2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
26 static struct kmem_cache
*user_ns_cachep __read_mostly
;
27 static DEFINE_MUTEX(userns_state_mutex
);
29 static bool new_idmap_permitted(const struct file
*file
,
30 struct user_namespace
*ns
, int cap_setid
,
31 struct uid_gid_map
*map
);
33 static void set_cred_user_ns(struct cred
*cred
, struct user_namespace
*user_ns
)
35 /* Start with the same capabilities as init but useless for doing
36 * anything as the capabilities are bound to the new user namespace.
38 cred
->securebits
= SECUREBITS_DEFAULT
;
39 cred
->cap_inheritable
= CAP_EMPTY_SET
;
40 cred
->cap_permitted
= CAP_FULL_SET
;
41 cred
->cap_effective
= CAP_FULL_SET
;
42 cred
->cap_ambient
= CAP_EMPTY_SET
;
43 cred
->cap_bset
= CAP_FULL_SET
;
45 key_put(cred
->request_key_auth
);
46 cred
->request_key_auth
= NULL
;
48 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
49 cred
->user_ns
= user_ns
;
53 * Create a new user namespace, deriving the creator from the user in the
54 * passed credentials, and replacing that user with the new root user for the
57 * This is called by copy_creds(), which will finish setting the target task's
60 int create_user_ns(struct cred
*new)
62 struct user_namespace
*ns
, *parent_ns
= new->user_ns
;
63 kuid_t owner
= new->euid
;
64 kgid_t group
= new->egid
;
67 if (parent_ns
->level
> 32)
71 * Verify that we can not violate the policy of which files
72 * may be accessed that is specified by the root directory,
73 * by verifing that the root directory is at the root of the
74 * mount namespace which allows all files to be accessed.
76 if (current_chrooted())
79 /* The creator needs a mapping in the parent user namespace
80 * or else we won't be able to reasonably tell userspace who
81 * created a user_namespace.
83 if (!kuid_has_mapping(parent_ns
, owner
) ||
84 !kgid_has_mapping(parent_ns
, group
))
87 ns
= kmem_cache_zalloc(user_ns_cachep
, GFP_KERNEL
);
91 ret
= ns_alloc_inum(&ns
->ns
);
93 kmem_cache_free(user_ns_cachep
, ns
);
96 ns
->ns
.ops
= &userns_operations
;
98 atomic_set(&ns
->count
, 1);
99 /* Leave the new->user_ns reference with the new user namespace. */
100 ns
->parent
= parent_ns
;
101 ns
->level
= parent_ns
->level
+ 1;
105 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
106 mutex_lock(&userns_state_mutex
);
107 ns
->flags
= parent_ns
->flags
;
108 mutex_unlock(&userns_state_mutex
);
110 set_cred_user_ns(new, ns
);
112 #ifdef CONFIG_PERSISTENT_KEYRINGS
113 init_rwsem(&ns
->persistent_keyring_register_sem
);
118 int unshare_userns(unsigned long unshare_flags
, struct cred
**new_cred
)
123 if (!(unshare_flags
& CLONE_NEWUSER
))
126 cred
= prepare_creds();
128 err
= create_user_ns(cred
);
138 void free_user_ns(struct user_namespace
*ns
)
140 struct user_namespace
*parent
;
144 #ifdef CONFIG_PERSISTENT_KEYRINGS
145 key_put(ns
->persistent_keyring_register
);
147 ns_free_inum(&ns
->ns
);
148 kmem_cache_free(user_ns_cachep
, ns
);
150 } while (atomic_dec_and_test(&parent
->count
));
152 EXPORT_SYMBOL(free_user_ns
);
154 static u32
map_id_range_down(struct uid_gid_map
*map
, u32 id
, u32 count
)
156 unsigned idx
, extents
;
157 u32 first
, last
, id2
;
159 id2
= id
+ count
- 1;
161 /* Find the matching extent */
162 extents
= map
->nr_extents
;
164 for (idx
= 0; idx
< extents
; idx
++) {
165 first
= map
->extent
[idx
].first
;
166 last
= first
+ map
->extent
[idx
].count
- 1;
167 if (id
>= first
&& id
<= last
&&
168 (id2
>= first
&& id2
<= last
))
171 /* Map the id or note failure */
173 id
= (id
- first
) + map
->extent
[idx
].lower_first
;
180 static u32
map_id_down(struct uid_gid_map
*map
, u32 id
)
182 unsigned idx
, extents
;
185 /* Find the matching extent */
186 extents
= map
->nr_extents
;
188 for (idx
= 0; idx
< extents
; idx
++) {
189 first
= map
->extent
[idx
].first
;
190 last
= first
+ map
->extent
[idx
].count
- 1;
191 if (id
>= first
&& id
<= last
)
194 /* Map the id or note failure */
196 id
= (id
- first
) + map
->extent
[idx
].lower_first
;
203 static u32
map_id_up(struct uid_gid_map
*map
, u32 id
)
205 unsigned idx
, extents
;
208 /* Find the matching extent */
209 extents
= map
->nr_extents
;
211 for (idx
= 0; idx
< extents
; idx
++) {
212 first
= map
->extent
[idx
].lower_first
;
213 last
= first
+ map
->extent
[idx
].count
- 1;
214 if (id
>= first
&& id
<= last
)
217 /* Map the id or note failure */
219 id
= (id
- first
) + map
->extent
[idx
].first
;
227 * make_kuid - Map a user-namespace uid pair into a kuid.
228 * @ns: User namespace that the uid is in
229 * @uid: User identifier
231 * Maps a user-namespace uid pair into a kernel internal kuid,
232 * and returns that kuid.
234 * When there is no mapping defined for the user-namespace uid
235 * pair INVALID_UID is returned. Callers are expected to test
236 * for and handle INVALID_UID being returned. INVALID_UID
237 * may be tested for using uid_valid().
239 kuid_t
make_kuid(struct user_namespace
*ns
, uid_t uid
)
241 /* Map the uid to a global kernel uid */
242 return KUIDT_INIT(map_id_down(&ns
->uid_map
, uid
));
244 EXPORT_SYMBOL(make_kuid
);
247 * from_kuid - Create a uid from a kuid user-namespace pair.
248 * @targ: The user namespace we want a uid in.
249 * @kuid: The kernel internal uid to start with.
251 * Map @kuid into the user-namespace specified by @targ and
252 * return the resulting uid.
254 * There is always a mapping into the initial user_namespace.
256 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
258 uid_t
from_kuid(struct user_namespace
*targ
, kuid_t kuid
)
260 /* Map the uid from a global kernel uid */
261 return map_id_up(&targ
->uid_map
, __kuid_val(kuid
));
263 EXPORT_SYMBOL(from_kuid
);
266 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
267 * @targ: The user namespace we want a uid in.
268 * @kuid: The kernel internal uid to start with.
270 * Map @kuid into the user-namespace specified by @targ and
271 * return the resulting uid.
273 * There is always a mapping into the initial user_namespace.
275 * Unlike from_kuid from_kuid_munged never fails and always
276 * returns a valid uid. This makes from_kuid_munged appropriate
277 * for use in syscalls like stat and getuid where failing the
278 * system call and failing to provide a valid uid are not an
281 * If @kuid has no mapping in @targ overflowuid is returned.
283 uid_t
from_kuid_munged(struct user_namespace
*targ
, kuid_t kuid
)
286 uid
= from_kuid(targ
, kuid
);
288 if (uid
== (uid_t
) -1)
292 EXPORT_SYMBOL(from_kuid_munged
);
295 * make_kgid - Map a user-namespace gid pair into a kgid.
296 * @ns: User namespace that the gid is in
297 * @gid: group identifier
299 * Maps a user-namespace gid pair into a kernel internal kgid,
300 * and returns that kgid.
302 * When there is no mapping defined for the user-namespace gid
303 * pair INVALID_GID is returned. Callers are expected to test
304 * for and handle INVALID_GID being returned. INVALID_GID may be
305 * tested for using gid_valid().
307 kgid_t
make_kgid(struct user_namespace
*ns
, gid_t gid
)
309 /* Map the gid to a global kernel gid */
310 return KGIDT_INIT(map_id_down(&ns
->gid_map
, gid
));
312 EXPORT_SYMBOL(make_kgid
);
315 * from_kgid - Create a gid from a kgid user-namespace pair.
316 * @targ: The user namespace we want a gid in.
317 * @kgid: The kernel internal gid to start with.
319 * Map @kgid into the user-namespace specified by @targ and
320 * return the resulting gid.
322 * There is always a mapping into the initial user_namespace.
324 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
326 gid_t
from_kgid(struct user_namespace
*targ
, kgid_t kgid
)
328 /* Map the gid from a global kernel gid */
329 return map_id_up(&targ
->gid_map
, __kgid_val(kgid
));
331 EXPORT_SYMBOL(from_kgid
);
334 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
335 * @targ: The user namespace we want a gid in.
336 * @kgid: The kernel internal gid to start with.
338 * Map @kgid into the user-namespace specified by @targ and
339 * return the resulting gid.
341 * There is always a mapping into the initial user_namespace.
343 * Unlike from_kgid from_kgid_munged never fails and always
344 * returns a valid gid. This makes from_kgid_munged appropriate
345 * for use in syscalls like stat and getgid where failing the
346 * system call and failing to provide a valid gid are not options.
348 * If @kgid has no mapping in @targ overflowgid is returned.
350 gid_t
from_kgid_munged(struct user_namespace
*targ
, kgid_t kgid
)
353 gid
= from_kgid(targ
, kgid
);
355 if (gid
== (gid_t
) -1)
359 EXPORT_SYMBOL(from_kgid_munged
);
362 * make_kprojid - Map a user-namespace projid pair into a kprojid.
363 * @ns: User namespace that the projid is in
364 * @projid: Project identifier
366 * Maps a user-namespace uid pair into a kernel internal kuid,
367 * and returns that kuid.
369 * When there is no mapping defined for the user-namespace projid
370 * pair INVALID_PROJID is returned. Callers are expected to test
371 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
372 * may be tested for using projid_valid().
374 kprojid_t
make_kprojid(struct user_namespace
*ns
, projid_t projid
)
376 /* Map the uid to a global kernel uid */
377 return KPROJIDT_INIT(map_id_down(&ns
->projid_map
, projid
));
379 EXPORT_SYMBOL(make_kprojid
);
382 * from_kprojid - Create a projid from a kprojid user-namespace pair.
383 * @targ: The user namespace we want a projid in.
384 * @kprojid: The kernel internal project identifier to start with.
386 * Map @kprojid into the user-namespace specified by @targ and
387 * return the resulting projid.
389 * There is always a mapping into the initial user_namespace.
391 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
393 projid_t
from_kprojid(struct user_namespace
*targ
, kprojid_t kprojid
)
395 /* Map the uid from a global kernel uid */
396 return map_id_up(&targ
->projid_map
, __kprojid_val(kprojid
));
398 EXPORT_SYMBOL(from_kprojid
);
401 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
402 * @targ: The user namespace we want a projid in.
403 * @kprojid: The kernel internal projid to start with.
405 * Map @kprojid into the user-namespace specified by @targ and
406 * return the resulting projid.
408 * There is always a mapping into the initial user_namespace.
410 * Unlike from_kprojid from_kprojid_munged never fails and always
411 * returns a valid projid. This makes from_kprojid_munged
412 * appropriate for use in syscalls like stat and where
413 * failing the system call and failing to provide a valid projid are
416 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
418 projid_t
from_kprojid_munged(struct user_namespace
*targ
, kprojid_t kprojid
)
421 projid
= from_kprojid(targ
, kprojid
);
423 if (projid
== (projid_t
) -1)
424 projid
= OVERFLOW_PROJID
;
427 EXPORT_SYMBOL(from_kprojid_munged
);
430 static int uid_m_show(struct seq_file
*seq
, void *v
)
432 struct user_namespace
*ns
= seq
->private;
433 struct uid_gid_extent
*extent
= v
;
434 struct user_namespace
*lower_ns
;
437 lower_ns
= seq_user_ns(seq
);
438 if ((lower_ns
== ns
) && lower_ns
->parent
)
439 lower_ns
= lower_ns
->parent
;
441 lower
= from_kuid(lower_ns
, KUIDT_INIT(extent
->lower_first
));
443 seq_printf(seq
, "%10u %10u %10u\n",
451 static int gid_m_show(struct seq_file
*seq
, void *v
)
453 struct user_namespace
*ns
= seq
->private;
454 struct uid_gid_extent
*extent
= v
;
455 struct user_namespace
*lower_ns
;
458 lower_ns
= seq_user_ns(seq
);
459 if ((lower_ns
== ns
) && lower_ns
->parent
)
460 lower_ns
= lower_ns
->parent
;
462 lower
= from_kgid(lower_ns
, KGIDT_INIT(extent
->lower_first
));
464 seq_printf(seq
, "%10u %10u %10u\n",
472 static int projid_m_show(struct seq_file
*seq
, void *v
)
474 struct user_namespace
*ns
= seq
->private;
475 struct uid_gid_extent
*extent
= v
;
476 struct user_namespace
*lower_ns
;
479 lower_ns
= seq_user_ns(seq
);
480 if ((lower_ns
== ns
) && lower_ns
->parent
)
481 lower_ns
= lower_ns
->parent
;
483 lower
= from_kprojid(lower_ns
, KPROJIDT_INIT(extent
->lower_first
));
485 seq_printf(seq
, "%10u %10u %10u\n",
493 static void *m_start(struct seq_file
*seq
, loff_t
*ppos
,
494 struct uid_gid_map
*map
)
496 struct uid_gid_extent
*extent
= NULL
;
499 if (pos
< map
->nr_extents
)
500 extent
= &map
->extent
[pos
];
505 static void *uid_m_start(struct seq_file
*seq
, loff_t
*ppos
)
507 struct user_namespace
*ns
= seq
->private;
509 return m_start(seq
, ppos
, &ns
->uid_map
);
512 static void *gid_m_start(struct seq_file
*seq
, loff_t
*ppos
)
514 struct user_namespace
*ns
= seq
->private;
516 return m_start(seq
, ppos
, &ns
->gid_map
);
519 static void *projid_m_start(struct seq_file
*seq
, loff_t
*ppos
)
521 struct user_namespace
*ns
= seq
->private;
523 return m_start(seq
, ppos
, &ns
->projid_map
);
526 static void *m_next(struct seq_file
*seq
, void *v
, loff_t
*pos
)
529 return seq
->op
->start(seq
, pos
);
532 static void m_stop(struct seq_file
*seq
, void *v
)
537 const struct seq_operations proc_uid_seq_operations
= {
538 .start
= uid_m_start
,
544 const struct seq_operations proc_gid_seq_operations
= {
545 .start
= gid_m_start
,
551 const struct seq_operations proc_projid_seq_operations
= {
552 .start
= projid_m_start
,
555 .show
= projid_m_show
,
558 static bool mappings_overlap(struct uid_gid_map
*new_map
,
559 struct uid_gid_extent
*extent
)
561 u32 upper_first
, lower_first
, upper_last
, lower_last
;
564 upper_first
= extent
->first
;
565 lower_first
= extent
->lower_first
;
566 upper_last
= upper_first
+ extent
->count
- 1;
567 lower_last
= lower_first
+ extent
->count
- 1;
569 for (idx
= 0; idx
< new_map
->nr_extents
; idx
++) {
570 u32 prev_upper_first
, prev_lower_first
;
571 u32 prev_upper_last
, prev_lower_last
;
572 struct uid_gid_extent
*prev
;
574 prev
= &new_map
->extent
[idx
];
576 prev_upper_first
= prev
->first
;
577 prev_lower_first
= prev
->lower_first
;
578 prev_upper_last
= prev_upper_first
+ prev
->count
- 1;
579 prev_lower_last
= prev_lower_first
+ prev
->count
- 1;
581 /* Does the upper range intersect a previous extent? */
582 if ((prev_upper_first
<= upper_last
) &&
583 (prev_upper_last
>= upper_first
))
586 /* Does the lower range intersect a previous extent? */
587 if ((prev_lower_first
<= lower_last
) &&
588 (prev_lower_last
>= lower_first
))
594 static ssize_t
map_write(struct file
*file
, const char __user
*buf
,
595 size_t count
, loff_t
*ppos
,
597 struct uid_gid_map
*map
,
598 struct uid_gid_map
*parent_map
)
600 struct seq_file
*seq
= file
->private_data
;
601 struct user_namespace
*ns
= seq
->private;
602 struct uid_gid_map new_map
;
604 struct uid_gid_extent
*extent
= NULL
;
605 char *kbuf
= NULL
, *pos
, *next_line
;
606 ssize_t ret
= -EINVAL
;
609 * The userns_state_mutex serializes all writes to any given map.
611 * Any map is only ever written once.
613 * An id map fits within 1 cache line on most architectures.
615 * On read nothing needs to be done unless you are on an
616 * architecture with a crazy cache coherency model like alpha.
618 * There is a one time data dependency between reading the
619 * count of the extents and the values of the extents. The
620 * desired behavior is to see the values of the extents that
621 * were written before the count of the extents.
623 * To achieve this smp_wmb() is used on guarantee the write
624 * order and smp_rmb() is guaranteed that we don't have crazy
625 * architectures returning stale data.
627 mutex_lock(&userns_state_mutex
);
630 /* Only allow one successful write to the map */
631 if (map
->nr_extents
!= 0)
635 * Adjusting namespace settings requires capabilities on the target.
637 if (cap_valid(cap_setid
) && !file_ns_capable(file
, ns
, CAP_SYS_ADMIN
))
640 /* Only allow < page size writes at the beginning of the file */
642 if ((*ppos
!= 0) || (count
>= PAGE_SIZE
))
645 /* Slurp in the user data */
646 kbuf
= memdup_user_nul(buf
, count
);
653 /* Parse the user data */
656 new_map
.nr_extents
= 0;
657 for (; pos
; pos
= next_line
) {
658 extent
= &new_map
.extent
[new_map
.nr_extents
];
660 /* Find the end of line and ensure I don't look past it */
661 next_line
= strchr(pos
, '\n');
665 if (*next_line
== '\0')
669 pos
= skip_spaces(pos
);
670 extent
->first
= simple_strtoul(pos
, &pos
, 10);
674 pos
= skip_spaces(pos
);
675 extent
->lower_first
= simple_strtoul(pos
, &pos
, 10);
679 pos
= skip_spaces(pos
);
680 extent
->count
= simple_strtoul(pos
, &pos
, 10);
681 if (*pos
&& !isspace(*pos
))
684 /* Verify there is not trailing junk on the line */
685 pos
= skip_spaces(pos
);
689 /* Verify we have been given valid starting values */
690 if ((extent
->first
== (u32
) -1) ||
691 (extent
->lower_first
== (u32
) -1))
694 /* Verify count is not zero and does not cause the
697 if ((extent
->first
+ extent
->count
) <= extent
->first
)
699 if ((extent
->lower_first
+ extent
->count
) <=
703 /* Do the ranges in extent overlap any previous extents? */
704 if (mappings_overlap(&new_map
, extent
))
707 new_map
.nr_extents
++;
709 /* Fail if the file contains too many extents */
710 if ((new_map
.nr_extents
== UID_GID_MAP_MAX_EXTENTS
) &&
714 /* Be very certaint the new map actually exists */
715 if (new_map
.nr_extents
== 0)
719 /* Validate the user is allowed to use user id's mapped to. */
720 if (!new_idmap_permitted(file
, ns
, cap_setid
, &new_map
))
723 /* Map the lower ids from the parent user namespace to the
724 * kernel global id space.
726 for (idx
= 0; idx
< new_map
.nr_extents
; idx
++) {
728 extent
= &new_map
.extent
[idx
];
730 lower_first
= map_id_range_down(parent_map
,
734 /* Fail if we can not map the specified extent to
735 * the kernel global id space.
737 if (lower_first
== (u32
) -1)
740 extent
->lower_first
= lower_first
;
743 /* Install the map */
744 memcpy(map
->extent
, new_map
.extent
,
745 new_map
.nr_extents
*sizeof(new_map
.extent
[0]));
747 map
->nr_extents
= new_map
.nr_extents
;
752 mutex_unlock(&userns_state_mutex
);
757 ssize_t
proc_uid_map_write(struct file
*file
, const char __user
*buf
,
758 size_t size
, loff_t
*ppos
)
760 struct seq_file
*seq
= file
->private_data
;
761 struct user_namespace
*ns
= seq
->private;
762 struct user_namespace
*seq_ns
= seq_user_ns(seq
);
767 if ((seq_ns
!= ns
) && (seq_ns
!= ns
->parent
))
770 return map_write(file
, buf
, size
, ppos
, CAP_SETUID
,
771 &ns
->uid_map
, &ns
->parent
->uid_map
);
774 ssize_t
proc_gid_map_write(struct file
*file
, const char __user
*buf
,
775 size_t size
, loff_t
*ppos
)
777 struct seq_file
*seq
= file
->private_data
;
778 struct user_namespace
*ns
= seq
->private;
779 struct user_namespace
*seq_ns
= seq_user_ns(seq
);
784 if ((seq_ns
!= ns
) && (seq_ns
!= ns
->parent
))
787 return map_write(file
, buf
, size
, ppos
, CAP_SETGID
,
788 &ns
->gid_map
, &ns
->parent
->gid_map
);
791 ssize_t
proc_projid_map_write(struct file
*file
, const char __user
*buf
,
792 size_t size
, loff_t
*ppos
)
794 struct seq_file
*seq
= file
->private_data
;
795 struct user_namespace
*ns
= seq
->private;
796 struct user_namespace
*seq_ns
= seq_user_ns(seq
);
801 if ((seq_ns
!= ns
) && (seq_ns
!= ns
->parent
))
804 /* Anyone can set any valid project id no capability needed */
805 return map_write(file
, buf
, size
, ppos
, -1,
806 &ns
->projid_map
, &ns
->parent
->projid_map
);
809 static bool new_idmap_permitted(const struct file
*file
,
810 struct user_namespace
*ns
, int cap_setid
,
811 struct uid_gid_map
*new_map
)
813 const struct cred
*cred
= file
->f_cred
;
814 /* Don't allow mappings that would allow anything that wouldn't
815 * be allowed without the establishment of unprivileged mappings.
817 if ((new_map
->nr_extents
== 1) && (new_map
->extent
[0].count
== 1) &&
818 uid_eq(ns
->owner
, cred
->euid
)) {
819 u32 id
= new_map
->extent
[0].lower_first
;
820 if (cap_setid
== CAP_SETUID
) {
821 kuid_t uid
= make_kuid(ns
->parent
, id
);
822 if (uid_eq(uid
, cred
->euid
))
824 } else if (cap_setid
== CAP_SETGID
) {
825 kgid_t gid
= make_kgid(ns
->parent
, id
);
826 if (!(ns
->flags
& USERNS_SETGROUPS_ALLOWED
) &&
827 gid_eq(gid
, cred
->egid
))
832 /* Allow anyone to set a mapping that doesn't require privilege */
833 if (!cap_valid(cap_setid
))
836 /* Allow the specified ids if we have the appropriate capability
837 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
838 * And the opener of the id file also had the approprpiate capability.
840 if (ns_capable(ns
->parent
, cap_setid
) &&
841 file_ns_capable(file
, ns
->parent
, cap_setid
))
847 int proc_setgroups_show(struct seq_file
*seq
, void *v
)
849 struct user_namespace
*ns
= seq
->private;
850 unsigned long userns_flags
= ACCESS_ONCE(ns
->flags
);
852 seq_printf(seq
, "%s\n",
853 (userns_flags
& USERNS_SETGROUPS_ALLOWED
) ?
858 ssize_t
proc_setgroups_write(struct file
*file
, const char __user
*buf
,
859 size_t count
, loff_t
*ppos
)
861 struct seq_file
*seq
= file
->private_data
;
862 struct user_namespace
*ns
= seq
->private;
864 bool setgroups_allowed
;
867 /* Only allow a very narrow range of strings to be written */
869 if ((*ppos
!= 0) || (count
>= sizeof(kbuf
)))
872 /* What was written? */
874 if (copy_from_user(kbuf
, buf
, count
))
879 /* What is being requested? */
881 if (strncmp(pos
, "allow", 5) == 0) {
883 setgroups_allowed
= true;
885 else if (strncmp(pos
, "deny", 4) == 0) {
887 setgroups_allowed
= false;
892 /* Verify there is not trailing junk on the line */
893 pos
= skip_spaces(pos
);
898 mutex_lock(&userns_state_mutex
);
899 if (setgroups_allowed
) {
900 /* Enabling setgroups after setgroups has been disabled
903 if (!(ns
->flags
& USERNS_SETGROUPS_ALLOWED
))
906 /* Permanently disabling setgroups after setgroups has
907 * been enabled by writing the gid_map is not allowed.
909 if (ns
->gid_map
.nr_extents
!= 0)
911 ns
->flags
&= ~USERNS_SETGROUPS_ALLOWED
;
913 mutex_unlock(&userns_state_mutex
);
915 /* Report a successful write */
921 mutex_unlock(&userns_state_mutex
);
925 bool userns_may_setgroups(const struct user_namespace
*ns
)
929 mutex_lock(&userns_state_mutex
);
930 /* It is not safe to use setgroups until a gid mapping in
931 * the user namespace has been established.
933 allowed
= ns
->gid_map
.nr_extents
!= 0;
934 /* Is setgroups allowed? */
935 allowed
= allowed
&& (ns
->flags
& USERNS_SETGROUPS_ALLOWED
);
936 mutex_unlock(&userns_state_mutex
);
941 static inline struct user_namespace
*to_user_ns(struct ns_common
*ns
)
943 return container_of(ns
, struct user_namespace
, ns
);
946 static struct ns_common
*userns_get(struct task_struct
*task
)
948 struct user_namespace
*user_ns
;
951 user_ns
= get_user_ns(__task_cred(task
)->user_ns
);
954 return user_ns
? &user_ns
->ns
: NULL
;
957 static void userns_put(struct ns_common
*ns
)
959 put_user_ns(to_user_ns(ns
));
962 static int userns_install(struct nsproxy
*nsproxy
, struct ns_common
*ns
)
964 struct user_namespace
*user_ns
= to_user_ns(ns
);
967 /* Don't allow gaining capabilities by reentering
968 * the same user namespace.
970 if (user_ns
== current_user_ns())
973 /* Tasks that share a thread group must share a user namespace */
974 if (!thread_group_empty(current
))
977 if (current
->fs
->users
!= 1)
980 if (!ns_capable(user_ns
, CAP_SYS_ADMIN
))
983 cred
= prepare_creds();
987 put_user_ns(cred
->user_ns
);
988 set_cred_user_ns(cred
, get_user_ns(user_ns
));
990 return commit_creds(cred
);
993 const struct proc_ns_operations userns_operations
= {
995 .type
= CLONE_NEWUSER
,
998 .install
= userns_install
,
1001 static __init
int user_namespaces_init(void)
1003 user_ns_cachep
= KMEM_CACHE(user_namespace
, SLAB_PANIC
);
1006 subsys_initcall(user_namespaces_init
);