]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - kernel/user_namespace.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'mac80211-for-davem-2015-01-06' of git://git.kernel.org/pub/scm/linux/kerne...
[mirror_ubuntu-artful-kernel.git] / kernel / user_namespace.c
1 /*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
28
29 static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
32
33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
34 {
35 /* Start with the same capabilities as init but useless for doing
36 * anything as the capabilities are bound to the new user namespace.
37 */
38 cred->securebits = SECUREBITS_DEFAULT;
39 cred->cap_inheritable = CAP_EMPTY_SET;
40 cred->cap_permitted = CAP_FULL_SET;
41 cred->cap_effective = CAP_FULL_SET;
42 cred->cap_bset = CAP_FULL_SET;
43 #ifdef CONFIG_KEYS
44 key_put(cred->request_key_auth);
45 cred->request_key_auth = NULL;
46 #endif
47 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
48 cred->user_ns = user_ns;
49 }
50
51 /*
52 * Create a new user namespace, deriving the creator from the user in the
53 * passed credentials, and replacing that user with the new root user for the
54 * new namespace.
55 *
56 * This is called by copy_creds(), which will finish setting the target task's
57 * credentials.
58 */
59 int create_user_ns(struct cred *new)
60 {
61 struct user_namespace *ns, *parent_ns = new->user_ns;
62 kuid_t owner = new->euid;
63 kgid_t group = new->egid;
64 int ret;
65
66 if (parent_ns->level > 32)
67 return -EUSERS;
68
69 /*
70 * Verify that we can not violate the policy of which files
71 * may be accessed that is specified by the root directory,
72 * by verifing that the root directory is at the root of the
73 * mount namespace which allows all files to be accessed.
74 */
75 if (current_chrooted())
76 return -EPERM;
77
78 /* The creator needs a mapping in the parent user namespace
79 * or else we won't be able to reasonably tell userspace who
80 * created a user_namespace.
81 */
82 if (!kuid_has_mapping(parent_ns, owner) ||
83 !kgid_has_mapping(parent_ns, group))
84 return -EPERM;
85
86 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
87 if (!ns)
88 return -ENOMEM;
89
90 ret = ns_alloc_inum(&ns->ns);
91 if (ret) {
92 kmem_cache_free(user_ns_cachep, ns);
93 return ret;
94 }
95 ns->ns.ops = &userns_operations;
96
97 atomic_set(&ns->count, 1);
98 /* Leave the new->user_ns reference with the new user namespace. */
99 ns->parent = parent_ns;
100 ns->level = parent_ns->level + 1;
101 ns->owner = owner;
102 ns->group = group;
103
104 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
105 mutex_lock(&userns_state_mutex);
106 ns->flags = parent_ns->flags;
107 mutex_unlock(&userns_state_mutex);
108
109 set_cred_user_ns(new, ns);
110
111 #ifdef CONFIG_PERSISTENT_KEYRINGS
112 init_rwsem(&ns->persistent_keyring_register_sem);
113 #endif
114 return 0;
115 }
116
117 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
118 {
119 struct cred *cred;
120 int err = -ENOMEM;
121
122 if (!(unshare_flags & CLONE_NEWUSER))
123 return 0;
124
125 cred = prepare_creds();
126 if (cred) {
127 err = create_user_ns(cred);
128 if (err)
129 put_cred(cred);
130 else
131 *new_cred = cred;
132 }
133
134 return err;
135 }
136
137 void free_user_ns(struct user_namespace *ns)
138 {
139 struct user_namespace *parent;
140
141 do {
142 parent = ns->parent;
143 #ifdef CONFIG_PERSISTENT_KEYRINGS
144 key_put(ns->persistent_keyring_register);
145 #endif
146 ns_free_inum(&ns->ns);
147 kmem_cache_free(user_ns_cachep, ns);
148 ns = parent;
149 } while (atomic_dec_and_test(&parent->count));
150 }
151 EXPORT_SYMBOL(free_user_ns);
152
153 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
154 {
155 unsigned idx, extents;
156 u32 first, last, id2;
157
158 id2 = id + count - 1;
159
160 /* Find the matching extent */
161 extents = map->nr_extents;
162 smp_rmb();
163 for (idx = 0; idx < extents; idx++) {
164 first = map->extent[idx].first;
165 last = first + map->extent[idx].count - 1;
166 if (id >= first && id <= last &&
167 (id2 >= first && id2 <= last))
168 break;
169 }
170 /* Map the id or note failure */
171 if (idx < extents)
172 id = (id - first) + map->extent[idx].lower_first;
173 else
174 id = (u32) -1;
175
176 return id;
177 }
178
179 static u32 map_id_down(struct uid_gid_map *map, u32 id)
180 {
181 unsigned idx, extents;
182 u32 first, last;
183
184 /* Find the matching extent */
185 extents = map->nr_extents;
186 smp_rmb();
187 for (idx = 0; idx < extents; idx++) {
188 first = map->extent[idx].first;
189 last = first + map->extent[idx].count - 1;
190 if (id >= first && id <= last)
191 break;
192 }
193 /* Map the id or note failure */
194 if (idx < extents)
195 id = (id - first) + map->extent[idx].lower_first;
196 else
197 id = (u32) -1;
198
199 return id;
200 }
201
202 static u32 map_id_up(struct uid_gid_map *map, u32 id)
203 {
204 unsigned idx, extents;
205 u32 first, last;
206
207 /* Find the matching extent */
208 extents = map->nr_extents;
209 smp_rmb();
210 for (idx = 0; idx < extents; idx++) {
211 first = map->extent[idx].lower_first;
212 last = first + map->extent[idx].count - 1;
213 if (id >= first && id <= last)
214 break;
215 }
216 /* Map the id or note failure */
217 if (idx < extents)
218 id = (id - first) + map->extent[idx].first;
219 else
220 id = (u32) -1;
221
222 return id;
223 }
224
225 /**
226 * make_kuid - Map a user-namespace uid pair into a kuid.
227 * @ns: User namespace that the uid is in
228 * @uid: User identifier
229 *
230 * Maps a user-namespace uid pair into a kernel internal kuid,
231 * and returns that kuid.
232 *
233 * When there is no mapping defined for the user-namespace uid
234 * pair INVALID_UID is returned. Callers are expected to test
235 * for and handle INVALID_UID being returned. INVALID_UID
236 * may be tested for using uid_valid().
237 */
238 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
239 {
240 /* Map the uid to a global kernel uid */
241 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
242 }
243 EXPORT_SYMBOL(make_kuid);
244
245 /**
246 * from_kuid - Create a uid from a kuid user-namespace pair.
247 * @targ: The user namespace we want a uid in.
248 * @kuid: The kernel internal uid to start with.
249 *
250 * Map @kuid into the user-namespace specified by @targ and
251 * return the resulting uid.
252 *
253 * There is always a mapping into the initial user_namespace.
254 *
255 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
256 */
257 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
258 {
259 /* Map the uid from a global kernel uid */
260 return map_id_up(&targ->uid_map, __kuid_val(kuid));
261 }
262 EXPORT_SYMBOL(from_kuid);
263
264 /**
265 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
266 * @targ: The user namespace we want a uid in.
267 * @kuid: The kernel internal uid to start with.
268 *
269 * Map @kuid into the user-namespace specified by @targ and
270 * return the resulting uid.
271 *
272 * There is always a mapping into the initial user_namespace.
273 *
274 * Unlike from_kuid from_kuid_munged never fails and always
275 * returns a valid uid. This makes from_kuid_munged appropriate
276 * for use in syscalls like stat and getuid where failing the
277 * system call and failing to provide a valid uid are not an
278 * options.
279 *
280 * If @kuid has no mapping in @targ overflowuid is returned.
281 */
282 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
283 {
284 uid_t uid;
285 uid = from_kuid(targ, kuid);
286
287 if (uid == (uid_t) -1)
288 uid = overflowuid;
289 return uid;
290 }
291 EXPORT_SYMBOL(from_kuid_munged);
292
293 /**
294 * make_kgid - Map a user-namespace gid pair into a kgid.
295 * @ns: User namespace that the gid is in
296 * @gid: group identifier
297 *
298 * Maps a user-namespace gid pair into a kernel internal kgid,
299 * and returns that kgid.
300 *
301 * When there is no mapping defined for the user-namespace gid
302 * pair INVALID_GID is returned. Callers are expected to test
303 * for and handle INVALID_GID being returned. INVALID_GID may be
304 * tested for using gid_valid().
305 */
306 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
307 {
308 /* Map the gid to a global kernel gid */
309 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
310 }
311 EXPORT_SYMBOL(make_kgid);
312
313 /**
314 * from_kgid - Create a gid from a kgid user-namespace pair.
315 * @targ: The user namespace we want a gid in.
316 * @kgid: The kernel internal gid to start with.
317 *
318 * Map @kgid into the user-namespace specified by @targ and
319 * return the resulting gid.
320 *
321 * There is always a mapping into the initial user_namespace.
322 *
323 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
324 */
325 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
326 {
327 /* Map the gid from a global kernel gid */
328 return map_id_up(&targ->gid_map, __kgid_val(kgid));
329 }
330 EXPORT_SYMBOL(from_kgid);
331
332 /**
333 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
334 * @targ: The user namespace we want a gid in.
335 * @kgid: The kernel internal gid to start with.
336 *
337 * Map @kgid into the user-namespace specified by @targ and
338 * return the resulting gid.
339 *
340 * There is always a mapping into the initial user_namespace.
341 *
342 * Unlike from_kgid from_kgid_munged never fails and always
343 * returns a valid gid. This makes from_kgid_munged appropriate
344 * for use in syscalls like stat and getgid where failing the
345 * system call and failing to provide a valid gid are not options.
346 *
347 * If @kgid has no mapping in @targ overflowgid is returned.
348 */
349 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
350 {
351 gid_t gid;
352 gid = from_kgid(targ, kgid);
353
354 if (gid == (gid_t) -1)
355 gid = overflowgid;
356 return gid;
357 }
358 EXPORT_SYMBOL(from_kgid_munged);
359
360 /**
361 * make_kprojid - Map a user-namespace projid pair into a kprojid.
362 * @ns: User namespace that the projid is in
363 * @projid: Project identifier
364 *
365 * Maps a user-namespace uid pair into a kernel internal kuid,
366 * and returns that kuid.
367 *
368 * When there is no mapping defined for the user-namespace projid
369 * pair INVALID_PROJID is returned. Callers are expected to test
370 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
371 * may be tested for using projid_valid().
372 */
373 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
374 {
375 /* Map the uid to a global kernel uid */
376 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
377 }
378 EXPORT_SYMBOL(make_kprojid);
379
380 /**
381 * from_kprojid - Create a projid from a kprojid user-namespace pair.
382 * @targ: The user namespace we want a projid in.
383 * @kprojid: The kernel internal project identifier to start with.
384 *
385 * Map @kprojid into the user-namespace specified by @targ and
386 * return the resulting projid.
387 *
388 * There is always a mapping into the initial user_namespace.
389 *
390 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
391 */
392 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
393 {
394 /* Map the uid from a global kernel uid */
395 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
396 }
397 EXPORT_SYMBOL(from_kprojid);
398
399 /**
400 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
401 * @targ: The user namespace we want a projid in.
402 * @kprojid: The kernel internal projid to start with.
403 *
404 * Map @kprojid into the user-namespace specified by @targ and
405 * return the resulting projid.
406 *
407 * There is always a mapping into the initial user_namespace.
408 *
409 * Unlike from_kprojid from_kprojid_munged never fails and always
410 * returns a valid projid. This makes from_kprojid_munged
411 * appropriate for use in syscalls like stat and where
412 * failing the system call and failing to provide a valid projid are
413 * not an options.
414 *
415 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
416 */
417 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
418 {
419 projid_t projid;
420 projid = from_kprojid(targ, kprojid);
421
422 if (projid == (projid_t) -1)
423 projid = OVERFLOW_PROJID;
424 return projid;
425 }
426 EXPORT_SYMBOL(from_kprojid_munged);
427
428
429 static int uid_m_show(struct seq_file *seq, void *v)
430 {
431 struct user_namespace *ns = seq->private;
432 struct uid_gid_extent *extent = v;
433 struct user_namespace *lower_ns;
434 uid_t lower;
435
436 lower_ns = seq_user_ns(seq);
437 if ((lower_ns == ns) && lower_ns->parent)
438 lower_ns = lower_ns->parent;
439
440 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
441
442 seq_printf(seq, "%10u %10u %10u\n",
443 extent->first,
444 lower,
445 extent->count);
446
447 return 0;
448 }
449
450 static int gid_m_show(struct seq_file *seq, void *v)
451 {
452 struct user_namespace *ns = seq->private;
453 struct uid_gid_extent *extent = v;
454 struct user_namespace *lower_ns;
455 gid_t lower;
456
457 lower_ns = seq_user_ns(seq);
458 if ((lower_ns == ns) && lower_ns->parent)
459 lower_ns = lower_ns->parent;
460
461 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
462
463 seq_printf(seq, "%10u %10u %10u\n",
464 extent->first,
465 lower,
466 extent->count);
467
468 return 0;
469 }
470
471 static int projid_m_show(struct seq_file *seq, void *v)
472 {
473 struct user_namespace *ns = seq->private;
474 struct uid_gid_extent *extent = v;
475 struct user_namespace *lower_ns;
476 projid_t lower;
477
478 lower_ns = seq_user_ns(seq);
479 if ((lower_ns == ns) && lower_ns->parent)
480 lower_ns = lower_ns->parent;
481
482 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
483
484 seq_printf(seq, "%10u %10u %10u\n",
485 extent->first,
486 lower,
487 extent->count);
488
489 return 0;
490 }
491
492 static void *m_start(struct seq_file *seq, loff_t *ppos,
493 struct uid_gid_map *map)
494 {
495 struct uid_gid_extent *extent = NULL;
496 loff_t pos = *ppos;
497
498 if (pos < map->nr_extents)
499 extent = &map->extent[pos];
500
501 return extent;
502 }
503
504 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
505 {
506 struct user_namespace *ns = seq->private;
507
508 return m_start(seq, ppos, &ns->uid_map);
509 }
510
511 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
512 {
513 struct user_namespace *ns = seq->private;
514
515 return m_start(seq, ppos, &ns->gid_map);
516 }
517
518 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
519 {
520 struct user_namespace *ns = seq->private;
521
522 return m_start(seq, ppos, &ns->projid_map);
523 }
524
525 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
526 {
527 (*pos)++;
528 return seq->op->start(seq, pos);
529 }
530
531 static void m_stop(struct seq_file *seq, void *v)
532 {
533 return;
534 }
535
536 const struct seq_operations proc_uid_seq_operations = {
537 .start = uid_m_start,
538 .stop = m_stop,
539 .next = m_next,
540 .show = uid_m_show,
541 };
542
543 const struct seq_operations proc_gid_seq_operations = {
544 .start = gid_m_start,
545 .stop = m_stop,
546 .next = m_next,
547 .show = gid_m_show,
548 };
549
550 const struct seq_operations proc_projid_seq_operations = {
551 .start = projid_m_start,
552 .stop = m_stop,
553 .next = m_next,
554 .show = projid_m_show,
555 };
556
557 static bool mappings_overlap(struct uid_gid_map *new_map,
558 struct uid_gid_extent *extent)
559 {
560 u32 upper_first, lower_first, upper_last, lower_last;
561 unsigned idx;
562
563 upper_first = extent->first;
564 lower_first = extent->lower_first;
565 upper_last = upper_first + extent->count - 1;
566 lower_last = lower_first + extent->count - 1;
567
568 for (idx = 0; idx < new_map->nr_extents; idx++) {
569 u32 prev_upper_first, prev_lower_first;
570 u32 prev_upper_last, prev_lower_last;
571 struct uid_gid_extent *prev;
572
573 prev = &new_map->extent[idx];
574
575 prev_upper_first = prev->first;
576 prev_lower_first = prev->lower_first;
577 prev_upper_last = prev_upper_first + prev->count - 1;
578 prev_lower_last = prev_lower_first + prev->count - 1;
579
580 /* Does the upper range intersect a previous extent? */
581 if ((prev_upper_first <= upper_last) &&
582 (prev_upper_last >= upper_first))
583 return true;
584
585 /* Does the lower range intersect a previous extent? */
586 if ((prev_lower_first <= lower_last) &&
587 (prev_lower_last >= lower_first))
588 return true;
589 }
590 return false;
591 }
592
593 static ssize_t map_write(struct file *file, const char __user *buf,
594 size_t count, loff_t *ppos,
595 int cap_setid,
596 struct uid_gid_map *map,
597 struct uid_gid_map *parent_map)
598 {
599 struct seq_file *seq = file->private_data;
600 struct user_namespace *ns = seq->private;
601 struct uid_gid_map new_map;
602 unsigned idx;
603 struct uid_gid_extent *extent = NULL;
604 unsigned long page = 0;
605 char *kbuf, *pos, *next_line;
606 ssize_t ret = -EINVAL;
607
608 /*
609 * The userns_state_mutex serializes all writes to any given map.
610 *
611 * Any map is only ever written once.
612 *
613 * An id map fits within 1 cache line on most architectures.
614 *
615 * On read nothing needs to be done unless you are on an
616 * architecture with a crazy cache coherency model like alpha.
617 *
618 * There is a one time data dependency between reading the
619 * count of the extents and the values of the extents. The
620 * desired behavior is to see the values of the extents that
621 * were written before the count of the extents.
622 *
623 * To achieve this smp_wmb() is used on guarantee the write
624 * order and smp_rmb() is guaranteed that we don't have crazy
625 * architectures returning stale data.
626 */
627 mutex_lock(&userns_state_mutex);
628
629 ret = -EPERM;
630 /* Only allow one successful write to the map */
631 if (map->nr_extents != 0)
632 goto out;
633
634 /*
635 * Adjusting namespace settings requires capabilities on the target.
636 */
637 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
638 goto out;
639
640 /* Get a buffer */
641 ret = -ENOMEM;
642 page = __get_free_page(GFP_TEMPORARY);
643 kbuf = (char *) page;
644 if (!page)
645 goto out;
646
647 /* Only allow < page size writes at the beginning of the file */
648 ret = -EINVAL;
649 if ((*ppos != 0) || (count >= PAGE_SIZE))
650 goto out;
651
652 /* Slurp in the user data */
653 ret = -EFAULT;
654 if (copy_from_user(kbuf, buf, count))
655 goto out;
656 kbuf[count] = '\0';
657
658 /* Parse the user data */
659 ret = -EINVAL;
660 pos = kbuf;
661 new_map.nr_extents = 0;
662 for (; pos; pos = next_line) {
663 extent = &new_map.extent[new_map.nr_extents];
664
665 /* Find the end of line and ensure I don't look past it */
666 next_line = strchr(pos, '\n');
667 if (next_line) {
668 *next_line = '\0';
669 next_line++;
670 if (*next_line == '\0')
671 next_line = NULL;
672 }
673
674 pos = skip_spaces(pos);
675 extent->first = simple_strtoul(pos, &pos, 10);
676 if (!isspace(*pos))
677 goto out;
678
679 pos = skip_spaces(pos);
680 extent->lower_first = simple_strtoul(pos, &pos, 10);
681 if (!isspace(*pos))
682 goto out;
683
684 pos = skip_spaces(pos);
685 extent->count = simple_strtoul(pos, &pos, 10);
686 if (*pos && !isspace(*pos))
687 goto out;
688
689 /* Verify there is not trailing junk on the line */
690 pos = skip_spaces(pos);
691 if (*pos != '\0')
692 goto out;
693
694 /* Verify we have been given valid starting values */
695 if ((extent->first == (u32) -1) ||
696 (extent->lower_first == (u32) -1))
697 goto out;
698
699 /* Verify count is not zero and does not cause the
700 * extent to wrap
701 */
702 if ((extent->first + extent->count) <= extent->first)
703 goto out;
704 if ((extent->lower_first + extent->count) <=
705 extent->lower_first)
706 goto out;
707
708 /* Do the ranges in extent overlap any previous extents? */
709 if (mappings_overlap(&new_map, extent))
710 goto out;
711
712 new_map.nr_extents++;
713
714 /* Fail if the file contains too many extents */
715 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
716 (next_line != NULL))
717 goto out;
718 }
719 /* Be very certaint the new map actually exists */
720 if (new_map.nr_extents == 0)
721 goto out;
722
723 ret = -EPERM;
724 /* Validate the user is allowed to use user id's mapped to. */
725 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
726 goto out;
727
728 /* Map the lower ids from the parent user namespace to the
729 * kernel global id space.
730 */
731 for (idx = 0; idx < new_map.nr_extents; idx++) {
732 u32 lower_first;
733 extent = &new_map.extent[idx];
734
735 lower_first = map_id_range_down(parent_map,
736 extent->lower_first,
737 extent->count);
738
739 /* Fail if we can not map the specified extent to
740 * the kernel global id space.
741 */
742 if (lower_first == (u32) -1)
743 goto out;
744
745 extent->lower_first = lower_first;
746 }
747
748 /* Install the map */
749 memcpy(map->extent, new_map.extent,
750 new_map.nr_extents*sizeof(new_map.extent[0]));
751 smp_wmb();
752 map->nr_extents = new_map.nr_extents;
753
754 *ppos = count;
755 ret = count;
756 out:
757 mutex_unlock(&userns_state_mutex);
758 if (page)
759 free_page(page);
760 return ret;
761 }
762
763 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
764 size_t size, loff_t *ppos)
765 {
766 struct seq_file *seq = file->private_data;
767 struct user_namespace *ns = seq->private;
768 struct user_namespace *seq_ns = seq_user_ns(seq);
769
770 if (!ns->parent)
771 return -EPERM;
772
773 if ((seq_ns != ns) && (seq_ns != ns->parent))
774 return -EPERM;
775
776 return map_write(file, buf, size, ppos, CAP_SETUID,
777 &ns->uid_map, &ns->parent->uid_map);
778 }
779
780 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
781 size_t size, loff_t *ppos)
782 {
783 struct seq_file *seq = file->private_data;
784 struct user_namespace *ns = seq->private;
785 struct user_namespace *seq_ns = seq_user_ns(seq);
786
787 if (!ns->parent)
788 return -EPERM;
789
790 if ((seq_ns != ns) && (seq_ns != ns->parent))
791 return -EPERM;
792
793 return map_write(file, buf, size, ppos, CAP_SETGID,
794 &ns->gid_map, &ns->parent->gid_map);
795 }
796
797 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
798 size_t size, loff_t *ppos)
799 {
800 struct seq_file *seq = file->private_data;
801 struct user_namespace *ns = seq->private;
802 struct user_namespace *seq_ns = seq_user_ns(seq);
803
804 if (!ns->parent)
805 return -EPERM;
806
807 if ((seq_ns != ns) && (seq_ns != ns->parent))
808 return -EPERM;
809
810 /* Anyone can set any valid project id no capability needed */
811 return map_write(file, buf, size, ppos, -1,
812 &ns->projid_map, &ns->parent->projid_map);
813 }
814
815 static bool new_idmap_permitted(const struct file *file,
816 struct user_namespace *ns, int cap_setid,
817 struct uid_gid_map *new_map)
818 {
819 const struct cred *cred = file->f_cred;
820 /* Don't allow mappings that would allow anything that wouldn't
821 * be allowed without the establishment of unprivileged mappings.
822 */
823 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
824 uid_eq(ns->owner, cred->euid)) {
825 u32 id = new_map->extent[0].lower_first;
826 if (cap_setid == CAP_SETUID) {
827 kuid_t uid = make_kuid(ns->parent, id);
828 if (uid_eq(uid, cred->euid))
829 return true;
830 } else if (cap_setid == CAP_SETGID) {
831 kgid_t gid = make_kgid(ns->parent, id);
832 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
833 gid_eq(gid, cred->egid))
834 return true;
835 }
836 }
837
838 /* Allow anyone to set a mapping that doesn't require privilege */
839 if (!cap_valid(cap_setid))
840 return true;
841
842 /* Allow the specified ids if we have the appropriate capability
843 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
844 * And the opener of the id file also had the approprpiate capability.
845 */
846 if (ns_capable(ns->parent, cap_setid) &&
847 file_ns_capable(file, ns->parent, cap_setid))
848 return true;
849
850 return false;
851 }
852
853 int proc_setgroups_show(struct seq_file *seq, void *v)
854 {
855 struct user_namespace *ns = seq->private;
856 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
857
858 seq_printf(seq, "%s\n",
859 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
860 "allow" : "deny");
861 return 0;
862 }
863
864 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
865 size_t count, loff_t *ppos)
866 {
867 struct seq_file *seq = file->private_data;
868 struct user_namespace *ns = seq->private;
869 char kbuf[8], *pos;
870 bool setgroups_allowed;
871 ssize_t ret;
872
873 /* Only allow a very narrow range of strings to be written */
874 ret = -EINVAL;
875 if ((*ppos != 0) || (count >= sizeof(kbuf)))
876 goto out;
877
878 /* What was written? */
879 ret = -EFAULT;
880 if (copy_from_user(kbuf, buf, count))
881 goto out;
882 kbuf[count] = '\0';
883 pos = kbuf;
884
885 /* What is being requested? */
886 ret = -EINVAL;
887 if (strncmp(pos, "allow", 5) == 0) {
888 pos += 5;
889 setgroups_allowed = true;
890 }
891 else if (strncmp(pos, "deny", 4) == 0) {
892 pos += 4;
893 setgroups_allowed = false;
894 }
895 else
896 goto out;
897
898 /* Verify there is not trailing junk on the line */
899 pos = skip_spaces(pos);
900 if (*pos != '\0')
901 goto out;
902
903 ret = -EPERM;
904 mutex_lock(&userns_state_mutex);
905 if (setgroups_allowed) {
906 /* Enabling setgroups after setgroups has been disabled
907 * is not allowed.
908 */
909 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
910 goto out_unlock;
911 } else {
912 /* Permanently disabling setgroups after setgroups has
913 * been enabled by writing the gid_map is not allowed.
914 */
915 if (ns->gid_map.nr_extents != 0)
916 goto out_unlock;
917 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
918 }
919 mutex_unlock(&userns_state_mutex);
920
921 /* Report a successful write */
922 *ppos = count;
923 ret = count;
924 out:
925 return ret;
926 out_unlock:
927 mutex_unlock(&userns_state_mutex);
928 goto out;
929 }
930
931 bool userns_may_setgroups(const struct user_namespace *ns)
932 {
933 bool allowed;
934
935 mutex_lock(&userns_state_mutex);
936 /* It is not safe to use setgroups until a gid mapping in
937 * the user namespace has been established.
938 */
939 allowed = ns->gid_map.nr_extents != 0;
940 /* Is setgroups allowed? */
941 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
942 mutex_unlock(&userns_state_mutex);
943
944 return allowed;
945 }
946
947 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
948 {
949 return container_of(ns, struct user_namespace, ns);
950 }
951
952 static struct ns_common *userns_get(struct task_struct *task)
953 {
954 struct user_namespace *user_ns;
955
956 rcu_read_lock();
957 user_ns = get_user_ns(__task_cred(task)->user_ns);
958 rcu_read_unlock();
959
960 return user_ns ? &user_ns->ns : NULL;
961 }
962
963 static void userns_put(struct ns_common *ns)
964 {
965 put_user_ns(to_user_ns(ns));
966 }
967
968 static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
969 {
970 struct user_namespace *user_ns = to_user_ns(ns);
971 struct cred *cred;
972
973 /* Don't allow gaining capabilities by reentering
974 * the same user namespace.
975 */
976 if (user_ns == current_user_ns())
977 return -EINVAL;
978
979 /* Threaded processes may not enter a different user namespace */
980 if (atomic_read(&current->mm->mm_users) > 1)
981 return -EINVAL;
982
983 if (current->fs->users != 1)
984 return -EINVAL;
985
986 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
987 return -EPERM;
988
989 cred = prepare_creds();
990 if (!cred)
991 return -ENOMEM;
992
993 put_user_ns(cred->user_ns);
994 set_cred_user_ns(cred, get_user_ns(user_ns));
995
996 return commit_creds(cred);
997 }
998
999 const struct proc_ns_operations userns_operations = {
1000 .name = "user",
1001 .type = CLONE_NEWUSER,
1002 .get = userns_get,
1003 .put = userns_put,
1004 .install = userns_install,
1005 };
1006
1007 static __init int user_namespaces_init(void)
1008 {
1009 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1010 return 0;
1011 }
1012 subsys_initcall(user_namespaces_init);
Ubuntu Artful kernel mirror