]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - kernel/user_namespace.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
yam: fix a memory leak in yam_siocdevprivate()
[mirror_ubuntu-jammy-kernel.git] / kernel / user_namespace.c
1 // SPDX-License-Identifier: GPL-2.0-only
2
3 #include <linux/export.h>
4 #include <linux/nsproxy.h>
5 #include <linux/slab.h>
6 #include <linux/sched/signal.h>
7 #include <linux/user_namespace.h>
8 #include <linux/proc_ns.h>
9 #include <linux/highuid.h>
10 #include <linux/cred.h>
11 #include <linux/securebits.h>
12 #include <linux/keyctl.h>
13 #include <linux/key-type.h>
14 #include <keys/user-type.h>
15 #include <linux/seq_file.h>
16 #include <linux/fs.h>
17 #include <linux/uaccess.h>
18 #include <linux/ctype.h>
19 #include <linux/projid.h>
20 #include <linux/fs_struct.h>
21 #include <linux/bsearch.h>
22 #include <linux/sort.h>
23
24 /*
25 * sysctl determining whether unprivileged users may unshare a new
26 * userns. Allowed by default
27 */
28 int unprivileged_userns_clone = 1;
29
30 static struct kmem_cache *user_ns_cachep __read_mostly;
31 static DEFINE_MUTEX(userns_state_mutex);
32
33 static bool new_idmap_permitted(const struct file *file,
34 struct user_namespace *ns, int cap_setid,
35 struct uid_gid_map *map);
36 static void free_user_ns(struct work_struct *work);
37
38 static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
39 {
40 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
41 }
42
43 static void dec_user_namespaces(struct ucounts *ucounts)
44 {
45 return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
46 }
47
48 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
49 {
50 /* Start with the same capabilities as init but useless for doing
51 * anything as the capabilities are bound to the new user namespace.
52 */
53 cred->securebits = SECUREBITS_DEFAULT;
54 cred->cap_inheritable = CAP_EMPTY_SET;
55 cred->cap_permitted = CAP_FULL_SET;
56 cred->cap_effective = CAP_FULL_SET;
57 cred->cap_ambient = CAP_EMPTY_SET;
58 cred->cap_bset = CAP_FULL_SET;
59 #ifdef CONFIG_KEYS
60 key_put(cred->request_key_auth);
61 cred->request_key_auth = NULL;
62 #endif
63 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
64 cred->user_ns = user_ns;
65 }
66
67 /*
68 * Create a new user namespace, deriving the creator from the user in the
69 * passed credentials, and replacing that user with the new root user for the
70 * new namespace.
71 *
72 * This is called by copy_creds(), which will finish setting the target task's
73 * credentials.
74 */
75 int create_user_ns(struct cred *new)
76 {
77 struct user_namespace *ns, *parent_ns = new->user_ns;
78 kuid_t owner = new->euid;
79 kgid_t group = new->egid;
80 struct ucounts *ucounts;
81 int ret, i;
82
83 ret = -ENOSPC;
84 if (parent_ns->level > 32)
85 goto fail;
86
87 ucounts = inc_user_namespaces(parent_ns, owner);
88 if (!ucounts)
89 goto fail;
90
91 /*
92 * Verify that we can not violate the policy of which files
93 * may be accessed that is specified by the root directory,
94 * by verifying that the root directory is at the root of the
95 * mount namespace which allows all files to be accessed.
96 */
97 ret = -EPERM;
98 if (current_chrooted())
99 goto fail_dec;
100
101 /* The creator needs a mapping in the parent user namespace
102 * or else we won't be able to reasonably tell userspace who
103 * created a user_namespace.
104 */
105 ret = -EPERM;
106 if (!kuid_has_mapping(parent_ns, owner) ||
107 !kgid_has_mapping(parent_ns, group))
108 goto fail_dec;
109
110 ret = -ENOMEM;
111 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
112 if (!ns)
113 goto fail_dec;
114
115 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP);
116 ret = ns_alloc_inum(&ns->ns);
117 if (ret)
118 goto fail_free;
119 ns->ns.ops = &userns_operations;
120
121 refcount_set(&ns->ns.count, 1);
122 /* Leave the new->user_ns reference with the new user namespace. */
123 ns->parent = parent_ns;
124 ns->level = parent_ns->level + 1;
125 ns->owner = owner;
126 ns->group = group;
127 INIT_WORK(&ns->work, free_user_ns);
128 for (i = 0; i < MAX_PER_NAMESPACE_UCOUNTS; i++) {
129 ns->ucount_max[i] = INT_MAX;
130 }
131 set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC));
132 set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE));
133 set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING));
134 set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK));
135 ns->ucounts = ucounts;
136
137 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
138 mutex_lock(&userns_state_mutex);
139 ns->flags = parent_ns->flags;
140 mutex_unlock(&userns_state_mutex);
141
142 #ifdef CONFIG_KEYS
143 INIT_LIST_HEAD(&ns->keyring_name_list);
144 init_rwsem(&ns->keyring_sem);
145 #endif
146 ret = -ENOMEM;
147 if (!setup_userns_sysctls(ns))
148 goto fail_keyring;
149
150 set_cred_user_ns(new, ns);
151 return 0;
152 fail_keyring:
153 #ifdef CONFIG_PERSISTENT_KEYRINGS
154 key_put(ns->persistent_keyring_register);
155 #endif
156 ns_free_inum(&ns->ns);
157 fail_free:
158 kmem_cache_free(user_ns_cachep, ns);
159 fail_dec:
160 dec_user_namespaces(ucounts);
161 fail:
162 return ret;
163 }
164
165 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
166 {
167 struct cred *cred;
168 int err = -ENOMEM;
169
170 if (!(unshare_flags & CLONE_NEWUSER))
171 return 0;
172
173 cred = prepare_creds();
174 if (cred) {
175 err = create_user_ns(cred);
176 if (err)
177 put_cred(cred);
178 else
179 *new_cred = cred;
180 }
181
182 return err;
183 }
184
185 static void free_user_ns(struct work_struct *work)
186 {
187 struct user_namespace *parent, *ns =
188 container_of(work, struct user_namespace, work);
189
190 do {
191 struct ucounts *ucounts = ns->ucounts;
192 parent = ns->parent;
193 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
194 kfree(ns->gid_map.forward);
195 kfree(ns->gid_map.reverse);
196 }
197 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
198 kfree(ns->uid_map.forward);
199 kfree(ns->uid_map.reverse);
200 }
201 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
202 kfree(ns->projid_map.forward);
203 kfree(ns->projid_map.reverse);
204 }
205 retire_userns_sysctls(ns);
206 key_free_user_ns(ns);
207 ns_free_inum(&ns->ns);
208 kmem_cache_free(user_ns_cachep, ns);
209 dec_user_namespaces(ucounts);
210 ns = parent;
211 } while (refcount_dec_and_test(&parent->ns.count));
212 }
213
214 void __put_user_ns(struct user_namespace *ns)
215 {
216 schedule_work(&ns->work);
217 }
218 EXPORT_SYMBOL(__put_user_ns);
219
220 /**
221 * idmap_key struct holds the information necessary to find an idmapping in a
222 * sorted idmap array. It is passed to cmp_map_id() as first argument.
223 */
224 struct idmap_key {
225 bool map_up; /* true -> id from kid; false -> kid from id */
226 u32 id; /* id to find */
227 u32 count; /* == 0 unless used with map_id_range_down() */
228 };
229
230 /**
231 * cmp_map_id - Function to be passed to bsearch() to find the requested
232 * idmapping. Expects struct idmap_key to be passed via @k.
233 */
234 static int cmp_map_id(const void *k, const void *e)
235 {
236 u32 first, last, id2;
237 const struct idmap_key *key = k;
238 const struct uid_gid_extent *el = e;
239
240 id2 = key->id + key->count - 1;
241
242 /* handle map_id_{down,up}() */
243 if (key->map_up)
244 first = el->lower_first;
245 else
246 first = el->first;
247
248 last = first + el->count - 1;
249
250 if (key->id >= first && key->id <= last &&
251 (id2 >= first && id2 <= last))
252 return 0;
253
254 if (key->id < first || id2 < first)
255 return -1;
256
257 return 1;
258 }
259
260 /**
261 * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
262 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
263 */
264 static struct uid_gid_extent *
265 map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
266 {
267 struct idmap_key key;
268
269 key.map_up = false;
270 key.count = count;
271 key.id = id;
272
273 return bsearch(&key, map->forward, extents,
274 sizeof(struct uid_gid_extent), cmp_map_id);
275 }
276
277 /**
278 * map_id_range_down_base - Find idmap via binary search in static extent array.
279 * Can only be called if number of mappings is equal or less than
280 * UID_GID_MAP_MAX_BASE_EXTENTS.
281 */
282 static struct uid_gid_extent *
283 map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
284 {
285 unsigned idx;
286 u32 first, last, id2;
287
288 id2 = id + count - 1;
289
290 /* Find the matching extent */
291 for (idx = 0; idx < extents; idx++) {
292 first = map->extent[idx].first;
293 last = first + map->extent[idx].count - 1;
294 if (id >= first && id <= last &&
295 (id2 >= first && id2 <= last))
296 return &map->extent[idx];
297 }
298 return NULL;
299 }
300
301 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
302 {
303 struct uid_gid_extent *extent;
304 unsigned extents = map->nr_extents;
305 smp_rmb();
306
307 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
308 extent = map_id_range_down_base(extents, map, id, count);
309 else
310 extent = map_id_range_down_max(extents, map, id, count);
311
312 /* Map the id or note failure */
313 if (extent)
314 id = (id - extent->first) + extent->lower_first;
315 else
316 id = (u32) -1;
317
318 return id;
319 }
320
321 static u32 map_id_down(struct uid_gid_map *map, u32 id)
322 {
323 return map_id_range_down(map, id, 1);
324 }
325
326 /**
327 * map_id_up_base - Find idmap via binary search in static extent array.
328 * Can only be called if number of mappings is equal or less than
329 * UID_GID_MAP_MAX_BASE_EXTENTS.
330 */
331 static struct uid_gid_extent *
332 map_id_up_base(unsigned extents, struct uid_gid_map *map, u32 id)
333 {
334 unsigned idx;
335 u32 first, last;
336
337 /* Find the matching extent */
338 for (idx = 0; idx < extents; idx++) {
339 first = map->extent[idx].lower_first;
340 last = first + map->extent[idx].count - 1;
341 if (id >= first && id <= last)
342 return &map->extent[idx];
343 }
344 return NULL;
345 }
346
347 /**
348 * map_id_up_max - Find idmap via binary search in ordered idmap array.
349 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
350 */
351 static struct uid_gid_extent *
352 map_id_up_max(unsigned extents, struct uid_gid_map *map, u32 id)
353 {
354 struct idmap_key key;
355
356 key.map_up = true;
357 key.count = 1;
358 key.id = id;
359
360 return bsearch(&key, map->reverse, extents,
361 sizeof(struct uid_gid_extent), cmp_map_id);
362 }
363
364 static u32 map_id_up(struct uid_gid_map *map, u32 id)
365 {
366 struct uid_gid_extent *extent;
367 unsigned extents = map->nr_extents;
368 smp_rmb();
369
370 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
371 extent = map_id_up_base(extents, map, id);
372 else
373 extent = map_id_up_max(extents, map, id);
374
375 /* Map the id or note failure */
376 if (extent)
377 id = (id - extent->lower_first) + extent->first;
378 else
379 id = (u32) -1;
380
381 return id;
382 }
383
384 /**
385 * make_kuid - Map a user-namespace uid pair into a kuid.
386 * @ns: User namespace that the uid is in
387 * @uid: User identifier
388 *
389 * Maps a user-namespace uid pair into a kernel internal kuid,
390 * and returns that kuid.
391 *
392 * When there is no mapping defined for the user-namespace uid
393 * pair INVALID_UID is returned. Callers are expected to test
394 * for and handle INVALID_UID being returned. INVALID_UID
395 * may be tested for using uid_valid().
396 */
397 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
398 {
399 /* Map the uid to a global kernel uid */
400 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
401 }
402 EXPORT_SYMBOL(make_kuid);
403
404 /**
405 * from_kuid - Create a uid from a kuid user-namespace pair.
406 * @targ: The user namespace we want a uid in.
407 * @kuid: The kernel internal uid to start with.
408 *
409 * Map @kuid into the user-namespace specified by @targ and
410 * return the resulting uid.
411 *
412 * There is always a mapping into the initial user_namespace.
413 *
414 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
415 */
416 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
417 {
418 /* Map the uid from a global kernel uid */
419 return map_id_up(&targ->uid_map, __kuid_val(kuid));
420 }
421 EXPORT_SYMBOL(from_kuid);
422
423 /**
424 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
425 * @targ: The user namespace we want a uid in.
426 * @kuid: The kernel internal uid to start with.
427 *
428 * Map @kuid into the user-namespace specified by @targ and
429 * return the resulting uid.
430 *
431 * There is always a mapping into the initial user_namespace.
432 *
433 * Unlike from_kuid from_kuid_munged never fails and always
434 * returns a valid uid. This makes from_kuid_munged appropriate
435 * for use in syscalls like stat and getuid where failing the
436 * system call and failing to provide a valid uid are not an
437 * options.
438 *
439 * If @kuid has no mapping in @targ overflowuid is returned.
440 */
441 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
442 {
443 uid_t uid;
444 uid = from_kuid(targ, kuid);
445
446 if (uid == (uid_t) -1)
447 uid = overflowuid;
448 return uid;
449 }
450 EXPORT_SYMBOL(from_kuid_munged);
451
452 /**
453 * make_kgid - Map a user-namespace gid pair into a kgid.
454 * @ns: User namespace that the gid is in
455 * @gid: group identifier
456 *
457 * Maps a user-namespace gid pair into a kernel internal kgid,
458 * and returns that kgid.
459 *
460 * When there is no mapping defined for the user-namespace gid
461 * pair INVALID_GID is returned. Callers are expected to test
462 * for and handle INVALID_GID being returned. INVALID_GID may be
463 * tested for using gid_valid().
464 */
465 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
466 {
467 /* Map the gid to a global kernel gid */
468 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
469 }
470 EXPORT_SYMBOL(make_kgid);
471
472 /**
473 * from_kgid - Create a gid from a kgid user-namespace pair.
474 * @targ: The user namespace we want a gid in.
475 * @kgid: The kernel internal gid to start with.
476 *
477 * Map @kgid into the user-namespace specified by @targ and
478 * return the resulting gid.
479 *
480 * There is always a mapping into the initial user_namespace.
481 *
482 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
483 */
484 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
485 {
486 /* Map the gid from a global kernel gid */
487 return map_id_up(&targ->gid_map, __kgid_val(kgid));
488 }
489 EXPORT_SYMBOL(from_kgid);
490
491 /**
492 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
493 * @targ: The user namespace we want a gid in.
494 * @kgid: The kernel internal gid to start with.
495 *
496 * Map @kgid into the user-namespace specified by @targ and
497 * return the resulting gid.
498 *
499 * There is always a mapping into the initial user_namespace.
500 *
501 * Unlike from_kgid from_kgid_munged never fails and always
502 * returns a valid gid. This makes from_kgid_munged appropriate
503 * for use in syscalls like stat and getgid where failing the
504 * system call and failing to provide a valid gid are not options.
505 *
506 * If @kgid has no mapping in @targ overflowgid is returned.
507 */
508 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
509 {
510 gid_t gid;
511 gid = from_kgid(targ, kgid);
512
513 if (gid == (gid_t) -1)
514 gid = overflowgid;
515 return gid;
516 }
517 EXPORT_SYMBOL(from_kgid_munged);
518
519 /**
520 * make_kprojid - Map a user-namespace projid pair into a kprojid.
521 * @ns: User namespace that the projid is in
522 * @projid: Project identifier
523 *
524 * Maps a user-namespace uid pair into a kernel internal kuid,
525 * and returns that kuid.
526 *
527 * When there is no mapping defined for the user-namespace projid
528 * pair INVALID_PROJID is returned. Callers are expected to test
529 * for and handle INVALID_PROJID being returned. INVALID_PROJID
530 * may be tested for using projid_valid().
531 */
532 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
533 {
534 /* Map the uid to a global kernel uid */
535 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
536 }
537 EXPORT_SYMBOL(make_kprojid);
538
539 /**
540 * from_kprojid - Create a projid from a kprojid user-namespace pair.
541 * @targ: The user namespace we want a projid in.
542 * @kprojid: The kernel internal project identifier to start with.
543 *
544 * Map @kprojid into the user-namespace specified by @targ and
545 * return the resulting projid.
546 *
547 * There is always a mapping into the initial user_namespace.
548 *
549 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
550 */
551 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
552 {
553 /* Map the uid from a global kernel uid */
554 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
555 }
556 EXPORT_SYMBOL(from_kprojid);
557
558 /**
559 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
560 * @targ: The user namespace we want a projid in.
561 * @kprojid: The kernel internal projid to start with.
562 *
563 * Map @kprojid into the user-namespace specified by @targ and
564 * return the resulting projid.
565 *
566 * There is always a mapping into the initial user_namespace.
567 *
568 * Unlike from_kprojid from_kprojid_munged never fails and always
569 * returns a valid projid. This makes from_kprojid_munged
570 * appropriate for use in syscalls like stat and where
571 * failing the system call and failing to provide a valid projid are
572 * not an options.
573 *
574 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
575 */
576 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
577 {
578 projid_t projid;
579 projid = from_kprojid(targ, kprojid);
580
581 if (projid == (projid_t) -1)
582 projid = OVERFLOW_PROJID;
583 return projid;
584 }
585 EXPORT_SYMBOL(from_kprojid_munged);
586
587
588 static int uid_m_show(struct seq_file *seq, void *v)
589 {
590 struct user_namespace *ns = seq->private;
591 struct uid_gid_extent *extent = v;
592 struct user_namespace *lower_ns;
593 uid_t lower;
594
595 lower_ns = seq_user_ns(seq);
596 if ((lower_ns == ns) && lower_ns->parent)
597 lower_ns = lower_ns->parent;
598
599 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
600
601 seq_printf(seq, "%10u %10u %10u\n",
602 extent->first,
603 lower,
604 extent->count);
605
606 return 0;
607 }
608
609 static int gid_m_show(struct seq_file *seq, void *v)
610 {
611 struct user_namespace *ns = seq->private;
612 struct uid_gid_extent *extent = v;
613 struct user_namespace *lower_ns;
614 gid_t lower;
615
616 lower_ns = seq_user_ns(seq);
617 if ((lower_ns == ns) && lower_ns->parent)
618 lower_ns = lower_ns->parent;
619
620 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
621
622 seq_printf(seq, "%10u %10u %10u\n",
623 extent->first,
624 lower,
625 extent->count);
626
627 return 0;
628 }
629
630 static int projid_m_show(struct seq_file *seq, void *v)
631 {
632 struct user_namespace *ns = seq->private;
633 struct uid_gid_extent *extent = v;
634 struct user_namespace *lower_ns;
635 projid_t lower;
636
637 lower_ns = seq_user_ns(seq);
638 if ((lower_ns == ns) && lower_ns->parent)
639 lower_ns = lower_ns->parent;
640
641 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
642
643 seq_printf(seq, "%10u %10u %10u\n",
644 extent->first,
645 lower,
646 extent->count);
647
648 return 0;
649 }
650
651 static void *m_start(struct seq_file *seq, loff_t *ppos,
652 struct uid_gid_map *map)
653 {
654 loff_t pos = *ppos;
655 unsigned extents = map->nr_extents;
656 smp_rmb();
657
658 if (pos >= extents)
659 return NULL;
660
661 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
662 return &map->extent[pos];
663
664 return &map->forward[pos];
665 }
666
667 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
668 {
669 struct user_namespace *ns = seq->private;
670
671 return m_start(seq, ppos, &ns->uid_map);
672 }
673
674 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
675 {
676 struct user_namespace *ns = seq->private;
677
678 return m_start(seq, ppos, &ns->gid_map);
679 }
680
681 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
682 {
683 struct user_namespace *ns = seq->private;
684
685 return m_start(seq, ppos, &ns->projid_map);
686 }
687
688 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
689 {
690 (*pos)++;
691 return seq->op->start(seq, pos);
692 }
693
694 static void m_stop(struct seq_file *seq, void *v)
695 {
696 return;
697 }
698
699 const struct seq_operations proc_uid_seq_operations = {
700 .start = uid_m_start,
701 .stop = m_stop,
702 .next = m_next,
703 .show = uid_m_show,
704 };
705
706 const struct seq_operations proc_gid_seq_operations = {
707 .start = gid_m_start,
708 .stop = m_stop,
709 .next = m_next,
710 .show = gid_m_show,
711 };
712
713 const struct seq_operations proc_projid_seq_operations = {
714 .start = projid_m_start,
715 .stop = m_stop,
716 .next = m_next,
717 .show = projid_m_show,
718 };
719
720 static bool mappings_overlap(struct uid_gid_map *new_map,
721 struct uid_gid_extent *extent)
722 {
723 u32 upper_first, lower_first, upper_last, lower_last;
724 unsigned idx;
725
726 upper_first = extent->first;
727 lower_first = extent->lower_first;
728 upper_last = upper_first + extent->count - 1;
729 lower_last = lower_first + extent->count - 1;
730
731 for (idx = 0; idx < new_map->nr_extents; idx++) {
732 u32 prev_upper_first, prev_lower_first;
733 u32 prev_upper_last, prev_lower_last;
734 struct uid_gid_extent *prev;
735
736 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
737 prev = &new_map->extent[idx];
738 else
739 prev = &new_map->forward[idx];
740
741 prev_upper_first = prev->first;
742 prev_lower_first = prev->lower_first;
743 prev_upper_last = prev_upper_first + prev->count - 1;
744 prev_lower_last = prev_lower_first + prev->count - 1;
745
746 /* Does the upper range intersect a previous extent? */
747 if ((prev_upper_first <= upper_last) &&
748 (prev_upper_last >= upper_first))
749 return true;
750
751 /* Does the lower range intersect a previous extent? */
752 if ((prev_lower_first <= lower_last) &&
753 (prev_lower_last >= lower_first))
754 return true;
755 }
756 return false;
757 }
758
759 /**
760 * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
761 * Takes care to allocate a 4K block of memory if the number of mappings exceeds
762 * UID_GID_MAP_MAX_BASE_EXTENTS.
763 */
764 static int insert_extent(struct uid_gid_map *map, struct uid_gid_extent *extent)
765 {
766 struct uid_gid_extent *dest;
767
768 if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) {
769 struct uid_gid_extent *forward;
770
771 /* Allocate memory for 340 mappings. */
772 forward = kmalloc_array(UID_GID_MAP_MAX_EXTENTS,
773 sizeof(struct uid_gid_extent),
774 GFP_KERNEL);
775 if (!forward)
776 return -ENOMEM;
777
778 /* Copy over memory. Only set up memory for the forward pointer.
779 * Defer the memory setup for the reverse pointer.
780 */
781 memcpy(forward, map->extent,
782 map->nr_extents * sizeof(map->extent[0]));
783
784 map->forward = forward;
785 map->reverse = NULL;
786 }
787
788 if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS)
789 dest = &map->extent[map->nr_extents];
790 else
791 dest = &map->forward[map->nr_extents];
792
793 *dest = *extent;
794 map->nr_extents++;
795 return 0;
796 }
797
798 /* cmp function to sort() forward mappings */
799 static int cmp_extents_forward(const void *a, const void *b)
800 {
801 const struct uid_gid_extent *e1 = a;
802 const struct uid_gid_extent *e2 = b;
803
804 if (e1->first < e2->first)
805 return -1;
806
807 if (e1->first > e2->first)
808 return 1;
809
810 return 0;
811 }
812
813 /* cmp function to sort() reverse mappings */
814 static int cmp_extents_reverse(const void *a, const void *b)
815 {
816 const struct uid_gid_extent *e1 = a;
817 const struct uid_gid_extent *e2 = b;
818
819 if (e1->lower_first < e2->lower_first)
820 return -1;
821
822 if (e1->lower_first > e2->lower_first)
823 return 1;
824
825 return 0;
826 }
827
828 /**
829 * sort_idmaps - Sorts an array of idmap entries.
830 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
831 */
832 static int sort_idmaps(struct uid_gid_map *map)
833 {
834 if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
835 return 0;
836
837 /* Sort forward array. */
838 sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent),
839 cmp_extents_forward, NULL);
840
841 /* Only copy the memory from forward we actually need. */
842 map->reverse = kmemdup(map->forward,
843 map->nr_extents * sizeof(struct uid_gid_extent),
844 GFP_KERNEL);
845 if (!map->reverse)
846 return -ENOMEM;
847
848 /* Sort reverse array. */
849 sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent),
850 cmp_extents_reverse, NULL);
851
852 return 0;
853 }
854
855 /**
856 * verify_root_map() - check the uid 0 mapping
857 * @file: idmapping file
858 * @map_ns: user namespace of the target process
859 * @new_map: requested idmap
860 *
861 * If a process requests mapping parent uid 0 into the new ns, verify that the
862 * process writing the map had the CAP_SETFCAP capability as the target process
863 * will be able to write fscaps that are valid in ancestor user namespaces.
864 *
865 * Return: true if the mapping is allowed, false if not.
866 */
867 static bool verify_root_map(const struct file *file,
868 struct user_namespace *map_ns,
869 struct uid_gid_map *new_map)
870 {
871 int idx;
872 const struct user_namespace *file_ns = file->f_cred->user_ns;
873 struct uid_gid_extent *extent0 = NULL;
874
875 for (idx = 0; idx < new_map->nr_extents; idx++) {
876 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
877 extent0 = &new_map->extent[idx];
878 else
879 extent0 = &new_map->forward[idx];
880 if (extent0->lower_first == 0)
881 break;
882
883 extent0 = NULL;
884 }
885
886 if (!extent0)
887 return true;
888
889 if (map_ns == file_ns) {
890 /* The process unshared its ns and is writing to its own
891 * /proc/self/uid_map. User already has full capabilites in
892 * the new namespace. Verify that the parent had CAP_SETFCAP
893 * when it unshared.
894 * */
895 if (!file_ns->parent_could_setfcap)
896 return false;
897 } else {
898 /* Process p1 is writing to uid_map of p2, who is in a child
899 * user namespace to p1's. Verify that the opener of the map
900 * file has CAP_SETFCAP against the parent of the new map
901 * namespace */
902 if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP))
903 return false;
904 }
905
906 return true;
907 }
908
909 static ssize_t map_write(struct file *file, const char __user *buf,
910 size_t count, loff_t *ppos,
911 int cap_setid,
912 struct uid_gid_map *map,
913 struct uid_gid_map *parent_map)
914 {
915 struct seq_file *seq = file->private_data;
916 struct user_namespace *map_ns = seq->private;
917 struct uid_gid_map new_map;
918 unsigned idx;
919 struct uid_gid_extent extent;
920 char *kbuf = NULL, *pos, *next_line;
921 ssize_t ret;
922
923 /* Only allow < page size writes at the beginning of the file */
924 if ((*ppos != 0) || (count >= PAGE_SIZE))
925 return -EINVAL;
926
927 /* Slurp in the user data */
928 kbuf = memdup_user_nul(buf, count);
929 if (IS_ERR(kbuf))
930 return PTR_ERR(kbuf);
931
932 /*
933 * The userns_state_mutex serializes all writes to any given map.
934 *
935 * Any map is only ever written once.
936 *
937 * An id map fits within 1 cache line on most architectures.
938 *
939 * On read nothing needs to be done unless you are on an
940 * architecture with a crazy cache coherency model like alpha.
941 *
942 * There is a one time data dependency between reading the
943 * count of the extents and the values of the extents. The
944 * desired behavior is to see the values of the extents that
945 * were written before the count of the extents.
946 *
947 * To achieve this smp_wmb() is used on guarantee the write
948 * order and smp_rmb() is guaranteed that we don't have crazy
949 * architectures returning stale data.
950 */
951 mutex_lock(&userns_state_mutex);
952
953 memset(&new_map, 0, sizeof(struct uid_gid_map));
954
955 ret = -EPERM;
956 /* Only allow one successful write to the map */
957 if (map->nr_extents != 0)
958 goto out;
959
960 /*
961 * Adjusting namespace settings requires capabilities on the target.
962 */
963 if (cap_valid(cap_setid) && !file_ns_capable(file, map_ns, CAP_SYS_ADMIN))
964 goto out;
965
966 /* Parse the user data */
967 ret = -EINVAL;
968 pos = kbuf;
969 for (; pos; pos = next_line) {
970
971 /* Find the end of line and ensure I don't look past it */
972 next_line = strchr(pos, '\n');
973 if (next_line) {
974 *next_line = '\0';
975 next_line++;
976 if (*next_line == '\0')
977 next_line = NULL;
978 }
979
980 pos = skip_spaces(pos);
981 extent.first = simple_strtoul(pos, &pos, 10);
982 if (!isspace(*pos))
983 goto out;
984
985 pos = skip_spaces(pos);
986 extent.lower_first = simple_strtoul(pos, &pos, 10);
987 if (!isspace(*pos))
988 goto out;
989
990 pos = skip_spaces(pos);
991 extent.count = simple_strtoul(pos, &pos, 10);
992 if (*pos && !isspace(*pos))
993 goto out;
994
995 /* Verify there is not trailing junk on the line */
996 pos = skip_spaces(pos);
997 if (*pos != '\0')
998 goto out;
999
1000 /* Verify we have been given valid starting values */
1001 if ((extent.first == (u32) -1) ||
1002 (extent.lower_first == (u32) -1))
1003 goto out;
1004
1005 /* Verify count is not zero and does not cause the
1006 * extent to wrap
1007 */
1008 if ((extent.first + extent.count) <= extent.first)
1009 goto out;
1010 if ((extent.lower_first + extent.count) <=
1011 extent.lower_first)
1012 goto out;
1013
1014 /* Do the ranges in extent overlap any previous extents? */
1015 if (mappings_overlap(&new_map, &extent))
1016 goto out;
1017
1018 if ((new_map.nr_extents + 1) == UID_GID_MAP_MAX_EXTENTS &&
1019 (next_line != NULL))
1020 goto out;
1021
1022 ret = insert_extent(&new_map, &extent);
1023 if (ret < 0)
1024 goto out;
1025 ret = -EINVAL;
1026 }
1027 /* Be very certain the new map actually exists */
1028 if (new_map.nr_extents == 0)
1029 goto out;
1030
1031 ret = -EPERM;
1032 /* Validate the user is allowed to use user id's mapped to. */
1033 if (!new_idmap_permitted(file, map_ns, cap_setid, &new_map))
1034 goto out;
1035
1036 ret = -EPERM;
1037 /* Map the lower ids from the parent user namespace to the
1038 * kernel global id space.
1039 */
1040 for (idx = 0; idx < new_map.nr_extents; idx++) {
1041 struct uid_gid_extent *e;
1042 u32 lower_first;
1043
1044 if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
1045 e = &new_map.extent[idx];
1046 else
1047 e = &new_map.forward[idx];
1048
1049 lower_first = map_id_range_down(parent_map,
1050 e->lower_first,
1051 e->count);
1052
1053 /* Fail if we can not map the specified extent to
1054 * the kernel global id space.
1055 */
1056 if (lower_first == (u32) -1)
1057 goto out;
1058
1059 e->lower_first = lower_first;
1060 }
1061
1062 /*
1063 * If we want to use binary search for lookup, this clones the extent
1064 * array and sorts both copies.
1065 */
1066 ret = sort_idmaps(&new_map);
1067 if (ret < 0)
1068 goto out;
1069
1070 /* Install the map */
1071 if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
1072 memcpy(map->extent, new_map.extent,
1073 new_map.nr_extents * sizeof(new_map.extent[0]));
1074 } else {
1075 map->forward = new_map.forward;
1076 map->reverse = new_map.reverse;
1077 }
1078 smp_wmb();
1079 map->nr_extents = new_map.nr_extents;
1080
1081 *ppos = count;
1082 ret = count;
1083 out:
1084 if (ret < 0 && new_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
1085 kfree(new_map.forward);
1086 kfree(new_map.reverse);
1087 map->forward = NULL;
1088 map->reverse = NULL;
1089 map->nr_extents = 0;
1090 }
1091
1092 mutex_unlock(&userns_state_mutex);
1093 kfree(kbuf);
1094 return ret;
1095 }
1096
1097 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
1098 size_t size, loff_t *ppos)
1099 {
1100 struct seq_file *seq = file->private_data;
1101 struct user_namespace *ns = seq->private;
1102 struct user_namespace *seq_ns = seq_user_ns(seq);
1103
1104 if (!ns->parent)
1105 return -EPERM;
1106
1107 if ((seq_ns != ns) && (seq_ns != ns->parent))
1108 return -EPERM;
1109
1110 return map_write(file, buf, size, ppos, CAP_SETUID,
1111 &ns->uid_map, &ns->parent->uid_map);
1112 }
1113
1114 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
1115 size_t size, loff_t *ppos)
1116 {
1117 struct seq_file *seq = file->private_data;
1118 struct user_namespace *ns = seq->private;
1119 struct user_namespace *seq_ns = seq_user_ns(seq);
1120
1121 if (!ns->parent)
1122 return -EPERM;
1123
1124 if ((seq_ns != ns) && (seq_ns != ns->parent))
1125 return -EPERM;
1126
1127 return map_write(file, buf, size, ppos, CAP_SETGID,
1128 &ns->gid_map, &ns->parent->gid_map);
1129 }
1130
1131 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
1132 size_t size, loff_t *ppos)
1133 {
1134 struct seq_file *seq = file->private_data;
1135 struct user_namespace *ns = seq->private;
1136 struct user_namespace *seq_ns = seq_user_ns(seq);
1137
1138 if (!ns->parent)
1139 return -EPERM;
1140
1141 if ((seq_ns != ns) && (seq_ns != ns->parent))
1142 return -EPERM;
1143
1144 /* Anyone can set any valid project id no capability needed */
1145 return map_write(file, buf, size, ppos, -1,
1146 &ns->projid_map, &ns->parent->projid_map);
1147 }
1148
1149 static bool new_idmap_permitted(const struct file *file,
1150 struct user_namespace *ns, int cap_setid,
1151 struct uid_gid_map *new_map)
1152 {
1153 const struct cred *cred = file->f_cred;
1154
1155 if (cap_setid == CAP_SETUID && !verify_root_map(file, ns, new_map))
1156 return false;
1157
1158 /* Don't allow mappings that would allow anything that wouldn't
1159 * be allowed without the establishment of unprivileged mappings.
1160 */
1161 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
1162 uid_eq(ns->owner, cred->euid)) {
1163 u32 id = new_map->extent[0].lower_first;
1164 if (cap_setid == CAP_SETUID) {
1165 kuid_t uid = make_kuid(ns->parent, id);
1166 if (uid_eq(uid, cred->euid))
1167 return true;
1168 } else if (cap_setid == CAP_SETGID) {
1169 kgid_t gid = make_kgid(ns->parent, id);
1170 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
1171 gid_eq(gid, cred->egid))
1172 return true;
1173 }
1174 }
1175
1176 /* Allow anyone to set a mapping that doesn't require privilege */
1177 if (!cap_valid(cap_setid))
1178 return true;
1179
1180 /* Allow the specified ids if we have the appropriate capability
1181 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
1182 * And the opener of the id file also has the appropriate capability.
1183 */
1184 if (ns_capable(ns->parent, cap_setid) &&
1185 file_ns_capable(file, ns->parent, cap_setid))
1186 return true;
1187
1188 return false;
1189 }
1190
1191 int proc_setgroups_show(struct seq_file *seq, void *v)
1192 {
1193 struct user_namespace *ns = seq->private;
1194 unsigned long userns_flags = READ_ONCE(ns->flags);
1195
1196 seq_printf(seq, "%s\n",
1197 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
1198 "allow" : "deny");
1199 return 0;
1200 }
1201
1202 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
1203 size_t count, loff_t *ppos)
1204 {
1205 struct seq_file *seq = file->private_data;
1206 struct user_namespace *ns = seq->private;
1207 char kbuf[8], *pos;
1208 bool setgroups_allowed;
1209 ssize_t ret;
1210
1211 /* Only allow a very narrow range of strings to be written */
1212 ret = -EINVAL;
1213 if ((*ppos != 0) || (count >= sizeof(kbuf)))
1214 goto out;
1215
1216 /* What was written? */
1217 ret = -EFAULT;
1218 if (copy_from_user(kbuf, buf, count))
1219 goto out;
1220 kbuf[count] = '\0';
1221 pos = kbuf;
1222
1223 /* What is being requested? */
1224 ret = -EINVAL;
1225 if (strncmp(pos, "allow", 5) == 0) {
1226 pos += 5;
1227 setgroups_allowed = true;
1228 }
1229 else if (strncmp(pos, "deny", 4) == 0) {
1230 pos += 4;
1231 setgroups_allowed = false;
1232 }
1233 else
1234 goto out;
1235
1236 /* Verify there is not trailing junk on the line */
1237 pos = skip_spaces(pos);
1238 if (*pos != '\0')
1239 goto out;
1240
1241 ret = -EPERM;
1242 mutex_lock(&userns_state_mutex);
1243 if (setgroups_allowed) {
1244 /* Enabling setgroups after setgroups has been disabled
1245 * is not allowed.
1246 */
1247 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
1248 goto out_unlock;
1249 } else {
1250 /* Permanently disabling setgroups after setgroups has
1251 * been enabled by writing the gid_map is not allowed.
1252 */
1253 if (ns->gid_map.nr_extents != 0)
1254 goto out_unlock;
1255 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
1256 }
1257 mutex_unlock(&userns_state_mutex);
1258
1259 /* Report a successful write */
1260 *ppos = count;
1261 ret = count;
1262 out:
1263 return ret;
1264 out_unlock:
1265 mutex_unlock(&userns_state_mutex);
1266 goto out;
1267 }
1268
1269 bool userns_may_setgroups(const struct user_namespace *ns)
1270 {
1271 bool allowed;
1272
1273 mutex_lock(&userns_state_mutex);
1274 /* It is not safe to use setgroups until a gid mapping in
1275 * the user namespace has been established.
1276 */
1277 allowed = ns->gid_map.nr_extents != 0;
1278 /* Is setgroups allowed? */
1279 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
1280 mutex_unlock(&userns_state_mutex);
1281
1282 return allowed;
1283 }
1284
1285 /*
1286 * Returns true if @child is the same namespace or a descendant of
1287 * @ancestor.
1288 */
1289 bool in_userns(const struct user_namespace *ancestor,
1290 const struct user_namespace *child)
1291 {
1292 const struct user_namespace *ns;
1293 for (ns = child; ns->level > ancestor->level; ns = ns->parent)
1294 ;
1295 return (ns == ancestor);
1296 }
1297
1298 bool current_in_userns(const struct user_namespace *target_ns)
1299 {
1300 return in_userns(target_ns, current_user_ns());
1301 }
1302 EXPORT_SYMBOL(current_in_userns);
1303
1304 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
1305 {
1306 return container_of(ns, struct user_namespace, ns);
1307 }
1308
1309 static struct ns_common *userns_get(struct task_struct *task)
1310 {
1311 struct user_namespace *user_ns;
1312
1313 rcu_read_lock();
1314 user_ns = get_user_ns(__task_cred(task)->user_ns);
1315 rcu_read_unlock();
1316
1317 return user_ns ? &user_ns->ns : NULL;
1318 }
1319
1320 static void userns_put(struct ns_common *ns)
1321 {
1322 put_user_ns(to_user_ns(ns));
1323 }
1324
1325 static int userns_install(struct nsset *nsset, struct ns_common *ns)
1326 {
1327 struct user_namespace *user_ns = to_user_ns(ns);
1328 struct cred *cred;
1329
1330 /* Don't allow gaining capabilities by reentering
1331 * the same user namespace.
1332 */
1333 if (user_ns == current_user_ns())
1334 return -EINVAL;
1335
1336 /* Tasks that share a thread group must share a user namespace */
1337 if (!thread_group_empty(current))
1338 return -EINVAL;
1339
1340 if (current->fs->users != 1)
1341 return -EINVAL;
1342
1343 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1344 return -EPERM;
1345
1346 cred = nsset_cred(nsset);
1347 if (!cred)
1348 return -EINVAL;
1349
1350 put_user_ns(cred->user_ns);
1351 set_cred_user_ns(cred, get_user_ns(user_ns));
1352
1353 if (set_cred_ucounts(cred) < 0)
1354 return -EINVAL;
1355
1356 return 0;
1357 }
1358
1359 struct ns_common *ns_get_owner(struct ns_common *ns)
1360 {
1361 struct user_namespace *my_user_ns = current_user_ns();
1362 struct user_namespace *owner, *p;
1363
1364 /* See if the owner is in the current user namespace */
1365 owner = p = ns->ops->owner(ns);
1366 for (;;) {
1367 if (!p)
1368 return ERR_PTR(-EPERM);
1369 if (p == my_user_ns)
1370 break;
1371 p = p->parent;
1372 }
1373
1374 return &get_user_ns(owner)->ns;
1375 }
1376
1377 static struct user_namespace *userns_owner(struct ns_common *ns)
1378 {
1379 return to_user_ns(ns)->parent;
1380 }
1381
1382 const struct proc_ns_operations userns_operations = {
1383 .name = "user",
1384 .type = CLONE_NEWUSER,
1385 .get = userns_get,
1386 .put = userns_put,
1387 .install = userns_install,
1388 .owner = userns_owner,
1389 .get_parent = ns_get_owner,
1390 };
1391
1392 static __init int user_namespaces_init(void)
1393 {
1394 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC | SLAB_ACCOUNT);
1395 return 0;
1396 }
1397 subsys_initcall(user_namespaces_init);
Ubuntu Jammy Linux kernel mirror