]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - kernel/user_namespace.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: SAUCE: (namespace) fuse: Restrict allow_other to the superblock's namespace...
[mirror_ubuntu-zesty-kernel.git] / kernel / user_namespace.c
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25
26 /*
27 * sysctl determining whether unprivileged users may unshare a new
28 * userns. Allowed by default
29 */
30 int unprivileged_userns_clone = 1;
31
32 static struct kmem_cache *user_ns_cachep __read_mostly;
33 static DEFINE_MUTEX(userns_state_mutex);
34
35 static bool new_idmap_permitted(const struct file *file,
36 struct user_namespace *ns, int cap_setid,
37 struct uid_gid_map *map);
38 static void free_user_ns(struct work_struct *work);
39
40 static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
41 {
42 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
43 }
44
45 static void dec_user_namespaces(struct ucounts *ucounts)
46 {
47 return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
48 }
49
50 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
51 {
52 /* Start with the same capabilities as init but useless for doing
53 * anything as the capabilities are bound to the new user namespace.
54 */
55 cred->securebits = SECUREBITS_DEFAULT;
56 cred->cap_inheritable = CAP_EMPTY_SET;
57 cred->cap_permitted = CAP_FULL_SET;
58 cred->cap_effective = CAP_FULL_SET;
59 cred->cap_ambient = CAP_EMPTY_SET;
60 cred->cap_bset = CAP_FULL_SET;
61 #ifdef CONFIG_KEYS
62 key_put(cred->request_key_auth);
63 cred->request_key_auth = NULL;
64 #endif
65 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
66 cred->user_ns = user_ns;
67 }
68
69 /*
70 * Create a new user namespace, deriving the creator from the user in the
71 * passed credentials, and replacing that user with the new root user for the
72 * new namespace.
73 *
74 * This is called by copy_creds(), which will finish setting the target task's
75 * credentials.
76 */
77 int create_user_ns(struct cred *new)
78 {
79 struct user_namespace *ns, *parent_ns = new->user_ns;
80 kuid_t owner = new->euid;
81 kgid_t group = new->egid;
82 struct ucounts *ucounts;
83 int ret, i;
84
85 ret = -ENOSPC;
86 if (parent_ns->level > 32)
87 goto fail;
88
89 ucounts = inc_user_namespaces(parent_ns, owner);
90 if (!ucounts)
91 goto fail;
92
93 /*
94 * Verify that we can not violate the policy of which files
95 * may be accessed that is specified by the root directory,
96 * by verifing that the root directory is at the root of the
97 * mount namespace which allows all files to be accessed.
98 */
99 ret = -EPERM;
100 if (current_chrooted())
101 goto fail_dec;
102
103 /* The creator needs a mapping in the parent user namespace
104 * or else we won't be able to reasonably tell userspace who
105 * created a user_namespace.
106 */
107 ret = -EPERM;
108 if (!kuid_has_mapping(parent_ns, owner) ||
109 !kgid_has_mapping(parent_ns, group))
110 goto fail_dec;
111
112 ret = -ENOMEM;
113 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
114 if (!ns)
115 goto fail_dec;
116
117 ret = ns_alloc_inum(&ns->ns);
118 if (ret)
119 goto fail_free;
120 ns->ns.ops = &userns_operations;
121
122 atomic_set(&ns->count, 1);
123 /* Leave the new->user_ns reference with the new user namespace. */
124 ns->parent = parent_ns;
125 ns->level = parent_ns->level + 1;
126 ns->owner = owner;
127 ns->group = group;
128 INIT_WORK(&ns->work, free_user_ns);
129 for (i = 0; i < UCOUNT_COUNTS; i++) {
130 ns->ucount_max[i] = INT_MAX;
131 }
132 ns->ucounts = ucounts;
133
134 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
135 mutex_lock(&userns_state_mutex);
136 ns->flags = parent_ns->flags;
137 mutex_unlock(&userns_state_mutex);
138
139 #ifdef CONFIG_PERSISTENT_KEYRINGS
140 init_rwsem(&ns->persistent_keyring_register_sem);
141 #endif
142 ret = -ENOMEM;
143 if (!setup_userns_sysctls(ns))
144 goto fail_keyring;
145
146 set_cred_user_ns(new, ns);
147 return 0;
148 fail_keyring:
149 #ifdef CONFIG_PERSISTENT_KEYRINGS
150 key_put(ns->persistent_keyring_register);
151 #endif
152 ns_free_inum(&ns->ns);
153 fail_free:
154 kmem_cache_free(user_ns_cachep, ns);
155 fail_dec:
156 dec_user_namespaces(ucounts);
157 fail:
158 return ret;
159 }
160
161 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
162 {
163 struct cred *cred;
164 int err = -ENOMEM;
165
166 if (!(unshare_flags & CLONE_NEWUSER))
167 return 0;
168
169 cred = prepare_creds();
170 if (cred) {
171 err = create_user_ns(cred);
172 if (err)
173 put_cred(cred);
174 else
175 *new_cred = cred;
176 }
177
178 return err;
179 }
180
181 static void free_user_ns(struct work_struct *work)
182 {
183 struct user_namespace *parent, *ns =
184 container_of(work, struct user_namespace, work);
185
186 do {
187 struct ucounts *ucounts = ns->ucounts;
188 parent = ns->parent;
189 retire_userns_sysctls(ns);
190 #ifdef CONFIG_PERSISTENT_KEYRINGS
191 key_put(ns->persistent_keyring_register);
192 #endif
193 ns_free_inum(&ns->ns);
194 kmem_cache_free(user_ns_cachep, ns);
195 dec_user_namespaces(ucounts);
196 ns = parent;
197 } while (atomic_dec_and_test(&parent->count));
198 }
199
200 void __put_user_ns(struct user_namespace *ns)
201 {
202 schedule_work(&ns->work);
203 }
204 EXPORT_SYMBOL(__put_user_ns);
205
206 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
207 {
208 unsigned idx, extents;
209 u32 first, last, id2;
210
211 id2 = id + count - 1;
212
213 /* Find the matching extent */
214 extents = map->nr_extents;
215 smp_rmb();
216 for (idx = 0; idx < extents; idx++) {
217 first = map->extent[idx].first;
218 last = first + map->extent[idx].count - 1;
219 if (id >= first && id <= last &&
220 (id2 >= first && id2 <= last))
221 break;
222 }
223 /* Map the id or note failure */
224 if (idx < extents)
225 id = (id - first) + map->extent[idx].lower_first;
226 else
227 id = (u32) -1;
228
229 return id;
230 }
231
232 static u32 map_id_down(struct uid_gid_map *map, u32 id)
233 {
234 unsigned idx, extents;
235 u32 first, last;
236
237 /* Find the matching extent */
238 extents = map->nr_extents;
239 smp_rmb();
240 for (idx = 0; idx < extents; idx++) {
241 first = map->extent[idx].first;
242 last = first + map->extent[idx].count - 1;
243 if (id >= first && id <= last)
244 break;
245 }
246 /* Map the id or note failure */
247 if (idx < extents)
248 id = (id - first) + map->extent[idx].lower_first;
249 else
250 id = (u32) -1;
251
252 return id;
253 }
254
255 static u32 map_id_up(struct uid_gid_map *map, u32 id)
256 {
257 unsigned idx, extents;
258 u32 first, last;
259
260 /* Find the matching extent */
261 extents = map->nr_extents;
262 smp_rmb();
263 for (idx = 0; idx < extents; idx++) {
264 first = map->extent[idx].lower_first;
265 last = first + map->extent[idx].count - 1;
266 if (id >= first && id <= last)
267 break;
268 }
269 /* Map the id or note failure */
270 if (idx < extents)
271 id = (id - first) + map->extent[idx].first;
272 else
273 id = (u32) -1;
274
275 return id;
276 }
277
278 /**
279 * make_kuid - Map a user-namespace uid pair into a kuid.
280 * @ns: User namespace that the uid is in
281 * @uid: User identifier
282 *
283 * Maps a user-namespace uid pair into a kernel internal kuid,
284 * and returns that kuid.
285 *
286 * When there is no mapping defined for the user-namespace uid
287 * pair INVALID_UID is returned. Callers are expected to test
288 * for and handle INVALID_UID being returned. INVALID_UID
289 * may be tested for using uid_valid().
290 */
291 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
292 {
293 /* Map the uid to a global kernel uid */
294 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
295 }
296 EXPORT_SYMBOL(make_kuid);
297
298 /**
299 * from_kuid - Create a uid from a kuid user-namespace pair.
300 * @targ: The user namespace we want a uid in.
301 * @kuid: The kernel internal uid to start with.
302 *
303 * Map @kuid into the user-namespace specified by @targ and
304 * return the resulting uid.
305 *
306 * There is always a mapping into the initial user_namespace.
307 *
308 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
309 */
310 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
311 {
312 /* Map the uid from a global kernel uid */
313 return map_id_up(&targ->uid_map, __kuid_val(kuid));
314 }
315 EXPORT_SYMBOL(from_kuid);
316
317 /**
318 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
319 * @targ: The user namespace we want a uid in.
320 * @kuid: The kernel internal uid to start with.
321 *
322 * Map @kuid into the user-namespace specified by @targ and
323 * return the resulting uid.
324 *
325 * There is always a mapping into the initial user_namespace.
326 *
327 * Unlike from_kuid from_kuid_munged never fails and always
328 * returns a valid uid. This makes from_kuid_munged appropriate
329 * for use in syscalls like stat and getuid where failing the
330 * system call and failing to provide a valid uid are not an
331 * options.
332 *
333 * If @kuid has no mapping in @targ overflowuid is returned.
334 */
335 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
336 {
337 uid_t uid;
338 uid = from_kuid(targ, kuid);
339
340 if (uid == (uid_t) -1)
341 uid = overflowuid;
342 return uid;
343 }
344 EXPORT_SYMBOL(from_kuid_munged);
345
346 /**
347 * make_kgid - Map a user-namespace gid pair into a kgid.
348 * @ns: User namespace that the gid is in
349 * @gid: group identifier
350 *
351 * Maps a user-namespace gid pair into a kernel internal kgid,
352 * and returns that kgid.
353 *
354 * When there is no mapping defined for the user-namespace gid
355 * pair INVALID_GID is returned. Callers are expected to test
356 * for and handle INVALID_GID being returned. INVALID_GID may be
357 * tested for using gid_valid().
358 */
359 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
360 {
361 /* Map the gid to a global kernel gid */
362 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
363 }
364 EXPORT_SYMBOL(make_kgid);
365
366 /**
367 * from_kgid - Create a gid from a kgid user-namespace pair.
368 * @targ: The user namespace we want a gid in.
369 * @kgid: The kernel internal gid to start with.
370 *
371 * Map @kgid into the user-namespace specified by @targ and
372 * return the resulting gid.
373 *
374 * There is always a mapping into the initial user_namespace.
375 *
376 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
377 */
378 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
379 {
380 /* Map the gid from a global kernel gid */
381 return map_id_up(&targ->gid_map, __kgid_val(kgid));
382 }
383 EXPORT_SYMBOL(from_kgid);
384
385 /**
386 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
387 * @targ: The user namespace we want a gid in.
388 * @kgid: The kernel internal gid to start with.
389 *
390 * Map @kgid into the user-namespace specified by @targ and
391 * return the resulting gid.
392 *
393 * There is always a mapping into the initial user_namespace.
394 *
395 * Unlike from_kgid from_kgid_munged never fails and always
396 * returns a valid gid. This makes from_kgid_munged appropriate
397 * for use in syscalls like stat and getgid where failing the
398 * system call and failing to provide a valid gid are not options.
399 *
400 * If @kgid has no mapping in @targ overflowgid is returned.
401 */
402 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
403 {
404 gid_t gid;
405 gid = from_kgid(targ, kgid);
406
407 if (gid == (gid_t) -1)
408 gid = overflowgid;
409 return gid;
410 }
411 EXPORT_SYMBOL(from_kgid_munged);
412
413 /**
414 * make_kprojid - Map a user-namespace projid pair into a kprojid.
415 * @ns: User namespace that the projid is in
416 * @projid: Project identifier
417 *
418 * Maps a user-namespace uid pair into a kernel internal kuid,
419 * and returns that kuid.
420 *
421 * When there is no mapping defined for the user-namespace projid
422 * pair INVALID_PROJID is returned. Callers are expected to test
423 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
424 * may be tested for using projid_valid().
425 */
426 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
427 {
428 /* Map the uid to a global kernel uid */
429 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
430 }
431 EXPORT_SYMBOL(make_kprojid);
432
433 /**
434 * from_kprojid - Create a projid from a kprojid user-namespace pair.
435 * @targ: The user namespace we want a projid in.
436 * @kprojid: The kernel internal project identifier to start with.
437 *
438 * Map @kprojid into the user-namespace specified by @targ and
439 * return the resulting projid.
440 *
441 * There is always a mapping into the initial user_namespace.
442 *
443 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
444 */
445 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
446 {
447 /* Map the uid from a global kernel uid */
448 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
449 }
450 EXPORT_SYMBOL(from_kprojid);
451
452 /**
453 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
454 * @targ: The user namespace we want a projid in.
455 * @kprojid: The kernel internal projid to start with.
456 *
457 * Map @kprojid into the user-namespace specified by @targ and
458 * return the resulting projid.
459 *
460 * There is always a mapping into the initial user_namespace.
461 *
462 * Unlike from_kprojid from_kprojid_munged never fails and always
463 * returns a valid projid. This makes from_kprojid_munged
464 * appropriate for use in syscalls like stat and where
465 * failing the system call and failing to provide a valid projid are
466 * not an options.
467 *
468 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
469 */
470 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
471 {
472 projid_t projid;
473 projid = from_kprojid(targ, kprojid);
474
475 if (projid == (projid_t) -1)
476 projid = OVERFLOW_PROJID;
477 return projid;
478 }
479 EXPORT_SYMBOL(from_kprojid_munged);
480
481
482 static int uid_m_show(struct seq_file *seq, void *v)
483 {
484 struct user_namespace *ns = seq->private;
485 struct uid_gid_extent *extent = v;
486 struct user_namespace *lower_ns;
487 uid_t lower;
488
489 lower_ns = seq_user_ns(seq);
490 if ((lower_ns == ns) && lower_ns->parent)
491 lower_ns = lower_ns->parent;
492
493 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
494
495 seq_printf(seq, "%10u %10u %10u\n",
496 extent->first,
497 lower,
498 extent->count);
499
500 return 0;
501 }
502
503 static int gid_m_show(struct seq_file *seq, void *v)
504 {
505 struct user_namespace *ns = seq->private;
506 struct uid_gid_extent *extent = v;
507 struct user_namespace *lower_ns;
508 gid_t lower;
509
510 lower_ns = seq_user_ns(seq);
511 if ((lower_ns == ns) && lower_ns->parent)
512 lower_ns = lower_ns->parent;
513
514 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
515
516 seq_printf(seq, "%10u %10u %10u\n",
517 extent->first,
518 lower,
519 extent->count);
520
521 return 0;
522 }
523
524 static int projid_m_show(struct seq_file *seq, void *v)
525 {
526 struct user_namespace *ns = seq->private;
527 struct uid_gid_extent *extent = v;
528 struct user_namespace *lower_ns;
529 projid_t lower;
530
531 lower_ns = seq_user_ns(seq);
532 if ((lower_ns == ns) && lower_ns->parent)
533 lower_ns = lower_ns->parent;
534
535 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
536
537 seq_printf(seq, "%10u %10u %10u\n",
538 extent->first,
539 lower,
540 extent->count);
541
542 return 0;
543 }
544
545 static void *m_start(struct seq_file *seq, loff_t *ppos,
546 struct uid_gid_map *map)
547 {
548 struct uid_gid_extent *extent = NULL;
549 loff_t pos = *ppos;
550
551 if (pos < map->nr_extents)
552 extent = &map->extent[pos];
553
554 return extent;
555 }
556
557 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
558 {
559 struct user_namespace *ns = seq->private;
560
561 return m_start(seq, ppos, &ns->uid_map);
562 }
563
564 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
565 {
566 struct user_namespace *ns = seq->private;
567
568 return m_start(seq, ppos, &ns->gid_map);
569 }
570
571 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
572 {
573 struct user_namespace *ns = seq->private;
574
575 return m_start(seq, ppos, &ns->projid_map);
576 }
577
578 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
579 {
580 (*pos)++;
581 return seq->op->start(seq, pos);
582 }
583
584 static void m_stop(struct seq_file *seq, void *v)
585 {
586 return;
587 }
588
589 const struct seq_operations proc_uid_seq_operations = {
590 .start = uid_m_start,
591 .stop = m_stop,
592 .next = m_next,
593 .show = uid_m_show,
594 };
595
596 const struct seq_operations proc_gid_seq_operations = {
597 .start = gid_m_start,
598 .stop = m_stop,
599 .next = m_next,
600 .show = gid_m_show,
601 };
602
603 const struct seq_operations proc_projid_seq_operations = {
604 .start = projid_m_start,
605 .stop = m_stop,
606 .next = m_next,
607 .show = projid_m_show,
608 };
609
610 static bool mappings_overlap(struct uid_gid_map *new_map,
611 struct uid_gid_extent *extent)
612 {
613 u32 upper_first, lower_first, upper_last, lower_last;
614 unsigned idx;
615
616 upper_first = extent->first;
617 lower_first = extent->lower_first;
618 upper_last = upper_first + extent->count - 1;
619 lower_last = lower_first + extent->count - 1;
620
621 for (idx = 0; idx < new_map->nr_extents; idx++) {
622 u32 prev_upper_first, prev_lower_first;
623 u32 prev_upper_last, prev_lower_last;
624 struct uid_gid_extent *prev;
625
626 prev = &new_map->extent[idx];
627
628 prev_upper_first = prev->first;
629 prev_lower_first = prev->lower_first;
630 prev_upper_last = prev_upper_first + prev->count - 1;
631 prev_lower_last = prev_lower_first + prev->count - 1;
632
633 /* Does the upper range intersect a previous extent? */
634 if ((prev_upper_first <= upper_last) &&
635 (prev_upper_last >= upper_first))
636 return true;
637
638 /* Does the lower range intersect a previous extent? */
639 if ((prev_lower_first <= lower_last) &&
640 (prev_lower_last >= lower_first))
641 return true;
642 }
643 return false;
644 }
645
646 static ssize_t map_write(struct file *file, const char __user *buf,
647 size_t count, loff_t *ppos,
648 int cap_setid,
649 struct uid_gid_map *map,
650 struct uid_gid_map *parent_map)
651 {
652 struct seq_file *seq = file->private_data;
653 struct user_namespace *ns = seq->private;
654 struct uid_gid_map new_map;
655 unsigned idx;
656 struct uid_gid_extent *extent = NULL;
657 char *kbuf = NULL, *pos, *next_line;
658 ssize_t ret = -EINVAL;
659
660 /*
661 * The userns_state_mutex serializes all writes to any given map.
662 *
663 * Any map is only ever written once.
664 *
665 * An id map fits within 1 cache line on most architectures.
666 *
667 * On read nothing needs to be done unless you are on an
668 * architecture with a crazy cache coherency model like alpha.
669 *
670 * There is a one time data dependency between reading the
671 * count of the extents and the values of the extents. The
672 * desired behavior is to see the values of the extents that
673 * were written before the count of the extents.
674 *
675 * To achieve this smp_wmb() is used on guarantee the write
676 * order and smp_rmb() is guaranteed that we don't have crazy
677 * architectures returning stale data.
678 */
679 mutex_lock(&userns_state_mutex);
680
681 ret = -EPERM;
682 /* Only allow one successful write to the map */
683 if (map->nr_extents != 0)
684 goto out;
685
686 /*
687 * Adjusting namespace settings requires capabilities on the target.
688 */
689 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
690 goto out;
691
692 /* Only allow < page size writes at the beginning of the file */
693 ret = -EINVAL;
694 if ((*ppos != 0) || (count >= PAGE_SIZE))
695 goto out;
696
697 /* Slurp in the user data */
698 kbuf = memdup_user_nul(buf, count);
699 if (IS_ERR(kbuf)) {
700 ret = PTR_ERR(kbuf);
701 kbuf = NULL;
702 goto out;
703 }
704
705 /* Parse the user data */
706 ret = -EINVAL;
707 pos = kbuf;
708 new_map.nr_extents = 0;
709 for (; pos; pos = next_line) {
710 extent = &new_map.extent[new_map.nr_extents];
711
712 /* Find the end of line and ensure I don't look past it */
713 next_line = strchr(pos, '\n');
714 if (next_line) {
715 *next_line = '\0';
716 next_line++;
717 if (*next_line == '\0')
718 next_line = NULL;
719 }
720
721 pos = skip_spaces(pos);
722 extent->first = simple_strtoul(pos, &pos, 10);
723 if (!isspace(*pos))
724 goto out;
725
726 pos = skip_spaces(pos);
727 extent->lower_first = simple_strtoul(pos, &pos, 10);
728 if (!isspace(*pos))
729 goto out;
730
731 pos = skip_spaces(pos);
732 extent->count = simple_strtoul(pos, &pos, 10);
733 if (*pos && !isspace(*pos))
734 goto out;
735
736 /* Verify there is not trailing junk on the line */
737 pos = skip_spaces(pos);
738 if (*pos != '\0')
739 goto out;
740
741 /* Verify we have been given valid starting values */
742 if ((extent->first == (u32) -1) ||
743 (extent->lower_first == (u32) -1))
744 goto out;
745
746 /* Verify count is not zero and does not cause the
747 * extent to wrap
748 */
749 if ((extent->first + extent->count) <= extent->first)
750 goto out;
751 if ((extent->lower_first + extent->count) <=
752 extent->lower_first)
753 goto out;
754
755 /* Do the ranges in extent overlap any previous extents? */
756 if (mappings_overlap(&new_map, extent))
757 goto out;
758
759 new_map.nr_extents++;
760
761 /* Fail if the file contains too many extents */
762 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
763 (next_line != NULL))
764 goto out;
765 }
766 /* Be very certaint the new map actually exists */
767 if (new_map.nr_extents == 0)
768 goto out;
769
770 ret = -EPERM;
771 /* Validate the user is allowed to use user id's mapped to. */
772 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
773 goto out;
774
775 /* Map the lower ids from the parent user namespace to the
776 * kernel global id space.
777 */
778 for (idx = 0; idx < new_map.nr_extents; idx++) {
779 u32 lower_first;
780 extent = &new_map.extent[idx];
781
782 lower_first = map_id_range_down(parent_map,
783 extent->lower_first,
784 extent->count);
785
786 /* Fail if we can not map the specified extent to
787 * the kernel global id space.
788 */
789 if (lower_first == (u32) -1)
790 goto out;
791
792 extent->lower_first = lower_first;
793 }
794
795 /* Install the map */
796 memcpy(map->extent, new_map.extent,
797 new_map.nr_extents*sizeof(new_map.extent[0]));
798 smp_wmb();
799 map->nr_extents = new_map.nr_extents;
800
801 *ppos = count;
802 ret = count;
803 out:
804 mutex_unlock(&userns_state_mutex);
805 kfree(kbuf);
806 return ret;
807 }
808
809 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
810 size_t size, loff_t *ppos)
811 {
812 struct seq_file *seq = file->private_data;
813 struct user_namespace *ns = seq->private;
814 struct user_namespace *seq_ns = seq_user_ns(seq);
815
816 if (!ns->parent)
817 return -EPERM;
818
819 if ((seq_ns != ns) && (seq_ns != ns->parent))
820 return -EPERM;
821
822 return map_write(file, buf, size, ppos, CAP_SETUID,
823 &ns->uid_map, &ns->parent->uid_map);
824 }
825
826 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
827 size_t size, loff_t *ppos)
828 {
829 struct seq_file *seq = file->private_data;
830 struct user_namespace *ns = seq->private;
831 struct user_namespace *seq_ns = seq_user_ns(seq);
832
833 if (!ns->parent)
834 return -EPERM;
835
836 if ((seq_ns != ns) && (seq_ns != ns->parent))
837 return -EPERM;
838
839 return map_write(file, buf, size, ppos, CAP_SETGID,
840 &ns->gid_map, &ns->parent->gid_map);
841 }
842
843 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
844 size_t size, loff_t *ppos)
845 {
846 struct seq_file *seq = file->private_data;
847 struct user_namespace *ns = seq->private;
848 struct user_namespace *seq_ns = seq_user_ns(seq);
849
850 if (!ns->parent)
851 return -EPERM;
852
853 if ((seq_ns != ns) && (seq_ns != ns->parent))
854 return -EPERM;
855
856 /* Anyone can set any valid project id no capability needed */
857 return map_write(file, buf, size, ppos, -1,
858 &ns->projid_map, &ns->parent->projid_map);
859 }
860
861 static bool new_idmap_permitted(const struct file *file,
862 struct user_namespace *ns, int cap_setid,
863 struct uid_gid_map *new_map)
864 {
865 const struct cred *cred = file->f_cred;
866 /* Don't allow mappings that would allow anything that wouldn't
867 * be allowed without the establishment of unprivileged mappings.
868 */
869 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
870 uid_eq(ns->owner, cred->euid)) {
871 u32 id = new_map->extent[0].lower_first;
872 if (cap_setid == CAP_SETUID) {
873 kuid_t uid = make_kuid(ns->parent, id);
874 if (uid_eq(uid, cred->euid))
875 return true;
876 } else if (cap_setid == CAP_SETGID) {
877 kgid_t gid = make_kgid(ns->parent, id);
878 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
879 gid_eq(gid, cred->egid))
880 return true;
881 }
882 }
883
884 /* Allow anyone to set a mapping that doesn't require privilege */
885 if (!cap_valid(cap_setid))
886 return true;
887
888 /* Allow the specified ids if we have the appropriate capability
889 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
890 * And the opener of the id file also had the approprpiate capability.
891 */
892 if (ns_capable(ns->parent, cap_setid) &&
893 file_ns_capable(file, ns->parent, cap_setid))
894 return true;
895
896 return false;
897 }
898
899 int proc_setgroups_show(struct seq_file *seq, void *v)
900 {
901 struct user_namespace *ns = seq->private;
902 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
903
904 seq_printf(seq, "%s\n",
905 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
906 "allow" : "deny");
907 return 0;
908 }
909
910 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
911 size_t count, loff_t *ppos)
912 {
913 struct seq_file *seq = file->private_data;
914 struct user_namespace *ns = seq->private;
915 char kbuf[8], *pos;
916 bool setgroups_allowed;
917 ssize_t ret;
918
919 /* Only allow a very narrow range of strings to be written */
920 ret = -EINVAL;
921 if ((*ppos != 0) || (count >= sizeof(kbuf)))
922 goto out;
923
924 /* What was written? */
925 ret = -EFAULT;
926 if (copy_from_user(kbuf, buf, count))
927 goto out;
928 kbuf[count] = '\0';
929 pos = kbuf;
930
931 /* What is being requested? */
932 ret = -EINVAL;
933 if (strncmp(pos, "allow", 5) == 0) {
934 pos += 5;
935 setgroups_allowed = true;
936 }
937 else if (strncmp(pos, "deny", 4) == 0) {
938 pos += 4;
939 setgroups_allowed = false;
940 }
941 else
942 goto out;
943
944 /* Verify there is not trailing junk on the line */
945 pos = skip_spaces(pos);
946 if (*pos != '\0')
947 goto out;
948
949 ret = -EPERM;
950 mutex_lock(&userns_state_mutex);
951 if (setgroups_allowed) {
952 /* Enabling setgroups after setgroups has been disabled
953 * is not allowed.
954 */
955 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
956 goto out_unlock;
957 } else {
958 /* Permanently disabling setgroups after setgroups has
959 * been enabled by writing the gid_map is not allowed.
960 */
961 if (ns->gid_map.nr_extents != 0)
962 goto out_unlock;
963 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
964 }
965 mutex_unlock(&userns_state_mutex);
966
967 /* Report a successful write */
968 *ppos = count;
969 ret = count;
970 out:
971 return ret;
972 out_unlock:
973 mutex_unlock(&userns_state_mutex);
974 goto out;
975 }
976
977 bool userns_may_setgroups(const struct user_namespace *ns)
978 {
979 bool allowed;
980
981 mutex_lock(&userns_state_mutex);
982 /* It is not safe to use setgroups until a gid mapping in
983 * the user namespace has been established.
984 */
985 allowed = ns->gid_map.nr_extents != 0;
986 /* Is setgroups allowed? */
987 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
988 mutex_unlock(&userns_state_mutex);
989
990 return allowed;
991 }
992
993 /*
994 * Returns true if @ns is the same namespace as or a descendant of
995 * @target_ns.
996 */
997 bool current_in_userns(const struct user_namespace *target_ns)
998 {
999 struct user_namespace *ns;
1000 for (ns = current_user_ns(); ns; ns = ns->parent) {
1001 if (ns == target_ns)
1002 return true;
1003 }
1004 return false;
1005 }
1006 EXPORT_SYMBOL(current_in_userns);
1007
1008 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
1009 {
1010 return container_of(ns, struct user_namespace, ns);
1011 }
1012
1013 static struct ns_common *userns_get(struct task_struct *task)
1014 {
1015 struct user_namespace *user_ns;
1016
1017 rcu_read_lock();
1018 user_ns = get_user_ns(__task_cred(task)->user_ns);
1019 rcu_read_unlock();
1020
1021 return user_ns ? &user_ns->ns : NULL;
1022 }
1023
1024 static void userns_put(struct ns_common *ns)
1025 {
1026 put_user_ns(to_user_ns(ns));
1027 }
1028
1029 static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
1030 {
1031 struct user_namespace *user_ns = to_user_ns(ns);
1032 struct cred *cred;
1033
1034 /* Don't allow gaining capabilities by reentering
1035 * the same user namespace.
1036 */
1037 if (user_ns == current_user_ns())
1038 return -EINVAL;
1039
1040 /* Tasks that share a thread group must share a user namespace */
1041 if (!thread_group_empty(current))
1042 return -EINVAL;
1043
1044 if (current->fs->users != 1)
1045 return -EINVAL;
1046
1047 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1048 return -EPERM;
1049
1050 cred = prepare_creds();
1051 if (!cred)
1052 return -ENOMEM;
1053
1054 put_user_ns(cred->user_ns);
1055 set_cred_user_ns(cred, get_user_ns(user_ns));
1056
1057 return commit_creds(cred);
1058 }
1059
1060 struct ns_common *ns_get_owner(struct ns_common *ns)
1061 {
1062 struct user_namespace *my_user_ns = current_user_ns();
1063 struct user_namespace *owner, *p;
1064
1065 /* See if the owner is in the current user namespace */
1066 owner = p = ns->ops->owner(ns);
1067 for (;;) {
1068 if (!p)
1069 return ERR_PTR(-EPERM);
1070 if (p == my_user_ns)
1071 break;
1072 p = p->parent;
1073 }
1074
1075 return &get_user_ns(owner)->ns;
1076 }
1077
1078 static struct user_namespace *userns_owner(struct ns_common *ns)
1079 {
1080 return to_user_ns(ns)->parent;
1081 }
1082
1083 const struct proc_ns_operations userns_operations = {
1084 .name = "user",
1085 .type = CLONE_NEWUSER,
1086 .get = userns_get,
1087 .put = userns_put,
1088 .install = userns_install,
1089 .owner = userns_owner,
1090 .get_parent = ns_get_owner,
1091 };
1092
1093 static __init int user_namespaces_init(void)
1094 {
1095 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1096 return 0;
1097 }
1098 subsys_initcall(user_namespaces_init);
ubuntu-zesty-kernel mirror