1 /* 2 * This program is free software; you can redistribute it and/or 3 * modify it under the terms of the GNU General Public License as 4 * published by the Free Software Foundation, version 2 of the 5 * License. 6 */ 7 8 #include <linux/export.h> 9 #include <linux/nsproxy.h> 10 #include <linux/slab.h> 11 #include <linux/user_namespace.h> 12 #include <linux/proc_ns.h> 13 #include <linux/highuid.h> 14 #include <linux/cred.h> 15 #include <linux/securebits.h> 16 #include <linux/keyctl.h> 17 #include <linux/key-type.h> 18 #include <keys/user-type.h> 19 #include <linux/seq_file.h> 20 #include <linux/fs.h> 21 #include <linux/uaccess.h> 22 #include <linux/ctype.h> 23 #include <linux/projid.h> 24 #include <linux/fs_struct.h> 25 26 static struct kmem_cache *user_ns_cachep __read_mostly; 27 28 static bool new_idmap_permitted(const struct file *file, 29 struct user_namespace *ns, int cap_setid, 30 struct uid_gid_map *map); 31 32 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) 33 { 34 /* Start with the same capabilities as init but useless for doing 35 * anything as the capabilities are bound to the new user namespace. 36 */ 37 cred->securebits = SECUREBITS_DEFAULT; 38 cred->cap_inheritable = CAP_EMPTY_SET; 39 cred->cap_permitted = CAP_FULL_SET; 40 cred->cap_effective = CAP_FULL_SET; 41 cred->cap_bset = CAP_FULL_SET; 42 #ifdef CONFIG_KEYS 43 key_put(cred->request_key_auth); 44 cred->request_key_auth = NULL; 45 #endif 46 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */ 47 cred->user_ns = user_ns; 48 } 49 50 /* 51 * Create a new user namespace, deriving the creator from the user in the 52 * passed credentials, and replacing that user with the new root user for the 53 * new namespace. 54 * 55 * This is called by copy_creds(), which will finish setting the target task's 56 * credentials. 57 */ 58 int create_user_ns(struct cred *new) 59 { 60 struct user_namespace *ns, *parent_ns = new->user_ns; 61 kuid_t owner = new->euid; 62 kgid_t group = new->egid; 63 int ret; 64 65 if (parent_ns->level > 32) 66 return -EUSERS; 67 68 /* 69 * Verify that we can not violate the policy of which files 70 * may be accessed that is specified by the root directory, 71 * by verifing that the root directory is at the root of the 72 * mount namespace which allows all files to be accessed. 73 */ 74 if (current_chrooted()) 75 return -EPERM; 76 77 /* The creator needs a mapping in the parent user namespace 78 * or else we won't be able to reasonably tell userspace who 79 * created a user_namespace. 80 */ 81 if (!kuid_has_mapping(parent_ns, owner) || 82 !kgid_has_mapping(parent_ns, group)) 83 return -EPERM; 84 85 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL); 86 if (!ns) 87 return -ENOMEM; 88 89 ret = proc_alloc_inum(&ns->proc_inum); 90 if (ret) { 91 kmem_cache_free(user_ns_cachep, ns); 92 return ret; 93 } 94 95 atomic_set(&ns->count, 1); 96 /* Leave the new->user_ns reference with the new user namespace. */ 97 ns->parent = parent_ns; 98 ns->level = parent_ns->level + 1; 99 ns->owner = owner; 100 ns->group = group; 101 102 set_cred_user_ns(new, ns); 103 104 #ifdef CONFIG_PERSISTENT_KEYRINGS 105 init_rwsem(&ns->persistent_keyring_register_sem); 106 #endif 107 return 0; 108 } 109 110 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred) 111 { 112 struct cred *cred; 113 int err = -ENOMEM; 114 115 if (!(unshare_flags & CLONE_NEWUSER)) 116 return 0; 117 118 cred = prepare_creds(); 119 if (cred) { 120 err = create_user_ns(cred); 121 if (err) 122 put_cred(cred); 123 else 124 *new_cred = cred; 125 } 126 127 return err; 128 } 129 130 void free_user_ns(struct user_namespace *ns) 131 { 132 struct user_namespace *parent; 133 134 do { 135 parent = ns->parent; 136 #ifdef CONFIG_PERSISTENT_KEYRINGS 137 key_put(ns->persistent_keyring_register); 138 #endif 139 proc_free_inum(ns->proc_inum); 140 kmem_cache_free(user_ns_cachep, ns); 141 ns = parent; 142 } while (atomic_dec_and_test(&parent->count)); 143 } 144 EXPORT_SYMBOL(free_user_ns); 145 146 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count) 147 { 148 unsigned idx, extents; 149 u32 first, last, id2; 150 151 id2 = id + count - 1; 152 153 /* Find the matching extent */ 154 extents = map->nr_extents; 155 smp_read_barrier_depends(); 156 for (idx = 0; idx < extents; idx++) { 157 first = map->extent[idx].first; 158 last = first + map->extent[idx].count - 1; 159 if (id >= first && id <= last && 160 (id2 >= first && id2 <= last)) 161 break; 162 } 163 /* Map the id or note failure */ 164 if (idx < extents) 165 id = (id - first) + map->extent[idx].lower_first; 166 else 167 id = (u32) -1; 168 169 return id; 170 } 171 172 static u32 map_id_down(struct uid_gid_map *map, u32 id) 173 { 174 unsigned idx, extents; 175 u32 first, last; 176 177 /* Find the matching extent */ 178 extents = map->nr_extents; 179 smp_read_barrier_depends(); 180 for (idx = 0; idx < extents; idx++) { 181 first = map->extent[idx].first; 182 last = first + map->extent[idx].count - 1; 183 if (id >= first && id <= last) 184 break; 185 } 186 /* Map the id or note failure */ 187 if (idx < extents) 188 id = (id - first) + map->extent[idx].lower_first; 189 else 190 id = (u32) -1; 191 192 return id; 193 } 194 195 static u32 map_id_up(struct uid_gid_map *map, u32 id) 196 { 197 unsigned idx, extents; 198 u32 first, last; 199 200 /* Find the matching extent */ 201 extents = map->nr_extents; 202 smp_read_barrier_depends(); 203 for (idx = 0; idx < extents; idx++) { 204 first = map->extent[idx].lower_first; 205 last = first + map->extent[idx].count - 1; 206 if (id >= first && id <= last) 207 break; 208 } 209 /* Map the id or note failure */ 210 if (idx < extents) 211 id = (id - first) + map->extent[idx].first; 212 else 213 id = (u32) -1; 214 215 return id; 216 } 217 218 /** 219 * make_kuid - Map a user-namespace uid pair into a kuid. 220 * @ns: User namespace that the uid is in 221 * @uid: User identifier 222 * 223 * Maps a user-namespace uid pair into a kernel internal kuid, 224 * and returns that kuid. 225 * 226 * When there is no mapping defined for the user-namespace uid 227 * pair INVALID_UID is returned. Callers are expected to test 228 * for and handle INVALID_UID being returned. INVALID_UID 229 * may be tested for using uid_valid(). 230 */ 231 kuid_t make_kuid(struct user_namespace *ns, uid_t uid) 232 { 233 /* Map the uid to a global kernel uid */ 234 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); 235 } 236 EXPORT_SYMBOL(make_kuid); 237 238 /** 239 * from_kuid - Create a uid from a kuid user-namespace pair. 240 * @targ: The user namespace we want a uid in. 241 * @kuid: The kernel internal uid to start with. 242 * 243 * Map @kuid into the user-namespace specified by @targ and 244 * return the resulting uid. 245 * 246 * There is always a mapping into the initial user_namespace. 247 * 248 * If @kuid has no mapping in @targ (uid_t)-1 is returned. 249 */ 250 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid) 251 { 252 /* Map the uid from a global kernel uid */ 253 return map_id_up(&targ->uid_map, __kuid_val(kuid)); 254 } 255 EXPORT_SYMBOL(from_kuid); 256 257 /** 258 * from_kuid_munged - Create a uid from a kuid user-namespace pair. 259 * @targ: The user namespace we want a uid in. 260 * @kuid: The kernel internal uid to start with. 261 * 262 * Map @kuid into the user-namespace specified by @targ and 263 * return the resulting uid. 264 * 265 * There is always a mapping into the initial user_namespace. 266 * 267 * Unlike from_kuid from_kuid_munged never fails and always 268 * returns a valid uid. This makes from_kuid_munged appropriate 269 * for use in syscalls like stat and getuid where failing the 270 * system call and failing to provide a valid uid are not an 271 * options. 272 * 273 * If @kuid has no mapping in @targ overflowuid is returned. 274 */ 275 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid) 276 { 277 uid_t uid; 278 uid = from_kuid(targ, kuid); 279 280 if (uid == (uid_t) -1) 281 uid = overflowuid; 282 return uid; 283 } 284 EXPORT_SYMBOL(from_kuid_munged); 285 286 /** 287 * make_kgid - Map a user-namespace gid pair into a kgid. 288 * @ns: User namespace that the gid is in 289 * @uid: group identifier 290 * 291 * Maps a user-namespace gid pair into a kernel internal kgid, 292 * and returns that kgid. 293 * 294 * When there is no mapping defined for the user-namespace gid 295 * pair INVALID_GID is returned. Callers are expected to test 296 * for and handle INVALID_GID being returned. INVALID_GID may be 297 * tested for using gid_valid(). 298 */ 299 kgid_t make_kgid(struct user_namespace *ns, gid_t gid) 300 { 301 /* Map the gid to a global kernel gid */ 302 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); 303 } 304 EXPORT_SYMBOL(make_kgid); 305 306 /** 307 * from_kgid - Create a gid from a kgid user-namespace pair. 308 * @targ: The user namespace we want a gid in. 309 * @kgid: The kernel internal gid to start with. 310 * 311 * Map @kgid into the user-namespace specified by @targ and 312 * return the resulting gid. 313 * 314 * There is always a mapping into the initial user_namespace. 315 * 316 * If @kgid has no mapping in @targ (gid_t)-1 is returned. 317 */ 318 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid) 319 { 320 /* Map the gid from a global kernel gid */ 321 return map_id_up(&targ->gid_map, __kgid_val(kgid)); 322 } 323 EXPORT_SYMBOL(from_kgid); 324 325 /** 326 * from_kgid_munged - Create a gid from a kgid user-namespace pair. 327 * @targ: The user namespace we want a gid in. 328 * @kgid: The kernel internal gid to start with. 329 * 330 * Map @kgid into the user-namespace specified by @targ and 331 * return the resulting gid. 332 * 333 * There is always a mapping into the initial user_namespace. 334 * 335 * Unlike from_kgid from_kgid_munged never fails and always 336 * returns a valid gid. This makes from_kgid_munged appropriate 337 * for use in syscalls like stat and getgid where failing the 338 * system call and failing to provide a valid gid are not options. 339 * 340 * If @kgid has no mapping in @targ overflowgid is returned. 341 */ 342 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid) 343 { 344 gid_t gid; 345 gid = from_kgid(targ, kgid); 346 347 if (gid == (gid_t) -1) 348 gid = overflowgid; 349 return gid; 350 } 351 EXPORT_SYMBOL(from_kgid_munged); 352 353 /** 354 * make_kprojid - Map a user-namespace projid pair into a kprojid. 355 * @ns: User namespace that the projid is in 356 * @projid: Project identifier 357 * 358 * Maps a user-namespace uid pair into a kernel internal kuid, 359 * and returns that kuid. 360 * 361 * When there is no mapping defined for the user-namespace projid 362 * pair INVALID_PROJID is returned. Callers are expected to test 363 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID 364 * may be tested for using projid_valid(). 365 */ 366 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid) 367 { 368 /* Map the uid to a global kernel uid */ 369 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); 370 } 371 EXPORT_SYMBOL(make_kprojid); 372 373 /** 374 * from_kprojid - Create a projid from a kprojid user-namespace pair. 375 * @targ: The user namespace we want a projid in. 376 * @kprojid: The kernel internal project identifier to start with. 377 * 378 * Map @kprojid into the user-namespace specified by @targ and 379 * return the resulting projid. 380 * 381 * There is always a mapping into the initial user_namespace. 382 * 383 * If @kprojid has no mapping in @targ (projid_t)-1 is returned. 384 */ 385 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid) 386 { 387 /* Map the uid from a global kernel uid */ 388 return map_id_up(&targ->projid_map, __kprojid_val(kprojid)); 389 } 390 EXPORT_SYMBOL(from_kprojid); 391 392 /** 393 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair. 394 * @targ: The user namespace we want a projid in. 395 * @kprojid: The kernel internal projid to start with. 396 * 397 * Map @kprojid into the user-namespace specified by @targ and 398 * return the resulting projid. 399 * 400 * There is always a mapping into the initial user_namespace. 401 * 402 * Unlike from_kprojid from_kprojid_munged never fails and always 403 * returns a valid projid. This makes from_kprojid_munged 404 * appropriate for use in syscalls like stat and where 405 * failing the system call and failing to provide a valid projid are 406 * not an options. 407 * 408 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned. 409 */ 410 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid) 411 { 412 projid_t projid; 413 projid = from_kprojid(targ, kprojid); 414 415 if (projid == (projid_t) -1) 416 projid = OVERFLOW_PROJID; 417 return projid; 418 } 419 EXPORT_SYMBOL(from_kprojid_munged); 420 421 422 static int uid_m_show(struct seq_file *seq, void *v) 423 { 424 struct user_namespace *ns = seq->private; 425 struct uid_gid_extent *extent = v; 426 struct user_namespace *lower_ns; 427 uid_t lower; 428 429 lower_ns = seq_user_ns(seq); 430 if ((lower_ns == ns) && lower_ns->parent) 431 lower_ns = lower_ns->parent; 432 433 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first)); 434 435 seq_printf(seq, "%10u %10u %10u\n", 436 extent->first, 437 lower, 438 extent->count); 439 440 return 0; 441 } 442 443 static int gid_m_show(struct seq_file *seq, void *v) 444 { 445 struct user_namespace *ns = seq->private; 446 struct uid_gid_extent *extent = v; 447 struct user_namespace *lower_ns; 448 gid_t lower; 449 450 lower_ns = seq_user_ns(seq); 451 if ((lower_ns == ns) && lower_ns->parent) 452 lower_ns = lower_ns->parent; 453 454 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first)); 455 456 seq_printf(seq, "%10u %10u %10u\n", 457 extent->first, 458 lower, 459 extent->count); 460 461 return 0; 462 } 463 464 static int projid_m_show(struct seq_file *seq, void *v) 465 { 466 struct user_namespace *ns = seq->private; 467 struct uid_gid_extent *extent = v; 468 struct user_namespace *lower_ns; 469 projid_t lower; 470 471 lower_ns = seq_user_ns(seq); 472 if ((lower_ns == ns) && lower_ns->parent) 473 lower_ns = lower_ns->parent; 474 475 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first)); 476 477 seq_printf(seq, "%10u %10u %10u\n", 478 extent->first, 479 lower, 480 extent->count); 481 482 return 0; 483 } 484 485 static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map) 486 { 487 struct uid_gid_extent *extent = NULL; 488 loff_t pos = *ppos; 489 490 if (pos < map->nr_extents) 491 extent = &map->extent[pos]; 492 493 return extent; 494 } 495 496 static void *uid_m_start(struct seq_file *seq, loff_t *ppos) 497 { 498 struct user_namespace *ns = seq->private; 499 500 return m_start(seq, ppos, &ns->uid_map); 501 } 502 503 static void *gid_m_start(struct seq_file *seq, loff_t *ppos) 504 { 505 struct user_namespace *ns = seq->private; 506 507 return m_start(seq, ppos, &ns->gid_map); 508 } 509 510 static void *projid_m_start(struct seq_file *seq, loff_t *ppos) 511 { 512 struct user_namespace *ns = seq->private; 513 514 return m_start(seq, ppos, &ns->projid_map); 515 } 516 517 static void *m_next(struct seq_file *seq, void *v, loff_t *pos) 518 { 519 (*pos)++; 520 return seq->op->start(seq, pos); 521 } 522 523 static void m_stop(struct seq_file *seq, void *v) 524 { 525 return; 526 } 527 528 struct seq_operations proc_uid_seq_operations = { 529 .start = uid_m_start, 530 .stop = m_stop, 531 .next = m_next, 532 .show = uid_m_show, 533 }; 534 535 struct seq_operations proc_gid_seq_operations = { 536 .start = gid_m_start, 537 .stop = m_stop, 538 .next = m_next, 539 .show = gid_m_show, 540 }; 541 542 struct seq_operations proc_projid_seq_operations = { 543 .start = projid_m_start, 544 .stop = m_stop, 545 .next = m_next, 546 .show = projid_m_show, 547 }; 548 549 static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent *extent) 550 { 551 u32 upper_first, lower_first, upper_last, lower_last; 552 unsigned idx; 553 554 upper_first = extent->first; 555 lower_first = extent->lower_first; 556 upper_last = upper_first + extent->count - 1; 557 lower_last = lower_first + extent->count - 1; 558 559 for (idx = 0; idx < new_map->nr_extents; idx++) { 560 u32 prev_upper_first, prev_lower_first; 561 u32 prev_upper_last, prev_lower_last; 562 struct uid_gid_extent *prev; 563 564 prev = &new_map->extent[idx]; 565 566 prev_upper_first = prev->first; 567 prev_lower_first = prev->lower_first; 568 prev_upper_last = prev_upper_first + prev->count - 1; 569 prev_lower_last = prev_lower_first + prev->count - 1; 570 571 /* Does the upper range intersect a previous extent? */ 572 if ((prev_upper_first <= upper_last) && 573 (prev_upper_last >= upper_first)) 574 return true; 575 576 /* Does the lower range intersect a previous extent? */ 577 if ((prev_lower_first <= lower_last) && 578 (prev_lower_last >= lower_first)) 579 return true; 580 } 581 return false; 582 } 583 584 585 static DEFINE_MUTEX(id_map_mutex); 586 587 static ssize_t map_write(struct file *file, const char __user *buf, 588 size_t count, loff_t *ppos, 589 int cap_setid, 590 struct uid_gid_map *map, 591 struct uid_gid_map *parent_map) 592 { 593 struct seq_file *seq = file->private_data; 594 struct user_namespace *ns = seq->private; 595 struct uid_gid_map new_map; 596 unsigned idx; 597 struct uid_gid_extent *extent = NULL; 598 unsigned long page = 0; 599 char *kbuf, *pos, *next_line; 600 ssize_t ret = -EINVAL; 601 602 /* 603 * The id_map_mutex serializes all writes to any given map. 604 * 605 * Any map is only ever written once. 606 * 607 * An id map fits within 1 cache line on most architectures. 608 * 609 * On read nothing needs to be done unless you are on an 610 * architecture with a crazy cache coherency model like alpha. 611 * 612 * There is a one time data dependency between reading the 613 * count of the extents and the values of the extents. The 614 * desired behavior is to see the values of the extents that 615 * were written before the count of the extents. 616 * 617 * To achieve this smp_wmb() is used on guarantee the write 618 * order and smp_read_barrier_depends() is guaranteed that we 619 * don't have crazy architectures returning stale data. 620 * 621 */ 622 mutex_lock(&id_map_mutex); 623 624 ret = -EPERM; 625 /* Only allow one successful write to the map */ 626 if (map->nr_extents != 0) 627 goto out; 628 629 /* 630 * Adjusting namespace settings requires capabilities on the target. 631 */ 632 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN)) 633 goto out; 634 635 /* Get a buffer */ 636 ret = -ENOMEM; 637 page = __get_free_page(GFP_TEMPORARY); 638 kbuf = (char *) page; 639 if (!page) 640 goto out; 641 642 /* Only allow <= page size writes at the beginning of the file */ 643 ret = -EINVAL; 644 if ((*ppos != 0) || (count >= PAGE_SIZE)) 645 goto out; 646 647 /* Slurp in the user data */ 648 ret = -EFAULT; 649 if (copy_from_user(kbuf, buf, count)) 650 goto out; 651 kbuf[count] = '\0'; 652 653 /* Parse the user data */ 654 ret = -EINVAL; 655 pos = kbuf; 656 new_map.nr_extents = 0; 657 for (;pos; pos = next_line) { 658 extent = &new_map.extent[new_map.nr_extents]; 659 660 /* Find the end of line and ensure I don't look past it */ 661 next_line = strchr(pos, '\n'); 662 if (next_line) { 663 *next_line = '\0'; 664 next_line++; 665 if (*next_line == '\0') 666 next_line = NULL; 667 } 668 669 pos = skip_spaces(pos); 670 extent->first = simple_strtoul(pos, &pos, 10); 671 if (!isspace(*pos)) 672 goto out; 673 674 pos = skip_spaces(pos); 675 extent->lower_first = simple_strtoul(pos, &pos, 10); 676 if (!isspace(*pos)) 677 goto out; 678 679 pos = skip_spaces(pos); 680 extent->count = simple_strtoul(pos, &pos, 10); 681 if (*pos && !isspace(*pos)) 682 goto out; 683 684 /* Verify there is not trailing junk on the line */ 685 pos = skip_spaces(pos); 686 if (*pos != '\0') 687 goto out; 688 689 /* Verify we have been given valid starting values */ 690 if ((extent->first == (u32) -1) || 691 (extent->lower_first == (u32) -1 )) 692 goto out; 693 694 /* Verify count is not zero and does not cause the extent to wrap */ 695 if ((extent->first + extent->count) <= extent->first) 696 goto out; 697 if ((extent->lower_first + extent->count) <= extent->lower_first) 698 goto out; 699 700 /* Do the ranges in extent overlap any previous extents? */ 701 if (mappings_overlap(&new_map, extent)) 702 goto out; 703 704 new_map.nr_extents++; 705 706 /* Fail if the file contains too many extents */ 707 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) && 708 (next_line != NULL)) 709 goto out; 710 } 711 /* Be very certaint the new map actually exists */ 712 if (new_map.nr_extents == 0) 713 goto out; 714 715 ret = -EPERM; 716 /* Validate the user is allowed to use user id's mapped to. */ 717 if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) 718 goto out; 719 720 /* Map the lower ids from the parent user namespace to the 721 * kernel global id space. 722 */ 723 for (idx = 0; idx < new_map.nr_extents; idx++) { 724 u32 lower_first; 725 extent = &new_map.extent[idx]; 726 727 lower_first = map_id_range_down(parent_map, 728 extent->lower_first, 729 extent->count); 730 731 /* Fail if we can not map the specified extent to 732 * the kernel global id space. 733 */ 734 if (lower_first == (u32) -1) 735 goto out; 736 737 extent->lower_first = lower_first; 738 } 739 740 /* Install the map */ 741 memcpy(map->extent, new_map.extent, 742 new_map.nr_extents*sizeof(new_map.extent[0])); 743 smp_wmb(); 744 map->nr_extents = new_map.nr_extents; 745 746 *ppos = count; 747 ret = count; 748 out: 749 mutex_unlock(&id_map_mutex); 750 if (page) 751 free_page(page); 752 return ret; 753 } 754 755 ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos) 756 { 757 struct seq_file *seq = file->private_data; 758 struct user_namespace *ns = seq->private; 759 struct user_namespace *seq_ns = seq_user_ns(seq); 760 761 if (!ns->parent) 762 return -EPERM; 763 764 if ((seq_ns != ns) && (seq_ns != ns->parent)) 765 return -EPERM; 766 767 return map_write(file, buf, size, ppos, CAP_SETUID, 768 &ns->uid_map, &ns->parent->uid_map); 769 } 770 771 ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos) 772 { 773 struct seq_file *seq = file->private_data; 774 struct user_namespace *ns = seq->private; 775 struct user_namespace *seq_ns = seq_user_ns(seq); 776 777 if (!ns->parent) 778 return -EPERM; 779 780 if ((seq_ns != ns) && (seq_ns != ns->parent)) 781 return -EPERM; 782 783 return map_write(file, buf, size, ppos, CAP_SETGID, 784 &ns->gid_map, &ns->parent->gid_map); 785 } 786 787 ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos) 788 { 789 struct seq_file *seq = file->private_data; 790 struct user_namespace *ns = seq->private; 791 struct user_namespace *seq_ns = seq_user_ns(seq); 792 793 if (!ns->parent) 794 return -EPERM; 795 796 if ((seq_ns != ns) && (seq_ns != ns->parent)) 797 return -EPERM; 798 799 /* Anyone can set any valid project id no capability needed */ 800 return map_write(file, buf, size, ppos, -1, 801 &ns->projid_map, &ns->parent->projid_map); 802 } 803 804 static bool new_idmap_permitted(const struct file *file, 805 struct user_namespace *ns, int cap_setid, 806 struct uid_gid_map *new_map) 807 { 808 /* Allow mapping to your own filesystem ids */ 809 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { 810 u32 id = new_map->extent[0].lower_first; 811 if (cap_setid == CAP_SETUID) { 812 kuid_t uid = make_kuid(ns->parent, id); 813 if (uid_eq(uid, file->f_cred->fsuid)) 814 return true; 815 } 816 else if (cap_setid == CAP_SETGID) { 817 kgid_t gid = make_kgid(ns->parent, id); 818 if (gid_eq(gid, file->f_cred->fsgid)) 819 return true; 820 } 821 } 822 823 /* Allow anyone to set a mapping that doesn't require privilege */ 824 if (!cap_valid(cap_setid)) 825 return true; 826 827 /* Allow the specified ids if we have the appropriate capability 828 * (CAP_SETUID or CAP_SETGID) over the parent user namespace. 829 * And the opener of the id file also had the approprpiate capability. 830 */ 831 if (ns_capable(ns->parent, cap_setid) && 832 file_ns_capable(file, ns->parent, cap_setid)) 833 return true; 834 835 return false; 836 } 837 838 static void *userns_get(struct task_struct *task) 839 { 840 struct user_namespace *user_ns; 841 842 rcu_read_lock(); 843 user_ns = get_user_ns(__task_cred(task)->user_ns); 844 rcu_read_unlock(); 845 846 return user_ns; 847 } 848 849 static void userns_put(void *ns) 850 { 851 put_user_ns(ns); 852 } 853 854 static int userns_install(struct nsproxy *nsproxy, void *ns) 855 { 856 struct user_namespace *user_ns = ns; 857 struct cred *cred; 858 859 /* Don't allow gaining capabilities by reentering 860 * the same user namespace. 861 */ 862 if (user_ns == current_user_ns()) 863 return -EINVAL; 864 865 /* Threaded processes may not enter a different user namespace */ 866 if (atomic_read(¤t->mm->mm_users) > 1) 867 return -EINVAL; 868 869 if (current->fs->users != 1) 870 return -EINVAL; 871 872 if (!ns_capable(user_ns, CAP_SYS_ADMIN)) 873 return -EPERM; 874 875 cred = prepare_creds(); 876 if (!cred) 877 return -ENOMEM; 878 879 put_user_ns(cred->user_ns); 880 set_cred_user_ns(cred, get_user_ns(user_ns)); 881 882 return commit_creds(cred); 883 } 884 885 static unsigned int userns_inum(void *ns) 886 { 887 struct user_namespace *user_ns = ns; 888 return user_ns->proc_inum; 889 } 890 891 const struct proc_ns_operations userns_operations = { 892 .name = "user", 893 .type = CLONE_NEWUSER, 894 .get = userns_get, 895 .put = userns_put, 896 .install = userns_install, 897 .inum = userns_inum, 898 }; 899 900 static __init int user_namespaces_init(void) 901 { 902 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC); 903 return 0; 904 } 905 subsys_initcall(user_namespaces_init); 906