xfrm: policy: check policy direction value
[linux/fpc-iii.git] / kernel / user_namespace.c
blob86b7854fec8ee0df88e3bf7d499859993915b8c0
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
29 static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
32 static void free_user_ns(struct work_struct *work);
34 static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
36 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
39 static void dec_user_namespaces(struct ucounts *ucounts)
41 return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
44 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
46 /* Start with the same capabilities as init but useless for doing
47 * anything as the capabilities are bound to the new user namespace.
49 cred->securebits = SECUREBITS_DEFAULT;
50 cred->cap_inheritable = CAP_EMPTY_SET;
51 cred->cap_permitted = CAP_FULL_SET;
52 cred->cap_effective = CAP_FULL_SET;
53 cred->cap_ambient = CAP_EMPTY_SET;
54 cred->cap_bset = CAP_FULL_SET;
55 #ifdef CONFIG_KEYS
56 key_put(cred->request_key_auth);
57 cred->request_key_auth = NULL;
58 #endif
59 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
60 cred->user_ns = user_ns;
64 * Create a new user namespace, deriving the creator from the user in the
65 * passed credentials, and replacing that user with the new root user for the
66 * new namespace.
68 * This is called by copy_creds(), which will finish setting the target task's
69 * credentials.
71 int create_user_ns(struct cred *new)
73 struct user_namespace *ns, *parent_ns = new->user_ns;
74 kuid_t owner = new->euid;
75 kgid_t group = new->egid;
76 struct ucounts *ucounts;
77 int ret, i;
79 ret = -ENOSPC;
80 if (parent_ns->level > 32)
81 goto fail;
83 ucounts = inc_user_namespaces(parent_ns, owner);
84 if (!ucounts)
85 goto fail;
88 * Verify that we can not violate the policy of which files
89 * may be accessed that is specified by the root directory,
90 * by verifing that the root directory is at the root of the
91 * mount namespace which allows all files to be accessed.
93 ret = -EPERM;
94 if (current_chrooted())
95 goto fail_dec;
97 /* The creator needs a mapping in the parent user namespace
98 * or else we won't be able to reasonably tell userspace who
99 * created a user_namespace.
101 ret = -EPERM;
102 if (!kuid_has_mapping(parent_ns, owner) ||
103 !kgid_has_mapping(parent_ns, group))
104 goto fail_dec;
106 ret = -ENOMEM;
107 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
108 if (!ns)
109 goto fail_dec;
111 ret = ns_alloc_inum(&ns->ns);
112 if (ret)
113 goto fail_free;
114 ns->ns.ops = &userns_operations;
116 atomic_set(&ns->count, 1);
117 /* Leave the new->user_ns reference with the new user namespace. */
118 ns->parent = parent_ns;
119 ns->level = parent_ns->level + 1;
120 ns->owner = owner;
121 ns->group = group;
122 INIT_WORK(&ns->work, free_user_ns);
123 for (i = 0; i < UCOUNT_COUNTS; i++) {
124 ns->ucount_max[i] = INT_MAX;
126 ns->ucounts = ucounts;
128 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
129 mutex_lock(&userns_state_mutex);
130 ns->flags = parent_ns->flags;
131 mutex_unlock(&userns_state_mutex);
133 #ifdef CONFIG_PERSISTENT_KEYRINGS
134 init_rwsem(&ns->persistent_keyring_register_sem);
135 #endif
136 ret = -ENOMEM;
137 if (!setup_userns_sysctls(ns))
138 goto fail_keyring;
140 set_cred_user_ns(new, ns);
141 return 0;
142 fail_keyring:
143 #ifdef CONFIG_PERSISTENT_KEYRINGS
144 key_put(ns->persistent_keyring_register);
145 #endif
146 ns_free_inum(&ns->ns);
147 fail_free:
148 kmem_cache_free(user_ns_cachep, ns);
149 fail_dec:
150 dec_user_namespaces(ucounts);
151 fail:
152 return ret;
155 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
157 struct cred *cred;
158 int err = -ENOMEM;
160 if (!(unshare_flags & CLONE_NEWUSER))
161 return 0;
163 cred = prepare_creds();
164 if (cred) {
165 err = create_user_ns(cred);
166 if (err)
167 put_cred(cred);
168 else
169 *new_cred = cred;
172 return err;
175 static void free_user_ns(struct work_struct *work)
177 struct user_namespace *parent, *ns =
178 container_of(work, struct user_namespace, work);
180 do {
181 struct ucounts *ucounts = ns->ucounts;
182 parent = ns->parent;
183 retire_userns_sysctls(ns);
184 #ifdef CONFIG_PERSISTENT_KEYRINGS
185 key_put(ns->persistent_keyring_register);
186 #endif
187 ns_free_inum(&ns->ns);
188 kmem_cache_free(user_ns_cachep, ns);
189 dec_user_namespaces(ucounts);
190 ns = parent;
191 } while (atomic_dec_and_test(&parent->count));
194 void __put_user_ns(struct user_namespace *ns)
196 schedule_work(&ns->work);
198 EXPORT_SYMBOL(__put_user_ns);
200 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
202 unsigned idx, extents;
203 u32 first, last, id2;
205 id2 = id + count - 1;
207 /* Find the matching extent */
208 extents = map->nr_extents;
209 smp_rmb();
210 for (idx = 0; idx < extents; idx++) {
211 first = map->extent[idx].first;
212 last = first + map->extent[idx].count - 1;
213 if (id >= first && id <= last &&
214 (id2 >= first && id2 <= last))
215 break;
217 /* Map the id or note failure */
218 if (idx < extents)
219 id = (id - first) + map->extent[idx].lower_first;
220 else
221 id = (u32) -1;
223 return id;
226 static u32 map_id_down(struct uid_gid_map *map, u32 id)
228 unsigned idx, extents;
229 u32 first, last;
231 /* Find the matching extent */
232 extents = map->nr_extents;
233 smp_rmb();
234 for (idx = 0; idx < extents; idx++) {
235 first = map->extent[idx].first;
236 last = first + map->extent[idx].count - 1;
237 if (id >= first && id <= last)
238 break;
240 /* Map the id or note failure */
241 if (idx < extents)
242 id = (id - first) + map->extent[idx].lower_first;
243 else
244 id = (u32) -1;
246 return id;
249 static u32 map_id_up(struct uid_gid_map *map, u32 id)
251 unsigned idx, extents;
252 u32 first, last;
254 /* Find the matching extent */
255 extents = map->nr_extents;
256 smp_rmb();
257 for (idx = 0; idx < extents; idx++) {
258 first = map->extent[idx].lower_first;
259 last = first + map->extent[idx].count - 1;
260 if (id >= first && id <= last)
261 break;
263 /* Map the id or note failure */
264 if (idx < extents)
265 id = (id - first) + map->extent[idx].first;
266 else
267 id = (u32) -1;
269 return id;
273 * make_kuid - Map a user-namespace uid pair into a kuid.
274 * @ns: User namespace that the uid is in
275 * @uid: User identifier
277 * Maps a user-namespace uid pair into a kernel internal kuid,
278 * and returns that kuid.
280 * When there is no mapping defined for the user-namespace uid
281 * pair INVALID_UID is returned. Callers are expected to test
282 * for and handle INVALID_UID being returned. INVALID_UID
283 * may be tested for using uid_valid().
285 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
287 /* Map the uid to a global kernel uid */
288 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
290 EXPORT_SYMBOL(make_kuid);
293 * from_kuid - Create a uid from a kuid user-namespace pair.
294 * @targ: The user namespace we want a uid in.
295 * @kuid: The kernel internal uid to start with.
297 * Map @kuid into the user-namespace specified by @targ and
298 * return the resulting uid.
300 * There is always a mapping into the initial user_namespace.
302 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
304 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
306 /* Map the uid from a global kernel uid */
307 return map_id_up(&targ->uid_map, __kuid_val(kuid));
309 EXPORT_SYMBOL(from_kuid);
312 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
313 * @targ: The user namespace we want a uid in.
314 * @kuid: The kernel internal uid to start with.
316 * Map @kuid into the user-namespace specified by @targ and
317 * return the resulting uid.
319 * There is always a mapping into the initial user_namespace.
321 * Unlike from_kuid from_kuid_munged never fails and always
322 * returns a valid uid. This makes from_kuid_munged appropriate
323 * for use in syscalls like stat and getuid where failing the
324 * system call and failing to provide a valid uid are not an
325 * options.
327 * If @kuid has no mapping in @targ overflowuid is returned.
329 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
331 uid_t uid;
332 uid = from_kuid(targ, kuid);
334 if (uid == (uid_t) -1)
335 uid = overflowuid;
336 return uid;
338 EXPORT_SYMBOL(from_kuid_munged);
341 * make_kgid - Map a user-namespace gid pair into a kgid.
342 * @ns: User namespace that the gid is in
343 * @gid: group identifier
345 * Maps a user-namespace gid pair into a kernel internal kgid,
346 * and returns that kgid.
348 * When there is no mapping defined for the user-namespace gid
349 * pair INVALID_GID is returned. Callers are expected to test
350 * for and handle INVALID_GID being returned. INVALID_GID may be
351 * tested for using gid_valid().
353 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
355 /* Map the gid to a global kernel gid */
356 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
358 EXPORT_SYMBOL(make_kgid);
361 * from_kgid - Create a gid from a kgid user-namespace pair.
362 * @targ: The user namespace we want a gid in.
363 * @kgid: The kernel internal gid to start with.
365 * Map @kgid into the user-namespace specified by @targ and
366 * return the resulting gid.
368 * There is always a mapping into the initial user_namespace.
370 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
372 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
374 /* Map the gid from a global kernel gid */
375 return map_id_up(&targ->gid_map, __kgid_val(kgid));
377 EXPORT_SYMBOL(from_kgid);
380 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
381 * @targ: The user namespace we want a gid in.
382 * @kgid: The kernel internal gid to start with.
384 * Map @kgid into the user-namespace specified by @targ and
385 * return the resulting gid.
387 * There is always a mapping into the initial user_namespace.
389 * Unlike from_kgid from_kgid_munged never fails and always
390 * returns a valid gid. This makes from_kgid_munged appropriate
391 * for use in syscalls like stat and getgid where failing the
392 * system call and failing to provide a valid gid are not options.
394 * If @kgid has no mapping in @targ overflowgid is returned.
396 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
398 gid_t gid;
399 gid = from_kgid(targ, kgid);
401 if (gid == (gid_t) -1)
402 gid = overflowgid;
403 return gid;
405 EXPORT_SYMBOL(from_kgid_munged);
408 * make_kprojid - Map a user-namespace projid pair into a kprojid.
409 * @ns: User namespace that the projid is in
410 * @projid: Project identifier
412 * Maps a user-namespace uid pair into a kernel internal kuid,
413 * and returns that kuid.
415 * When there is no mapping defined for the user-namespace projid
416 * pair INVALID_PROJID is returned. Callers are expected to test
417 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
418 * may be tested for using projid_valid().
420 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
422 /* Map the uid to a global kernel uid */
423 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
425 EXPORT_SYMBOL(make_kprojid);
428 * from_kprojid - Create a projid from a kprojid user-namespace pair.
429 * @targ: The user namespace we want a projid in.
430 * @kprojid: The kernel internal project identifier to start with.
432 * Map @kprojid into the user-namespace specified by @targ and
433 * return the resulting projid.
435 * There is always a mapping into the initial user_namespace.
437 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
439 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
441 /* Map the uid from a global kernel uid */
442 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
444 EXPORT_SYMBOL(from_kprojid);
447 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
448 * @targ: The user namespace we want a projid in.
449 * @kprojid: The kernel internal projid to start with.
451 * Map @kprojid into the user-namespace specified by @targ and
452 * return the resulting projid.
454 * There is always a mapping into the initial user_namespace.
456 * Unlike from_kprojid from_kprojid_munged never fails and always
457 * returns a valid projid. This makes from_kprojid_munged
458 * appropriate for use in syscalls like stat and where
459 * failing the system call and failing to provide a valid projid are
460 * not an options.
462 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
464 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
466 projid_t projid;
467 projid = from_kprojid(targ, kprojid);
469 if (projid == (projid_t) -1)
470 projid = OVERFLOW_PROJID;
471 return projid;
473 EXPORT_SYMBOL(from_kprojid_munged);
476 static int uid_m_show(struct seq_file *seq, void *v)
478 struct user_namespace *ns = seq->private;
479 struct uid_gid_extent *extent = v;
480 struct user_namespace *lower_ns;
481 uid_t lower;
483 lower_ns = seq_user_ns(seq);
484 if ((lower_ns == ns) && lower_ns->parent)
485 lower_ns = lower_ns->parent;
487 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
489 seq_printf(seq, "%10u %10u %10u\n",
490 extent->first,
491 lower,
492 extent->count);
494 return 0;
497 static int gid_m_show(struct seq_file *seq, void *v)
499 struct user_namespace *ns = seq->private;
500 struct uid_gid_extent *extent = v;
501 struct user_namespace *lower_ns;
502 gid_t lower;
504 lower_ns = seq_user_ns(seq);
505 if ((lower_ns == ns) && lower_ns->parent)
506 lower_ns = lower_ns->parent;
508 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
510 seq_printf(seq, "%10u %10u %10u\n",
511 extent->first,
512 lower,
513 extent->count);
515 return 0;
518 static int projid_m_show(struct seq_file *seq, void *v)
520 struct user_namespace *ns = seq->private;
521 struct uid_gid_extent *extent = v;
522 struct user_namespace *lower_ns;
523 projid_t lower;
525 lower_ns = seq_user_ns(seq);
526 if ((lower_ns == ns) && lower_ns->parent)
527 lower_ns = lower_ns->parent;
529 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
531 seq_printf(seq, "%10u %10u %10u\n",
532 extent->first,
533 lower,
534 extent->count);
536 return 0;
539 static void *m_start(struct seq_file *seq, loff_t *ppos,
540 struct uid_gid_map *map)
542 struct uid_gid_extent *extent = NULL;
543 loff_t pos = *ppos;
545 if (pos < map->nr_extents)
546 extent = &map->extent[pos];
548 return extent;
551 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
553 struct user_namespace *ns = seq->private;
555 return m_start(seq, ppos, &ns->uid_map);
558 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
560 struct user_namespace *ns = seq->private;
562 return m_start(seq, ppos, &ns->gid_map);
565 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
567 struct user_namespace *ns = seq->private;
569 return m_start(seq, ppos, &ns->projid_map);
572 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
574 (*pos)++;
575 return seq->op->start(seq, pos);
578 static void m_stop(struct seq_file *seq, void *v)
580 return;
583 const struct seq_operations proc_uid_seq_operations = {
584 .start = uid_m_start,
585 .stop = m_stop,
586 .next = m_next,
587 .show = uid_m_show,
590 const struct seq_operations proc_gid_seq_operations = {
591 .start = gid_m_start,
592 .stop = m_stop,
593 .next = m_next,
594 .show = gid_m_show,
597 const struct seq_operations proc_projid_seq_operations = {
598 .start = projid_m_start,
599 .stop = m_stop,
600 .next = m_next,
601 .show = projid_m_show,
604 static bool mappings_overlap(struct uid_gid_map *new_map,
605 struct uid_gid_extent *extent)
607 u32 upper_first, lower_first, upper_last, lower_last;
608 unsigned idx;
610 upper_first = extent->first;
611 lower_first = extent->lower_first;
612 upper_last = upper_first + extent->count - 1;
613 lower_last = lower_first + extent->count - 1;
615 for (idx = 0; idx < new_map->nr_extents; idx++) {
616 u32 prev_upper_first, prev_lower_first;
617 u32 prev_upper_last, prev_lower_last;
618 struct uid_gid_extent *prev;
620 prev = &new_map->extent[idx];
622 prev_upper_first = prev->first;
623 prev_lower_first = prev->lower_first;
624 prev_upper_last = prev_upper_first + prev->count - 1;
625 prev_lower_last = prev_lower_first + prev->count - 1;
627 /* Does the upper range intersect a previous extent? */
628 if ((prev_upper_first <= upper_last) &&
629 (prev_upper_last >= upper_first))
630 return true;
632 /* Does the lower range intersect a previous extent? */
633 if ((prev_lower_first <= lower_last) &&
634 (prev_lower_last >= lower_first))
635 return true;
637 return false;
640 static ssize_t map_write(struct file *file, const char __user *buf,
641 size_t count, loff_t *ppos,
642 int cap_setid,
643 struct uid_gid_map *map,
644 struct uid_gid_map *parent_map)
646 struct seq_file *seq = file->private_data;
647 struct user_namespace *ns = seq->private;
648 struct uid_gid_map new_map;
649 unsigned idx;
650 struct uid_gid_extent *extent = NULL;
651 char *kbuf = NULL, *pos, *next_line;
652 ssize_t ret = -EINVAL;
655 * The userns_state_mutex serializes all writes to any given map.
657 * Any map is only ever written once.
659 * An id map fits within 1 cache line on most architectures.
661 * On read nothing needs to be done unless you are on an
662 * architecture with a crazy cache coherency model like alpha.
664 * There is a one time data dependency between reading the
665 * count of the extents and the values of the extents. The
666 * desired behavior is to see the values of the extents that
667 * were written before the count of the extents.
669 * To achieve this smp_wmb() is used on guarantee the write
670 * order and smp_rmb() is guaranteed that we don't have crazy
671 * architectures returning stale data.
673 mutex_lock(&userns_state_mutex);
675 ret = -EPERM;
676 /* Only allow one successful write to the map */
677 if (map->nr_extents != 0)
678 goto out;
681 * Adjusting namespace settings requires capabilities on the target.
683 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
684 goto out;
686 /* Only allow < page size writes at the beginning of the file */
687 ret = -EINVAL;
688 if ((*ppos != 0) || (count >= PAGE_SIZE))
689 goto out;
691 /* Slurp in the user data */
692 kbuf = memdup_user_nul(buf, count);
693 if (IS_ERR(kbuf)) {
694 ret = PTR_ERR(kbuf);
695 kbuf = NULL;
696 goto out;
699 /* Parse the user data */
700 ret = -EINVAL;
701 pos = kbuf;
702 new_map.nr_extents = 0;
703 for (; pos; pos = next_line) {
704 extent = &new_map.extent[new_map.nr_extents];
706 /* Find the end of line and ensure I don't look past it */
707 next_line = strchr(pos, '\n');
708 if (next_line) {
709 *next_line = '\0';
710 next_line++;
711 if (*next_line == '\0')
712 next_line = NULL;
715 pos = skip_spaces(pos);
716 extent->first = simple_strtoul(pos, &pos, 10);
717 if (!isspace(*pos))
718 goto out;
720 pos = skip_spaces(pos);
721 extent->lower_first = simple_strtoul(pos, &pos, 10);
722 if (!isspace(*pos))
723 goto out;
725 pos = skip_spaces(pos);
726 extent->count = simple_strtoul(pos, &pos, 10);
727 if (*pos && !isspace(*pos))
728 goto out;
730 /* Verify there is not trailing junk on the line */
731 pos = skip_spaces(pos);
732 if (*pos != '\0')
733 goto out;
735 /* Verify we have been given valid starting values */
736 if ((extent->first == (u32) -1) ||
737 (extent->lower_first == (u32) -1))
738 goto out;
740 /* Verify count is not zero and does not cause the
741 * extent to wrap
743 if ((extent->first + extent->count) <= extent->first)
744 goto out;
745 if ((extent->lower_first + extent->count) <=
746 extent->lower_first)
747 goto out;
749 /* Do the ranges in extent overlap any previous extents? */
750 if (mappings_overlap(&new_map, extent))
751 goto out;
753 new_map.nr_extents++;
755 /* Fail if the file contains too many extents */
756 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
757 (next_line != NULL))
758 goto out;
760 /* Be very certaint the new map actually exists */
761 if (new_map.nr_extents == 0)
762 goto out;
764 ret = -EPERM;
765 /* Validate the user is allowed to use user id's mapped to. */
766 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
767 goto out;
769 /* Map the lower ids from the parent user namespace to the
770 * kernel global id space.
772 for (idx = 0; idx < new_map.nr_extents; idx++) {
773 u32 lower_first;
774 extent = &new_map.extent[idx];
776 lower_first = map_id_range_down(parent_map,
777 extent->lower_first,
778 extent->count);
780 /* Fail if we can not map the specified extent to
781 * the kernel global id space.
783 if (lower_first == (u32) -1)
784 goto out;
786 extent->lower_first = lower_first;
789 /* Install the map */
790 memcpy(map->extent, new_map.extent,
791 new_map.nr_extents*sizeof(new_map.extent[0]));
792 smp_wmb();
793 map->nr_extents = new_map.nr_extents;
795 *ppos = count;
796 ret = count;
797 out:
798 mutex_unlock(&userns_state_mutex);
799 kfree(kbuf);
800 return ret;
803 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
804 size_t size, loff_t *ppos)
806 struct seq_file *seq = file->private_data;
807 struct user_namespace *ns = seq->private;
808 struct user_namespace *seq_ns = seq_user_ns(seq);
810 if (!ns->parent)
811 return -EPERM;
813 if ((seq_ns != ns) && (seq_ns != ns->parent))
814 return -EPERM;
816 return map_write(file, buf, size, ppos, CAP_SETUID,
817 &ns->uid_map, &ns->parent->uid_map);
820 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
821 size_t size, loff_t *ppos)
823 struct seq_file *seq = file->private_data;
824 struct user_namespace *ns = seq->private;
825 struct user_namespace *seq_ns = seq_user_ns(seq);
827 if (!ns->parent)
828 return -EPERM;
830 if ((seq_ns != ns) && (seq_ns != ns->parent))
831 return -EPERM;
833 return map_write(file, buf, size, ppos, CAP_SETGID,
834 &ns->gid_map, &ns->parent->gid_map);
837 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
838 size_t size, loff_t *ppos)
840 struct seq_file *seq = file->private_data;
841 struct user_namespace *ns = seq->private;
842 struct user_namespace *seq_ns = seq_user_ns(seq);
844 if (!ns->parent)
845 return -EPERM;
847 if ((seq_ns != ns) && (seq_ns != ns->parent))
848 return -EPERM;
850 /* Anyone can set any valid project id no capability needed */
851 return map_write(file, buf, size, ppos, -1,
852 &ns->projid_map, &ns->parent->projid_map);
855 static bool new_idmap_permitted(const struct file *file,
856 struct user_namespace *ns, int cap_setid,
857 struct uid_gid_map *new_map)
859 const struct cred *cred = file->f_cred;
860 /* Don't allow mappings that would allow anything that wouldn't
861 * be allowed without the establishment of unprivileged mappings.
863 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
864 uid_eq(ns->owner, cred->euid)) {
865 u32 id = new_map->extent[0].lower_first;
866 if (cap_setid == CAP_SETUID) {
867 kuid_t uid = make_kuid(ns->parent, id);
868 if (uid_eq(uid, cred->euid))
869 return true;
870 } else if (cap_setid == CAP_SETGID) {
871 kgid_t gid = make_kgid(ns->parent, id);
872 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
873 gid_eq(gid, cred->egid))
874 return true;
878 /* Allow anyone to set a mapping that doesn't require privilege */
879 if (!cap_valid(cap_setid))
880 return true;
882 /* Allow the specified ids if we have the appropriate capability
883 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
884 * And the opener of the id file also had the approprpiate capability.
886 if (ns_capable(ns->parent, cap_setid) &&
887 file_ns_capable(file, ns->parent, cap_setid))
888 return true;
890 return false;
893 int proc_setgroups_show(struct seq_file *seq, void *v)
895 struct user_namespace *ns = seq->private;
896 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
898 seq_printf(seq, "%s\n",
899 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
900 "allow" : "deny");
901 return 0;
904 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
905 size_t count, loff_t *ppos)
907 struct seq_file *seq = file->private_data;
908 struct user_namespace *ns = seq->private;
909 char kbuf[8], *pos;
910 bool setgroups_allowed;
911 ssize_t ret;
913 /* Only allow a very narrow range of strings to be written */
914 ret = -EINVAL;
915 if ((*ppos != 0) || (count >= sizeof(kbuf)))
916 goto out;
918 /* What was written? */
919 ret = -EFAULT;
920 if (copy_from_user(kbuf, buf, count))
921 goto out;
922 kbuf[count] = '\0';
923 pos = kbuf;
925 /* What is being requested? */
926 ret = -EINVAL;
927 if (strncmp(pos, "allow", 5) == 0) {
928 pos += 5;
929 setgroups_allowed = true;
931 else if (strncmp(pos, "deny", 4) == 0) {
932 pos += 4;
933 setgroups_allowed = false;
935 else
936 goto out;
938 /* Verify there is not trailing junk on the line */
939 pos = skip_spaces(pos);
940 if (*pos != '\0')
941 goto out;
943 ret = -EPERM;
944 mutex_lock(&userns_state_mutex);
945 if (setgroups_allowed) {
946 /* Enabling setgroups after setgroups has been disabled
947 * is not allowed.
949 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
950 goto out_unlock;
951 } else {
952 /* Permanently disabling setgroups after setgroups has
953 * been enabled by writing the gid_map is not allowed.
955 if (ns->gid_map.nr_extents != 0)
956 goto out_unlock;
957 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
959 mutex_unlock(&userns_state_mutex);
961 /* Report a successful write */
962 *ppos = count;
963 ret = count;
964 out:
965 return ret;
966 out_unlock:
967 mutex_unlock(&userns_state_mutex);
968 goto out;
971 bool userns_may_setgroups(const struct user_namespace *ns)
973 bool allowed;
975 mutex_lock(&userns_state_mutex);
976 /* It is not safe to use setgroups until a gid mapping in
977 * the user namespace has been established.
979 allowed = ns->gid_map.nr_extents != 0;
980 /* Is setgroups allowed? */
981 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
982 mutex_unlock(&userns_state_mutex);
984 return allowed;
988 * Returns true if @ns is the same namespace as or a descendant of
989 * @target_ns.
991 bool current_in_userns(const struct user_namespace *target_ns)
993 struct user_namespace *ns;
994 for (ns = current_user_ns(); ns; ns = ns->parent) {
995 if (ns == target_ns)
996 return true;
998 return false;
1001 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
1003 return container_of(ns, struct user_namespace, ns);
1006 static struct ns_common *userns_get(struct task_struct *task)
1008 struct user_namespace *user_ns;
1010 rcu_read_lock();
1011 user_ns = get_user_ns(__task_cred(task)->user_ns);
1012 rcu_read_unlock();
1014 return user_ns ? &user_ns->ns : NULL;
1017 static void userns_put(struct ns_common *ns)
1019 put_user_ns(to_user_ns(ns));
1022 static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
1024 struct user_namespace *user_ns = to_user_ns(ns);
1025 struct cred *cred;
1027 /* Don't allow gaining capabilities by reentering
1028 * the same user namespace.
1030 if (user_ns == current_user_ns())
1031 return -EINVAL;
1033 /* Tasks that share a thread group must share a user namespace */
1034 if (!thread_group_empty(current))
1035 return -EINVAL;
1037 if (current->fs->users != 1)
1038 return -EINVAL;
1040 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1041 return -EPERM;
1043 cred = prepare_creds();
1044 if (!cred)
1045 return -ENOMEM;
1047 put_user_ns(cred->user_ns);
1048 set_cred_user_ns(cred, get_user_ns(user_ns));
1050 return commit_creds(cred);
1053 struct ns_common *ns_get_owner(struct ns_common *ns)
1055 struct user_namespace *my_user_ns = current_user_ns();
1056 struct user_namespace *owner, *p;
1058 /* See if the owner is in the current user namespace */
1059 owner = p = ns->ops->owner(ns);
1060 for (;;) {
1061 if (!p)
1062 return ERR_PTR(-EPERM);
1063 if (p == my_user_ns)
1064 break;
1065 p = p->parent;
1068 return &get_user_ns(owner)->ns;
1071 static struct user_namespace *userns_owner(struct ns_common *ns)
1073 return to_user_ns(ns)->parent;
1076 const struct proc_ns_operations userns_operations = {
1077 .name = "user",
1078 .type = CLONE_NEWUSER,
1079 .get = userns_get,
1080 .put = userns_put,
1081 .install = userns_install,
1082 .owner = userns_owner,
1083 .get_parent = ns_get_owner,
1086 static __init int user_namespaces_init(void)
1088 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1089 return 0;
1091 subsys_initcall(user_namespaces_init);