Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

userns: Implement unshare of the user namespace

- Add CLONE_THREAD to the unshare flags if CLONE_NEWUSER is selected
  As changing user namespaces is only valid if all there is only
  a single thread.
- Restore the code to add CLONE_VM if CLONE_THREAD is selected and
  the code to addCLONE_SIGHAND if CLONE_VM is selected.
  Making the constraints in the code clear.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric W. Biederman 13 years ago
parent
cde1975bc2
commit
b2e0d98705
5 changed files with 51 additions and 8 deletions
Split View Show Diff Stats
  1. 1 1
      include/linux/nsproxy.h
  2. 9 0
      include/linux/user_namespace.h
  3. 22 3
      kernel/fork.c
  4. 4 4
      kernel/nsproxy.c
  5. 15 0
      kernel/user_namespace.c

+ 1 - 1
include/linux/nsproxy.h
View File 

@@ -67,7 +67,7 @@ void exit_task_namespaces(struct task_struct *tsk);
 
 void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
 
 void free_nsproxy(struct nsproxy *ns);
 
 int unshare_nsproxy_namespaces(unsigned long, struct nsproxy **,
 
-	struct fs_struct *);
 
+	struct cred *, struct fs_struct *);
 
 int __init nsproxy_cache_init(void);
 
 
 static inline void put_nsproxy(struct nsproxy *ns)

+ 9 - 0
include/linux/user_namespace.h
View File 

@@ -39,6 +39,7 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 
 }
 
 
 extern int create_user_ns(struct cred *new);
 
+extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
 
 extern void free_user_ns(struct kref *kref);
 
 
 static inline void put_user_ns(struct user_namespace *ns)
 
@@ -66,6 +67,14 @@ static inline int create_user_ns(struct cred *new)
 
 	return -EINVAL;
 
 }
 
 
+static inline int unshare_userns(unsigned long unshare_flags,
 
+				 struct cred **new_cred)
 
+{
 
+	if (unshare_flags & CLONE_NEWUSER)
 
+		return -EINVAL;
 
+	return 0;
 
+}
 
+
 
 static inline void put_user_ns(struct user_namespace *ns)
 
 {
 
 }

+ 22 - 3
kernel/fork.c
View File 

@@ -1687,7 +1687,7 @@ static int check_unshare_flags(unsigned long unshare_flags)
 
 	if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
 
 				CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
 
 				CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
 
-				CLONE_NEWPID))
 
+				CLONE_NEWUSER|CLONE_NEWPID))
 
 		return -EINVAL;
 
 	/*
 
 	 * Not implemented, but pretend it works if there is nothing to
 
@@ -1754,10 +1754,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 
 {
 
 	struct fs_struct *fs, *new_fs = NULL;
 
 	struct files_struct *fd, *new_fd = NULL;
 
+	struct cred *new_cred = NULL;
 
 	struct nsproxy *new_nsproxy = NULL;
 
 	int do_sysvsem = 0;
 
 	int err;
 
 
+	/*
 
+	 * If unsharing a user namespace must also unshare the thread.
 
+	 */
 
+	if (unshare_flags & CLONE_NEWUSER)
 
+		unshare_flags |= CLONE_THREAD;
 
 	/*
 
 	 * If unsharing a pid namespace must also unshare the thread.
 
 	 */
 
@@ -1795,11 +1801,15 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 
 	err = unshare_fd(unshare_flags, &new_fd);
 
 	if (err)
 
 		goto bad_unshare_cleanup_fs;
 
-	err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy, new_fs);
 
+	err = unshare_userns(unshare_flags, &new_cred);
 
 	if (err)
 
 		goto bad_unshare_cleanup_fd;
 
+	err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,
 
+					 new_cred, new_fs);
 
+	if (err)
 
+		goto bad_unshare_cleanup_cred;
 
 
-	if (new_fs || new_fd || do_sysvsem || new_nsproxy) {
 
+	if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
 
 		if (do_sysvsem) {
 
 			/*
 
 			 * CLONE_SYSVSEM is equivalent to sys_exit().
 
@@ -1832,11 +1842,20 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 
 		}
 
 
 		task_unlock(current);
 
+
 
+		if (new_cred) {
 
+			/* Install the new user namespace */
 
+			commit_creds(new_cred);
 
+			new_cred = NULL;
 
+		}
 
 	}
 
 
 	if (new_nsproxy)
 
 		put_nsproxy(new_nsproxy);
 
 
+bad_unshare_cleanup_cred:
 
+	if (new_cred)
 
+		put_cred(new_cred);
 
 bad_unshare_cleanup_fd:
 
 	if (new_fd)
 
 		put_files_struct(new_fd);

+ 4 - 4
kernel/nsproxy.c
View File 

@@ -186,7 +186,7 @@ void free_nsproxy(struct nsproxy *ns)
 
  * On success, returns the new nsproxy.
 
  */
 
 int unshare_nsproxy_namespaces(unsigned long unshare_flags,
 
-		struct nsproxy **new_nsp, struct fs_struct *new_fs)
 
+	struct nsproxy **new_nsp, struct cred *new_cred, struct fs_struct *new_fs)
 
 {
 
 	struct user_namespace *user_ns;
 
 	int err = 0;
 
@@ -195,12 +195,12 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
 
 			       CLONE_NEWNET | CLONE_NEWPID)))
 
 		return 0;
 
 
-	if (!nsown_capable(CAP_SYS_ADMIN))
 
+	user_ns = new_cred ? new_cred->user_ns : current_user_ns();
 
+	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
 
 		return -EPERM;
 
 
-	user_ns = current_user_ns();
 
 	*new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
 
-				new_fs ? new_fs : current->fs);
 
+					 new_fs ? new_fs : current->fs);
 
 	if (IS_ERR(*new_nsp)) {
 
 		err = PTR_ERR(*new_nsp);
 
 		goto out;

+ 15 - 0
kernel/user_namespace.c
View File 

@@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
 
 	return 0;
 
 }
 
 
+int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
 
+{
 
+	struct cred *cred;
 
+
 
+	if (!(unshare_flags & CLONE_NEWUSER))
 
+		return 0;
 
+
 
+	cred = prepare_creds();
 
+	if (!cred)
 
+		return -ENOMEM;
 
+
 
+	*new_cred = cred;
 
+	return create_user_ns(cred);
 
+}
 
+
 
 void free_user_ns(struct kref *kref)
 
 {
 
 	struct user_namespace *parent, *ns =