1b2441318SGreg Kroah-Hartman // SPDX-License-Identifier: GPL-2.0
2dcfe149bSTejun Heo #include "cgroup-internal.h"
3dcfe149bSTejun Heo
456cd6973SIngo Molnar #include <linux/sched/task.h>
5dcfe149bSTejun Heo #include <linux/slab.h>
6dcfe149bSTejun Heo #include <linux/nsproxy.h>
7dcfe149bSTejun Heo #include <linux/proc_ns.h>
8dcfe149bSTejun Heo
9dcfe149bSTejun Heo
10dcfe149bSTejun Heo /* cgroup namespaces */
11dcfe149bSTejun Heo
inc_cgroup_namespaces(struct user_namespace * ns)12dcfe149bSTejun Heo static struct ucounts *inc_cgroup_namespaces(struct user_namespace *ns)
13dcfe149bSTejun Heo {
14dcfe149bSTejun Heo return inc_ucount(ns, current_euid(), UCOUNT_CGROUP_NAMESPACES);
15dcfe149bSTejun Heo }
16dcfe149bSTejun Heo
dec_cgroup_namespaces(struct ucounts * ucounts)17dcfe149bSTejun Heo static void dec_cgroup_namespaces(struct ucounts *ucounts)
18dcfe149bSTejun Heo {
19dcfe149bSTejun Heo dec_ucount(ucounts, UCOUNT_CGROUP_NAMESPACES);
20dcfe149bSTejun Heo }
21dcfe149bSTejun Heo
alloc_cgroup_ns(void)22dcfe149bSTejun Heo static struct cgroup_namespace *alloc_cgroup_ns(void)
23dcfe149bSTejun Heo {
24dcfe149bSTejun Heo struct cgroup_namespace *new_ns;
25dcfe149bSTejun Heo int ret;
26dcfe149bSTejun Heo
27*30acd0bdSVasily Averin new_ns = kzalloc(sizeof(struct cgroup_namespace), GFP_KERNEL_ACCOUNT);
28dcfe149bSTejun Heo if (!new_ns)
29dcfe149bSTejun Heo return ERR_PTR(-ENOMEM);
30dcfe149bSTejun Heo ret = ns_alloc_inum(&new_ns->ns);
31dcfe149bSTejun Heo if (ret) {
32dcfe149bSTejun Heo kfree(new_ns);
33dcfe149bSTejun Heo return ERR_PTR(ret);
34dcfe149bSTejun Heo }
35f387882dSKirill Tkhai refcount_set(&new_ns->ns.count, 1);
36dcfe149bSTejun Heo new_ns->ns.ops = &cgroupns_operations;
37dcfe149bSTejun Heo return new_ns;
38dcfe149bSTejun Heo }
39dcfe149bSTejun Heo
free_cgroup_ns(struct cgroup_namespace * ns)40dcfe149bSTejun Heo void free_cgroup_ns(struct cgroup_namespace *ns)
41dcfe149bSTejun Heo {
42dcfe149bSTejun Heo put_css_set(ns->root_cset);
43dcfe149bSTejun Heo dec_cgroup_namespaces(ns->ucounts);
44dcfe149bSTejun Heo put_user_ns(ns->user_ns);
45dcfe149bSTejun Heo ns_free_inum(&ns->ns);
46dcfe149bSTejun Heo kfree(ns);
47dcfe149bSTejun Heo }
48dcfe149bSTejun Heo EXPORT_SYMBOL(free_cgroup_ns);
49dcfe149bSTejun Heo
copy_cgroup_ns(unsigned long flags,struct user_namespace * user_ns,struct cgroup_namespace * old_ns)50dcfe149bSTejun Heo struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
51dcfe149bSTejun Heo struct user_namespace *user_ns,
52dcfe149bSTejun Heo struct cgroup_namespace *old_ns)
53dcfe149bSTejun Heo {
54dcfe149bSTejun Heo struct cgroup_namespace *new_ns;
55dcfe149bSTejun Heo struct ucounts *ucounts;
56dcfe149bSTejun Heo struct css_set *cset;
57dcfe149bSTejun Heo
58dcfe149bSTejun Heo BUG_ON(!old_ns);
59dcfe149bSTejun Heo
60dcfe149bSTejun Heo if (!(flags & CLONE_NEWCGROUP)) {
61dcfe149bSTejun Heo get_cgroup_ns(old_ns);
62dcfe149bSTejun Heo return old_ns;
63dcfe149bSTejun Heo }
64dcfe149bSTejun Heo
65dcfe149bSTejun Heo /* Allow only sysadmin to create cgroup namespace. */
66dcfe149bSTejun Heo if (!ns_capable(user_ns, CAP_SYS_ADMIN))
67dcfe149bSTejun Heo return ERR_PTR(-EPERM);
68dcfe149bSTejun Heo
69dcfe149bSTejun Heo ucounts = inc_cgroup_namespaces(user_ns);
70dcfe149bSTejun Heo if (!ucounts)
71dcfe149bSTejun Heo return ERR_PTR(-ENOSPC);
72dcfe149bSTejun Heo
73dcfe149bSTejun Heo /* It is not safe to take cgroup_mutex here */
74dcfe149bSTejun Heo spin_lock_irq(&css_set_lock);
75dcfe149bSTejun Heo cset = task_css_set(current);
76dcfe149bSTejun Heo get_css_set(cset);
77dcfe149bSTejun Heo spin_unlock_irq(&css_set_lock);
78dcfe149bSTejun Heo
79dcfe149bSTejun Heo new_ns = alloc_cgroup_ns();
80dcfe149bSTejun Heo if (IS_ERR(new_ns)) {
81dcfe149bSTejun Heo put_css_set(cset);
82dcfe149bSTejun Heo dec_cgroup_namespaces(ucounts);
83dcfe149bSTejun Heo return new_ns;
84dcfe149bSTejun Heo }
85dcfe149bSTejun Heo
86dcfe149bSTejun Heo new_ns->user_ns = get_user_ns(user_ns);
87dcfe149bSTejun Heo new_ns->ucounts = ucounts;
88dcfe149bSTejun Heo new_ns->root_cset = cset;
89dcfe149bSTejun Heo
90dcfe149bSTejun Heo return new_ns;
91dcfe149bSTejun Heo }
92dcfe149bSTejun Heo
to_cg_ns(struct ns_common * ns)93dcfe149bSTejun Heo static inline struct cgroup_namespace *to_cg_ns(struct ns_common *ns)
94dcfe149bSTejun Heo {
95dcfe149bSTejun Heo return container_of(ns, struct cgroup_namespace, ns);
96dcfe149bSTejun Heo }
97dcfe149bSTejun Heo
cgroupns_install(struct nsset * nsset,struct ns_common * ns)98f2a8d52eSChristian Brauner static int cgroupns_install(struct nsset *nsset, struct ns_common *ns)
99dcfe149bSTejun Heo {
100f2a8d52eSChristian Brauner struct nsproxy *nsproxy = nsset->nsproxy;
101dcfe149bSTejun Heo struct cgroup_namespace *cgroup_ns = to_cg_ns(ns);
102dcfe149bSTejun Heo
103f2a8d52eSChristian Brauner if (!ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN) ||
104dcfe149bSTejun Heo !ns_capable(cgroup_ns->user_ns, CAP_SYS_ADMIN))
105dcfe149bSTejun Heo return -EPERM;
106dcfe149bSTejun Heo
107dcfe149bSTejun Heo /* Don't need to do anything if we are attaching to our own cgroupns. */
108dcfe149bSTejun Heo if (cgroup_ns == nsproxy->cgroup_ns)
109dcfe149bSTejun Heo return 0;
110dcfe149bSTejun Heo
111dcfe149bSTejun Heo get_cgroup_ns(cgroup_ns);
112dcfe149bSTejun Heo put_cgroup_ns(nsproxy->cgroup_ns);
113dcfe149bSTejun Heo nsproxy->cgroup_ns = cgroup_ns;
114dcfe149bSTejun Heo
115dcfe149bSTejun Heo return 0;
116dcfe149bSTejun Heo }
117dcfe149bSTejun Heo
cgroupns_get(struct task_struct * task)118dcfe149bSTejun Heo static struct ns_common *cgroupns_get(struct task_struct *task)
119dcfe149bSTejun Heo {
120dcfe149bSTejun Heo struct cgroup_namespace *ns = NULL;
121dcfe149bSTejun Heo struct nsproxy *nsproxy;
122dcfe149bSTejun Heo
123dcfe149bSTejun Heo task_lock(task);
124dcfe149bSTejun Heo nsproxy = task->nsproxy;
125dcfe149bSTejun Heo if (nsproxy) {
126dcfe149bSTejun Heo ns = nsproxy->cgroup_ns;
127dcfe149bSTejun Heo get_cgroup_ns(ns);
128dcfe149bSTejun Heo }
129dcfe149bSTejun Heo task_unlock(task);
130dcfe149bSTejun Heo
131dcfe149bSTejun Heo return ns ? &ns->ns : NULL;
132dcfe149bSTejun Heo }
133dcfe149bSTejun Heo
cgroupns_put(struct ns_common * ns)134dcfe149bSTejun Heo static void cgroupns_put(struct ns_common *ns)
135dcfe149bSTejun Heo {
136dcfe149bSTejun Heo put_cgroup_ns(to_cg_ns(ns));
137dcfe149bSTejun Heo }
138dcfe149bSTejun Heo
cgroupns_owner(struct ns_common * ns)139dcfe149bSTejun Heo static struct user_namespace *cgroupns_owner(struct ns_common *ns)
140dcfe149bSTejun Heo {
141dcfe149bSTejun Heo return to_cg_ns(ns)->user_ns;
142dcfe149bSTejun Heo }
143dcfe149bSTejun Heo
144dcfe149bSTejun Heo const struct proc_ns_operations cgroupns_operations = {
145dcfe149bSTejun Heo .name = "cgroup",
146dcfe149bSTejun Heo .type = CLONE_NEWCGROUP,
147dcfe149bSTejun Heo .get = cgroupns_get,
148dcfe149bSTejun Heo .put = cgroupns_put,
149dcfe149bSTejun Heo .install = cgroupns_install,
150dcfe149bSTejun Heo .owner = cgroupns_owner,
151dcfe149bSTejun Heo };
152