1 /* 2 * This program is free software; you can redistribute it and/or 3 * modify it under the terms of the GNU General Public License as 4 * published by the Free Software Foundation, version 2 of the 5 * License. 6 */ 7 8 #include <linux/export.h> 9 #include <linux/nsproxy.h> 10 #include <linux/slab.h> 11 #include <linux/user_namespace.h> 12 #include <linux/proc_ns.h> 13 #include <linux/highuid.h> 14 #include <linux/cred.h> 15 #include <linux/securebits.h> 16 #include <linux/keyctl.h> 17 #include <linux/key-type.h> 18 #include <keys/user-type.h> 19 #include <linux/seq_file.h> 20 #include <linux/fs.h> 21 #include <linux/uaccess.h> 22 #include <linux/ctype.h> 23 #include <linux/projid.h> 24 #include <linux/fs_struct.h> 25 26 static struct kmem_cache *user_ns_cachep __read_mostly; 27 28 static bool new_idmap_permitted(const struct file *file, 29 struct user_namespace *ns, int cap_setid, 30 struct uid_gid_map *map); 31 32 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) 33 { 34 /* Start with the same capabilities as init but useless for doing 35 * anything as the capabilities are bound to the new user namespace. 36 */ 37 cred->securebits = SECUREBITS_DEFAULT; 38 cred->cap_inheritable = CAP_EMPTY_SET; 39 cred->cap_permitted = CAP_FULL_SET; 40 cred->cap_effective = CAP_FULL_SET; 41 cred->cap_bset = CAP_FULL_SET; 42 #ifdef CONFIG_KEYS 43 key_put(cred->request_key_auth); 44 cred->request_key_auth = NULL; 45 #endif 46 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */ 47 cred->user_ns = user_ns; 48 } 49 50 /* 51 * Create a new user namespace, deriving the creator from the user in the 52 * passed credentials, and replacing that user with the new root user for the 53 * new namespace. 54 * 55 * This is called by copy_creds(), which will finish setting the target task's 56 * credentials. 57 */ 58 int create_user_ns(struct cred *new) 59 { 60 struct user_namespace *ns, *parent_ns = new->user_ns; 61 kuid_t owner = new->euid; 62 kgid_t group = new->egid; 63 int ret; 64 65 if (parent_ns->level > 32) 66 return -EUSERS; 67 68 /* 69 * Verify that we can not violate the policy of which files 70 * may be accessed that is specified by the root directory, 71 * by verifing that the root directory is at the root of the 72 * mount namespace which allows all files to be accessed. 73 */ 74 if (current_chrooted()) 75 return -EPERM; 76 77 /* The creator needs a mapping in the parent user namespace 78 * or else we won't be able to reasonably tell userspace who 79 * created a user_namespace. 80 */ 81 if (!kuid_has_mapping(parent_ns, owner) || 82 !kgid_has_mapping(parent_ns, group)) 83 return -EPERM; 84 85 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL); 86 if (!ns) 87 return -ENOMEM; 88 89 ret = proc_alloc_inum(&ns->proc_inum); 90 if (ret) { 91 kmem_cache_free(user_ns_cachep, ns); 92 return ret; 93 } 94 95 atomic_set(&ns->count, 1); 96 /* Leave the new->user_ns reference with the new user namespace. */ 97 ns->parent = parent_ns; 98 ns->level = parent_ns->level + 1; 99 ns->owner = owner; 100 ns->group = group; 101 102 set_cred_user_ns(new, ns); 103 104 #ifdef CONFIG_PERSISTENT_KEYRINGS 105 init_rwsem(&ns->persistent_keyring_register_sem); 106 #endif 107 return 0; 108 } 109 110 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred) 111 { 112 struct cred *cred; 113 int err = -ENOMEM; 114 115 if (!(unshare_flags & CLONE_NEWUSER)) 116 return 0; 117 118 cred = prepare_creds(); 119 if (cred) { 120 err = create_user_ns(cred); 121 if (err) 122 put_cred(cred); 123 else 124 *new_cred = cred; 125 } 126 127 return err; 128 } 129 130 void free_user_ns(struct user_namespace *ns) 131 { 132 struct user_namespace *parent; 133 134 do { 135 parent = ns->parent; 136 #ifdef CONFIG_PERSISTENT_KEYRINGS 137 key_put(ns->persistent_keyring_register); 138 #endif 139 proc_free_inum(ns->proc_inum); 140 kmem_cache_free(user_ns_cachep, ns); 141 ns = parent; 142 } while (atomic_dec_and_test(&parent->count)); 143 } 144 EXPORT_SYMBOL(free_user_ns); 145 146 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count) 147 { 148 unsigned idx, extents; 149 u32 first, last, id2; 150 151 id2 = id + count - 1; 152 153 /* Find the matching extent */ 154 extents = map->nr_extents; 155 smp_rmb(); 156 for (idx = 0; idx < extents; idx++) { 157 first = map->extent[idx].first; 158 last = first + map->extent[idx].count - 1; 159 if (id >= first && id <= last && 160 (id2 >= first && id2 <= last)) 161 break; 162 } 163 /* Map the id or note failure */ 164 if (idx < extents) 165 id = (id - first) + map->extent[idx].lower_first; 166 else 167 id = (u32) -1; 168 169 return id; 170 } 171 172 static u32 map_id_down(struct uid_gid_map *map, u32 id) 173 { 174 unsigned idx, extents; 175 u32 first, last; 176 177 /* Find the matching extent */ 178 extents = map->nr_extents; 179 smp_rmb(); 180 for (idx = 0; idx < extents; idx++) { 181 first = map->extent[idx].first; 182 last = first + map->extent[idx].count - 1; 183 if (id >= first && id <= last) 184 break; 185 } 186 /* Map the id or note failure */ 187 if (idx < extents) 188 id = (id - first) + map->extent[idx].lower_first; 189 else 190 id = (u32) -1; 191 192 return id; 193 } 194 195 static u32 map_id_up(struct uid_gid_map *map, u32 id) 196 { 197 unsigned idx, extents; 198 u32 first, last; 199 200 /* Find the matching extent */ 201 extents = map->nr_extents; 202 smp_rmb(); 203 for (idx = 0; idx < extents; idx++) { 204 first = map->extent[idx].lower_first; 205 last = first + map->extent[idx].count - 1; 206 if (id >= first && id <= last) 207 break; 208 } 209 /* Map the id or note failure */ 210 if (idx < extents) 211 id = (id - first) + map->extent[idx].first; 212 else 213 id = (u32) -1; 214 215 return id; 216 } 217 218 /** 219 * make_kuid - Map a user-namespace uid pair into a kuid. 220 * @ns: User namespace that the uid is in 221 * @uid: User identifier 222 * 223 * Maps a user-namespace uid pair into a kernel internal kuid, 224 * and returns that kuid. 225 * 226 * When there is no mapping defined for the user-namespace uid 227 * pair INVALID_UID is returned. Callers are expected to test 228 * for and handle INVALID_UID being returned. INVALID_UID 229 * may be tested for using uid_valid(). 230 */ 231 kuid_t make_kuid(struct user_namespace *ns, uid_t uid) 232 { 233 /* Map the uid to a global kernel uid */ 234 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); 235 } 236 EXPORT_SYMBOL(make_kuid); 237 238 /** 239 * from_kuid - Create a uid from a kuid user-namespace pair. 240 * @targ: The user namespace we want a uid in. 241 * @kuid: The kernel internal uid to start with. 242 * 243 * Map @kuid into the user-namespace specified by @targ and 244 * return the resulting uid. 245 * 246 * There is always a mapping into the initial user_namespace. 247 * 248 * If @kuid has no mapping in @targ (uid_t)-1 is returned. 249 */ 250 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid) 251 { 252 /* Map the uid from a global kernel uid */ 253 return map_id_up(&targ->uid_map, __kuid_val(kuid)); 254 } 255 EXPORT_SYMBOL(from_kuid); 256 257 /** 258 * from_kuid_munged - Create a uid from a kuid user-namespace pair. 259 * @targ: The user namespace we want a uid in. 260 * @kuid: The kernel internal uid to start with. 261 * 262 * Map @kuid into the user-namespace specified by @targ and 263 * return the resulting uid. 264 * 265 * There is always a mapping into the initial user_namespace. 266 * 267 * Unlike from_kuid from_kuid_munged never fails and always 268 * returns a valid uid. This makes from_kuid_munged appropriate 269 * for use in syscalls like stat and getuid where failing the 270 * system call and failing to provide a valid uid are not an 271 * options. 272 * 273 * If @kuid has no mapping in @targ overflowuid is returned. 274 */ 275 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid) 276 { 277 uid_t uid; 278 uid = from_kuid(targ, kuid); 279 280 if (uid == (uid_t) -1) 281 uid = overflowuid; 282 return uid; 283 } 284 EXPORT_SYMBOL(from_kuid_munged); 285 286 /** 287 * make_kgid - Map a user-namespace gid pair into a kgid. 288 * @ns: User namespace that the gid is in 289 * @gid: group identifier 290 * 291 * Maps a user-namespace gid pair into a kernel internal kgid, 292 * and returns that kgid. 293 * 294 * When there is no mapping defined for the user-namespace gid 295 * pair INVALID_GID is returned. Callers are expected to test 296 * for and handle INVALID_GID being returned. INVALID_GID may be 297 * tested for using gid_valid(). 298 */ 299 kgid_t make_kgid(struct user_namespace *ns, gid_t gid) 300 { 301 /* Map the gid to a global kernel gid */ 302 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); 303 } 304 EXPORT_SYMBOL(make_kgid); 305 306 /** 307 * from_kgid - Create a gid from a kgid user-namespace pair. 308 * @targ: The user namespace we want a gid in. 309 * @kgid: The kernel internal gid to start with. 310 * 311 * Map @kgid into the user-namespace specified by @targ and 312 * return the resulting gid. 313 * 314 * There is always a mapping into the initial user_namespace. 315 * 316 * If @kgid has no mapping in @targ (gid_t)-1 is returned. 317 */ 318 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid) 319 { 320 /* Map the gid from a global kernel gid */ 321 return map_id_up(&targ->gid_map, __kgid_val(kgid)); 322 } 323 EXPORT_SYMBOL(from_kgid); 324 325 /** 326 * from_kgid_munged - Create a gid from a kgid user-namespace pair. 327 * @targ: The user namespace we want a gid in. 328 * @kgid: The kernel internal gid to start with. 329 * 330 * Map @kgid into the user-namespace specified by @targ and 331 * return the resulting gid. 332 * 333 * There is always a mapping into the initial user_namespace. 334 * 335 * Unlike from_kgid from_kgid_munged never fails and always 336 * returns a valid gid. This makes from_kgid_munged appropriate 337 * for use in syscalls like stat and getgid where failing the 338 * system call and failing to provide a valid gid are not options. 339 * 340 * If @kgid has no mapping in @targ overflowgid is returned. 341 */ 342 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid) 343 { 344 gid_t gid; 345 gid = from_kgid(targ, kgid); 346 347 if (gid == (gid_t) -1) 348 gid = overflowgid; 349 return gid; 350 } 351 EXPORT_SYMBOL(from_kgid_munged); 352 353 /** 354 * make_kprojid - Map a user-namespace projid pair into a kprojid. 355 * @ns: User namespace that the projid is in 356 * @projid: Project identifier 357 * 358 * Maps a user-namespace uid pair into a kernel internal kuid, 359 * and returns that kuid. 360 * 361 * When there is no mapping defined for the user-namespace projid 362 * pair INVALID_PROJID is returned. Callers are expected to test 363 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID 364 * may be tested for using projid_valid(). 365 */ 366 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid) 367 { 368 /* Map the uid to a global kernel uid */ 369 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); 370 } 371 EXPORT_SYMBOL(make_kprojid); 372 373 /** 374 * from_kprojid - Create a projid from a kprojid user-namespace pair. 375 * @targ: The user namespace we want a projid in. 376 * @kprojid: The kernel internal project identifier to start with. 377 * 378 * Map @kprojid into the user-namespace specified by @targ and 379 * return the resulting projid. 380 * 381 * There is always a mapping into the initial user_namespace. 382 * 383 * If @kprojid has no mapping in @targ (projid_t)-1 is returned. 384 */ 385 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid) 386 { 387 /* Map the uid from a global kernel uid */ 388 return map_id_up(&targ->projid_map, __kprojid_val(kprojid)); 389 } 390 EXPORT_SYMBOL(from_kprojid); 391 392 /** 393 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair. 394 * @targ: The user namespace we want a projid in. 395 * @kprojid: The kernel internal projid to start with. 396 * 397 * Map @kprojid into the user-namespace specified by @targ and 398 * return the resulting projid. 399 * 400 * There is always a mapping into the initial user_namespace. 401 * 402 * Unlike from_kprojid from_kprojid_munged never fails and always 403 * returns a valid projid. This makes from_kprojid_munged 404 * appropriate for use in syscalls like stat and where 405 * failing the system call and failing to provide a valid projid are 406 * not an options. 407 * 408 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned. 409 */ 410 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid) 411 { 412 projid_t projid; 413 projid = from_kprojid(targ, kprojid); 414 415 if (projid == (projid_t) -1) 416 projid = OVERFLOW_PROJID; 417 return projid; 418 } 419 EXPORT_SYMBOL(from_kprojid_munged); 420 421 422 static int uid_m_show(struct seq_file *seq, void *v) 423 { 424 struct user_namespace *ns = seq->private; 425 struct uid_gid_extent *extent = v; 426 struct user_namespace *lower_ns; 427 uid_t lower; 428 429 lower_ns = seq_user_ns(seq); 430 if ((lower_ns == ns) && lower_ns->parent) 431 lower_ns = lower_ns->parent; 432 433 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first)); 434 435 seq_printf(seq, "%10u %10u %10u\n", 436 extent->first, 437 lower, 438 extent->count); 439 440 return 0; 441 } 442 443 static int gid_m_show(struct seq_file *seq, void *v) 444 { 445 struct user_namespace *ns = seq->private; 446 struct uid_gid_extent *extent = v; 447 struct user_namespace *lower_ns; 448 gid_t lower; 449 450 lower_ns = seq_user_ns(seq); 451 if ((lower_ns == ns) && lower_ns->parent) 452 lower_ns = lower_ns->parent; 453 454 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first)); 455 456 seq_printf(seq, "%10u %10u %10u\n", 457 extent->first, 458 lower, 459 extent->count); 460 461 return 0; 462 } 463 464 static int projid_m_show(struct seq_file *seq, void *v) 465 { 466 struct user_namespace *ns = seq->private; 467 struct uid_gid_extent *extent = v; 468 struct user_namespace *lower_ns; 469 projid_t lower; 470 471 lower_ns = seq_user_ns(seq); 472 if ((lower_ns == ns) && lower_ns->parent) 473 lower_ns = lower_ns->parent; 474 475 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first)); 476 477 seq_printf(seq, "%10u %10u %10u\n", 478 extent->first, 479 lower, 480 extent->count); 481 482 return 0; 483 } 484 485 static void *m_start(struct seq_file *seq, loff_t *ppos, 486 struct uid_gid_map *map) 487 { 488 struct uid_gid_extent *extent = NULL; 489 loff_t pos = *ppos; 490 491 if (pos < map->nr_extents) 492 extent = &map->extent[pos]; 493 494 return extent; 495 } 496 497 static void *uid_m_start(struct seq_file *seq, loff_t *ppos) 498 { 499 struct user_namespace *ns = seq->private; 500 501 return m_start(seq, ppos, &ns->uid_map); 502 } 503 504 static void *gid_m_start(struct seq_file *seq, loff_t *ppos) 505 { 506 struct user_namespace *ns = seq->private; 507 508 return m_start(seq, ppos, &ns->gid_map); 509 } 510 511 static void *projid_m_start(struct seq_file *seq, loff_t *ppos) 512 { 513 struct user_namespace *ns = seq->private; 514 515 return m_start(seq, ppos, &ns->projid_map); 516 } 517 518 static void *m_next(struct seq_file *seq, void *v, loff_t *pos) 519 { 520 (*pos)++; 521 return seq->op->start(seq, pos); 522 } 523 524 static void m_stop(struct seq_file *seq, void *v) 525 { 526 return; 527 } 528 529 struct seq_operations proc_uid_seq_operations = { 530 .start = uid_m_start, 531 .stop = m_stop, 532 .next = m_next, 533 .show = uid_m_show, 534 }; 535 536 struct seq_operations proc_gid_seq_operations = { 537 .start = gid_m_start, 538 .stop = m_stop, 539 .next = m_next, 540 .show = gid_m_show, 541 }; 542 543 struct seq_operations proc_projid_seq_operations = { 544 .start = projid_m_start, 545 .stop = m_stop, 546 .next = m_next, 547 .show = projid_m_show, 548 }; 549 550 static bool mappings_overlap(struct uid_gid_map *new_map, 551 struct uid_gid_extent *extent) 552 { 553 u32 upper_first, lower_first, upper_last, lower_last; 554 unsigned idx; 555 556 upper_first = extent->first; 557 lower_first = extent->lower_first; 558 upper_last = upper_first + extent->count - 1; 559 lower_last = lower_first + extent->count - 1; 560 561 for (idx = 0; idx < new_map->nr_extents; idx++) { 562 u32 prev_upper_first, prev_lower_first; 563 u32 prev_upper_last, prev_lower_last; 564 struct uid_gid_extent *prev; 565 566 prev = &new_map->extent[idx]; 567 568 prev_upper_first = prev->first; 569 prev_lower_first = prev->lower_first; 570 prev_upper_last = prev_upper_first + prev->count - 1; 571 prev_lower_last = prev_lower_first + prev->count - 1; 572 573 /* Does the upper range intersect a previous extent? */ 574 if ((prev_upper_first <= upper_last) && 575 (prev_upper_last >= upper_first)) 576 return true; 577 578 /* Does the lower range intersect a previous extent? */ 579 if ((prev_lower_first <= lower_last) && 580 (prev_lower_last >= lower_first)) 581 return true; 582 } 583 return false; 584 } 585 586 587 static DEFINE_MUTEX(id_map_mutex); 588 589 static ssize_t map_write(struct file *file, const char __user *buf, 590 size_t count, loff_t *ppos, 591 int cap_setid, 592 struct uid_gid_map *map, 593 struct uid_gid_map *parent_map) 594 { 595 struct seq_file *seq = file->private_data; 596 struct user_namespace *ns = seq->private; 597 struct uid_gid_map new_map; 598 unsigned idx; 599 struct uid_gid_extent *extent = NULL; 600 unsigned long page = 0; 601 char *kbuf, *pos, *next_line; 602 ssize_t ret = -EINVAL; 603 604 /* 605 * The id_map_mutex serializes all writes to any given map. 606 * 607 * Any map is only ever written once. 608 * 609 * An id map fits within 1 cache line on most architectures. 610 * 611 * On read nothing needs to be done unless you are on an 612 * architecture with a crazy cache coherency model like alpha. 613 * 614 * There is a one time data dependency between reading the 615 * count of the extents and the values of the extents. The 616 * desired behavior is to see the values of the extents that 617 * were written before the count of the extents. 618 * 619 * To achieve this smp_wmb() is used on guarantee the write 620 * order and smp_rmb() is guaranteed that we don't have crazy 621 * architectures returning stale data. 622 */ 623 mutex_lock(&id_map_mutex); 624 625 ret = -EPERM; 626 /* Only allow one successful write to the map */ 627 if (map->nr_extents != 0) 628 goto out; 629 630 /* 631 * Adjusting namespace settings requires capabilities on the target. 632 */ 633 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN)) 634 goto out; 635 636 /* Get a buffer */ 637 ret = -ENOMEM; 638 page = __get_free_page(GFP_TEMPORARY); 639 kbuf = (char *) page; 640 if (!page) 641 goto out; 642 643 /* Only allow <= page size writes at the beginning of the file */ 644 ret = -EINVAL; 645 if ((*ppos != 0) || (count >= PAGE_SIZE)) 646 goto out; 647 648 /* Slurp in the user data */ 649 ret = -EFAULT; 650 if (copy_from_user(kbuf, buf, count)) 651 goto out; 652 kbuf[count] = '\0'; 653 654 /* Parse the user data */ 655 ret = -EINVAL; 656 pos = kbuf; 657 new_map.nr_extents = 0; 658 for (; pos; pos = next_line) { 659 extent = &new_map.extent[new_map.nr_extents]; 660 661 /* Find the end of line and ensure I don't look past it */ 662 next_line = strchr(pos, '\n'); 663 if (next_line) { 664 *next_line = '\0'; 665 next_line++; 666 if (*next_line == '\0') 667 next_line = NULL; 668 } 669 670 pos = skip_spaces(pos); 671 extent->first = simple_strtoul(pos, &pos, 10); 672 if (!isspace(*pos)) 673 goto out; 674 675 pos = skip_spaces(pos); 676 extent->lower_first = simple_strtoul(pos, &pos, 10); 677 if (!isspace(*pos)) 678 goto out; 679 680 pos = skip_spaces(pos); 681 extent->count = simple_strtoul(pos, &pos, 10); 682 if (*pos && !isspace(*pos)) 683 goto out; 684 685 /* Verify there is not trailing junk on the line */ 686 pos = skip_spaces(pos); 687 if (*pos != '\0') 688 goto out; 689 690 /* Verify we have been given valid starting values */ 691 if ((extent->first == (u32) -1) || 692 (extent->lower_first == (u32) -1)) 693 goto out; 694 695 /* Verify count is not zero and does not cause the 696 * extent to wrap 697 */ 698 if ((extent->first + extent->count) <= extent->first) 699 goto out; 700 if ((extent->lower_first + extent->count) <= 701 extent->lower_first) 702 goto out; 703 704 /* Do the ranges in extent overlap any previous extents? */ 705 if (mappings_overlap(&new_map, extent)) 706 goto out; 707 708 new_map.nr_extents++; 709 710 /* Fail if the file contains too many extents */ 711 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) && 712 (next_line != NULL)) 713 goto out; 714 } 715 /* Be very certaint the new map actually exists */ 716 if (new_map.nr_extents == 0) 717 goto out; 718 719 ret = -EPERM; 720 /* Validate the user is allowed to use user id's mapped to. */ 721 if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) 722 goto out; 723 724 /* Map the lower ids from the parent user namespace to the 725 * kernel global id space. 726 */ 727 for (idx = 0; idx < new_map.nr_extents; idx++) { 728 u32 lower_first; 729 extent = &new_map.extent[idx]; 730 731 lower_first = map_id_range_down(parent_map, 732 extent->lower_first, 733 extent->count); 734 735 /* Fail if we can not map the specified extent to 736 * the kernel global id space. 737 */ 738 if (lower_first == (u32) -1) 739 goto out; 740 741 extent->lower_first = lower_first; 742 } 743 744 /* Install the map */ 745 memcpy(map->extent, new_map.extent, 746 new_map.nr_extents*sizeof(new_map.extent[0])); 747 smp_wmb(); 748 map->nr_extents = new_map.nr_extents; 749 750 *ppos = count; 751 ret = count; 752 out: 753 mutex_unlock(&id_map_mutex); 754 if (page) 755 free_page(page); 756 return ret; 757 } 758 759 ssize_t proc_uid_map_write(struct file *file, const char __user *buf, 760 size_t size, loff_t *ppos) 761 { 762 struct seq_file *seq = file->private_data; 763 struct user_namespace *ns = seq->private; 764 struct user_namespace *seq_ns = seq_user_ns(seq); 765 766 if (!ns->parent) 767 return -EPERM; 768 769 if ((seq_ns != ns) && (seq_ns != ns->parent)) 770 return -EPERM; 771 772 return map_write(file, buf, size, ppos, CAP_SETUID, 773 &ns->uid_map, &ns->parent->uid_map); 774 } 775 776 ssize_t proc_gid_map_write(struct file *file, const char __user *buf, 777 size_t size, loff_t *ppos) 778 { 779 struct seq_file *seq = file->private_data; 780 struct user_namespace *ns = seq->private; 781 struct user_namespace *seq_ns = seq_user_ns(seq); 782 783 if (!ns->parent) 784 return -EPERM; 785 786 if ((seq_ns != ns) && (seq_ns != ns->parent)) 787 return -EPERM; 788 789 return map_write(file, buf, size, ppos, CAP_SETGID, 790 &ns->gid_map, &ns->parent->gid_map); 791 } 792 793 ssize_t proc_projid_map_write(struct file *file, const char __user *buf, 794 size_t size, loff_t *ppos) 795 { 796 struct seq_file *seq = file->private_data; 797 struct user_namespace *ns = seq->private; 798 struct user_namespace *seq_ns = seq_user_ns(seq); 799 800 if (!ns->parent) 801 return -EPERM; 802 803 if ((seq_ns != ns) && (seq_ns != ns->parent)) 804 return -EPERM; 805 806 /* Anyone can set any valid project id no capability needed */ 807 return map_write(file, buf, size, ppos, -1, 808 &ns->projid_map, &ns->parent->projid_map); 809 } 810 811 static bool new_idmap_permitted(const struct file *file, 812 struct user_namespace *ns, int cap_setid, 813 struct uid_gid_map *new_map) 814 { 815 /* Allow mapping to your own filesystem ids */ 816 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { 817 u32 id = new_map->extent[0].lower_first; 818 if (cap_setid == CAP_SETUID) { 819 kuid_t uid = make_kuid(ns->parent, id); 820 if (uid_eq(uid, file->f_cred->fsuid)) 821 return true; 822 } else if (cap_setid == CAP_SETGID) { 823 kgid_t gid = make_kgid(ns->parent, id); 824 if (gid_eq(gid, file->f_cred->fsgid)) 825 return true; 826 } 827 } 828 829 /* Allow anyone to set a mapping that doesn't require privilege */ 830 if (!cap_valid(cap_setid)) 831 return true; 832 833 /* Allow the specified ids if we have the appropriate capability 834 * (CAP_SETUID or CAP_SETGID) over the parent user namespace. 835 * And the opener of the id file also had the approprpiate capability. 836 */ 837 if (ns_capable(ns->parent, cap_setid) && 838 file_ns_capable(file, ns->parent, cap_setid)) 839 return true; 840 841 return false; 842 } 843 844 static void *userns_get(struct task_struct *task) 845 { 846 struct user_namespace *user_ns; 847 848 rcu_read_lock(); 849 user_ns = get_user_ns(__task_cred(task)->user_ns); 850 rcu_read_unlock(); 851 852 return user_ns; 853 } 854 855 static void userns_put(void *ns) 856 { 857 put_user_ns(ns); 858 } 859 860 static int userns_install(struct nsproxy *nsproxy, void *ns) 861 { 862 struct user_namespace *user_ns = ns; 863 struct cred *cred; 864 865 /* Don't allow gaining capabilities by reentering 866 * the same user namespace. 867 */ 868 if (user_ns == current_user_ns()) 869 return -EINVAL; 870 871 /* Threaded processes may not enter a different user namespace */ 872 if (atomic_read(¤t->mm->mm_users) > 1) 873 return -EINVAL; 874 875 if (current->fs->users != 1) 876 return -EINVAL; 877 878 if (!ns_capable(user_ns, CAP_SYS_ADMIN)) 879 return -EPERM; 880 881 cred = prepare_creds(); 882 if (!cred) 883 return -ENOMEM; 884 885 put_user_ns(cred->user_ns); 886 set_cred_user_ns(cred, get_user_ns(user_ns)); 887 888 return commit_creds(cred); 889 } 890 891 static unsigned int userns_inum(void *ns) 892 { 893 struct user_namespace *user_ns = ns; 894 return user_ns->proc_inum; 895 } 896 897 const struct proc_ns_operations userns_operations = { 898 .name = "user", 899 .type = CLONE_NEWUSER, 900 .get = userns_get, 901 .put = userns_put, 902 .install = userns_install, 903 .inum = userns_inum, 904 }; 905 906 static __init int user_namespaces_init(void) 907 { 908 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC); 909 return 0; 910 } 911 subsys_initcall(user_namespaces_init); 912