xref: /openbmc/linux/kernel/user_namespace.c (revision 92b19ff5)
1 /*
2  *  This program is free software; you can redistribute it and/or
3  *  modify it under the terms of the GNU General Public License as
4  *  published by the Free Software Foundation, version 2 of the
5  *  License.
6  */
7 
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
20 #include <linux/fs.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
25 
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
28 
29 static bool new_idmap_permitted(const struct file *file,
30 				struct user_namespace *ns, int cap_setid,
31 				struct uid_gid_map *map);
32 
33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
34 {
35 	/* Start with the same capabilities as init but useless for doing
36 	 * anything as the capabilities are bound to the new user namespace.
37 	 */
38 	cred->securebits = SECUREBITS_DEFAULT;
39 	cred->cap_inheritable = CAP_EMPTY_SET;
40 	cred->cap_permitted = CAP_FULL_SET;
41 	cred->cap_effective = CAP_FULL_SET;
42 	cred->cap_bset = CAP_FULL_SET;
43 #ifdef CONFIG_KEYS
44 	key_put(cred->request_key_auth);
45 	cred->request_key_auth = NULL;
46 #endif
47 	/* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
48 	cred->user_ns = user_ns;
49 }
50 
51 /*
52  * Create a new user namespace, deriving the creator from the user in the
53  * passed credentials, and replacing that user with the new root user for the
54  * new namespace.
55  *
56  * This is called by copy_creds(), which will finish setting the target task's
57  * credentials.
58  */
59 int create_user_ns(struct cred *new)
60 {
61 	struct user_namespace *ns, *parent_ns = new->user_ns;
62 	kuid_t owner = new->euid;
63 	kgid_t group = new->egid;
64 	int ret;
65 
66 	if (parent_ns->level > 32)
67 		return -EUSERS;
68 
69 	/*
70 	 * Verify that we can not violate the policy of which files
71 	 * may be accessed that is specified by the root directory,
72 	 * by verifing that the root directory is at the root of the
73 	 * mount namespace which allows all files to be accessed.
74 	 */
75 	if (current_chrooted())
76 		return -EPERM;
77 
78 	/* The creator needs a mapping in the parent user namespace
79 	 * or else we won't be able to reasonably tell userspace who
80 	 * created a user_namespace.
81 	 */
82 	if (!kuid_has_mapping(parent_ns, owner) ||
83 	    !kgid_has_mapping(parent_ns, group))
84 		return -EPERM;
85 
86 	ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
87 	if (!ns)
88 		return -ENOMEM;
89 
90 	ret = ns_alloc_inum(&ns->ns);
91 	if (ret) {
92 		kmem_cache_free(user_ns_cachep, ns);
93 		return ret;
94 	}
95 	ns->ns.ops = &userns_operations;
96 
97 	atomic_set(&ns->count, 1);
98 	/* Leave the new->user_ns reference with the new user namespace. */
99 	ns->parent = parent_ns;
100 	ns->level = parent_ns->level + 1;
101 	ns->owner = owner;
102 	ns->group = group;
103 
104 	/* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
105 	mutex_lock(&userns_state_mutex);
106 	ns->flags = parent_ns->flags;
107 	mutex_unlock(&userns_state_mutex);
108 
109 	set_cred_user_ns(new, ns);
110 
111 #ifdef CONFIG_PERSISTENT_KEYRINGS
112 	init_rwsem(&ns->persistent_keyring_register_sem);
113 #endif
114 	return 0;
115 }
116 
117 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
118 {
119 	struct cred *cred;
120 	int err = -ENOMEM;
121 
122 	if (!(unshare_flags & CLONE_NEWUSER))
123 		return 0;
124 
125 	cred = prepare_creds();
126 	if (cred) {
127 		err = create_user_ns(cred);
128 		if (err)
129 			put_cred(cred);
130 		else
131 			*new_cred = cred;
132 	}
133 
134 	return err;
135 }
136 
137 void free_user_ns(struct user_namespace *ns)
138 {
139 	struct user_namespace *parent;
140 
141 	do {
142 		parent = ns->parent;
143 #ifdef CONFIG_PERSISTENT_KEYRINGS
144 		key_put(ns->persistent_keyring_register);
145 #endif
146 		ns_free_inum(&ns->ns);
147 		kmem_cache_free(user_ns_cachep, ns);
148 		ns = parent;
149 	} while (atomic_dec_and_test(&parent->count));
150 }
151 EXPORT_SYMBOL(free_user_ns);
152 
153 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
154 {
155 	unsigned idx, extents;
156 	u32 first, last, id2;
157 
158 	id2 = id + count - 1;
159 
160 	/* Find the matching extent */
161 	extents = map->nr_extents;
162 	smp_rmb();
163 	for (idx = 0; idx < extents; idx++) {
164 		first = map->extent[idx].first;
165 		last = first + map->extent[idx].count - 1;
166 		if (id >= first && id <= last &&
167 		    (id2 >= first && id2 <= last))
168 			break;
169 	}
170 	/* Map the id or note failure */
171 	if (idx < extents)
172 		id = (id - first) + map->extent[idx].lower_first;
173 	else
174 		id = (u32) -1;
175 
176 	return id;
177 }
178 
179 static u32 map_id_down(struct uid_gid_map *map, u32 id)
180 {
181 	unsigned idx, extents;
182 	u32 first, last;
183 
184 	/* Find the matching extent */
185 	extents = map->nr_extents;
186 	smp_rmb();
187 	for (idx = 0; idx < extents; idx++) {
188 		first = map->extent[idx].first;
189 		last = first + map->extent[idx].count - 1;
190 		if (id >= first && id <= last)
191 			break;
192 	}
193 	/* Map the id or note failure */
194 	if (idx < extents)
195 		id = (id - first) + map->extent[idx].lower_first;
196 	else
197 		id = (u32) -1;
198 
199 	return id;
200 }
201 
202 static u32 map_id_up(struct uid_gid_map *map, u32 id)
203 {
204 	unsigned idx, extents;
205 	u32 first, last;
206 
207 	/* Find the matching extent */
208 	extents = map->nr_extents;
209 	smp_rmb();
210 	for (idx = 0; idx < extents; idx++) {
211 		first = map->extent[idx].lower_first;
212 		last = first + map->extent[idx].count - 1;
213 		if (id >= first && id <= last)
214 			break;
215 	}
216 	/* Map the id or note failure */
217 	if (idx < extents)
218 		id = (id - first) + map->extent[idx].first;
219 	else
220 		id = (u32) -1;
221 
222 	return id;
223 }
224 
225 /**
226  *	make_kuid - Map a user-namespace uid pair into a kuid.
227  *	@ns:  User namespace that the uid is in
228  *	@uid: User identifier
229  *
230  *	Maps a user-namespace uid pair into a kernel internal kuid,
231  *	and returns that kuid.
232  *
233  *	When there is no mapping defined for the user-namespace uid
234  *	pair INVALID_UID is returned.  Callers are expected to test
235  *	for and handle INVALID_UID being returned.  INVALID_UID
236  *	may be tested for using uid_valid().
237  */
238 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
239 {
240 	/* Map the uid to a global kernel uid */
241 	return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
242 }
243 EXPORT_SYMBOL(make_kuid);
244 
245 /**
246  *	from_kuid - Create a uid from a kuid user-namespace pair.
247  *	@targ: The user namespace we want a uid in.
248  *	@kuid: The kernel internal uid to start with.
249  *
250  *	Map @kuid into the user-namespace specified by @targ and
251  *	return the resulting uid.
252  *
253  *	There is always a mapping into the initial user_namespace.
254  *
255  *	If @kuid has no mapping in @targ (uid_t)-1 is returned.
256  */
257 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
258 {
259 	/* Map the uid from a global kernel uid */
260 	return map_id_up(&targ->uid_map, __kuid_val(kuid));
261 }
262 EXPORT_SYMBOL(from_kuid);
263 
264 /**
265  *	from_kuid_munged - Create a uid from a kuid user-namespace pair.
266  *	@targ: The user namespace we want a uid in.
267  *	@kuid: The kernel internal uid to start with.
268  *
269  *	Map @kuid into the user-namespace specified by @targ and
270  *	return the resulting uid.
271  *
272  *	There is always a mapping into the initial user_namespace.
273  *
274  *	Unlike from_kuid from_kuid_munged never fails and always
275  *	returns a valid uid.  This makes from_kuid_munged appropriate
276  *	for use in syscalls like stat and getuid where failing the
277  *	system call and failing to provide a valid uid are not an
278  *	options.
279  *
280  *	If @kuid has no mapping in @targ overflowuid is returned.
281  */
282 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
283 {
284 	uid_t uid;
285 	uid = from_kuid(targ, kuid);
286 
287 	if (uid == (uid_t) -1)
288 		uid = overflowuid;
289 	return uid;
290 }
291 EXPORT_SYMBOL(from_kuid_munged);
292 
293 /**
294  *	make_kgid - Map a user-namespace gid pair into a kgid.
295  *	@ns:  User namespace that the gid is in
296  *	@gid: group identifier
297  *
298  *	Maps a user-namespace gid pair into a kernel internal kgid,
299  *	and returns that kgid.
300  *
301  *	When there is no mapping defined for the user-namespace gid
302  *	pair INVALID_GID is returned.  Callers are expected to test
303  *	for and handle INVALID_GID being returned.  INVALID_GID may be
304  *	tested for using gid_valid().
305  */
306 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
307 {
308 	/* Map the gid to a global kernel gid */
309 	return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
310 }
311 EXPORT_SYMBOL(make_kgid);
312 
313 /**
314  *	from_kgid - Create a gid from a kgid user-namespace pair.
315  *	@targ: The user namespace we want a gid in.
316  *	@kgid: The kernel internal gid to start with.
317  *
318  *	Map @kgid into the user-namespace specified by @targ and
319  *	return the resulting gid.
320  *
321  *	There is always a mapping into the initial user_namespace.
322  *
323  *	If @kgid has no mapping in @targ (gid_t)-1 is returned.
324  */
325 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
326 {
327 	/* Map the gid from a global kernel gid */
328 	return map_id_up(&targ->gid_map, __kgid_val(kgid));
329 }
330 EXPORT_SYMBOL(from_kgid);
331 
332 /**
333  *	from_kgid_munged - Create a gid from a kgid user-namespace pair.
334  *	@targ: The user namespace we want a gid in.
335  *	@kgid: The kernel internal gid to start with.
336  *
337  *	Map @kgid into the user-namespace specified by @targ and
338  *	return the resulting gid.
339  *
340  *	There is always a mapping into the initial user_namespace.
341  *
342  *	Unlike from_kgid from_kgid_munged never fails and always
343  *	returns a valid gid.  This makes from_kgid_munged appropriate
344  *	for use in syscalls like stat and getgid where failing the
345  *	system call and failing to provide a valid gid are not options.
346  *
347  *	If @kgid has no mapping in @targ overflowgid is returned.
348  */
349 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
350 {
351 	gid_t gid;
352 	gid = from_kgid(targ, kgid);
353 
354 	if (gid == (gid_t) -1)
355 		gid = overflowgid;
356 	return gid;
357 }
358 EXPORT_SYMBOL(from_kgid_munged);
359 
360 /**
361  *	make_kprojid - Map a user-namespace projid pair into a kprojid.
362  *	@ns:  User namespace that the projid is in
363  *	@projid: Project identifier
364  *
365  *	Maps a user-namespace uid pair into a kernel internal kuid,
366  *	and returns that kuid.
367  *
368  *	When there is no mapping defined for the user-namespace projid
369  *	pair INVALID_PROJID is returned.  Callers are expected to test
370  *	for and handle handle INVALID_PROJID being returned.  INVALID_PROJID
371  *	may be tested for using projid_valid().
372  */
373 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
374 {
375 	/* Map the uid to a global kernel uid */
376 	return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
377 }
378 EXPORT_SYMBOL(make_kprojid);
379 
380 /**
381  *	from_kprojid - Create a projid from a kprojid user-namespace pair.
382  *	@targ: The user namespace we want a projid in.
383  *	@kprojid: The kernel internal project identifier to start with.
384  *
385  *	Map @kprojid into the user-namespace specified by @targ and
386  *	return the resulting projid.
387  *
388  *	There is always a mapping into the initial user_namespace.
389  *
390  *	If @kprojid has no mapping in @targ (projid_t)-1 is returned.
391  */
392 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
393 {
394 	/* Map the uid from a global kernel uid */
395 	return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
396 }
397 EXPORT_SYMBOL(from_kprojid);
398 
399 /**
400  *	from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
401  *	@targ: The user namespace we want a projid in.
402  *	@kprojid: The kernel internal projid to start with.
403  *
404  *	Map @kprojid into the user-namespace specified by @targ and
405  *	return the resulting projid.
406  *
407  *	There is always a mapping into the initial user_namespace.
408  *
409  *	Unlike from_kprojid from_kprojid_munged never fails and always
410  *	returns a valid projid.  This makes from_kprojid_munged
411  *	appropriate for use in syscalls like stat and where
412  *	failing the system call and failing to provide a valid projid are
413  *	not an options.
414  *
415  *	If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
416  */
417 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
418 {
419 	projid_t projid;
420 	projid = from_kprojid(targ, kprojid);
421 
422 	if (projid == (projid_t) -1)
423 		projid = OVERFLOW_PROJID;
424 	return projid;
425 }
426 EXPORT_SYMBOL(from_kprojid_munged);
427 
428 
429 static int uid_m_show(struct seq_file *seq, void *v)
430 {
431 	struct user_namespace *ns = seq->private;
432 	struct uid_gid_extent *extent = v;
433 	struct user_namespace *lower_ns;
434 	uid_t lower;
435 
436 	lower_ns = seq_user_ns(seq);
437 	if ((lower_ns == ns) && lower_ns->parent)
438 		lower_ns = lower_ns->parent;
439 
440 	lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
441 
442 	seq_printf(seq, "%10u %10u %10u\n",
443 		extent->first,
444 		lower,
445 		extent->count);
446 
447 	return 0;
448 }
449 
450 static int gid_m_show(struct seq_file *seq, void *v)
451 {
452 	struct user_namespace *ns = seq->private;
453 	struct uid_gid_extent *extent = v;
454 	struct user_namespace *lower_ns;
455 	gid_t lower;
456 
457 	lower_ns = seq_user_ns(seq);
458 	if ((lower_ns == ns) && lower_ns->parent)
459 		lower_ns = lower_ns->parent;
460 
461 	lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
462 
463 	seq_printf(seq, "%10u %10u %10u\n",
464 		extent->first,
465 		lower,
466 		extent->count);
467 
468 	return 0;
469 }
470 
471 static int projid_m_show(struct seq_file *seq, void *v)
472 {
473 	struct user_namespace *ns = seq->private;
474 	struct uid_gid_extent *extent = v;
475 	struct user_namespace *lower_ns;
476 	projid_t lower;
477 
478 	lower_ns = seq_user_ns(seq);
479 	if ((lower_ns == ns) && lower_ns->parent)
480 		lower_ns = lower_ns->parent;
481 
482 	lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
483 
484 	seq_printf(seq, "%10u %10u %10u\n",
485 		extent->first,
486 		lower,
487 		extent->count);
488 
489 	return 0;
490 }
491 
492 static void *m_start(struct seq_file *seq, loff_t *ppos,
493 		     struct uid_gid_map *map)
494 {
495 	struct uid_gid_extent *extent = NULL;
496 	loff_t pos = *ppos;
497 
498 	if (pos < map->nr_extents)
499 		extent = &map->extent[pos];
500 
501 	return extent;
502 }
503 
504 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
505 {
506 	struct user_namespace *ns = seq->private;
507 
508 	return m_start(seq, ppos, &ns->uid_map);
509 }
510 
511 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
512 {
513 	struct user_namespace *ns = seq->private;
514 
515 	return m_start(seq, ppos, &ns->gid_map);
516 }
517 
518 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
519 {
520 	struct user_namespace *ns = seq->private;
521 
522 	return m_start(seq, ppos, &ns->projid_map);
523 }
524 
525 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
526 {
527 	(*pos)++;
528 	return seq->op->start(seq, pos);
529 }
530 
531 static void m_stop(struct seq_file *seq, void *v)
532 {
533 	return;
534 }
535 
536 const struct seq_operations proc_uid_seq_operations = {
537 	.start = uid_m_start,
538 	.stop = m_stop,
539 	.next = m_next,
540 	.show = uid_m_show,
541 };
542 
543 const struct seq_operations proc_gid_seq_operations = {
544 	.start = gid_m_start,
545 	.stop = m_stop,
546 	.next = m_next,
547 	.show = gid_m_show,
548 };
549 
550 const struct seq_operations proc_projid_seq_operations = {
551 	.start = projid_m_start,
552 	.stop = m_stop,
553 	.next = m_next,
554 	.show = projid_m_show,
555 };
556 
557 static bool mappings_overlap(struct uid_gid_map *new_map,
558 			     struct uid_gid_extent *extent)
559 {
560 	u32 upper_first, lower_first, upper_last, lower_last;
561 	unsigned idx;
562 
563 	upper_first = extent->first;
564 	lower_first = extent->lower_first;
565 	upper_last = upper_first + extent->count - 1;
566 	lower_last = lower_first + extent->count - 1;
567 
568 	for (idx = 0; idx < new_map->nr_extents; idx++) {
569 		u32 prev_upper_first, prev_lower_first;
570 		u32 prev_upper_last, prev_lower_last;
571 		struct uid_gid_extent *prev;
572 
573 		prev = &new_map->extent[idx];
574 
575 		prev_upper_first = prev->first;
576 		prev_lower_first = prev->lower_first;
577 		prev_upper_last = prev_upper_first + prev->count - 1;
578 		prev_lower_last = prev_lower_first + prev->count - 1;
579 
580 		/* Does the upper range intersect a previous extent? */
581 		if ((prev_upper_first <= upper_last) &&
582 		    (prev_upper_last >= upper_first))
583 			return true;
584 
585 		/* Does the lower range intersect a previous extent? */
586 		if ((prev_lower_first <= lower_last) &&
587 		    (prev_lower_last >= lower_first))
588 			return true;
589 	}
590 	return false;
591 }
592 
593 static ssize_t map_write(struct file *file, const char __user *buf,
594 			 size_t count, loff_t *ppos,
595 			 int cap_setid,
596 			 struct uid_gid_map *map,
597 			 struct uid_gid_map *parent_map)
598 {
599 	struct seq_file *seq = file->private_data;
600 	struct user_namespace *ns = seq->private;
601 	struct uid_gid_map new_map;
602 	unsigned idx;
603 	struct uid_gid_extent *extent = NULL;
604 	unsigned long page = 0;
605 	char *kbuf, *pos, *next_line;
606 	ssize_t ret = -EINVAL;
607 
608 	/*
609 	 * The userns_state_mutex serializes all writes to any given map.
610 	 *
611 	 * Any map is only ever written once.
612 	 *
613 	 * An id map fits within 1 cache line on most architectures.
614 	 *
615 	 * On read nothing needs to be done unless you are on an
616 	 * architecture with a crazy cache coherency model like alpha.
617 	 *
618 	 * There is a one time data dependency between reading the
619 	 * count of the extents and the values of the extents.  The
620 	 * desired behavior is to see the values of the extents that
621 	 * were written before the count of the extents.
622 	 *
623 	 * To achieve this smp_wmb() is used on guarantee the write
624 	 * order and smp_rmb() is guaranteed that we don't have crazy
625 	 * architectures returning stale data.
626 	 */
627 	mutex_lock(&userns_state_mutex);
628 
629 	ret = -EPERM;
630 	/* Only allow one successful write to the map */
631 	if (map->nr_extents != 0)
632 		goto out;
633 
634 	/*
635 	 * Adjusting namespace settings requires capabilities on the target.
636 	 */
637 	if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
638 		goto out;
639 
640 	/* Get a buffer */
641 	ret = -ENOMEM;
642 	page = __get_free_page(GFP_TEMPORARY);
643 	kbuf = (char *) page;
644 	if (!page)
645 		goto out;
646 
647 	/* Only allow < page size writes at the beginning of the file */
648 	ret = -EINVAL;
649 	if ((*ppos != 0) || (count >= PAGE_SIZE))
650 		goto out;
651 
652 	/* Slurp in the user data */
653 	ret = -EFAULT;
654 	if (copy_from_user(kbuf, buf, count))
655 		goto out;
656 	kbuf[count] = '\0';
657 
658 	/* Parse the user data */
659 	ret = -EINVAL;
660 	pos = kbuf;
661 	new_map.nr_extents = 0;
662 	for (; pos; pos = next_line) {
663 		extent = &new_map.extent[new_map.nr_extents];
664 
665 		/* Find the end of line and ensure I don't look past it */
666 		next_line = strchr(pos, '\n');
667 		if (next_line) {
668 			*next_line = '\0';
669 			next_line++;
670 			if (*next_line == '\0')
671 				next_line = NULL;
672 		}
673 
674 		pos = skip_spaces(pos);
675 		extent->first = simple_strtoul(pos, &pos, 10);
676 		if (!isspace(*pos))
677 			goto out;
678 
679 		pos = skip_spaces(pos);
680 		extent->lower_first = simple_strtoul(pos, &pos, 10);
681 		if (!isspace(*pos))
682 			goto out;
683 
684 		pos = skip_spaces(pos);
685 		extent->count = simple_strtoul(pos, &pos, 10);
686 		if (*pos && !isspace(*pos))
687 			goto out;
688 
689 		/* Verify there is not trailing junk on the line */
690 		pos = skip_spaces(pos);
691 		if (*pos != '\0')
692 			goto out;
693 
694 		/* Verify we have been given valid starting values */
695 		if ((extent->first == (u32) -1) ||
696 		    (extent->lower_first == (u32) -1))
697 			goto out;
698 
699 		/* Verify count is not zero and does not cause the
700 		 * extent to wrap
701 		 */
702 		if ((extent->first + extent->count) <= extent->first)
703 			goto out;
704 		if ((extent->lower_first + extent->count) <=
705 		     extent->lower_first)
706 			goto out;
707 
708 		/* Do the ranges in extent overlap any previous extents? */
709 		if (mappings_overlap(&new_map, extent))
710 			goto out;
711 
712 		new_map.nr_extents++;
713 
714 		/* Fail if the file contains too many extents */
715 		if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
716 		    (next_line != NULL))
717 			goto out;
718 	}
719 	/* Be very certaint the new map actually exists */
720 	if (new_map.nr_extents == 0)
721 		goto out;
722 
723 	ret = -EPERM;
724 	/* Validate the user is allowed to use user id's mapped to. */
725 	if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
726 		goto out;
727 
728 	/* Map the lower ids from the parent user namespace to the
729 	 * kernel global id space.
730 	 */
731 	for (idx = 0; idx < new_map.nr_extents; idx++) {
732 		u32 lower_first;
733 		extent = &new_map.extent[idx];
734 
735 		lower_first = map_id_range_down(parent_map,
736 						extent->lower_first,
737 						extent->count);
738 
739 		/* Fail if we can not map the specified extent to
740 		 * the kernel global id space.
741 		 */
742 		if (lower_first == (u32) -1)
743 			goto out;
744 
745 		extent->lower_first = lower_first;
746 	}
747 
748 	/* Install the map */
749 	memcpy(map->extent, new_map.extent,
750 		new_map.nr_extents*sizeof(new_map.extent[0]));
751 	smp_wmb();
752 	map->nr_extents = new_map.nr_extents;
753 
754 	*ppos = count;
755 	ret = count;
756 out:
757 	mutex_unlock(&userns_state_mutex);
758 	if (page)
759 		free_page(page);
760 	return ret;
761 }
762 
763 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
764 			   size_t size, loff_t *ppos)
765 {
766 	struct seq_file *seq = file->private_data;
767 	struct user_namespace *ns = seq->private;
768 	struct user_namespace *seq_ns = seq_user_ns(seq);
769 
770 	if (!ns->parent)
771 		return -EPERM;
772 
773 	if ((seq_ns != ns) && (seq_ns != ns->parent))
774 		return -EPERM;
775 
776 	return map_write(file, buf, size, ppos, CAP_SETUID,
777 			 &ns->uid_map, &ns->parent->uid_map);
778 }
779 
780 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
781 			   size_t size, loff_t *ppos)
782 {
783 	struct seq_file *seq = file->private_data;
784 	struct user_namespace *ns = seq->private;
785 	struct user_namespace *seq_ns = seq_user_ns(seq);
786 
787 	if (!ns->parent)
788 		return -EPERM;
789 
790 	if ((seq_ns != ns) && (seq_ns != ns->parent))
791 		return -EPERM;
792 
793 	return map_write(file, buf, size, ppos, CAP_SETGID,
794 			 &ns->gid_map, &ns->parent->gid_map);
795 }
796 
797 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
798 			      size_t size, loff_t *ppos)
799 {
800 	struct seq_file *seq = file->private_data;
801 	struct user_namespace *ns = seq->private;
802 	struct user_namespace *seq_ns = seq_user_ns(seq);
803 
804 	if (!ns->parent)
805 		return -EPERM;
806 
807 	if ((seq_ns != ns) && (seq_ns != ns->parent))
808 		return -EPERM;
809 
810 	/* Anyone can set any valid project id no capability needed */
811 	return map_write(file, buf, size, ppos, -1,
812 			 &ns->projid_map, &ns->parent->projid_map);
813 }
814 
815 static bool new_idmap_permitted(const struct file *file,
816 				struct user_namespace *ns, int cap_setid,
817 				struct uid_gid_map *new_map)
818 {
819 	const struct cred *cred = file->f_cred;
820 	/* Don't allow mappings that would allow anything that wouldn't
821 	 * be allowed without the establishment of unprivileged mappings.
822 	 */
823 	if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
824 	    uid_eq(ns->owner, cred->euid)) {
825 		u32 id = new_map->extent[0].lower_first;
826 		if (cap_setid == CAP_SETUID) {
827 			kuid_t uid = make_kuid(ns->parent, id);
828 			if (uid_eq(uid, cred->euid))
829 				return true;
830 		} else if (cap_setid == CAP_SETGID) {
831 			kgid_t gid = make_kgid(ns->parent, id);
832 			if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
833 			    gid_eq(gid, cred->egid))
834 				return true;
835 		}
836 	}
837 
838 	/* Allow anyone to set a mapping that doesn't require privilege */
839 	if (!cap_valid(cap_setid))
840 		return true;
841 
842 	/* Allow the specified ids if we have the appropriate capability
843 	 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
844 	 * And the opener of the id file also had the approprpiate capability.
845 	 */
846 	if (ns_capable(ns->parent, cap_setid) &&
847 	    file_ns_capable(file, ns->parent, cap_setid))
848 		return true;
849 
850 	return false;
851 }
852 
853 int proc_setgroups_show(struct seq_file *seq, void *v)
854 {
855 	struct user_namespace *ns = seq->private;
856 	unsigned long userns_flags = ACCESS_ONCE(ns->flags);
857 
858 	seq_printf(seq, "%s\n",
859 		   (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
860 		   "allow" : "deny");
861 	return 0;
862 }
863 
864 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
865 			     size_t count, loff_t *ppos)
866 {
867 	struct seq_file *seq = file->private_data;
868 	struct user_namespace *ns = seq->private;
869 	char kbuf[8], *pos;
870 	bool setgroups_allowed;
871 	ssize_t ret;
872 
873 	/* Only allow a very narrow range of strings to be written */
874 	ret = -EINVAL;
875 	if ((*ppos != 0) || (count >= sizeof(kbuf)))
876 		goto out;
877 
878 	/* What was written? */
879 	ret = -EFAULT;
880 	if (copy_from_user(kbuf, buf, count))
881 		goto out;
882 	kbuf[count] = '\0';
883 	pos = kbuf;
884 
885 	/* What is being requested? */
886 	ret = -EINVAL;
887 	if (strncmp(pos, "allow", 5) == 0) {
888 		pos += 5;
889 		setgroups_allowed = true;
890 	}
891 	else if (strncmp(pos, "deny", 4) == 0) {
892 		pos += 4;
893 		setgroups_allowed = false;
894 	}
895 	else
896 		goto out;
897 
898 	/* Verify there is not trailing junk on the line */
899 	pos = skip_spaces(pos);
900 	if (*pos != '\0')
901 		goto out;
902 
903 	ret = -EPERM;
904 	mutex_lock(&userns_state_mutex);
905 	if (setgroups_allowed) {
906 		/* Enabling setgroups after setgroups has been disabled
907 		 * is not allowed.
908 		 */
909 		if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
910 			goto out_unlock;
911 	} else {
912 		/* Permanently disabling setgroups after setgroups has
913 		 * been enabled by writing the gid_map is not allowed.
914 		 */
915 		if (ns->gid_map.nr_extents != 0)
916 			goto out_unlock;
917 		ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
918 	}
919 	mutex_unlock(&userns_state_mutex);
920 
921 	/* Report a successful write */
922 	*ppos = count;
923 	ret = count;
924 out:
925 	return ret;
926 out_unlock:
927 	mutex_unlock(&userns_state_mutex);
928 	goto out;
929 }
930 
931 bool userns_may_setgroups(const struct user_namespace *ns)
932 {
933 	bool allowed;
934 
935 	mutex_lock(&userns_state_mutex);
936 	/* It is not safe to use setgroups until a gid mapping in
937 	 * the user namespace has been established.
938 	 */
939 	allowed = ns->gid_map.nr_extents != 0;
940 	/* Is setgroups allowed? */
941 	allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
942 	mutex_unlock(&userns_state_mutex);
943 
944 	return allowed;
945 }
946 
947 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
948 {
949 	return container_of(ns, struct user_namespace, ns);
950 }
951 
952 static struct ns_common *userns_get(struct task_struct *task)
953 {
954 	struct user_namespace *user_ns;
955 
956 	rcu_read_lock();
957 	user_ns = get_user_ns(__task_cred(task)->user_ns);
958 	rcu_read_unlock();
959 
960 	return user_ns ? &user_ns->ns : NULL;
961 }
962 
963 static void userns_put(struct ns_common *ns)
964 {
965 	put_user_ns(to_user_ns(ns));
966 }
967 
968 static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
969 {
970 	struct user_namespace *user_ns = to_user_ns(ns);
971 	struct cred *cred;
972 
973 	/* Don't allow gaining capabilities by reentering
974 	 * the same user namespace.
975 	 */
976 	if (user_ns == current_user_ns())
977 		return -EINVAL;
978 
979 	/* Threaded processes may not enter a different user namespace */
980 	if (atomic_read(&current->mm->mm_users) > 1)
981 		return -EINVAL;
982 
983 	if (current->fs->users != 1)
984 		return -EINVAL;
985 
986 	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
987 		return -EPERM;
988 
989 	cred = prepare_creds();
990 	if (!cred)
991 		return -ENOMEM;
992 
993 	put_user_ns(cred->user_ns);
994 	set_cred_user_ns(cred, get_user_ns(user_ns));
995 
996 	return commit_creds(cred);
997 }
998 
999 const struct proc_ns_operations userns_operations = {
1000 	.name		= "user",
1001 	.type		= CLONE_NEWUSER,
1002 	.get		= userns_get,
1003 	.put		= userns_put,
1004 	.install	= userns_install,
1005 };
1006 
1007 static __init int user_namespaces_init(void)
1008 {
1009 	user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1010 	return 0;
1011 }
1012 subsys_initcall(user_namespaces_init);
1013