search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
target: Allow Write Exclusive non-reservation holders to READ
[linux/fpc-iii.git] / kernel / user_namespace.c
blob153971e4798a1248623e5d6a9d7b7432e8329be5
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
28
29 static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
32
33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
34 {
35 /* Start with the same capabilities as init but useless for doing
36 * anything as the capabilities are bound to the new user namespace.
37 */
38 cred->securebits = SECUREBITS_DEFAULT;
39 cred->cap_inheritable = CAP_EMPTY_SET;
40 cred->cap_permitted = CAP_FULL_SET;
41 cred->cap_effective = CAP_FULL_SET;
42 cred->cap_bset = CAP_FULL_SET;
43 #ifdef CONFIG_KEYS
44 key_put(cred->request_key_auth);
45 cred->request_key_auth = NULL;
46 #endif
47 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
48 cred->user_ns = user_ns;
49 }
50
51 /*
52 * Create a new user namespace, deriving the creator from the user in the
53 * passed credentials, and replacing that user with the new root user for the
54 * new namespace.
55 *
56 * This is called by copy_creds(), which will finish setting the target task's
57 * credentials.
58 */
59 int create_user_ns(struct cred *new)
60 {
61 struct user_namespace *ns, *parent_ns = new->user_ns;
62 kuid_t owner = new->euid;
63 kgid_t group = new->egid;
64 int ret;
65
66 if (parent_ns->level > 32)
67 return -EUSERS;
68
69 /*
70 * Verify that we can not violate the policy of which files
71 * may be accessed that is specified by the root directory,
72 * by verifing that the root directory is at the root of the
73 * mount namespace which allows all files to be accessed.
74 */
75 if (current_chrooted())
76 return -EPERM;
77
78 /* The creator needs a mapping in the parent user namespace
79 * or else we won't be able to reasonably tell userspace who
80 * created a user_namespace.
81 */
82 if (!kuid_has_mapping(parent_ns, owner) ||
83 !kgid_has_mapping(parent_ns, group))
84 return -EPERM;
85
86 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
87 if (!ns)
88 return -ENOMEM;
89
90 ret = proc_alloc_inum(&ns->proc_inum);
91 if (ret) {
92 kmem_cache_free(user_ns_cachep, ns);
93 return ret;
94 }
95
96 atomic_set(&ns->count, 1);
97 /* Leave the new->user_ns reference with the new user namespace. */
98 ns->parent = parent_ns;
99 ns->level = parent_ns->level + 1;
100 ns->owner = owner;
101 ns->group = group;
102
103 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
104 mutex_lock(&userns_state_mutex);
105 ns->flags = parent_ns->flags;
106 mutex_unlock(&userns_state_mutex);
107
108 set_cred_user_ns(new, ns);
109
110 #ifdef CONFIG_PERSISTENT_KEYRINGS
111 init_rwsem(&ns->persistent_keyring_register_sem);
112 #endif
113 return 0;
114 }
115
116 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
117 {
118 struct cred *cred;
119 int err = -ENOMEM;
120
121 if (!(unshare_flags & CLONE_NEWUSER))
122 return 0;
123
124 cred = prepare_creds();
125 if (cred) {
126 err = create_user_ns(cred);
127 if (err)
128 put_cred(cred);
129 else
130 *new_cred = cred;
131 }
132
133 return err;
134 }
135
136 void free_user_ns(struct user_namespace *ns)
137 {
138 struct user_namespace *parent;
139
140 do {
141 parent = ns->parent;
142 #ifdef CONFIG_PERSISTENT_KEYRINGS
143 key_put(ns->persistent_keyring_register);
144 #endif
145 proc_free_inum(ns->proc_inum);
146 kmem_cache_free(user_ns_cachep, ns);
147 ns = parent;
148 } while (atomic_dec_and_test(&parent->count));
149 }
150 EXPORT_SYMBOL(free_user_ns);
151
152 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
153 {
154 unsigned idx, extents;
155 u32 first, last, id2;
156
157 id2 = id + count - 1;
158
159 /* Find the matching extent */
160 extents = map->nr_extents;
161 smp_rmb();
162 for (idx = 0; idx < extents; idx++) {
163 first = map->extent[idx].first;
164 last = first + map->extent[idx].count - 1;
165 if (id >= first && id <= last &&
166 (id2 >= first && id2 <= last))
167 break;
168 }
169 /* Map the id or note failure */
170 if (idx < extents)
171 id = (id - first) + map->extent[idx].lower_first;
172 else
173 id = (u32) -1;
174
175 return id;
176 }
177
178 static u32 map_id_down(struct uid_gid_map *map, u32 id)
179 {
180 unsigned idx, extents;
181 u32 first, last;
182
183 /* Find the matching extent */
184 extents = map->nr_extents;
185 smp_rmb();
186 for (idx = 0; idx < extents; idx++) {
187 first = map->extent[idx].first;
188 last = first + map->extent[idx].count - 1;
189 if (id >= first && id <= last)
190 break;
191 }
192 /* Map the id or note failure */
193 if (idx < extents)
194 id = (id - first) + map->extent[idx].lower_first;
195 else
196 id = (u32) -1;
197
198 return id;
199 }
200
201 static u32 map_id_up(struct uid_gid_map *map, u32 id)
202 {
203 unsigned idx, extents;
204 u32 first, last;
205
206 /* Find the matching extent */
207 extents = map->nr_extents;
208 smp_rmb();
209 for (idx = 0; idx < extents; idx++) {
210 first = map->extent[idx].lower_first;
211 last = first + map->extent[idx].count - 1;
212 if (id >= first && id <= last)
213 break;
214 }
215 /* Map the id or note failure */
216 if (idx < extents)
217 id = (id - first) + map->extent[idx].first;
218 else
219 id = (u32) -1;
220
221 return id;
222 }
223
224 /**
225 * make_kuid - Map a user-namespace uid pair into a kuid.
226 * @ns: User namespace that the uid is in
227 * @uid: User identifier
228 *
229 * Maps a user-namespace uid pair into a kernel internal kuid,
230 * and returns that kuid.
231 *
232 * When there is no mapping defined for the user-namespace uid
233 * pair INVALID_UID is returned. Callers are expected to test
234 * for and handle INVALID_UID being returned. INVALID_UID
235 * may be tested for using uid_valid().
236 */
237 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
238 {
239 /* Map the uid to a global kernel uid */
240 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
241 }
242 EXPORT_SYMBOL(make_kuid);
243
244 /**
245 * from_kuid - Create a uid from a kuid user-namespace pair.
246 * @targ: The user namespace we want a uid in.
247 * @kuid: The kernel internal uid to start with.
248 *
249 * Map @kuid into the user-namespace specified by @targ and
250 * return the resulting uid.
251 *
252 * There is always a mapping into the initial user_namespace.
253 *
254 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
255 */
256 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
257 {
258 /* Map the uid from a global kernel uid */
259 return map_id_up(&targ->uid_map, __kuid_val(kuid));
260 }
261 EXPORT_SYMBOL(from_kuid);
262
263 /**
264 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
265 * @targ: The user namespace we want a uid in.
266 * @kuid: The kernel internal uid to start with.
267 *
268 * Map @kuid into the user-namespace specified by @targ and
269 * return the resulting uid.
270 *
271 * There is always a mapping into the initial user_namespace.
272 *
273 * Unlike from_kuid from_kuid_munged never fails and always
274 * returns a valid uid. This makes from_kuid_munged appropriate
275 * for use in syscalls like stat and getuid where failing the
276 * system call and failing to provide a valid uid are not an
277 * options.
278 *
279 * If @kuid has no mapping in @targ overflowuid is returned.
280 */
281 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
282 {
283 uid_t uid;
284 uid = from_kuid(targ, kuid);
285
286 if (uid == (uid_t) -1)
287 uid = overflowuid;
288 return uid;
289 }
290 EXPORT_SYMBOL(from_kuid_munged);
291
292 /**
293 * make_kgid - Map a user-namespace gid pair into a kgid.
294 * @ns: User namespace that the gid is in
295 * @uid: group identifier
296 *
297 * Maps a user-namespace gid pair into a kernel internal kgid,
298 * and returns that kgid.
299 *
300 * When there is no mapping defined for the user-namespace gid
301 * pair INVALID_GID is returned. Callers are expected to test
302 * for and handle INVALID_GID being returned. INVALID_GID may be
303 * tested for using gid_valid().
304 */
305 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
306 {
307 /* Map the gid to a global kernel gid */
308 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
309 }
310 EXPORT_SYMBOL(make_kgid);
311
312 /**
313 * from_kgid - Create a gid from a kgid user-namespace pair.
314 * @targ: The user namespace we want a gid in.
315 * @kgid: The kernel internal gid to start with.
316 *
317 * Map @kgid into the user-namespace specified by @targ and
318 * return the resulting gid.
319 *
320 * There is always a mapping into the initial user_namespace.
321 *
322 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
323 */
324 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
325 {
326 /* Map the gid from a global kernel gid */
327 return map_id_up(&targ->gid_map, __kgid_val(kgid));
328 }
329 EXPORT_SYMBOL(from_kgid);
330
331 /**
332 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
333 * @targ: The user namespace we want a gid in.
334 * @kgid: The kernel internal gid to start with.
335 *
336 * Map @kgid into the user-namespace specified by @targ and
337 * return the resulting gid.
338 *
339 * There is always a mapping into the initial user_namespace.
340 *
341 * Unlike from_kgid from_kgid_munged never fails and always
342 * returns a valid gid. This makes from_kgid_munged appropriate
343 * for use in syscalls like stat and getgid where failing the
344 * system call and failing to provide a valid gid are not options.
345 *
346 * If @kgid has no mapping in @targ overflowgid is returned.
347 */
348 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
349 {
350 gid_t gid;
351 gid = from_kgid(targ, kgid);
352
353 if (gid == (gid_t) -1)
354 gid = overflowgid;
355 return gid;
356 }
357 EXPORT_SYMBOL(from_kgid_munged);
358
359 /**
360 * make_kprojid - Map a user-namespace projid pair into a kprojid.
361 * @ns: User namespace that the projid is in
362 * @projid: Project identifier
363 *
364 * Maps a user-namespace uid pair into a kernel internal kuid,
365 * and returns that kuid.
366 *
367 * When there is no mapping defined for the user-namespace projid
368 * pair INVALID_PROJID is returned. Callers are expected to test
369 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
370 * may be tested for using projid_valid().
371 */
372 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
373 {
374 /* Map the uid to a global kernel uid */
375 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
376 }
377 EXPORT_SYMBOL(make_kprojid);
378
379 /**
380 * from_kprojid - Create a projid from a kprojid user-namespace pair.
381 * @targ: The user namespace we want a projid in.
382 * @kprojid: The kernel internal project identifier to start with.
383 *
384 * Map @kprojid into the user-namespace specified by @targ and
385 * return the resulting projid.
386 *
387 * There is always a mapping into the initial user_namespace.
388 *
389 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
390 */
391 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
392 {
393 /* Map the uid from a global kernel uid */
394 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
395 }
396 EXPORT_SYMBOL(from_kprojid);
397
398 /**
399 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
400 * @targ: The user namespace we want a projid in.
401 * @kprojid: The kernel internal projid to start with.
402 *
403 * Map @kprojid into the user-namespace specified by @targ and
404 * return the resulting projid.
405 *
406 * There is always a mapping into the initial user_namespace.
407 *
408 * Unlike from_kprojid from_kprojid_munged never fails and always
409 * returns a valid projid. This makes from_kprojid_munged
410 * appropriate for use in syscalls like stat and where
411 * failing the system call and failing to provide a valid projid are
412 * not an options.
413 *
414 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
415 */
416 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
417 {
418 projid_t projid;
419 projid = from_kprojid(targ, kprojid);
420
421 if (projid == (projid_t) -1)
422 projid = OVERFLOW_PROJID;
423 return projid;
424 }
425 EXPORT_SYMBOL(from_kprojid_munged);
426
427
428 static int uid_m_show(struct seq_file *seq, void *v)
429 {
430 struct user_namespace *ns = seq->private;
431 struct uid_gid_extent *extent = v;
432 struct user_namespace *lower_ns;
433 uid_t lower;
434
435 lower_ns = seq_user_ns(seq);
436 if ((lower_ns == ns) && lower_ns->parent)
437 lower_ns = lower_ns->parent;
438
439 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
440
441 seq_printf(seq, "%10u %10u %10u\n",
442 extent->first,
443 lower,
444 extent->count);
445
446 return 0;
447 }
448
449 static int gid_m_show(struct seq_file *seq, void *v)
450 {
451 struct user_namespace *ns = seq->private;
452 struct uid_gid_extent *extent = v;
453 struct user_namespace *lower_ns;
454 gid_t lower;
455
456 lower_ns = seq_user_ns(seq);
457 if ((lower_ns == ns) && lower_ns->parent)
458 lower_ns = lower_ns->parent;
459
460 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
461
462 seq_printf(seq, "%10u %10u %10u\n",
463 extent->first,
464 lower,
465 extent->count);
466
467 return 0;
468 }
469
470 static int projid_m_show(struct seq_file *seq, void *v)
471 {
472 struct user_namespace *ns = seq->private;
473 struct uid_gid_extent *extent = v;
474 struct user_namespace *lower_ns;
475 projid_t lower;
476
477 lower_ns = seq_user_ns(seq);
478 if ((lower_ns == ns) && lower_ns->parent)
479 lower_ns = lower_ns->parent;
480
481 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
482
483 seq_printf(seq, "%10u %10u %10u\n",
484 extent->first,
485 lower,
486 extent->count);
487
488 return 0;
489 }
490
491 static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
492 {
493 struct uid_gid_extent *extent = NULL;
494 loff_t pos = *ppos;
495
496 if (pos < map->nr_extents)
497 extent = &map->extent[pos];
498
499 return extent;
500 }
501
502 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
503 {
504 struct user_namespace *ns = seq->private;
505
506 return m_start(seq, ppos, &ns->uid_map);
507 }
508
509 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
510 {
511 struct user_namespace *ns = seq->private;
512
513 return m_start(seq, ppos, &ns->gid_map);
514 }
515
516 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
517 {
518 struct user_namespace *ns = seq->private;
519
520 return m_start(seq, ppos, &ns->projid_map);
521 }
522
523 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
524 {
525 (*pos)++;
526 return seq->op->start(seq, pos);
527 }
528
529 static void m_stop(struct seq_file *seq, void *v)
530 {
531 return;
532 }
533
534 struct seq_operations proc_uid_seq_operations = {
535 .start = uid_m_start,
536 .stop = m_stop,
537 .next = m_next,
538 .show = uid_m_show,
539 };
540
541 struct seq_operations proc_gid_seq_operations = {
542 .start = gid_m_start,
543 .stop = m_stop,
544 .next = m_next,
545 .show = gid_m_show,
546 };
547
548 struct seq_operations proc_projid_seq_operations = {
549 .start = projid_m_start,
550 .stop = m_stop,
551 .next = m_next,
552 .show = projid_m_show,
553 };
554
555 static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent *extent)
556 {
557 u32 upper_first, lower_first, upper_last, lower_last;
558 unsigned idx;
559
560 upper_first = extent->first;
561 lower_first = extent->lower_first;
562 upper_last = upper_first + extent->count - 1;
563 lower_last = lower_first + extent->count - 1;
564
565 for (idx = 0; idx < new_map->nr_extents; idx++) {
566 u32 prev_upper_first, prev_lower_first;
567 u32 prev_upper_last, prev_lower_last;
568 struct uid_gid_extent *prev;
569
570 prev = &new_map->extent[idx];
571
572 prev_upper_first = prev->first;
573 prev_lower_first = prev->lower_first;
574 prev_upper_last = prev_upper_first + prev->count - 1;
575 prev_lower_last = prev_lower_first + prev->count - 1;
576
577 /* Does the upper range intersect a previous extent? */
578 if ((prev_upper_first <= upper_last) &&
579 (prev_upper_last >= upper_first))
580 return true;
581
582 /* Does the lower range intersect a previous extent? */
583 if ((prev_lower_first <= lower_last) &&
584 (prev_lower_last >= lower_first))
585 return true;
586 }
587 return false;
588 }
589
590 static ssize_t map_write(struct file *file, const char __user *buf,
591 size_t count, loff_t *ppos,
592 int cap_setid,
593 struct uid_gid_map *map,
594 struct uid_gid_map *parent_map)
595 {
596 struct seq_file *seq = file->private_data;
597 struct user_namespace *ns = seq->private;
598 struct uid_gid_map new_map;
599 unsigned idx;
600 struct uid_gid_extent *extent = NULL;
601 unsigned long page = 0;
602 char *kbuf, *pos, *next_line;
603 ssize_t ret = -EINVAL;
604
605 /*
606 * The userns_state_mutex serializes all writes to any given map.
607 *
608 * Any map is only ever written once.
609 *
610 * An id map fits within 1 cache line on most architectures.
611 *
612 * On read nothing needs to be done unless you are on an
613 * architecture with a crazy cache coherency model like alpha.
614 *
615 * There is a one time data dependency between reading the
616 * count of the extents and the values of the extents. The
617 * desired behavior is to see the values of the extents that
618 * were written before the count of the extents.
619 *
620 * To achieve this smp_wmb() is used on guarantee the write
621 * order and smp_rmb() is guaranteed that we don't have crazy
622 * architectures returning stale data.
623 */
624 mutex_lock(&userns_state_mutex);
625
626 ret = -EPERM;
627 /* Only allow one successful write to the map */
628 if (map->nr_extents != 0)
629 goto out;
630
631 /*
632 * Adjusting namespace settings requires capabilities on the target.
633 */
634 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
635 goto out;
636
637 /* Get a buffer */
638 ret = -ENOMEM;
639 page = __get_free_page(GFP_TEMPORARY);
640 kbuf = (char *) page;
641 if (!page)
642 goto out;
643
644 /* Only allow <= page size writes at the beginning of the file */
645 ret = -EINVAL;
646 if ((*ppos != 0) || (count >= PAGE_SIZE))
647 goto out;
648
649 /* Slurp in the user data */
650 ret = -EFAULT;
651 if (copy_from_user(kbuf, buf, count))
652 goto out;
653 kbuf[count] = '\0';
654
655 /* Parse the user data */
656 ret = -EINVAL;
657 pos = kbuf;
658 new_map.nr_extents = 0;
659 for (;pos; pos = next_line) {
660 extent = &new_map.extent[new_map.nr_extents];
661
662 /* Find the end of line and ensure I don't look past it */
663 next_line = strchr(pos, '\n');
664 if (next_line) {
665 *next_line = '\0';
666 next_line++;
667 if (*next_line == '\0')
668 next_line = NULL;
669 }
670
671 pos = skip_spaces(pos);
672 extent->first = simple_strtoul(pos, &pos, 10);
673 if (!isspace(*pos))
674 goto out;
675
676 pos = skip_spaces(pos);
677 extent->lower_first = simple_strtoul(pos, &pos, 10);
678 if (!isspace(*pos))
679 goto out;
680
681 pos = skip_spaces(pos);
682 extent->count = simple_strtoul(pos, &pos, 10);
683 if (*pos && !isspace(*pos))
684 goto out;
685
686 /* Verify there is not trailing junk on the line */
687 pos = skip_spaces(pos);
688 if (*pos != '\0')
689 goto out;
690
691 /* Verify we have been given valid starting values */
692 if ((extent->first == (u32) -1) ||
693 (extent->lower_first == (u32) -1 ))
694 goto out;
695
696 /* Verify count is not zero and does not cause the extent to wrap */
697 if ((extent->first + extent->count) <= extent->first)
698 goto out;
699 if ((extent->lower_first + extent->count) <= extent->lower_first)
700 goto out;
701
702 /* Do the ranges in extent overlap any previous extents? */
703 if (mappings_overlap(&new_map, extent))
704 goto out;
705
706 new_map.nr_extents++;
707
708 /* Fail if the file contains too many extents */
709 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
710 (next_line != NULL))
711 goto out;
712 }
713 /* Be very certaint the new map actually exists */
714 if (new_map.nr_extents == 0)
715 goto out;
716
717 ret = -EPERM;
718 /* Validate the user is allowed to use user id's mapped to. */
719 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
720 goto out;
721
722 /* Map the lower ids from the parent user namespace to the
723 * kernel global id space.
724 */
725 for (idx = 0; idx < new_map.nr_extents; idx++) {
726 u32 lower_first;
727 extent = &new_map.extent[idx];
728
729 lower_first = map_id_range_down(parent_map,
730 extent->lower_first,
731 extent->count);
732
733 /* Fail if we can not map the specified extent to
734 * the kernel global id space.
735 */
736 if (lower_first == (u32) -1)
737 goto out;
738
739 extent->lower_first = lower_first;
740 }
741
742 /* Install the map */
743 memcpy(map->extent, new_map.extent,
744 new_map.nr_extents*sizeof(new_map.extent[0]));
745 smp_wmb();
746 map->nr_extents = new_map.nr_extents;
747
748 *ppos = count;
749 ret = count;
750 out:
751 mutex_unlock(&userns_state_mutex);
752 if (page)
753 free_page(page);
754 return ret;
755 }
756
757 ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
758 {
759 struct seq_file *seq = file->private_data;
760 struct user_namespace *ns = seq->private;
761 struct user_namespace *seq_ns = seq_user_ns(seq);
762
763 if (!ns->parent)
764 return -EPERM;
765
766 if ((seq_ns != ns) && (seq_ns != ns->parent))
767 return -EPERM;
768
769 return map_write(file, buf, size, ppos, CAP_SETUID,
770 &ns->uid_map, &ns->parent->uid_map);
771 }
772
773 ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
774 {
775 struct seq_file *seq = file->private_data;
776 struct user_namespace *ns = seq->private;
777 struct user_namespace *seq_ns = seq_user_ns(seq);
778
779 if (!ns->parent)
780 return -EPERM;
781
782 if ((seq_ns != ns) && (seq_ns != ns->parent))
783 return -EPERM;
784
785 return map_write(file, buf, size, ppos, CAP_SETGID,
786 &ns->gid_map, &ns->parent->gid_map);
787 }
788
789 ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
790 {
791 struct seq_file *seq = file->private_data;
792 struct user_namespace *ns = seq->private;
793 struct user_namespace *seq_ns = seq_user_ns(seq);
794
795 if (!ns->parent)
796 return -EPERM;
797
798 if ((seq_ns != ns) && (seq_ns != ns->parent))
799 return -EPERM;
800
801 /* Anyone can set any valid project id no capability needed */
802 return map_write(file, buf, size, ppos, -1,
803 &ns->projid_map, &ns->parent->projid_map);
804 }
805
806 static bool new_idmap_permitted(const struct file *file,
807 struct user_namespace *ns, int cap_setid,
808 struct uid_gid_map *new_map)
809 {
810 const struct cred *cred = file->f_cred;
811 /* Don't allow mappings that would allow anything that wouldn't
812 * be allowed without the establishment of unprivileged mappings.
813 */
814 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
815 uid_eq(ns->owner, cred->euid)) {
816 u32 id = new_map->extent[0].lower_first;
817 if (cap_setid == CAP_SETUID) {
818 kuid_t uid = make_kuid(ns->parent, id);
819 if (uid_eq(uid, cred->euid))
820 return true;
821 } else if (cap_setid == CAP_SETGID) {
822 kgid_t gid = make_kgid(ns->parent, id);
823 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
824 gid_eq(gid, cred->egid))
825 return true;
826 }
827 }
828
829 /* Allow anyone to set a mapping that doesn't require privilege */
830 if (!cap_valid(cap_setid))
831 return true;
832
833 /* Allow the specified ids if we have the appropriate capability
834 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
835 * And the opener of the id file also had the approprpiate capability.
836 */
837 if (ns_capable(ns->parent, cap_setid) &&
838 file_ns_capable(file, ns->parent, cap_setid))
839 return true;
840
841 return false;
842 }
843
844 int proc_setgroups_show(struct seq_file *seq, void *v)
845 {
846 struct user_namespace *ns = seq->private;
847 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
848
849 seq_printf(seq, "%s\n",
850 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
851 "allow" : "deny");
852 return 0;
853 }
854
855 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
856 size_t count, loff_t *ppos)
857 {
858 struct seq_file *seq = file->private_data;
859 struct user_namespace *ns = seq->private;
860 char kbuf[8], *pos;
861 bool setgroups_allowed;
862 ssize_t ret;
863
864 /* Only allow a very narrow range of strings to be written */
865 ret = -EINVAL;
866 if ((*ppos != 0) || (count >= sizeof(kbuf)))
867 goto out;
868
869 /* What was written? */
870 ret = -EFAULT;
871 if (copy_from_user(kbuf, buf, count))
872 goto out;
873 kbuf[count] = '\0';
874 pos = kbuf;
875
876 /* What is being requested? */
877 ret = -EINVAL;
878 if (strncmp(pos, "allow", 5) == 0) {
879 pos += 5;
880 setgroups_allowed = true;
881 }
882 else if (strncmp(pos, "deny", 4) == 0) {
883 pos += 4;
884 setgroups_allowed = false;
885 }
886 else
887 goto out;
888
889 /* Verify there is not trailing junk on the line */
890 pos = skip_spaces(pos);
891 if (*pos != '\0')
892 goto out;
893
894 ret = -EPERM;
895 mutex_lock(&userns_state_mutex);
896 if (setgroups_allowed) {
897 /* Enabling setgroups after setgroups has been disabled
898 * is not allowed.
899 */
900 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
901 goto out_unlock;
902 } else {
903 /* Permanently disabling setgroups after setgroups has
904 * been enabled by writing the gid_map is not allowed.
905 */
906 if (ns->gid_map.nr_extents != 0)
907 goto out_unlock;
908 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
909 }
910 mutex_unlock(&userns_state_mutex);
911
912 /* Report a successful write */
913 *ppos = count;
914 ret = count;
915 out:
916 return ret;
917 out_unlock:
918 mutex_unlock(&userns_state_mutex);
919 goto out;
920 }
921
922 bool userns_may_setgroups(const struct user_namespace *ns)
923 {
924 bool allowed;
925
926 mutex_lock(&userns_state_mutex);
927 /* It is not safe to use setgroups until a gid mapping in
928 * the user namespace has been established.
929 */
930 allowed = ns->gid_map.nr_extents != 0;
931 /* Is setgroups allowed? */
932 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
933 mutex_unlock(&userns_state_mutex);
934
935 return allowed;
936 }
937
938 static void *userns_get(struct task_struct *task)
939 {
940 struct user_namespace *user_ns;
941
942 rcu_read_lock();
943 user_ns = get_user_ns(__task_cred(task)->user_ns);
944 rcu_read_unlock();
945
946 return user_ns;
947 }
948
949 static void userns_put(void *ns)
950 {
951 put_user_ns(ns);
952 }
953
954 static int userns_install(struct nsproxy *nsproxy, void *ns)
955 {
956 struct user_namespace *user_ns = ns;
957 struct cred *cred;
958
959 /* Don't allow gaining capabilities by reentering
960 * the same user namespace.
961 */
962 if (user_ns == current_user_ns())
963 return -EINVAL;
964
965 /* Threaded processes may not enter a different user namespace */
966 if (atomic_read(&current->mm->mm_users) > 1)
967 return -EINVAL;
968
969 if (current->fs->users != 1)
970 return -EINVAL;
971
972 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
973 return -EPERM;
974
975 cred = prepare_creds();
976 if (!cred)
977 return -ENOMEM;
978
979 put_user_ns(cred->user_ns);
980 set_cred_user_ns(cred, get_user_ns(user_ns));
981
982 return commit_creds(cred);
983 }
984
985 static unsigned int userns_inum(void *ns)
986 {
987 struct user_namespace *user_ns = ns;
988 return user_ns->proc_inum;
989 }
990
991 const struct proc_ns_operations userns_operations = {
992 .name = "user",
993 .type = CLONE_NEWUSER,
994 .get = userns_get,
995 .put = userns_put,
996 .install = userns_install,
997 .inum = userns_inum,
998 };
999
1000 static __init int user_namespaces_init(void)
1001 {
1002 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1003 return 0;
1004 }
1005 module_init(user_namespaces_init);
Linux with added FPC-III support