[mirror_ubuntu-artful-kernel.git] / kernel / cgroup / namespace.c

#include "cgroup-internal.h"

#include <linux/sched/task.h>
#include <linux/slab.h>
#include <linux/nsproxy.h>
#include <linux/proc_ns.h>


/* cgroup namespaces */

static struct ucounts *inc_cgroup_namespaces(struct user_namespace *ns)
{
	return inc_ucount(ns, current_euid(), UCOUNT_CGROUP_NAMESPACES);
}

static void dec_cgroup_namespaces(struct ucounts *ucounts)
{
	dec_ucount(ucounts, UCOUNT_CGROUP_NAMESPACES);
}

static struct cgroup_namespace *alloc_cgroup_ns(void)
{
	struct cgroup_namespace *new_ns;
	int ret;

	new_ns = kzalloc(sizeof(struct cgroup_namespace), GFP_KERNEL);
	if (!new_ns)
		return ERR_PTR(-ENOMEM);
	ret = ns_alloc_inum(&new_ns->ns);
	if (ret) {
		kfree(new_ns);
		return ERR_PTR(ret);
	}
	refcount_set(&new_ns->count, 1);
	new_ns->ns.ops = &cgroupns_operations;
	return new_ns;
}

void free_cgroup_ns(struct cgroup_namespace *ns)
{
	put_css_set(ns->root_cset);
	dec_cgroup_namespaces(ns->ucounts);
	put_user_ns(ns->user_ns);
	ns_free_inum(&ns->ns);
	kfree(ns);
}
EXPORT_SYMBOL(free_cgroup_ns);

struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
					struct user_namespace *user_ns,
					struct cgroup_namespace *old_ns)
{
	struct cgroup_namespace *new_ns;
	struct ucounts *ucounts;
	struct css_set *cset;

	BUG_ON(!old_ns);

	if (!(flags & CLONE_NEWCGROUP)) {
		get_cgroup_ns(old_ns);
		return old_ns;
	}

	/* Allow only sysadmin to create cgroup namespace. */
	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
		return ERR_PTR(-EPERM);

	ucounts = inc_cgroup_namespaces(user_ns);
	if (!ucounts)
		return ERR_PTR(-ENOSPC);

	/* It is not safe to take cgroup_mutex here */
	spin_lock_irq(&css_set_lock);
	cset = task_css_set(current);
	get_css_set(cset);
	spin_unlock_irq(&css_set_lock);

	new_ns = alloc_cgroup_ns();
	if (IS_ERR(new_ns)) {
		put_css_set(cset);
		dec_cgroup_namespaces(ucounts);
		return new_ns;
	}

	new_ns->user_ns = get_user_ns(user_ns);
	new_ns->ucounts = ucounts;
	new_ns->root_cset = cset;

	return new_ns;
}

static inline struct cgroup_namespace *to_cg_ns(struct ns_common *ns)
{
	return container_of(ns, struct cgroup_namespace, ns);
}

static int cgroupns_install(struct nsproxy *nsproxy, struct ns_common *ns)
{
	struct cgroup_namespace *cgroup_ns = to_cg_ns(ns);

	if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN) ||
	    !ns_capable(cgroup_ns->user_ns, CAP_SYS_ADMIN))
		return -EPERM;

	/* Don't need to do anything if we are attaching to our own cgroupns. */
	if (cgroup_ns == nsproxy->cgroup_ns)
		return 0;

	get_cgroup_ns(cgroup_ns);
	put_cgroup_ns(nsproxy->cgroup_ns);
	nsproxy->cgroup_ns = cgroup_ns;

	return 0;
}

static struct ns_common *cgroupns_get(struct task_struct *task)
{
	struct cgroup_namespace *ns = NULL;
	struct nsproxy *nsproxy;

	task_lock(task);
	nsproxy = task->nsproxy;
	if (nsproxy) {
		ns = nsproxy->cgroup_ns;
		get_cgroup_ns(ns);
	}
	task_unlock(task);

	return ns ? &ns->ns : NULL;
}

static void cgroupns_put(struct ns_common *ns)
{
	put_cgroup_ns(to_cg_ns(ns));
}

static struct user_namespace *cgroupns_owner(struct ns_common *ns)
{
	return to_cg_ns(ns)->user_ns;
}

const struct proc_ns_operations cgroupns_operations = {
	.name		= "cgroup",
	.type		= CLONE_NEWCGROUP,
	.get		= cgroupns_get,
	.put		= cgroupns_put,
	.install	= cgroupns_install,
	.owner		= cgroupns_owner,
};

static __init int cgroup_namespaces_init(void)
{
	return 0;
}
subsys_initcall(cgroup_namespaces_init);
Commit	Line	Data
dcfe149b TH	1	#include "cgroup-internal.h"
dcfe149b TH	2
56cd6973	3	#include <linux/sched/task.h>
dcfe149b TH	4	#include <linux/slab.h>
	5	#include <linux/nsproxy.h>
	6	#include <linux/proc_ns.h>
	7
	8
	9	/* cgroup namespaces */
	10
	11	static struct ucounts inc_cgroup_namespaces(struct user_namespace ns)
	12	{
	13	return inc_ucount(ns, current_euid(), UCOUNT_CGROUP_NAMESPACES);
	14	}
	15
	16	static void dec_cgroup_namespaces(struct ucounts *ucounts)
	17	{
	18	dec_ucount(ucounts, UCOUNT_CGROUP_NAMESPACES);
	19	}
	20
	21	static struct cgroup_namespace *alloc_cgroup_ns(void)
	22	{
	23	struct cgroup_namespace *new_ns;
	24	int ret;
	25
	26	new_ns = kzalloc(sizeof(struct cgroup_namespace), GFP_KERNEL);
	27	if (!new_ns)
	28	return ERR_PTR(-ENOMEM);
	29	ret = ns_alloc_inum(&new_ns->ns);
	30	if (ret) {
	31	kfree(new_ns);
	32	return ERR_PTR(ret);
	33	}
387ad967	34	refcount_set(&new_ns->count, 1);
dcfe149b TH	35	new_ns->ns.ops = &cgroupns_operations;
	36	return new_ns;
	37	}
	38
	39	void free_cgroup_ns(struct cgroup_namespace *ns)
	40	{
	41	put_css_set(ns->root_cset);
	42	dec_cgroup_namespaces(ns->ucounts);
	43	put_user_ns(ns->user_ns);
	44	ns_free_inum(&ns->ns);
	45	kfree(ns);
	46	}
	47	EXPORT_SYMBOL(free_cgroup_ns);
	48
	49	struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
	50	struct user_namespace *user_ns,
	51	struct cgroup_namespace *old_ns)
	52	{
	53	struct cgroup_namespace *new_ns;
	54	struct ucounts *ucounts;
	55	struct css_set *cset;
	56
	57	BUG_ON(!old_ns);
	58
	59	if (!(flags & CLONE_NEWCGROUP)) {
	60	get_cgroup_ns(old_ns);
	61	return old_ns;
	62	}
	63
	64	/* Allow only sysadmin to create cgroup namespace. */
	65	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
	66	return ERR_PTR(-EPERM);
	67
	68	ucounts = inc_cgroup_namespaces(user_ns);
	69	if (!ucounts)
	70	return ERR_PTR(-ENOSPC);
	71
	72	/* It is not safe to take cgroup_mutex here */
	73	spin_lock_irq(&css_set_lock);
	74	cset = task_css_set(current);
	75	get_css_set(cset);
	76	spin_unlock_irq(&css_set_lock);
	77
	78	new_ns = alloc_cgroup_ns();
	79	if (IS_ERR(new_ns)) {
	80	put_css_set(cset);
	81	dec_cgroup_namespaces(ucounts);
	82	return new_ns;
	83	}
	84
	85	new_ns->user_ns = get_user_ns(user_ns);
	86	new_ns->ucounts = ucounts;
	87	new_ns->root_cset = cset;
	88
	89	return new_ns;
	90	}
	91
	92	static inline struct cgroup_namespace to_cg_ns(struct ns_common ns)
	93	{
	94	return container_of(ns, struct cgroup_namespace, ns);
	95	}
	96
	97	static int cgroupns_install(struct nsproxy nsproxy, struct ns_common ns)
	98	{
99	struct cgroup_namespace *cgroup_ns = to_cg_ns(ns);
100
101	if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN) \|\|
102	!ns_capable(cgroup_ns->user_ns, CAP_SYS_ADMIN))
103	return -EPERM;
104
105	/* Don't need to do anything if we are attaching to our own cgroupns. */
106	if (cgroup_ns == nsproxy->cgroup_ns)
107	return 0;
108
109	get_cgroup_ns(cgroup_ns);
110	put_cgroup_ns(nsproxy->cgroup_ns);
111	nsproxy->cgroup_ns = cgroup_ns;
112
113	return 0;
114	}
115
116	static struct ns_common cgroupns_get(struct task_struct task)
117	{
118	struct cgroup_namespace *ns = NULL;
119	struct nsproxy *nsproxy;
120
121	task_lock(task);
122	nsproxy = task->nsproxy;
123	if (nsproxy) {
124	ns = nsproxy->cgroup_ns;
125	get_cgroup_ns(ns);
126	}
127	task_unlock(task);
128
129	return ns ? &ns->ns : NULL;
130	}
131
132	static void cgroupns_put(struct ns_common *ns)
133	{
134	put_cgroup_ns(to_cg_ns(ns));
135	}
136
137	static struct user_namespace cgroupns_owner(struct ns_common ns)
138	{
139	return to_cg_ns(ns)->user_ns;
140	}
141
142	const struct proc_ns_operations cgroupns_operations = {
143	.name = "cgroup",
144	.type = CLONE_NEWCGROUP,
145	.get = cgroupns_get,
146	.put = cgroupns_put,
147	.install = cgroupns_install,
148	.owner = cgroupns_owner,
149	};
150
151	static __init int cgroup_namespaces_init(void)
152	{
153	return 0;
154	}
155	subsys_initcall(cgroup_namespaces_init);