL;
860 if ((*ppos != 0) || (count >= sizeof(kbuf)))
861 goto out;
862
863 /* What was written? */
864 ret = -EFAULT;
865 if (copy_from_user(kbuf, buf, count))
866 goto out;
867 kbuf[count] = '\0';
868 pos = kbuf;
869
870 /* What is being requested? */
871 ret = -EINVAL;
872 if (strncmp(pos, "allow", 5) == 0) {
873 pos += 5;
874 setgroups_allowed = true;
875 }
876 else if (strncmp(pos, "deny", 4) == 0) {
877 pos += 4;
878 setgroups_allowed = false;
879 }
880 else
881 goto out;
882
883 /* Verify there is not trailing junk on the line */
884 pos = skip_spaces(pos);
885 if (*pos != '\0')
886 goto out;
887
888 ret = -EPERM;
889 mutex_lock(&userns_state_mutex);
890 if (setgroups_allowed) {
891 /* Enabling setgroups after setgroups has been disabled
892 * is not allowed.
893 */
894 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
895 goto out_unlock;
896 } else {
897 /* Permanently disabling setgroups after setgroups has
898 * been enabled by writing the gid_map is not allowed.
899 */
900 if (ns->gid_map.nr_extents != 0)
901 goto out_unlock;
902 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
903 }
904 mutex_unlock(&userns_state_mutex);
905
906 /* Report a successful write */
907 *ppos = count;
908 ret = count;
909 out:
910 return ret;
911 out_unlock:
912 mutex_unlock(&userns_state_mutex);
913 goto out;
914 }
915
916 bool userns_may_setgroups(const struct user_namespace *ns)
917 {
918 bool allowed;
919
920 mutex_lock(&userns_state_mutex);
921 /* It is not safe to use setgroups until a gid mapping in
922 * the user namespace has been established.
923 */
924 allowed = ns->gid_map.nr_extents != 0;
925 /* Is setgroups allowed? */
926 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
927 mutex_unlock(&userns_state_mutex);
928
929 return allowed;
930 }
931
932 static void *userns_get(struct task_struct *task)
933 {
934 struct user_namespace *user_ns;
935
936 rcu_read_lock();
937 user_ns = get_user_ns(__task_cred(task)->user_ns);
938 rcu_read_unlock();
939
940 return user_ns;
941 }
942
943 static void userns_put(void *ns)
944 {
945 put_user_ns(ns);
946 }
947
948 static int userns_install(struct nsproxy *nsproxy, void *ns)
949 {
950 struct user_namespace *user_ns = ns;
951 struct cred *cred;
952
953 /* Don't allow gaining capabilities by reentering
954 * the same user namespace.
955 */
956 if (user_ns == current_user_ns())
957 return -EINVAL;
958
959 /* Threaded processes may not enter a different user namespace */
960 if (atomic_read(&current->mm->mm_users) > 1)
961 return -EINVAL;
962
963 if (current->fs->users != 1)
964 return -EINVAL;
965
966 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
967 return -EPERM;
968
969 cred = prepare_creds();
970 if (!cred)
971 return -ENOMEM;
972
973 put_user_ns(cred->user_ns);
974 set_cred_user_ns(cred, get_user_ns(user_ns));
975
976 return commit_creds(cred);
977 }
978
979 static unsigned int userns_inum(void *ns)
980 {
981 struct user_namespace *user_ns = ns;
982 return user_ns->proc_inum;
983 }
984
985 const struct proc_ns_operations userns_operations = {
986 .name = "user",
987 .type = CLONE_NEWUSER,
988 .get = userns_get,
989 .put = userns_put,
990 .install = userns_install,
991 .inum = userns_inum,
992 };
993
994 static __init int user_namespaces_init(void)
995 {
996 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
997 return 0;
998 }
999 module_init(user_namespaces_init);
Linux with added FPC-III support