user_namespace.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905
  1. /*
  2. * This program is free software; you can redistribute it and/or
  3. * modify it under the terms of the GNU General Public License as
  4. * published by the Free Software Foundation, version 2 of the
  5. * License.
  6. */
  7. #include <linux/export.h>
  8. #include <linux/nsproxy.h>
  9. #include <linux/slab.h>
  10. #include <linux/user_namespace.h>
  11. #include <linux/proc_ns.h>
  12. #include <linux/highuid.h>
  13. #include <linux/cred.h>
  14. #include <linux/securebits.h>
  15. #include <linux/keyctl.h>
  16. #include <linux/key-type.h>
  17. #include <keys/user-type.h>
  18. #include <linux/seq_file.h>
  19. #include <linux/fs.h>
  20. #include <linux/uaccess.h>
  21. #include <linux/ctype.h>
  22. #include <linux/projid.h>
  23. #include <linux/fs_struct.h>
  24. static struct kmem_cache *user_ns_cachep __read_mostly;
  25. static bool new_idmap_permitted(const struct file *file,
  26. struct user_namespace *ns, int cap_setid,
  27. struct uid_gid_map *map);
  28. static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
  29. {
  30. /* Start with the same capabilities as init but useless for doing
  31. * anything as the capabilities are bound to the new user namespace.
  32. */
  33. cred->securebits = SECUREBITS_DEFAULT;
  34. cred->cap_inheritable = CAP_EMPTY_SET;
  35. cred->cap_permitted = CAP_FULL_SET;
  36. cred->cap_effective = CAP_FULL_SET;
  37. cred->cap_bset = CAP_FULL_SET;
  38. #ifdef CONFIG_KEYS
  39. key_put(cred->request_key_auth);
  40. cred->request_key_auth = NULL;
  41. #endif
  42. /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
  43. cred->user_ns = user_ns;
  44. }
  45. /*
  46. * Create a new user namespace, deriving the creator from the user in the
  47. * passed credentials, and replacing that user with the new root user for the
  48. * new namespace.
  49. *
  50. * This is called by copy_creds(), which will finish setting the target task's
  51. * credentials.
  52. */
  53. int create_user_ns(struct cred *new)
  54. {
  55. struct user_namespace *ns, *parent_ns = new->user_ns;
  56. kuid_t owner = new->euid;
  57. kgid_t group = new->egid;
  58. int ret;
  59. if (parent_ns->level > 32)
  60. return -EUSERS;
  61. /*
  62. * Verify that we can not violate the policy of which files
  63. * may be accessed that is specified by the root directory,
  64. * by verifing that the root directory is at the root of the
  65. * mount namespace which allows all files to be accessed.
  66. */
  67. if (current_chrooted())
  68. return -EPERM;
  69. /* The creator needs a mapping in the parent user namespace
  70. * or else we won't be able to reasonably tell userspace who
  71. * created a user_namespace.
  72. */
  73. if (!kuid_has_mapping(parent_ns, owner) ||
  74. !kgid_has_mapping(parent_ns, group))
  75. return -EPERM;
  76. ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
  77. if (!ns)
  78. return -ENOMEM;
  79. ret = proc_alloc_inum(&ns->proc_inum);
  80. if (ret) {
  81. kmem_cache_free(user_ns_cachep, ns);
  82. return ret;
  83. }
  84. atomic_set(&ns->count, 1);
  85. /* Leave the new->user_ns reference with the new user namespace. */
  86. ns->parent = parent_ns;
  87. ns->level = parent_ns->level + 1;
  88. ns->owner = owner;
  89. ns->group = group;
  90. set_cred_user_ns(new, ns);
  91. #ifdef CONFIG_PERSISTENT_KEYRINGS
  92. init_rwsem(&ns->persistent_keyring_register_sem);
  93. #endif
  94. return 0;
  95. }
  96. int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
  97. {
  98. struct cred *cred;
  99. int err = -ENOMEM;
  100. if (!(unshare_flags & CLONE_NEWUSER))
  101. return 0;
  102. cred = prepare_creds();
  103. if (cred) {
  104. err = create_user_ns(cred);
  105. if (err)
  106. put_cred(cred);
  107. else
  108. *new_cred = cred;
  109. }
  110. return err;
  111. }
  112. void free_user_ns(struct user_namespace *ns)
  113. {
  114. struct user_namespace *parent;
  115. do {
  116. parent = ns->parent;
  117. #ifdef CONFIG_PERSISTENT_KEYRINGS
  118. key_put(ns->persistent_keyring_register);
  119. #endif
  120. proc_free_inum(ns->proc_inum);
  121. kmem_cache_free(user_ns_cachep, ns);
  122. ns = parent;
  123. } while (atomic_dec_and_test(&parent->count));
  124. }
  125. EXPORT_SYMBOL(free_user_ns);
  126. static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
  127. {
  128. unsigned idx, extents;
  129. u32 first, last, id2;
  130. id2 = id + count - 1;
  131. /* Find the matching extent */
  132. extents = map->nr_extents;
  133. smp_read_barrier_depends();
  134. for (idx = 0; idx < extents; idx++) {
  135. first = map->extent[idx].first;
  136. last = first + map->extent[idx].count - 1;
  137. if (id >= first && id <= last &&
  138. (id2 >= first && id2 <= last))
  139. break;
  140. }
  141. /* Map the id or note failure */
  142. if (idx < extents)
  143. id = (id - first) + map->extent[idx].lower_first;
  144. else
  145. id = (u32) -1;
  146. return id;
  147. }
  148. static u32 map_id_down(struct uid_gid_map *map, u32 id)
  149. {
  150. unsigned idx, extents;
  151. u32 first, last;
  152. /* Find the matching extent */
  153. extents = map->nr_extents;
  154. smp_read_barrier_depends();
  155. for (idx = 0; idx < extents; idx++) {
  156. first = map->extent[idx].first;
  157. last = first + map->extent[idx].count - 1;
  158. if (id >= first && id <= last)
  159. break;
  160. }
  161. /* Map the id or note failure */
  162. if (idx < extents)
  163. id = (id - first) + map->extent[idx].lower_first;
  164. else
  165. id = (u32) -1;
  166. return id;
  167. }
  168. static u32 map_id_up(struct uid_gid_map *map, u32 id)
  169. {
  170. unsigned idx, extents;
  171. u32 first, last;
  172. /* Find the matching extent */
  173. extents = map->nr_extents;
  174. smp_read_barrier_depends();
  175. for (idx = 0; idx < extents; idx++) {
  176. first = map->extent[idx].lower_first;
  177. last = first + map->extent[idx].count - 1;
  178. if (id >= first && id <= last)
  179. break;
  180. }
  181. /* Map the id or note failure */
  182. if (idx < extents)
  183. id = (id - first) + map->extent[idx].first;
  184. else
  185. id = (u32) -1;
  186. return id;
  187. }
  188. /**
  189. * make_kuid - Map a user-namespace uid pair into a kuid.
  190. * @ns: User namespace that the uid is in
  191. * @uid: User identifier
  192. *
  193. * Maps a user-namespace uid pair into a kernel internal kuid,
  194. * and returns that kuid.
  195. *
  196. * When there is no mapping defined for the user-namespace uid
  197. * pair INVALID_UID is returned. Callers are expected to test
  198. * for and handle handle INVALID_UID being returned. INVALID_UID
  199. * may be tested for using uid_valid().
  200. */
  201. kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
  202. {
  203. /* Map the uid to a global kernel uid */
  204. return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
  205. }
  206. EXPORT_SYMBOL(make_kuid);
  207. /**
  208. * from_kuid - Create a uid from a kuid user-namespace pair.
  209. * @targ: The user namespace we want a uid in.
  210. * @kuid: The kernel internal uid to start with.
  211. *
  212. * Map @kuid into the user-namespace specified by @targ and
  213. * return the resulting uid.
  214. *
  215. * There is always a mapping into the initial user_namespace.
  216. *
  217. * If @kuid has no mapping in @targ (uid_t)-1 is returned.
  218. */
  219. uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
  220. {
  221. /* Map the uid from a global kernel uid */
  222. return map_id_up(&targ->uid_map, __kuid_val(kuid));
  223. }
  224. EXPORT_SYMBOL(from_kuid);
  225. /**
  226. * from_kuid_munged - Create a uid from a kuid user-namespace pair.
  227. * @targ: The user namespace we want a uid in.
  228. * @kuid: The kernel internal uid to start with.
  229. *
  230. * Map @kuid into the user-namespace specified by @targ and
  231. * return the resulting uid.
  232. *
  233. * There is always a mapping into the initial user_namespace.
  234. *
  235. * Unlike from_kuid from_kuid_munged never fails and always
  236. * returns a valid uid. This makes from_kuid_munged appropriate
  237. * for use in syscalls like stat and getuid where failing the
  238. * system call and failing to provide a valid uid are not an
  239. * options.
  240. *
  241. * If @kuid has no mapping in @targ overflowuid is returned.
  242. */
  243. uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
  244. {
  245. uid_t uid;
  246. uid = from_kuid(targ, kuid);
  247. if (uid == (uid_t) -1)
  248. uid = overflowuid;
  249. return uid;
  250. }
  251. EXPORT_SYMBOL(from_kuid_munged);
  252. /**
  253. * make_kgid - Map a user-namespace gid pair into a kgid.
  254. * @ns: User namespace that the gid is in
  255. * @uid: group identifier
  256. *
  257. * Maps a user-namespace gid pair into a kernel internal kgid,
  258. * and returns that kgid.
  259. *
  260. * When there is no mapping defined for the user-namespace gid
  261. * pair INVALID_GID is returned. Callers are expected to test
  262. * for and handle INVALID_GID being returned. INVALID_GID may be
  263. * tested for using gid_valid().
  264. */
  265. kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
  266. {
  267. /* Map the gid to a global kernel gid */
  268. return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
  269. }
  270. EXPORT_SYMBOL(make_kgid);
  271. /**
  272. * from_kgid - Create a gid from a kgid user-namespace pair.
  273. * @targ: The user namespace we want a gid in.
  274. * @kgid: The kernel internal gid to start with.
  275. *
  276. * Map @kgid into the user-namespace specified by @targ and
  277. * return the resulting gid.
  278. *
  279. * There is always a mapping into the initial user_namespace.
  280. *
  281. * If @kgid has no mapping in @targ (gid_t)-1 is returned.
  282. */
  283. gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
  284. {
  285. /* Map the gid from a global kernel gid */
  286. return map_id_up(&targ->gid_map, __kgid_val(kgid));
  287. }
  288. EXPORT_SYMBOL(from_kgid);
  289. /**
  290. * from_kgid_munged - Create a gid from a kgid user-namespace pair.
  291. * @targ: The user namespace we want a gid in.
  292. * @kgid: The kernel internal gid to start with.
  293. *
  294. * Map @kgid into the user-namespace specified by @targ and
  295. * return the resulting gid.
  296. *
  297. * There is always a mapping into the initial user_namespace.
  298. *
  299. * Unlike from_kgid from_kgid_munged never fails and always
  300. * returns a valid gid. This makes from_kgid_munged appropriate
  301. * for use in syscalls like stat and getgid where failing the
  302. * system call and failing to provide a valid gid are not options.
  303. *
  304. * If @kgid has no mapping in @targ overflowgid is returned.
  305. */
  306. gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
  307. {
  308. gid_t gid;
  309. gid = from_kgid(targ, kgid);
  310. if (gid == (gid_t) -1)
  311. gid = overflowgid;
  312. return gid;
  313. }
  314. EXPORT_SYMBOL(from_kgid_munged);
  315. /**
  316. * make_kprojid - Map a user-namespace projid pair into a kprojid.
  317. * @ns: User namespace that the projid is in
  318. * @projid: Project identifier
  319. *
  320. * Maps a user-namespace uid pair into a kernel internal kuid,
  321. * and returns that kuid.
  322. *
  323. * When there is no mapping defined for the user-namespace projid
  324. * pair INVALID_PROJID is returned. Callers are expected to test
  325. * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
  326. * may be tested for using projid_valid().
  327. */
  328. kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
  329. {
  330. /* Map the uid to a global kernel uid */
  331. return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
  332. }
  333. EXPORT_SYMBOL(make_kprojid);
  334. /**
  335. * from_kprojid - Create a projid from a kprojid user-namespace pair.
  336. * @targ: The user namespace we want a projid in.
  337. * @kprojid: The kernel internal project identifier to start with.
  338. *
  339. * Map @kprojid into the user-namespace specified by @targ and
  340. * return the resulting projid.
  341. *
  342. * There is always a mapping into the initial user_namespace.
  343. *
  344. * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
  345. */
  346. projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
  347. {
  348. /* Map the uid from a global kernel uid */
  349. return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
  350. }
  351. EXPORT_SYMBOL(from_kprojid);
  352. /**
  353. * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
  354. * @targ: The user namespace we want a projid in.
  355. * @kprojid: The kernel internal projid to start with.
  356. *
  357. * Map @kprojid into the user-namespace specified by @targ and
  358. * return the resulting projid.
  359. *
  360. * There is always a mapping into the initial user_namespace.
  361. *
  362. * Unlike from_kprojid from_kprojid_munged never fails and always
  363. * returns a valid projid. This makes from_kprojid_munged
  364. * appropriate for use in syscalls like stat and where
  365. * failing the system call and failing to provide a valid projid are
  366. * not an options.
  367. *
  368. * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
  369. */
  370. projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
  371. {
  372. projid_t projid;
  373. projid = from_kprojid(targ, kprojid);
  374. if (projid == (projid_t) -1)
  375. projid = OVERFLOW_PROJID;
  376. return projid;
  377. }
  378. EXPORT_SYMBOL(from_kprojid_munged);
  379. static int uid_m_show(struct seq_file *seq, void *v)
  380. {
  381. struct user_namespace *ns = seq->private;
  382. struct uid_gid_extent *extent = v;
  383. struct user_namespace *lower_ns;
  384. uid_t lower;
  385. lower_ns = seq_user_ns(seq);
  386. if ((lower_ns == ns) && lower_ns->parent)
  387. lower_ns = lower_ns->parent;
  388. lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
  389. seq_printf(seq, "%10u %10u %10u\n",
  390. extent->first,
  391. lower,
  392. extent->count);
  393. return 0;
  394. }
  395. static int gid_m_show(struct seq_file *seq, void *v)
  396. {
  397. struct user_namespace *ns = seq->private;
  398. struct uid_gid_extent *extent = v;
  399. struct user_namespace *lower_ns;
  400. gid_t lower;
  401. lower_ns = seq_user_ns(seq);
  402. if ((lower_ns == ns) && lower_ns->parent)
  403. lower_ns = lower_ns->parent;
  404. lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
  405. seq_printf(seq, "%10u %10u %10u\n",
  406. extent->first,
  407. lower,
  408. extent->count);
  409. return 0;
  410. }
  411. static int projid_m_show(struct seq_file *seq, void *v)
  412. {
  413. struct user_namespace *ns = seq->private;
  414. struct uid_gid_extent *extent = v;
  415. struct user_namespace *lower_ns;
  416. projid_t lower;
  417. lower_ns = seq_user_ns(seq);
  418. if ((lower_ns == ns) && lower_ns->parent)
  419. lower_ns = lower_ns->parent;
  420. lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
  421. seq_printf(seq, "%10u %10u %10u\n",
  422. extent->first,
  423. lower,
  424. extent->count);
  425. return 0;
  426. }
  427. static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
  428. {
  429. struct uid_gid_extent *extent = NULL;
  430. loff_t pos = *ppos;
  431. if (pos < map->nr_extents)
  432. extent = &map->extent[pos];
  433. return extent;
  434. }
  435. static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
  436. {
  437. struct user_namespace *ns = seq->private;
  438. return m_start(seq, ppos, &ns->uid_map);
  439. }
  440. static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
  441. {
  442. struct user_namespace *ns = seq->private;
  443. return m_start(seq, ppos, &ns->gid_map);
  444. }
  445. static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
  446. {
  447. struct user_namespace *ns = seq->private;
  448. return m_start(seq, ppos, &ns->projid_map);
  449. }
  450. static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
  451. {
  452. (*pos)++;
  453. return seq->op->start(seq, pos);
  454. }
  455. static void m_stop(struct seq_file *seq, void *v)
  456. {
  457. return;
  458. }
  459. struct seq_operations proc_uid_seq_operations = {
  460. .start = uid_m_start,
  461. .stop = m_stop,
  462. .next = m_next,
  463. .show = uid_m_show,
  464. };
  465. struct seq_operations proc_gid_seq_operations = {
  466. .start = gid_m_start,
  467. .stop = m_stop,
  468. .next = m_next,
  469. .show = gid_m_show,
  470. };
  471. struct seq_operations proc_projid_seq_operations = {
  472. .start = projid_m_start,
  473. .stop = m_stop,
  474. .next = m_next,
  475. .show = projid_m_show,
  476. };
  477. static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent *extent)
  478. {
  479. u32 upper_first, lower_first, upper_last, lower_last;
  480. unsigned idx;
  481. upper_first = extent->first;
  482. lower_first = extent->lower_first;
  483. upper_last = upper_first + extent->count - 1;
  484. lower_last = lower_first + extent->count - 1;
  485. for (idx = 0; idx < new_map->nr_extents; idx++) {
  486. u32 prev_upper_first, prev_lower_first;
  487. u32 prev_upper_last, prev_lower_last;
  488. struct uid_gid_extent *prev;
  489. prev = &new_map->extent[idx];
  490. prev_upper_first = prev->first;
  491. prev_lower_first = prev->lower_first;
  492. prev_upper_last = prev_upper_first + prev->count - 1;
  493. prev_lower_last = prev_lower_first + prev->count - 1;
  494. /* Does the upper range intersect a previous extent? */
  495. if ((prev_upper_first <= upper_last) &&
  496. (prev_upper_last >= upper_first))
  497. return true;
  498. /* Does the lower range intersect a previous extent? */
  499. if ((prev_lower_first <= lower_last) &&
  500. (prev_lower_last >= lower_first))
  501. return true;
  502. }
  503. return false;
  504. }
  505. static DEFINE_MUTEX(id_map_mutex);
  506. static ssize_t map_write(struct file *file, const char __user *buf,
  507. size_t count, loff_t *ppos,
  508. int cap_setid,
  509. struct uid_gid_map *map,
  510. struct uid_gid_map *parent_map)
  511. {
  512. struct seq_file *seq = file->private_data;
  513. struct user_namespace *ns = seq->private;
  514. struct uid_gid_map new_map;
  515. unsigned idx;
  516. struct uid_gid_extent *extent = NULL;
  517. unsigned long page = 0;
  518. char *kbuf, *pos, *next_line;
  519. ssize_t ret = -EINVAL;
  520. /*
  521. * The id_map_mutex serializes all writes to any given map.
  522. *
  523. * Any map is only ever written once.
  524. *
  525. * An id map fits within 1 cache line on most architectures.
  526. *
  527. * On read nothing needs to be done unless you are on an
  528. * architecture with a crazy cache coherency model like alpha.
  529. *
  530. * There is a one time data dependency between reading the
  531. * count of the extents and the values of the extents. The
  532. * desired behavior is to see the values of the extents that
  533. * were written before the count of the extents.
  534. *
  535. * To achieve this smp_wmb() is used on guarantee the write
  536. * order and smp_read_barrier_depends() is guaranteed that we
  537. * don't have crazy architectures returning stale data.
  538. *
  539. */
  540. mutex_lock(&id_map_mutex);
  541. ret = -EPERM;
  542. /* Only allow one successful write to the map */
  543. if (map->nr_extents != 0)
  544. goto out;
  545. /*
  546. * Adjusting namespace settings requires capabilities on the target.
  547. */
  548. if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
  549. goto out;
  550. /* Get a buffer */
  551. ret = -ENOMEM;
  552. page = __get_free_page(GFP_TEMPORARY);
  553. kbuf = (char *) page;
  554. if (!page)
  555. goto out;
  556. /* Only allow <= page size writes at the beginning of the file */
  557. ret = -EINVAL;
  558. if ((*ppos != 0) || (count >= PAGE_SIZE))
  559. goto out;
  560. /* Slurp in the user data */
  561. ret = -EFAULT;
  562. if (copy_from_user(kbuf, buf, count))
  563. goto out;
  564. kbuf[count] = '\0';
  565. /* Parse the user data */
  566. ret = -EINVAL;
  567. pos = kbuf;
  568. new_map.nr_extents = 0;
  569. for (;pos; pos = next_line) {
  570. extent = &new_map.extent[new_map.nr_extents];
  571. /* Find the end of line and ensure I don't look past it */
  572. next_line = strchr(pos, '\n');
  573. if (next_line) {
  574. *next_line = '\0';
  575. next_line++;
  576. if (*next_line == '\0')
  577. next_line = NULL;
  578. }
  579. pos = skip_spaces(pos);
  580. extent->first = simple_strtoul(pos, &pos, 10);
  581. if (!isspace(*pos))
  582. goto out;
  583. pos = skip_spaces(pos);
  584. extent->lower_first = simple_strtoul(pos, &pos, 10);
  585. if (!isspace(*pos))
  586. goto out;
  587. pos = skip_spaces(pos);
  588. extent->count = simple_strtoul(pos, &pos, 10);
  589. if (*pos && !isspace(*pos))
  590. goto out;
  591. /* Verify there is not trailing junk on the line */
  592. pos = skip_spaces(pos);
  593. if (*pos != '\0')
  594. goto out;
  595. /* Verify we have been given valid starting values */
  596. if ((extent->first == (u32) -1) ||
  597. (extent->lower_first == (u32) -1 ))
  598. goto out;
  599. /* Verify count is not zero and does not cause the extent to wrap */
  600. if ((extent->first + extent->count) <= extent->first)
  601. goto out;
  602. if ((extent->lower_first + extent->count) <= extent->lower_first)
  603. goto out;
  604. /* Do the ranges in extent overlap any previous extents? */
  605. if (mappings_overlap(&new_map, extent))
  606. goto out;
  607. new_map.nr_extents++;
  608. /* Fail if the file contains too many extents */
  609. if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
  610. (next_line != NULL))
  611. goto out;
  612. }
  613. /* Be very certaint the new map actually exists */
  614. if (new_map.nr_extents == 0)
  615. goto out;
  616. ret = -EPERM;
  617. /* Validate the user is allowed to use user id's mapped to. */
  618. if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
  619. goto out;
  620. /* Map the lower ids from the parent user namespace to the
  621. * kernel global id space.
  622. */
  623. for (idx = 0; idx < new_map.nr_extents; idx++) {
  624. u32 lower_first;
  625. extent = &new_map.extent[idx];
  626. lower_first = map_id_range_down(parent_map,
  627. extent->lower_first,
  628. extent->count);
  629. /* Fail if we can not map the specified extent to
  630. * the kernel global id space.
  631. */
  632. if (lower_first == (u32) -1)
  633. goto out;
  634. extent->lower_first = lower_first;
  635. }
  636. /* Install the map */
  637. memcpy(map->extent, new_map.extent,
  638. new_map.nr_extents*sizeof(new_map.extent[0]));
  639. smp_wmb();
  640. map->nr_extents = new_map.nr_extents;
  641. *ppos = count;
  642. ret = count;
  643. out:
  644. mutex_unlock(&id_map_mutex);
  645. if (page)
  646. free_page(page);
  647. return ret;
  648. }
  649. ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
  650. {
  651. struct seq_file *seq = file->private_data;
  652. struct user_namespace *ns = seq->private;
  653. struct user_namespace *seq_ns = seq_user_ns(seq);
  654. if (!ns->parent)
  655. return -EPERM;
  656. if ((seq_ns != ns) && (seq_ns != ns->parent))
  657. return -EPERM;
  658. return map_write(file, buf, size, ppos, CAP_SETUID,
  659. &ns->uid_map, &ns->parent->uid_map);
  660. }
  661. ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
  662. {
  663. struct seq_file *seq = file->private_data;
  664. struct user_namespace *ns = seq->private;
  665. struct user_namespace *seq_ns = seq_user_ns(seq);
  666. if (!ns->parent)
  667. return -EPERM;
  668. if ((seq_ns != ns) && (seq_ns != ns->parent))
  669. return -EPERM;
  670. return map_write(file, buf, size, ppos, CAP_SETGID,
  671. &ns->gid_map, &ns->parent->gid_map);
  672. }
  673. ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
  674. {
  675. struct seq_file *seq = file->private_data;
  676. struct user_namespace *ns = seq->private;
  677. struct user_namespace *seq_ns = seq_user_ns(seq);
  678. if (!ns->parent)
  679. return -EPERM;
  680. if ((seq_ns != ns) && (seq_ns != ns->parent))
  681. return -EPERM;
  682. /* Anyone can set any valid project id no capability needed */
  683. return map_write(file, buf, size, ppos, -1,
  684. &ns->projid_map, &ns->parent->projid_map);
  685. }
  686. static bool new_idmap_permitted(const struct file *file,
  687. struct user_namespace *ns, int cap_setid,
  688. struct uid_gid_map *new_map)
  689. {
  690. /* Allow mapping to your own filesystem ids */
  691. if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
  692. u32 id = new_map->extent[0].lower_first;
  693. if (cap_setid == CAP_SETUID) {
  694. kuid_t uid = make_kuid(ns->parent, id);
  695. if (uid_eq(uid, file->f_cred->fsuid))
  696. return true;
  697. }
  698. else if (cap_setid == CAP_SETGID) {
  699. kgid_t gid = make_kgid(ns->parent, id);
  700. if (gid_eq(gid, file->f_cred->fsgid))
  701. return true;
  702. }
  703. }
  704. /* Allow anyone to set a mapping that doesn't require privilege */
  705. if (!cap_valid(cap_setid))
  706. return true;
  707. /* Allow the specified ids if we have the appropriate capability
  708. * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
  709. * And the opener of the id file also had the approprpiate capability.
  710. */
  711. if (ns_capable(ns->parent, cap_setid) &&
  712. file_ns_capable(file, ns->parent, cap_setid))
  713. return true;
  714. return false;
  715. }
  716. static void *userns_get(struct task_struct *task)
  717. {
  718. struct user_namespace *user_ns;
  719. rcu_read_lock();
  720. user_ns = get_user_ns(__task_cred(task)->user_ns);
  721. rcu_read_unlock();
  722. return user_ns;
  723. }
  724. static void userns_put(void *ns)
  725. {
  726. put_user_ns(ns);
  727. }
  728. static int userns_install(struct nsproxy *nsproxy, void *ns)
  729. {
  730. struct user_namespace *user_ns = ns;
  731. struct cred *cred;
  732. /* Don't allow gaining capabilities by reentering
  733. * the same user namespace.
  734. */
  735. if (user_ns == current_user_ns())
  736. return -EINVAL;
  737. /* Threaded processes may not enter a different user namespace */
  738. if (atomic_read(&current->mm->mm_users) > 1)
  739. return -EINVAL;
  740. if (current->fs->users != 1)
  741. return -EINVAL;
  742. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  743. return -EPERM;
  744. cred = prepare_creds();
  745. if (!cred)
  746. return -ENOMEM;
  747. put_user_ns(cred->user_ns);
  748. set_cred_user_ns(cred, get_user_ns(user_ns));
  749. return commit_creds(cred);
  750. }
  751. static unsigned int userns_inum(void *ns)
  752. {
  753. struct user_namespace *user_ns = ns;
  754. return user_ns->proc_inum;
  755. }
  756. const struct proc_ns_operations userns_operations = {
  757. .name = "user",
  758. .type = CLONE_NEWUSER,
  759. .get = userns_get,
  760. .put = userns_put,
  761. .install = userns_install,
  762. .inum = userns_inum,
  763. };
  764. static __init int user_namespaces_init(void)
  765. {
  766. user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
  767. return 0;
  768. }
  769. module_init(user_namespaces_init);