search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ACPI / power: Avoid maybe-uninitialized warning
[linux/fpc-iii.git] / kernel / user_namespace.c
bloba2e37c5d2f63035d4cee00bb12a565f9bf8be774
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
28
29 static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
32
33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
34 {
35 /* Start with the same capabilities as init but useless for doing
36 * anything as the capabilities are bound to the new user namespace.
37 */
38 cred->securebits = SECUREBITS_DEFAULT;
39 cred->cap_inheritable = CAP_EMPTY_SET;
40 cred->cap_permitted = CAP_FULL_SET;
41 cred->cap_effective = CAP_FULL_SET;
42 cred->cap_bset = CAP_FULL_SET;
43 #ifdef CONFIG_KEYS
44 key_put(cred->request_key_auth);
45 cred->request_key_auth = NULL;
46 #endif
47 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
48 cred->user_ns = user_ns;
49 }
50
51 /*
52 * Create a new user namespace, deriving the creator from the user in the
53 * passed credentials, and replacing that user with the new root user for the
54 * new namespace.
55 *
56 * This is called by copy_creds(), which will finish setting the target task's
57 * credentials.
58 */
59 int create_user_ns(struct cred *new)
60 {
61 struct user_namespace *ns, *parent_ns = new->user_ns;
62 kuid_t owner = new->euid;
63 kgid_t group = new->egid;
64 int ret;
65
66 if (parent_ns->level > 32)
67 return -EUSERS;
68
69 /*
70 * Verify that we can not violate the policy of which files
71 * may be accessed that is specified by the root directory,
72 * by verifing that the root directory is at the root of the
73 * mount namespace which allows all files to be accessed.
74 */
75 if (current_chrooted())
76 return -EPERM;
77
78 /* The creator needs a mapping in the parent user namespace
79 * or else we won't be able to reasonably tell userspace who
80 * created a user_namespace.
81 */
82 if (!kuid_has_mapping(parent_ns, owner) ||
83 !kgid_has_mapping(parent_ns, group))
84 return -EPERM;
85
86 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
87 if (!ns)
88 return -ENOMEM;
89
90 ret = proc_alloc_inum(&ns->proc_inum);
91 if (ret) {
92 kmem_cache_free(user_ns_cachep, ns);
93 return ret;
94 }
95
96 atomic_set(&ns->count, 1);
97 /* Leave the new->user_ns reference with the new user namespace. */
98 ns->parent = parent_ns;
99 ns->level = parent_ns->level + 1;
100 ns->owner = owner;
101 ns->group = group;
102
103 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
104 mutex_lock(&userns_state_mutex);
105 ns->flags = parent_ns->flags;
106 mutex_unlock(&userns_state_mutex);
107
108 set_cred_user_ns(new, ns);
109
110 #ifdef CONFIG_PERSISTENT_KEYRINGS
111 init_rwsem(&ns->persistent_keyring_register_sem);
112 #endif
113 return 0;
114 }
115
116 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
117 {
118 struct cred *cred;
119 int err = -ENOMEM;
120
121 if (!(unshare_flags & CLONE_NEWUSER))
122 return 0;
123
124 cred = prepare_creds();
125 if (cred) {
126 err = create_user_ns(cred);
127 if (err)
128 put_cred(cred);
129 else
130 *new_cred = cred;
131 }
132
133 return err;
134 }
135
136 void free_user_ns(struct user_namespace *ns)
137 {
138 struct user_namespace *parent;
139
140 do {
141 parent = ns->parent;
142 #ifdef CONFIG_PERSISTENT_KEYRINGS
143 key_put(ns->persistent_keyring_register);
144 #endif
145 proc_free_inum(ns->proc_inum);
146 kmem_cache_free(user_ns_cachep, ns);
147 ns = parent;
148 } while (atomic_dec_and_test(&parent->count));
149 }
150 EXPORT_SYMBOL(free_user_ns);
151
152 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
153 {
154 unsigned idx, extents;
155 u32 first, last, id2;
156
157 id2 = id + count - 1;
158
159 /* Find the matching extent */
160 extents = map->nr_extents;
161 smp_rmb();
162 for (idx = 0; idx < extents; idx++) {
163 first = map->extent[idx].first;
164 last = first + map->extent[idx].count - 1;
165 if (id >= first && id <= last &&
166 (id2 >= first && id2 <= last))
167 break;
168 }
169 /* Map the id or note failure */
170 if (idx < extents)
171 id = (id - first) + map->extent[idx].lower_first;
172 else
173 id = (u32) -1;
174
175 return id;
176 }
177
178 static u32 map_id_down(struct uid_gid_map *map, u32 id)
179 {
180 unsigned idx, extents;
181 u32 first, last;
182
183 /* Find the matching extent */
184 extents = map->nr_extents;
185 smp_rmb();
186 for (idx = 0; idx < extents; idx++) {
187 first = map->extent[idx].first;
188 last = first + map->extent[idx].count - 1;
189 if (id >= first && id <= last)
190 break;
191 }
192 /* Map the id or note failure */
193 if (idx < extents)
194 id = (id - first) + map->extent[idx].lower_first;
195 else
196 id = (u32) -1;
197
198 return id;
199 }
200
201 static u32 map_id_up(struct uid_gid_map *map, u32 id)
202 {
203 unsigned idx, extents;
204 u32 first, last;
205
206 /* Find the matching extent */
207 extents = map->nr_extents;
208 smp_rmb();
209 for (idx = 0; idx < extents; idx++) {
210 first = map->extent[idx].lower_first;
211 last = first + map->extent[idx].count - 1;
212 if (id >= first && id <= last)
213 break;
214 }
215 /* Map the id or note failure */
216 if (idx < extents)
217 id = (id - first) + map->extent[idx].first;
218 else
219 id = (u32) -1;
220
221 return id;
222 }
223
224 /**
225 * make_kuid - Map a user-namespace uid pair into a kuid.
226 * @ns: User namespace that the uid is in
227 * @uid: User identifier
228 *
229 * Maps a user-namespace uid pair into a kernel internal kuid,
230 * and returns that kuid.
231 *
232 * When there is no mapping defined for the user-namespace uid
233 * pair INVALID_UID is returned. Callers are expected to test
234 * for and handle INVALID_UID being returned. INVALID_UID
235 * may be tested for using uid_valid().
236 */
237 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
238 {
239 /* Map the uid to a global kernel uid */
240 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
241 }
242 EXPORT_SYMBOL(make_kuid);
243
244 /**
245 * from_kuid - Create a uid from a kuid user-namespace pair.
246 * @targ: The user namespace we want a uid in.
247 * @kuid: The kernel internal uid to start with.
248 *
249 * Map @kuid into the user-namespace specified by @targ and
250 * return the resulting uid.
251 *
252 * There is always a mapping into the initial user_namespace.
253 *
254 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
255 */
256 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
257 {
258 /* Map the uid from a global kernel uid */
259 return map_id_up(&targ->uid_map, __kuid_val(kuid));
260 }
261 EXPORT_SYMBOL(from_kuid);
262
263 /**
264 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
265 * @targ: The user namespace we want a uid in.
266 * @kuid: The kernel internal uid to start with.
267 *
268 * Map @kuid into the user-namespace specified by @targ and
269 * return the resulting uid.
270 *
271 * There is always a mapping into the initial user_namespace.
272 *
273 * Unlike from_kuid from_kuid_munged never fails and always
274 * returns a valid uid. This makes from_kuid_munged appropriate
275 * for use in syscalls like stat and getuid where failing the
276 * system call and failing to provide a valid uid are not an
277 * options.
278 *
279 * If @kuid has no mapping in @targ overflowuid is returned.
280 */
281 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
282 {
283 uid_t uid;
284 uid = from_kuid(targ, kuid);
285
286 if (uid == (uid_t) -1)
287 uid = overflowuid;
288 return uid;
289 }
290 EXPORT_SYMBOL(from_kuid_munged);
291
292 /**
293 * make_kgid - Map a user-namespace gid pair into a kgid.
294 * @ns: User namespace that the gid is in
295 * @gid: group identifier
296 *
297 * Maps a user-namespace gid pair into a kernel internal kgid,
298 * and returns that kgid.
299 *
300 * When there is no mapping defined for the user-namespace gid
301 * pair INVALID_GID is returned. Callers are expected to test
302 * for and handle INVALID_GID being returned. INVALID_GID may be
303 * tested for using gid_valid().
304 */
305 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
306 {
307 /* Map the gid to a global kernel gid */
308 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
309 }
310 EXPORT_SYMBOL(make_kgid);
311
312 /**
313 * from_kgid - Create a gid from a kgid user-namespace pair.
314 * @targ: The user namespace we want a gid in.
315 * @kgid: The kernel internal gid to start with.
316 *
317 * Map @kgid into the user-namespace specified by @targ and
318 * return the resulting gid.
319 *
320 * There is always a mapping into the initial user_namespace.
321 *
322 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
323 */
324 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
325 {
326 /* Map the gid from a global kernel gid */
327 return map_id_up(&targ->gid_map, __kgid_val(kgid));
328 }
329 EXPORT_SYMBOL(from_kgid);
330
331 /**
332 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
333 * @targ: The user namespace we want a gid in.
334 * @kgid: The kernel internal gid to start with.
335 *
336 * Map @kgid into the user-namespace specified by @targ and
337 * return the resulting gid.
338 *
339 * There is always a mapping into the initial user_namespace.
340 *
341 * Unlike from_kgid from_kgid_munged never fails and always
342 * returns a valid gid. This makes from_kgid_munged appropriate
343 * for use in syscalls like stat and getgid where failing the
344 * system call and failing to provide a valid gid are not options.
345 *
346 * If @kgid has no mapping in @targ overflowgid is returned.
347 */
348 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
349 {
350 gid_t gid;
351 gid = from_kgid(targ, kgid);
352
353 if (gid == (gid_t) -1)
354 gid = overflowgid;
355 return gid;
356 }
357 EXPORT_SYMBOL(from_kgid_munged);
358
359 /**
360 * make_kprojid - Map a user-namespace projid pair into a kprojid.
361 * @ns: User namespace that the projid is in
362 * @projid: Project identifier
363 *
364 * Maps a user-namespace uid pair into a kernel internal kuid,
365 * and returns that kuid.
366 *
367 * When there is no mapping defined for the user-namespace projid
368 * pair INVALID_PROJID is returned. Callers are expected to test
369 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
370 * may be tested for using projid_valid().
371 */
372 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
373 {
374 /* Map the uid to a global kernel uid */
375 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
376 }
377 EXPORT_SYMBOL(make_kprojid);
378
379 /**
380 * from_kprojid - Create a projid from a kprojid user-namespace pair.
381 * @targ: The user namespace we want a projid in.
382 * @kprojid: The kernel internal project identifier to start with.
383 *
384 * Map @kprojid into the user-namespace specified by @targ and
385 * return the resulting projid.
386 *
387 * There is always a mapping into the initial user_namespace.
388 *
389 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
390 */
391 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
392 {
393 /* Map the uid from a global kernel uid */
394 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
395 }
396 EXPORT_SYMBOL(from_kprojid);
397
398 /**
399 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
400 * @targ: The user namespace we want a projid in.
401 * @kprojid: The kernel internal projid to start with.
402 *
403 * Map @kprojid into the user-namespace specified by @targ and
404 * return the resulting projid.
405 *
406 * There is always a mapping into the initial user_namespace.
407 *
408 * Unlike from_kprojid from_kprojid_munged never fails and always
409 * returns a valid projid. This makes from_kprojid_munged
410 * appropriate for use in syscalls like stat and where
411 * failing the system call and failing to provide a valid projid are
412 * not an options.
413 *
414 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
415 */
416 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
417 {
418 projid_t projid;
419 projid = from_kprojid(targ, kprojid);
420
421 if (projid == (projid_t) -1)
422 projid = OVERFLOW_PROJID;
423 return projid;
424 }
425 EXPORT_SYMBOL(from_kprojid_munged);
426
427
428 static int uid_m_show(struct seq_file *seq, void *v)
429 {
430 struct user_namespace *ns = seq->private;
431 struct uid_gid_extent *extent = v;
432 struct user_namespace *lower_ns;
433 uid_t lower;
434
435 lower_ns = seq_user_ns(seq);
436 if ((lower_ns == ns) && lower_ns->parent)
437 lower_ns = lower_ns->parent;
438
439 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
440
441 seq_printf(seq, "%10u %10u %10u\n",
442 extent->first,
443 lower,
444 extent->count);
445
446 return 0;
447 }
448
449 static int gid_m_show(struct seq_file *seq, void *v)
450 {
451 struct user_namespace *ns = seq->private;
452 struct uid_gid_extent *extent = v;
453 struct user_namespace *lower_ns;
454 gid_t lower;
455
456 lower_ns = seq_user_ns(seq);
457 if ((lower_ns == ns) && lower_ns->parent)
458 lower_ns = lower_ns->parent;
459
460 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
461
462 seq_printf(seq, "%10u %10u %10u\n",
463 extent->first,
464 lower,
465 extent->count);
466
467 return 0;
468 }
469
470 static int projid_m_show(struct seq_file *seq, void *v)
471 {
472 struct user_namespace *ns = seq->private;
473 struct uid_gid_extent *extent = v;
474 struct user_namespace *lower_ns;
475 projid_t lower;
476
477 lower_ns = seq_user_ns(seq);
478 if ((lower_ns == ns) && lower_ns->parent)
479 lower_ns = lower_ns->parent;
480
481 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
482
483 seq_printf(seq, "%10u %10u %10u\n",
484 extent->first,
485 lower,
486 extent->count);
487
488 return 0;
489 }
490
491 static void *m_start(struct seq_file *seq, loff_t *ppos,
492 struct uid_gid_map *map)
493 {
494 struct uid_gid_extent *extent = NULL;
495 loff_t pos = *ppos;
496
497 if (pos < map->nr_extents)
498 extent = &map->extent[pos];
499
500 return extent;
501 }
502
503 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
504 {
505 struct user_namespace *ns = seq->private;
506
507 return m_start(seq, ppos, &ns->uid_map);
508 }
509
510 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
511 {
512 struct user_namespace *ns = seq->private;
513
514 return m_start(seq, ppos, &ns->gid_map);
515 }
516
517 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
518 {
519 struct user_namespace *ns = seq->private;
520
521 return m_start(seq, ppos, &ns->projid_map);
522 }
523
524 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
525 {
526 (*pos)++;
527 return seq->op->start(seq, pos);
528 }
529
530 static void m_stop(struct seq_file *seq, void *v)
531 {
532 return;
533 }
534
535 const struct seq_operations proc_uid_seq_operations = {
536 .start = uid_m_start,
537 .stop = m_stop,
538 .next = m_next,
539 .show = uid_m_show,
540 };
541
542 const struct seq_operations proc_gid_seq_operations = {
543 .start = gid_m_start,
544 .stop = m_stop,
545 .next = m_next,
546 .show = gid_m_show,
547 };
548
549 const struct seq_operations proc_projid_seq_operations = {
550 .start = projid_m_start,
551 .stop = m_stop,
552 .next = m_next,
553 .show = projid_m_show,
554 };
555
556 static bool mappings_overlap(struct uid_gid_map *new_map,
557 struct uid_gid_extent *extent)
558 {
559 u32 upper_first, lower_first, upper_last, lower_last;
560 unsigned idx;
561
562 upper_first = extent->first;
563 lower_first = extent->lower_first;
564 upper_last = upper_first + extent->count - 1;
565 lower_last = lower_first + extent->count - 1;
566
567 for (idx = 0; idx < new_map->nr_extents; idx++) {
568 u32 prev_upper_first, prev_lower_first;
569 u32 prev_upper_last, prev_lower_last;
570 struct uid_gid_extent *prev;
571
572 prev = &new_map->extent[idx];
573
574 prev_upper_first = prev->first;
575 prev_lower_first = prev->lower_first;
576 prev_upper_last = prev_upper_first + prev->count - 1;
577 prev_lower_last = prev_lower_first + prev->count - 1;
578
579 /* Does the upper range intersect a previous extent? */
580 if ((prev_upper_first <= upper_last) &&
581 (prev_upper_last >= upper_first))
582 return true;
583
584 /* Does the lower range intersect a previous extent? */
585 if ((prev_lower_first <= lower_last) &&
586 (prev_lower_last >= lower_first))
587 return true;
588 }
589 return false;
590 }
591
592 static ssize_t map_write(struct file *file, const char __user *buf,
593 size_t count, loff_t *ppos,
594 int cap_setid,
595 struct uid_gid_map *map,
596 struct uid_gid_map *parent_map)
597 {
598 struct seq_file *seq = file->private_data;
599 struct user_namespace *ns = seq->private;
600 struct uid_gid_map new_map;
601 unsigned idx;
602 struct uid_gid_extent *extent = NULL;
603 unsigned long page = 0;
604 char *kbuf, *pos, *next_line;
605 ssize_t ret = -EINVAL;
606
607 /*
608 * The userns_state_mutex serializes all writes to any given map.
609 *
610 * Any map is only ever written once.
611 *
612 * An id map fits within 1 cache line on most architectures.
613 *
614 * On read nothing needs to be done unless you are on an
615 * architecture with a crazy cache coherency model like alpha.
616 *
617 * There is a one time data dependency between reading the
618 * count of the extents and the values of the extents. The
619 * desired behavior is to see the values of the extents that
620 * were written before the count of the extents.
621 *
622 * To achieve this smp_wmb() is used on guarantee the write
623 * order and smp_rmb() is guaranteed that we don't have crazy
624 * architectures returning stale data.
625 */
626 mutex_lock(&userns_state_mutex);
627
628 ret = -EPERM;
629 /* Only allow one successful write to the map */
630 if (map->nr_extents != 0)
631 goto out;
632
633 /*
634 * Adjusting namespace settings requires capabilities on the target.
635 */
636 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
637 goto out;
638
639 /* Get a buffer */
640 ret = -ENOMEM;
641 page = __get_free_page(GFP_TEMPORARY);
642 kbuf = (char *) page;
643 if (!page)
644 goto out;
645
646 /* Only allow <= page size writes at the beginning of the file */
647 ret = -EINVAL;
648 if ((*ppos != 0) || (count >= PAGE_SIZE))
649 goto out;
650
651 /* Slurp in the user data */
652 ret = -EFAULT;
653 if (copy_from_user(kbuf, buf, count))
654 goto out;
655 kbuf[count] = '\0';
656
657 /* Parse the user data */
658 ret = -EINVAL;
659 pos = kbuf;
660 new_map.nr_extents = 0;
661 for (; pos; pos = next_line) {
662 extent = &new_map.extent[new_map.nr_extents];
663
664 /* Find the end of line and ensure I don't look past it */
665 next_line = strchr(pos, '\n');
666 if (next_line) {
667 *next_line = '\0';
668 next_line++;
669 if (*next_line == '\0')
670 next_line = NULL;
671 }
672
673 pos = skip_spaces(pos);
674 extent->first = simple_strtoul(pos, &pos, 10);
675 if (!isspace(*pos))
676 goto out;
677
678 pos = skip_spaces(pos);
679 extent->lower_first = simple_strtoul(pos, &pos, 10);
680 if (!isspace(*pos))
681 goto out;
682
683 pos = skip_spaces(pos);
684 extent->count = simple_strtoul(pos, &pos, 10);
685 if (*pos && !isspace(*pos))
686 goto out;
687
688 /* Verify there is not trailing junk on the line */
689 pos = skip_spaces(pos);
690 if (*pos != '\0')
691 goto out;
692
693 /* Verify we have been given valid starting values */
694 if ((extent->first == (u32) -1) ||
695 (extent->lower_first == (u32) -1))
696 goto out;
697
698 /* Verify count is not zero and does not cause the
699 * extent to wrap
700 */
701 if ((extent->first + extent->count) <= extent->first)
702 goto out;
703 if ((extent->lower_first + extent->count) <=
704 extent->lower_first)
705 goto out;
706
707 /* Do the ranges in extent overlap any previous extents? */
708 if (mappings_overlap(&new_map, extent))
709 goto out;
710
711 new_map.nr_extents++;
712
713 /* Fail if the file contains too many extents */
714 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
715 (next_line != NULL))
716 goto out;
717 }
718 /* Be very certaint the new map actually exists */
719 if (new_map.nr_extents == 0)
720 goto out;
721
722 ret = -EPERM;
723 /* Validate the user is allowed to use user id's mapped to. */
724 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
725 goto out;
726
727 /* Map the lower ids from the parent user namespace to the
728 * kernel global id space.
729 */
730 for (idx = 0; idx < new_map.nr_extents; idx++) {
731 u32 lower_first;
732 extent = &new_map.extent[idx];
733
734 lower_first = map_id_range_down(parent_map,
735 extent->lower_first,
736 extent->count);
737
738 /* Fail if we can not map the specified extent to
739 * the kernel global id space.
740 */
741 if (lower_first == (u32) -1)
742 goto out;
743
744 extent->lower_first = lower_first;
745 }
746
747 /* Install the map */
748 memcpy(map->extent, new_map.extent,
749 new_map.nr_extents*sizeof(new_map.extent[0]));
750 smp_wmb();
751 map->nr_extents = new_map.nr_extents;
752
753 *ppos = count;
754 ret = count;
755 out:
756 mutex_unlock(&userns_state_mutex);
757 if (page)
758 free_page(page);
759 return ret;
760 }
761
762 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
763 size_t size, loff_t *ppos)
764 {
765 struct seq_file *seq = file->private_data;
766 struct user_namespace *ns = seq->private;
767 struct user_namespace *seq_ns = seq_user_ns(seq);
768
769 if (!ns->parent)
770 return -EPERM;
771
772 if ((seq_ns != ns) && (seq_ns != ns->parent))
773 return -EPERM;
774
775 return map_write(file, buf, size, ppos, CAP_SETUID,
776 &ns->uid_map, &ns->parent->uid_map);
777 }
778
779 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
780 size_t size, loff_t *ppos)
781 {
782 struct seq_file *seq = file->private_data;
783 struct user_namespace *ns = seq->private;
784 struct user_namespace *seq_ns = seq_user_ns(seq);
785
786 if (!ns->parent)
787 return -EPERM;
788
789 if ((seq_ns != ns) && (seq_ns != ns->parent))
790 return -EPERM;
791
792 return map_write(file, buf, size, ppos, CAP_SETGID,
793 &ns->gid_map, &ns->parent->gid_map);
794 }
795
796 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
797 size_t size, loff_t *ppos)
798 {
799 struct seq_file *seq = file->private_data;
800 struct user_namespace *ns = seq->private;
801 struct user_namespace *seq_ns = seq_user_ns(seq);
802
803 if (!ns->parent)
804 return -EPERM;
805
806 if ((seq_ns != ns) && (seq_ns != ns->parent))
807 return -EPERM;
808
809 /* Anyone can set any valid project id no capability needed */
810 return map_write(file, buf, size, ppos, -1,
811 &ns->projid_map, &ns->parent->projid_map);
812 }
813
814 static bool new_idmap_permitted(const struct file *file,
815 struct user_namespace *ns, int cap_setid,
816 struct uid_gid_map *new_map)
817 {
818 const struct cred *cred = file->f_cred;
819 /* Don't allow mappings that would allow anything that wouldn't
820 * be allowed without the establishment of unprivileged mappings.
821 */
822 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
823 uid_eq(ns->owner, cred->euid)) {
824 u32 id = new_map->extent[0].lower_first;
825 if (cap_setid == CAP_SETUID) {
826 kuid_t uid = make_kuid(ns->parent, id);
827 if (uid_eq(uid, cred->euid))
828 return true;
829 } else if (cap_setid == CAP_SETGID) {
830 kgid_t gid = make_kgid(ns->parent, id);
831 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
832 gid_eq(gid, cred->egid))
833 return true;
834 }
835 }
836
837 /* Allow anyone to set a mapping that doesn't require privilege */
838 if (!cap_valid(cap_setid))
839 return true;
840
841 /* Allow the specified ids if we have the appropriate capability
842 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
843 * And the opener of the id file also had the approprpiate capability.
844 */
845 if (ns_capable(ns->parent, cap_setid) &&
846 file_ns_capable(file, ns->parent, cap_setid))
847 return true;
848
849 return false;
850 }
851
852 int proc_setgroups_show(struct seq_file *seq, void *v)
853 {
854 struct user_namespace *ns = seq->private;
855 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
856
857 seq_printf(seq, "%s\n",
858 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
859 "allow" : "deny");
860 return 0;
861 }
862
863 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
864 size_t count, loff_t *ppos)
865 {
866 struct seq_file *seq = file->private_data;
867 struct user_namespace *ns = seq->private;
868 char kbuf[8], *pos;
869 bool setgroups_allowed;
870 ssize_t ret;
871
872 /* Only allow a very narrow range of strings to be written */
873 ret = -EINVAL;
874 if ((*ppos != 0) || (count >= sizeof(kbuf)))
875 goto out;
876
877 /* What was written? */
878 ret = -EFAULT;
879 if (copy_from_user(kbuf, buf, count))
880 goto out;
881 kbuf[count] = '\0';
882 pos = kbuf;
883
884 /* What is being requested? */
885 ret = -EINVAL;
886 if (strncmp(pos, "allow", 5) == 0) {
887 pos += 5;
888 setgroups_allowed = true;
889 }
890 else if (strncmp(pos, "deny", 4) == 0) {
891 pos += 4;
892 setgroups_allowed = false;
893 }
894 else
895 goto out;
896
897 /* Verify there is not trailing junk on the line */
898 pos = skip_spaces(pos);
899 if (*pos != '\0')
900 goto out;
901
902 ret = -EPERM;
903 mutex_lock(&userns_state_mutex);
904 if (setgroups_allowed) {
905 /* Enabling setgroups after setgroups has been disabled
906 * is not allowed.
907 */
908 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
909 goto out_unlock;
910 } else {
911 /* Permanently disabling setgroups after setgroups has
912 * been enabled by writing the gid_map is not allowed.
913 */
914 if (ns->gid_map.nr_extents != 0)
915 goto out_unlock;
916 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
917 }
918 mutex_unlock(&userns_state_mutex);
919
920 /* Report a successful write */
921 *ppos = count;
922 ret = count;
923 out:
924 return ret;
925 out_unlock:
926 mutex_unlock(&userns_state_mutex);
927 goto out;
928 }
929
930 bool userns_may_setgroups(const struct user_namespace *ns)
931 {
932 bool allowed;
933
934 mutex_lock(&userns_state_mutex);
935 /* It is not safe to use setgroups until a gid mapping in
936 * the user namespace has been established.
937 */
938 allowed = ns->gid_map.nr_extents != 0;
939 /* Is setgroups allowed? */
940 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
941 mutex_unlock(&userns_state_mutex);
942
943 return allowed;
944 }
945
946 static void *userns_get(struct task_struct *task)
947 {
948 struct user_namespace *user_ns;
949
950 rcu_read_lock();
951 user_ns = get_user_ns(__task_cred(task)->user_ns);
952 rcu_read_unlock();
953
954 return user_ns;
955 }
956
957 static void userns_put(void *ns)
958 {
959 put_user_ns(ns);
960 }
961
962 static int userns_install(struct nsproxy *nsproxy, void *ns)
963 {
964 struct user_namespace *user_ns = ns;
965 struct cred *cred;
966
967 /* Don't allow gaining capabilities by reentering
968 * the same user namespace.
969 */
970 if (user_ns == current_user_ns())
971 return -EINVAL;
972
973 /* Threaded processes may not enter a different user namespace */
974 if (atomic_read(&current->mm->mm_users) > 1)
975 return -EINVAL;
976
977 if (current->fs->users != 1)
978 return -EINVAL;
979
980 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
981 return -EPERM;
982
983 cred = prepare_creds();
984 if (!cred)
985 return -ENOMEM;
986
987 put_user_ns(cred->user_ns);
988 set_cred_user_ns(cred, get_user_ns(user_ns));
989
990 return commit_creds(cred);
991 }
992
993 static unsigned int userns_inum(void *ns)
994 {
995 struct user_namespace *user_ns = ns;
996 return user_ns->proc_inum;
997 }
998
999 const struct proc_ns_operations userns_operations = {
1000 .name = "user",
1001 .type = CLONE_NEWUSER,
1002 .get = userns_get,
1003 .put = userns_put,
1004 .install = userns_install,
1005 .inum = userns_inum,
1006 };
1007
1008 static __init int user_namespaces_init(void)
1009 {
1010 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1011 return 0;
1012 }
1013 subsys_initcall(user_namespaces_init);
Linux with added FPC-III support