]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - kernel/user_namespace.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: Start new release
[mirror_ubuntu-artful-kernel.git] / kernel / user_namespace.c
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25
26 /*
27 * sysctl determining whether unprivileged users may unshare a new
28 * userns. Allowed by default
29 */
30 int unprivileged_userns_clone = 1;
31
32 static struct kmem_cache *user_ns_cachep __read_mostly;
33 static DEFINE_MUTEX(userns_state_mutex);
34
35 static bool new_idmap_permitted(const struct file *file,
36 struct user_namespace *ns, int cap_setid,
37 struct uid_gid_map *map);
38
39 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
40 {
41 /* Start with the same capabilities as init but useless for doing
42 * anything as the capabilities are bound to the new user namespace.
43 */
44 cred->securebits = SECUREBITS_DEFAULT;
45 cred->cap_inheritable = CAP_EMPTY_SET;
46 cred->cap_permitted = CAP_FULL_SET;
47 cred->cap_effective = CAP_FULL_SET;
48 cred->cap_ambient = CAP_EMPTY_SET;
49 cred->cap_bset = CAP_FULL_SET;
50 #ifdef CONFIG_KEYS
51 key_put(cred->request_key_auth);
52 cred->request_key_auth = NULL;
53 #endif
54 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
55 cred->user_ns = user_ns;
56 }
57
58 /*
59 * Create a new user namespace, deriving the creator from the user in the
60 * passed credentials, and replacing that user with the new root user for the
61 * new namespace.
62 *
63 * This is called by copy_creds(), which will finish setting the target task's
64 * credentials.
65 */
66 int create_user_ns(struct cred *new)
67 {
68 struct user_namespace *ns, *parent_ns = new->user_ns;
69 kuid_t owner = new->euid;
70 kgid_t group = new->egid;
71 int ret;
72
73 if (parent_ns->level > 32)
74 return -EUSERS;
75
76 /*
77 * Verify that we can not violate the policy of which files
78 * may be accessed that is specified by the root directory,
79 * by verifing that the root directory is at the root of the
80 * mount namespace which allows all files to be accessed.
81 */
82 if (current_chrooted())
83 return -EPERM;
84
85 /* The creator needs a mapping in the parent user namespace
86 * or else we won't be able to reasonably tell userspace who
87 * created a user_namespace.
88 */
89 if (!kuid_has_mapping(parent_ns, owner) ||
90 !kgid_has_mapping(parent_ns, group))
91 return -EPERM;
92
93 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
94 if (!ns)
95 return -ENOMEM;
96
97 ret = ns_alloc_inum(&ns->ns);
98 if (ret) {
99 kmem_cache_free(user_ns_cachep, ns);
100 return ret;
101 }
102 ns->ns.ops = &userns_operations;
103
104 atomic_set(&ns->count, 1);
105 /* Leave the new->user_ns reference with the new user namespace. */
106 ns->parent = parent_ns;
107 ns->level = parent_ns->level + 1;
108 ns->owner = owner;
109 ns->group = group;
110
111 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
112 mutex_lock(&userns_state_mutex);
113 ns->flags = parent_ns->flags;
114 mutex_unlock(&userns_state_mutex);
115
116 set_cred_user_ns(new, ns);
117
118 #ifdef CONFIG_PERSISTENT_KEYRINGS
119 init_rwsem(&ns->persistent_keyring_register_sem);
120 #endif
121 return 0;
122 }
123
124 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
125 {
126 struct cred *cred;
127 int err = -ENOMEM;
128
129 if (!(unshare_flags & CLONE_NEWUSER))
130 return 0;
131
132 cred = prepare_creds();
133 if (cred) {
134 err = create_user_ns(cred);
135 if (err)
136 put_cred(cred);
137 else
138 *new_cred = cred;
139 }
140
141 return err;
142 }
143
144 void free_user_ns(struct user_namespace *ns)
145 {
146 struct user_namespace *parent;
147
148 do {
149 parent = ns->parent;
150 #ifdef CONFIG_PERSISTENT_KEYRINGS
151 key_put(ns->persistent_keyring_register);
152 #endif
153 ns_free_inum(&ns->ns);
154 kmem_cache_free(user_ns_cachep, ns);
155 ns = parent;
156 } while (atomic_dec_and_test(&parent->count));
157 }
158 EXPORT_SYMBOL(free_user_ns);
159
160 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
161 {
162 unsigned idx, extents;
163 u32 first, last, id2;
164
165 id2 = id + count - 1;
166
167 /* Find the matching extent */
168 extents = map->nr_extents;
169 smp_rmb();
170 for (idx = 0; idx < extents; idx++) {
171 first = map->extent[idx].first;
172 last = first + map->extent[idx].count - 1;
173 if (id >= first && id <= last &&
174 (id2 >= first && id2 <= last))
175 break;
176 }
177 /* Map the id or note failure */
178 if (idx < extents)
179 id = (id - first) + map->extent[idx].lower_first;
180 else
181 id = (u32) -1;
182
183 return id;
184 }
185
186 static u32 map_id_down(struct uid_gid_map *map, u32 id)
187 {
188 unsigned idx, extents;
189 u32 first, last;
190
191 /* Find the matching extent */
192 extents = map->nr_extents;
193 smp_rmb();
194 for (idx = 0; idx < extents; idx++) {
195 first = map->extent[idx].first;
196 last = first + map->extent[idx].count - 1;
197 if (id >= first && id <= last)
198 break;
199 }
200 /* Map the id or note failure */
201 if (idx < extents)
202 id = (id - first) + map->extent[idx].lower_first;
203 else
204 id = (u32) -1;
205
206 return id;
207 }
208
209 static u32 map_id_up(struct uid_gid_map *map, u32 id)
210 {
211 unsigned idx, extents;
212 u32 first, last;
213
214 /* Find the matching extent */
215 extents = map->nr_extents;
216 smp_rmb();
217 for (idx = 0; idx < extents; idx++) {
218 first = map->extent[idx].lower_first;
219 last = first + map->extent[idx].count - 1;
220 if (id >= first && id <= last)
221 break;
222 }
223 /* Map the id or note failure */
224 if (idx < extents)
225 id = (id - first) + map->extent[idx].first;
226 else
227 id = (u32) -1;
228
229 return id;
230 }
231
232 /**
233 * make_kuid - Map a user-namespace uid pair into a kuid.
234 * @ns: User namespace that the uid is in
235 * @uid: User identifier
236 *
237 * Maps a user-namespace uid pair into a kernel internal kuid,
238 * and returns that kuid.
239 *
240 * When there is no mapping defined for the user-namespace uid
241 * pair INVALID_UID is returned. Callers are expected to test
242 * for and handle INVALID_UID being returned. INVALID_UID
243 * may be tested for using uid_valid().
244 */
245 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
246 {
247 /* Map the uid to a global kernel uid */
248 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
249 }
250 EXPORT_SYMBOL(make_kuid);
251
252 /**
253 * from_kuid - Create a uid from a kuid user-namespace pair.
254 * @targ: The user namespace we want a uid in.
255 * @kuid: The kernel internal uid to start with.
256 *
257 * Map @kuid into the user-namespace specified by @targ and
258 * return the resulting uid.
259 *
260 * There is always a mapping into the initial user_namespace.
261 *
262 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
263 */
264 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
265 {
266 /* Map the uid from a global kernel uid */
267 return map_id_up(&targ->uid_map, __kuid_val(kuid));
268 }
269 EXPORT_SYMBOL(from_kuid);
270
271 /**
272 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
273 * @targ: The user namespace we want a uid in.
274 * @kuid: The kernel internal uid to start with.
275 *
276 * Map @kuid into the user-namespace specified by @targ and
277 * return the resulting uid.
278 *
279 * There is always a mapping into the initial user_namespace.
280 *
281 * Unlike from_kuid from_kuid_munged never fails and always
282 * returns a valid uid. This makes from_kuid_munged appropriate
283 * for use in syscalls like stat and getuid where failing the
284 * system call and failing to provide a valid uid are not an
285 * options.
286 *
287 * If @kuid has no mapping in @targ overflowuid is returned.
288 */
289 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
290 {
291 uid_t uid;
292 uid = from_kuid(targ, kuid);
293
294 if (uid == (uid_t) -1)
295 uid = overflowuid;
296 return uid;
297 }
298 EXPORT_SYMBOL(from_kuid_munged);
299
300 /**
301 * make_kgid - Map a user-namespace gid pair into a kgid.
302 * @ns: User namespace that the gid is in
303 * @gid: group identifier
304 *
305 * Maps a user-namespace gid pair into a kernel internal kgid,
306 * and returns that kgid.
307 *
308 * When there is no mapping defined for the user-namespace gid
309 * pair INVALID_GID is returned. Callers are expected to test
310 * for and handle INVALID_GID being returned. INVALID_GID may be
311 * tested for using gid_valid().
312 */
313 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
314 {
315 /* Map the gid to a global kernel gid */
316 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
317 }
318 EXPORT_SYMBOL(make_kgid);
319
320 /**
321 * from_kgid - Create a gid from a kgid user-namespace pair.
322 * @targ: The user namespace we want a gid in.
323 * @kgid: The kernel internal gid to start with.
324 *
325 * Map @kgid into the user-namespace specified by @targ and
326 * return the resulting gid.
327 *
328 * There is always a mapping into the initial user_namespace.
329 *
330 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
331 */
332 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
333 {
334 /* Map the gid from a global kernel gid */
335 return map_id_up(&targ->gid_map, __kgid_val(kgid));
336 }
337 EXPORT_SYMBOL(from_kgid);
338
339 /**
340 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
341 * @targ: The user namespace we want a gid in.
342 * @kgid: The kernel internal gid to start with.
343 *
344 * Map @kgid into the user-namespace specified by @targ and
345 * return the resulting gid.
346 *
347 * There is always a mapping into the initial user_namespace.
348 *
349 * Unlike from_kgid from_kgid_munged never fails and always
350 * returns a valid gid. This makes from_kgid_munged appropriate
351 * for use in syscalls like stat and getgid where failing the
352 * system call and failing to provide a valid gid are not options.
353 *
354 * If @kgid has no mapping in @targ overflowgid is returned.
355 */
356 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
357 {
358 gid_t gid;
359 gid = from_kgid(targ, kgid);
360
361 if (gid == (gid_t) -1)
362 gid = overflowgid;
363 return gid;
364 }
365 EXPORT_SYMBOL(from_kgid_munged);
366
367 /**
368 * make_kprojid - Map a user-namespace projid pair into a kprojid.
369 * @ns: User namespace that the projid is in
370 * @projid: Project identifier
371 *
372 * Maps a user-namespace uid pair into a kernel internal kuid,
373 * and returns that kuid.
374 *
375 * When there is no mapping defined for the user-namespace projid
376 * pair INVALID_PROJID is returned. Callers are expected to test
377 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
378 * may be tested for using projid_valid().
379 */
380 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
381 {
382 /* Map the uid to a global kernel uid */
383 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
384 }
385 EXPORT_SYMBOL(make_kprojid);
386
387 /**
388 * from_kprojid - Create a projid from a kprojid user-namespace pair.
389 * @targ: The user namespace we want a projid in.
390 * @kprojid: The kernel internal project identifier to start with.
391 *
392 * Map @kprojid into the user-namespace specified by @targ and
393 * return the resulting projid.
394 *
395 * There is always a mapping into the initial user_namespace.
396 *
397 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
398 */
399 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
400 {
401 /* Map the uid from a global kernel uid */
402 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
403 }
404 EXPORT_SYMBOL(from_kprojid);
405
406 /**
407 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
408 * @targ: The user namespace we want a projid in.
409 * @kprojid: The kernel internal projid to start with.
410 *
411 * Map @kprojid into the user-namespace specified by @targ and
412 * return the resulting projid.
413 *
414 * There is always a mapping into the initial user_namespace.
415 *
416 * Unlike from_kprojid from_kprojid_munged never fails and always
417 * returns a valid projid. This makes from_kprojid_munged
418 * appropriate for use in syscalls like stat and where
419 * failing the system call and failing to provide a valid projid are
420 * not an options.
421 *
422 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
423 */
424 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
425 {
426 projid_t projid;
427 projid = from_kprojid(targ, kprojid);
428
429 if (projid == (projid_t) -1)
430 projid = OVERFLOW_PROJID;
431 return projid;
432 }
433 EXPORT_SYMBOL(from_kprojid_munged);
434
435
436 static int uid_m_show(struct seq_file *seq, void *v)
437 {
438 struct user_namespace *ns = seq->private;
439 struct uid_gid_extent *extent = v;
440 struct user_namespace *lower_ns;
441 uid_t lower;
442
443 lower_ns = seq_user_ns(seq);
444 if ((lower_ns == ns) && lower_ns->parent)
445 lower_ns = lower_ns->parent;
446
447 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
448
449 seq_printf(seq, "%10u %10u %10u\n",
450 extent->first,
451 lower,
452 extent->count);
453
454 return 0;
455 }
456
457 static int gid_m_show(struct seq_file *seq, void *v)
458 {
459 struct user_namespace *ns = seq->private;
460 struct uid_gid_extent *extent = v;
461 struct user_namespace *lower_ns;
462 gid_t lower;
463
464 lower_ns = seq_user_ns(seq);
465 if ((lower_ns == ns) && lower_ns->parent)
466 lower_ns = lower_ns->parent;
467
468 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
469
470 seq_printf(seq, "%10u %10u %10u\n",
471 extent->first,
472 lower,
473 extent->count);
474
475 return 0;
476 }
477
478 static int projid_m_show(struct seq_file *seq, void *v)
479 {
480 struct user_namespace *ns = seq->private;
481 struct uid_gid_extent *extent = v;
482 struct user_namespace *lower_ns;
483 projid_t lower;
484
485 lower_ns = seq_user_ns(seq);
486 if ((lower_ns == ns) && lower_ns->parent)
487 lower_ns = lower_ns->parent;
488
489 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
490
491 seq_printf(seq, "%10u %10u %10u\n",
492 extent->first,
493 lower,
494 extent->count);
495
496 return 0;
497 }
498
499 static void *m_start(struct seq_file *seq, loff_t *ppos,
500 struct uid_gid_map *map)
501 {
502 struct uid_gid_extent *extent = NULL;
503 loff_t pos = *ppos;
504
505 if (pos < map->nr_extents) {
506 osb();
507 extent = &map->extent[pos];
508 }
509
510 return extent;
511 }
512
513 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
514 {
515 struct user_namespace *ns = seq->private;
516
517 return m_start(seq, ppos, &ns->uid_map);
518 }
519
520 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
521 {
522 struct user_namespace *ns = seq->private;
523
524 return m_start(seq, ppos, &ns->gid_map);
525 }
526
527 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
528 {
529 struct user_namespace *ns = seq->private;
530
531 return m_start(seq, ppos, &ns->projid_map);
532 }
533
534 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
535 {
536 (*pos)++;
537 return seq->op->start(seq, pos);
538 }
539
540 static void m_stop(struct seq_file *seq, void *v)
541 {
542 return;
543 }
544
545 const struct seq_operations proc_uid_seq_operations = {
546 .start = uid_m_start,
547 .stop = m_stop,
548 .next = m_next,
549 .show = uid_m_show,
550 };
551
552 const struct seq_operations proc_gid_seq_operations = {
553 .start = gid_m_start,
554 .stop = m_stop,
555 .next = m_next,
556 .show = gid_m_show,
557 };
558
559 const struct seq_operations proc_projid_seq_operations = {
560 .start = projid_m_start,
561 .stop = m_stop,
562 .next = m_next,
563 .show = projid_m_show,
564 };
565
566 static bool mappings_overlap(struct uid_gid_map *new_map,
567 struct uid_gid_extent *extent)
568 {
569 u32 upper_first, lower_first, upper_last, lower_last;
570 unsigned idx;
571
572 upper_first = extent->first;
573 lower_first = extent->lower_first;
574 upper_last = upper_first + extent->count - 1;
575 lower_last = lower_first + extent->count - 1;
576
577 for (idx = 0; idx < new_map->nr_extents; idx++) {
578 u32 prev_upper_first, prev_lower_first;
579 u32 prev_upper_last, prev_lower_last;
580 struct uid_gid_extent *prev;
581
582 prev = &new_map->extent[idx];
583
584 prev_upper_first = prev->first;
585 prev_lower_first = prev->lower_first;
586 prev_upper_last = prev_upper_first + prev->count - 1;
587 prev_lower_last = prev_lower_first + prev->count - 1;
588
589 /* Does the upper range intersect a previous extent? */
590 if ((prev_upper_first <= upper_last) &&
591 (prev_upper_last >= upper_first))
592 return true;
593
594 /* Does the lower range intersect a previous extent? */
595 if ((prev_lower_first <= lower_last) &&
596 (prev_lower_last >= lower_first))
597 return true;
598 }
599 return false;
600 }
601
602 static ssize_t map_write(struct file *file, const char __user *buf,
603 size_t count, loff_t *ppos,
604 int cap_setid,
605 struct uid_gid_map *map,
606 struct uid_gid_map *parent_map)
607 {
608 struct seq_file *seq = file->private_data;
609 struct user_namespace *ns = seq->private;
610 struct uid_gid_map new_map;
611 unsigned idx;
612 struct uid_gid_extent *extent = NULL;
613 unsigned long page = 0;
614 char *kbuf, *pos, *next_line;
615 ssize_t ret = -EINVAL;
616
617 /*
618 * The userns_state_mutex serializes all writes to any given map.
619 *
620 * Any map is only ever written once.
621 *
622 * An id map fits within 1 cache line on most architectures.
623 *
624 * On read nothing needs to be done unless you are on an
625 * architecture with a crazy cache coherency model like alpha.
626 *
627 * There is a one time data dependency between reading the
628 * count of the extents and the values of the extents. The
629 * desired behavior is to see the values of the extents that
630 * were written before the count of the extents.
631 *
632 * To achieve this smp_wmb() is used on guarantee the write
633 * order and smp_rmb() is guaranteed that we don't have crazy
634 * architectures returning stale data.
635 */
636 mutex_lock(&userns_state_mutex);
637
638 ret = -EPERM;
639 /* Only allow one successful write to the map */
640 if (map->nr_extents != 0)
641 goto out;
642
643 /*
644 * Adjusting namespace settings requires capabilities on the target.
645 */
646 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
647 goto out;
648
649 /* Get a buffer */
650 ret = -ENOMEM;
651 page = __get_free_page(GFP_TEMPORARY);
652 kbuf = (char *) page;
653 if (!page)
654 goto out;
655
656 /* Only allow < page size writes at the beginning of the file */
657 ret = -EINVAL;
658 if ((*ppos != 0) || (count >= PAGE_SIZE))
659 goto out;
660
661 /* Slurp in the user data */
662 ret = -EFAULT;
663 if (copy_from_user(kbuf, buf, count))
664 goto out;
665 kbuf[count] = '\0';
666
667 /* Parse the user data */
668 ret = -EINVAL;
669 pos = kbuf;
670 new_map.nr_extents = 0;
671 for (; pos; pos = next_line) {
672 extent = &new_map.extent[new_map.nr_extents];
673
674 /* Find the end of line and ensure I don't look past it */
675 next_line = strchr(pos, '\n');
676 if (next_line) {
677 *next_line = '\0';
678 next_line++;
679 if (*next_line == '\0')
680 next_line = NULL;
681 }
682
683 pos = skip_spaces(pos);
684 extent->first = simple_strtoul(pos, &pos, 10);
685 if (!isspace(*pos))
686 goto out;
687
688 pos = skip_spaces(pos);
689 extent->lower_first = simple_strtoul(pos, &pos, 10);
690 if (!isspace(*pos))
691 goto out;
692
693 pos = skip_spaces(pos);
694 extent->count = simple_strtoul(pos, &pos, 10);
695 if (*pos && !isspace(*pos))
696 goto out;
697
698 /* Verify there is not trailing junk on the line */
699 pos = skip_spaces(pos);
700 if (*pos != '\0')
701 goto out;
702
703 /* Verify we have been given valid starting values */
704 if ((extent->first == (u32) -1) ||
705 (extent->lower_first == (u32) -1))
706 goto out;
707
708 /* Verify count is not zero and does not cause the
709 * extent to wrap
710 */
711 if ((extent->first + extent->count) <= extent->first)
712 goto out;
713 if ((extent->lower_first + extent->count) <=
714 extent->lower_first)
715 goto out;
716
717 /* Do the ranges in extent overlap any previous extents? */
718 if (mappings_overlap(&new_map, extent))
719 goto out;
720
721 new_map.nr_extents++;
722
723 /* Fail if the file contains too many extents */
724 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
725 (next_line != NULL))
726 goto out;
727 }
728 /* Be very certaint the new map actually exists */
729 if (new_map.nr_extents == 0)
730 goto out;
731
732 ret = -EPERM;
733 /* Validate the user is allowed to use user id's mapped to. */
734 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
735 goto out;
736
737 /* Map the lower ids from the parent user namespace to the
738 * kernel global id space.
739 */
740 for (idx = 0; idx < new_map.nr_extents; idx++) {
741 u32 lower_first;
742 extent = &new_map.extent[idx];
743
744 lower_first = map_id_range_down(parent_map,
745 extent->lower_first,
746 extent->count);
747
748 /* Fail if we can not map the specified extent to
749 * the kernel global id space.
750 */
751 if (lower_first == (u32) -1)
752 goto out;
753
754 extent->lower_first = lower_first;
755 }
756
757 /* Install the map */
758 memcpy(map->extent, new_map.extent,
759 new_map.nr_extents*sizeof(new_map.extent[0]));
760 smp_wmb();
761 map->nr_extents = new_map.nr_extents;
762
763 *ppos = count;
764 ret = count;
765 out:
766 mutex_unlock(&userns_state_mutex);
767 if (page)
768 free_page(page);
769 return ret;
770 }
771
772 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
773 size_t size, loff_t *ppos)
774 {
775 struct seq_file *seq = file->private_data;
776 struct user_namespace *ns = seq->private;
777 struct user_namespace *seq_ns = seq_user_ns(seq);
778
779 if (!ns->parent)
780 return -EPERM;
781
782 if ((seq_ns != ns) && (seq_ns != ns->parent))
783 return -EPERM;
784
785 return map_write(file, buf, size, ppos, CAP_SETUID,
786 &ns->uid_map, &ns->parent->uid_map);
787 }
788
789 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
790 size_t size, loff_t *ppos)
791 {
792 struct seq_file *seq = file->private_data;
793 struct user_namespace *ns = seq->private;
794 struct user_namespace *seq_ns = seq_user_ns(seq);
795
796 if (!ns->parent)
797 return -EPERM;
798
799 if ((seq_ns != ns) && (seq_ns != ns->parent))
800 return -EPERM;
801
802 return map_write(file, buf, size, ppos, CAP_SETGID,
803 &ns->gid_map, &ns->parent->gid_map);
804 }
805
806 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
807 size_t size, loff_t *ppos)
808 {
809 struct seq_file *seq = file->private_data;
810 struct user_namespace *ns = seq->private;
811 struct user_namespace *seq_ns = seq_user_ns(seq);
812
813 if (!ns->parent)
814 return -EPERM;
815
816 if ((seq_ns != ns) && (seq_ns != ns->parent))
817 return -EPERM;
818
819 /* Anyone can set any valid project id no capability needed */
820 return map_write(file, buf, size, ppos, -1,
821 &ns->projid_map, &ns->parent->projid_map);
822 }
823
824 static bool new_idmap_permitted(const struct file *file,
825 struct user_namespace *ns, int cap_setid,
826 struct uid_gid_map *new_map)
827 {
828 const struct cred *cred = file->f_cred;
829 /* Don't allow mappings that would allow anything that wouldn't
830 * be allowed without the establishment of unprivileged mappings.
831 */
832 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
833 uid_eq(ns->owner, cred->euid)) {
834 u32 id = new_map->extent[0].lower_first;
835 if (cap_setid == CAP_SETUID) {
836 kuid_t uid = make_kuid(ns->parent, id);
837 if (uid_eq(uid, cred->euid))
838 return true;
839 } else if (cap_setid == CAP_SETGID) {
840 kgid_t gid = make_kgid(ns->parent, id);
841 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
842 gid_eq(gid, cred->egid))
843 return true;
844 }
845 }
846
847 /* Allow anyone to set a mapping that doesn't require privilege */
848 if (!cap_valid(cap_setid))
849 return true;
850
851 /* Allow the specified ids if we have the appropriate capability
852 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
853 * And the opener of the id file also had the approprpiate capability.
854 */
855 if (ns_capable(ns->parent, cap_setid) &&
856 file_ns_capable(file, ns->parent, cap_setid))
857 return true;
858
859 return false;
860 }
861
862 int proc_setgroups_show(struct seq_file *seq, void *v)
863 {
864 struct user_namespace *ns = seq->private;
865 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
866
867 seq_printf(seq, "%s\n",
868 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
869 "allow" : "deny");
870 return 0;
871 }
872
873 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
874 size_t count, loff_t *ppos)
875 {
876 struct seq_file *seq = file->private_data;
877 struct user_namespace *ns = seq->private;
878 char kbuf[8], *pos;
879 bool setgroups_allowed;
880 ssize_t ret;
881
882 /* Only allow a very narrow range of strings to be written */
883 ret = -EINVAL;
884 if ((*ppos != 0) || (count >= sizeof(kbuf)))
885 goto out;
886
887 /* What was written? */
888 ret = -EFAULT;
889 if (copy_from_user(kbuf, buf, count))
890 goto out;
891 kbuf[count] = '\0';
892 pos = kbuf;
893
894 /* What is being requested? */
895 ret = -EINVAL;
896 if (strncmp(pos, "allow", 5) == 0) {
897 pos += 5;
898 setgroups_allowed = true;
899 }
900 else if (strncmp(pos, "deny", 4) == 0) {
901 pos += 4;
902 setgroups_allowed = false;
903 }
904 else
905 goto out;
906
907 /* Verify there is not trailing junk on the line */
908 pos = skip_spaces(pos);
909 if (*pos != '\0')
910 goto out;
911
912 ret = -EPERM;
913 mutex_lock(&userns_state_mutex);
914 if (setgroups_allowed) {
915 /* Enabling setgroups after setgroups has been disabled
916 * is not allowed.
917 */
918 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
919 goto out_unlock;
920 } else {
921 /* Permanently disabling setgroups after setgroups has
922 * been enabled by writing the gid_map is not allowed.
923 */
924 if (ns->gid_map.nr_extents != 0)
925 goto out_unlock;
926 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
927 }
928 mutex_unlock(&userns_state_mutex);
929
930 /* Report a successful write */
931 *ppos = count;
932 ret = count;
933 out:
934 return ret;
935 out_unlock:
936 mutex_unlock(&userns_state_mutex);
937 goto out;
938 }
939
940 bool userns_may_setgroups(const struct user_namespace *ns)
941 {
942 bool allowed;
943
944 mutex_lock(&userns_state_mutex);
945 /* It is not safe to use setgroups until a gid mapping in
946 * the user namespace has been established.
947 */
948 allowed = ns->gid_map.nr_extents != 0;
949 /* Is setgroups allowed? */
950 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
951 mutex_unlock(&userns_state_mutex);
952
953 return allowed;
954 }
955
956 /*
957 * Returns true if @ns is the same namespace as or a descendant of
958 * @target_ns.
959 */
960 bool current_in_userns(const struct user_namespace *target_ns)
961 {
962 struct user_namespace *ns;
963 for (ns = current_user_ns(); ns; ns = ns->parent) {
964 if (ns == target_ns)
965 return true;
966 }
967 return false;
968 }
969 EXPORT_SYMBOL(current_in_userns);
970
971 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
972 {
973 return container_of(ns, struct user_namespace, ns);
974 }
975
976 static struct ns_common *userns_get(struct task_struct *task)
977 {
978 struct user_namespace *user_ns;
979
980 rcu_read_lock();
981 user_ns = get_user_ns(__task_cred(task)->user_ns);
982 rcu_read_unlock();
983
984 return user_ns ? &user_ns->ns : NULL;
985 }
986
987 static void userns_put(struct ns_common *ns)
988 {
989 put_user_ns(to_user_ns(ns));
990 }
991
992 static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
993 {
994 struct user_namespace *user_ns = to_user_ns(ns);
995 struct cred *cred;
996
997 /* Don't allow gaining capabilities by reentering
998 * the same user namespace.
999 */
1000 if (user_ns == current_user_ns())
1001 return -EINVAL;
1002
1003 /* Tasks that share a thread group must share a user namespace */
1004 if (!thread_group_empty(current))
1005 return -EINVAL;
1006
1007 if (current->fs->users != 1)
1008 return -EINVAL;
1009
1010 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1011 return -EPERM;
1012
1013 cred = prepare_creds();
1014 if (!cred)
1015 return -ENOMEM;
1016
1017 put_user_ns(cred->user_ns);
1018 set_cred_user_ns(cred, get_user_ns(user_ns));
1019
1020 return commit_creds(cred);
1021 }
1022
1023 const struct proc_ns_operations userns_operations = {
1024 .name = "user",
1025 .type = CLONE_NEWUSER,
1026 .get = userns_get,
1027 .put = userns_put,
1028 .install = userns_install,
1029 };
1030
1031 static __init int user_namespaces_init(void)
1032 {
1033 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1034 return 0;
1035 }
1036 subsys_initcall(user_namespaces_init);
Ubuntu Artful kernel mirror