user_namespace.c 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092
  1. /*
  2. * This program is free software; you can redistribute it and/or
  3. * modify it under the terms of the GNU General Public License as
  4. * published by the Free Software Foundation, version 2 of the
  5. * License.
  6. */
  7. #include <linux/export.h>
  8. #include <linux/nsproxy.h>
  9. #include <linux/slab.h>
  10. #include <linux/user_namespace.h>
  11. #include <linux/proc_ns.h>
  12. #include <linux/highuid.h>
  13. #include <linux/cred.h>
  14. #include <linux/securebits.h>
  15. #include <linux/keyctl.h>
  16. #include <linux/key-type.h>
  17. #include <keys/user-type.h>
  18. #include <linux/seq_file.h>
  19. #include <linux/fs.h>
  20. #include <linux/uaccess.h>
  21. #include <linux/ctype.h>
  22. #include <linux/projid.h>
  23. #include <linux/fs_struct.h>
  24. static struct kmem_cache *user_ns_cachep __read_mostly;
  25. static DEFINE_MUTEX(userns_state_mutex);
  26. static bool new_idmap_permitted(const struct file *file,
  27. struct user_namespace *ns, int cap_setid,
  28. struct uid_gid_map *map);
  29. static void free_user_ns(struct work_struct *work);
  30. static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
  31. {
  32. return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
  33. }
  34. static void dec_user_namespaces(struct ucounts *ucounts)
  35. {
  36. return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
  37. }
  38. static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
  39. {
  40. /* Start with the same capabilities as init but useless for doing
  41. * anything as the capabilities are bound to the new user namespace.
  42. */
  43. cred->securebits = SECUREBITS_DEFAULT;
  44. cred->cap_inheritable = CAP_EMPTY_SET;
  45. cred->cap_permitted = CAP_FULL_SET;
  46. cred->cap_effective = CAP_FULL_SET;
  47. cred->cap_ambient = CAP_EMPTY_SET;
  48. cred->cap_bset = CAP_FULL_SET;
  49. #ifdef CONFIG_KEYS
  50. key_put(cred->request_key_auth);
  51. cred->request_key_auth = NULL;
  52. #endif
  53. /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
  54. cred->user_ns = user_ns;
  55. }
  56. /*
  57. * Create a new user namespace, deriving the creator from the user in the
  58. * passed credentials, and replacing that user with the new root user for the
  59. * new namespace.
  60. *
  61. * This is called by copy_creds(), which will finish setting the target task's
  62. * credentials.
  63. */
  64. int create_user_ns(struct cred *new)
  65. {
  66. struct user_namespace *ns, *parent_ns = new->user_ns;
  67. kuid_t owner = new->euid;
  68. kgid_t group = new->egid;
  69. struct ucounts *ucounts;
  70. int ret, i;
  71. ret = -ENOSPC;
  72. if (parent_ns->level > 32)
  73. goto fail;
  74. ucounts = inc_user_namespaces(parent_ns, owner);
  75. if (!ucounts)
  76. goto fail;
  77. /*
  78. * Verify that we can not violate the policy of which files
  79. * may be accessed that is specified by the root directory,
  80. * by verifing that the root directory is at the root of the
  81. * mount namespace which allows all files to be accessed.
  82. */
  83. ret = -EPERM;
  84. if (current_chrooted())
  85. goto fail_dec;
  86. /* The creator needs a mapping in the parent user namespace
  87. * or else we won't be able to reasonably tell userspace who
  88. * created a user_namespace.
  89. */
  90. ret = -EPERM;
  91. if (!kuid_has_mapping(parent_ns, owner) ||
  92. !kgid_has_mapping(parent_ns, group))
  93. goto fail_dec;
  94. ret = -ENOMEM;
  95. ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
  96. if (!ns)
  97. goto fail_dec;
  98. ret = ns_alloc_inum(&ns->ns);
  99. if (ret)
  100. goto fail_free;
  101. ns->ns.ops = &userns_operations;
  102. atomic_set(&ns->count, 1);
  103. /* Leave the new->user_ns reference with the new user namespace. */
  104. ns->parent = parent_ns;
  105. ns->level = parent_ns->level + 1;
  106. ns->owner = owner;
  107. ns->group = group;
  108. INIT_WORK(&ns->work, free_user_ns);
  109. for (i = 0; i < UCOUNT_COUNTS; i++) {
  110. ns->ucount_max[i] = INT_MAX;
  111. }
  112. ns->ucounts = ucounts;
  113. /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
  114. mutex_lock(&userns_state_mutex);
  115. ns->flags = parent_ns->flags;
  116. mutex_unlock(&userns_state_mutex);
  117. #ifdef CONFIG_PERSISTENT_KEYRINGS
  118. init_rwsem(&ns->persistent_keyring_register_sem);
  119. #endif
  120. ret = -ENOMEM;
  121. if (!setup_userns_sysctls(ns))
  122. goto fail_keyring;
  123. set_cred_user_ns(new, ns);
  124. return 0;
  125. fail_keyring:
  126. #ifdef CONFIG_PERSISTENT_KEYRINGS
  127. key_put(ns->persistent_keyring_register);
  128. #endif
  129. ns_free_inum(&ns->ns);
  130. fail_free:
  131. kmem_cache_free(user_ns_cachep, ns);
  132. fail_dec:
  133. dec_user_namespaces(ucounts);
  134. fail:
  135. return ret;
  136. }
  137. int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
  138. {
  139. struct cred *cred;
  140. int err = -ENOMEM;
  141. if (!(unshare_flags & CLONE_NEWUSER))
  142. return 0;
  143. cred = prepare_creds();
  144. if (cred) {
  145. err = create_user_ns(cred);
  146. if (err)
  147. put_cred(cred);
  148. else
  149. *new_cred = cred;
  150. }
  151. return err;
  152. }
  153. static void free_user_ns(struct work_struct *work)
  154. {
  155. struct user_namespace *parent, *ns =
  156. container_of(work, struct user_namespace, work);
  157. do {
  158. struct ucounts *ucounts = ns->ucounts;
  159. parent = ns->parent;
  160. retire_userns_sysctls(ns);
  161. #ifdef CONFIG_PERSISTENT_KEYRINGS
  162. key_put(ns->persistent_keyring_register);
  163. #endif
  164. ns_free_inum(&ns->ns);
  165. kmem_cache_free(user_ns_cachep, ns);
  166. dec_user_namespaces(ucounts);
  167. ns = parent;
  168. } while (atomic_dec_and_test(&parent->count));
  169. }
  170. void __put_user_ns(struct user_namespace *ns)
  171. {
  172. schedule_work(&ns->work);
  173. }
  174. EXPORT_SYMBOL(__put_user_ns);
  175. static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
  176. {
  177. unsigned idx, extents;
  178. u32 first, last, id2;
  179. id2 = id + count - 1;
  180. /* Find the matching extent */
  181. extents = map->nr_extents;
  182. smp_rmb();
  183. for (idx = 0; idx < extents; idx++) {
  184. first = map->extent[idx].first;
  185. last = first + map->extent[idx].count - 1;
  186. if (id >= first && id <= last &&
  187. (id2 >= first && id2 <= last))
  188. break;
  189. }
  190. /* Map the id or note failure */
  191. if (idx < extents)
  192. id = (id - first) + map->extent[idx].lower_first;
  193. else
  194. id = (u32) -1;
  195. return id;
  196. }
  197. static u32 map_id_down(struct uid_gid_map *map, u32 id)
  198. {
  199. unsigned idx, extents;
  200. u32 first, last;
  201. /* Find the matching extent */
  202. extents = map->nr_extents;
  203. smp_rmb();
  204. for (idx = 0; idx < extents; idx++) {
  205. first = map->extent[idx].first;
  206. last = first + map->extent[idx].count - 1;
  207. if (id >= first && id <= last)
  208. break;
  209. }
  210. /* Map the id or note failure */
  211. if (idx < extents)
  212. id = (id - first) + map->extent[idx].lower_first;
  213. else
  214. id = (u32) -1;
  215. return id;
  216. }
  217. static u32 map_id_up(struct uid_gid_map *map, u32 id)
  218. {
  219. unsigned idx, extents;
  220. u32 first, last;
  221. /* Find the matching extent */
  222. extents = map->nr_extents;
  223. smp_rmb();
  224. for (idx = 0; idx < extents; idx++) {
  225. first = map->extent[idx].lower_first;
  226. last = first + map->extent[idx].count - 1;
  227. if (id >= first && id <= last)
  228. break;
  229. }
  230. /* Map the id or note failure */
  231. if (idx < extents)
  232. id = (id - first) + map->extent[idx].first;
  233. else
  234. id = (u32) -1;
  235. return id;
  236. }
  237. /**
  238. * make_kuid - Map a user-namespace uid pair into a kuid.
  239. * @ns: User namespace that the uid is in
  240. * @uid: User identifier
  241. *
  242. * Maps a user-namespace uid pair into a kernel internal kuid,
  243. * and returns that kuid.
  244. *
  245. * When there is no mapping defined for the user-namespace uid
  246. * pair INVALID_UID is returned. Callers are expected to test
  247. * for and handle INVALID_UID being returned. INVALID_UID
  248. * may be tested for using uid_valid().
  249. */
  250. kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
  251. {
  252. /* Map the uid to a global kernel uid */
  253. return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
  254. }
  255. EXPORT_SYMBOL(make_kuid);
  256. /**
  257. * from_kuid - Create a uid from a kuid user-namespace pair.
  258. * @targ: The user namespace we want a uid in.
  259. * @kuid: The kernel internal uid to start with.
  260. *
  261. * Map @kuid into the user-namespace specified by @targ and
  262. * return the resulting uid.
  263. *
  264. * There is always a mapping into the initial user_namespace.
  265. *
  266. * If @kuid has no mapping in @targ (uid_t)-1 is returned.
  267. */
  268. uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
  269. {
  270. /* Map the uid from a global kernel uid */
  271. return map_id_up(&targ->uid_map, __kuid_val(kuid));
  272. }
  273. EXPORT_SYMBOL(from_kuid);
  274. /**
  275. * from_kuid_munged - Create a uid from a kuid user-namespace pair.
  276. * @targ: The user namespace we want a uid in.
  277. * @kuid: The kernel internal uid to start with.
  278. *
  279. * Map @kuid into the user-namespace specified by @targ and
  280. * return the resulting uid.
  281. *
  282. * There is always a mapping into the initial user_namespace.
  283. *
  284. * Unlike from_kuid from_kuid_munged never fails and always
  285. * returns a valid uid. This makes from_kuid_munged appropriate
  286. * for use in syscalls like stat and getuid where failing the
  287. * system call and failing to provide a valid uid are not an
  288. * options.
  289. *
  290. * If @kuid has no mapping in @targ overflowuid is returned.
  291. */
  292. uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
  293. {
  294. uid_t uid;
  295. uid = from_kuid(targ, kuid);
  296. if (uid == (uid_t) -1)
  297. uid = overflowuid;
  298. return uid;
  299. }
  300. EXPORT_SYMBOL(from_kuid_munged);
  301. /**
  302. * make_kgid - Map a user-namespace gid pair into a kgid.
  303. * @ns: User namespace that the gid is in
  304. * @gid: group identifier
  305. *
  306. * Maps a user-namespace gid pair into a kernel internal kgid,
  307. * and returns that kgid.
  308. *
  309. * When there is no mapping defined for the user-namespace gid
  310. * pair INVALID_GID is returned. Callers are expected to test
  311. * for and handle INVALID_GID being returned. INVALID_GID may be
  312. * tested for using gid_valid().
  313. */
  314. kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
  315. {
  316. /* Map the gid to a global kernel gid */
  317. return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
  318. }
  319. EXPORT_SYMBOL(make_kgid);
  320. /**
  321. * from_kgid - Create a gid from a kgid user-namespace pair.
  322. * @targ: The user namespace we want a gid in.
  323. * @kgid: The kernel internal gid to start with.
  324. *
  325. * Map @kgid into the user-namespace specified by @targ and
  326. * return the resulting gid.
  327. *
  328. * There is always a mapping into the initial user_namespace.
  329. *
  330. * If @kgid has no mapping in @targ (gid_t)-1 is returned.
  331. */
  332. gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
  333. {
  334. /* Map the gid from a global kernel gid */
  335. return map_id_up(&targ->gid_map, __kgid_val(kgid));
  336. }
  337. EXPORT_SYMBOL(from_kgid);
  338. /**
  339. * from_kgid_munged - Create a gid from a kgid user-namespace pair.
  340. * @targ: The user namespace we want a gid in.
  341. * @kgid: The kernel internal gid to start with.
  342. *
  343. * Map @kgid into the user-namespace specified by @targ and
  344. * return the resulting gid.
  345. *
  346. * There is always a mapping into the initial user_namespace.
  347. *
  348. * Unlike from_kgid from_kgid_munged never fails and always
  349. * returns a valid gid. This makes from_kgid_munged appropriate
  350. * for use in syscalls like stat and getgid where failing the
  351. * system call and failing to provide a valid gid are not options.
  352. *
  353. * If @kgid has no mapping in @targ overflowgid is returned.
  354. */
  355. gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
  356. {
  357. gid_t gid;
  358. gid = from_kgid(targ, kgid);
  359. if (gid == (gid_t) -1)
  360. gid = overflowgid;
  361. return gid;
  362. }
  363. EXPORT_SYMBOL(from_kgid_munged);
  364. /**
  365. * make_kprojid - Map a user-namespace projid pair into a kprojid.
  366. * @ns: User namespace that the projid is in
  367. * @projid: Project identifier
  368. *
  369. * Maps a user-namespace uid pair into a kernel internal kuid,
  370. * and returns that kuid.
  371. *
  372. * When there is no mapping defined for the user-namespace projid
  373. * pair INVALID_PROJID is returned. Callers are expected to test
  374. * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
  375. * may be tested for using projid_valid().
  376. */
  377. kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
  378. {
  379. /* Map the uid to a global kernel uid */
  380. return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
  381. }
  382. EXPORT_SYMBOL(make_kprojid);
  383. /**
  384. * from_kprojid - Create a projid from a kprojid user-namespace pair.
  385. * @targ: The user namespace we want a projid in.
  386. * @kprojid: The kernel internal project identifier to start with.
  387. *
  388. * Map @kprojid into the user-namespace specified by @targ and
  389. * return the resulting projid.
  390. *
  391. * There is always a mapping into the initial user_namespace.
  392. *
  393. * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
  394. */
  395. projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
  396. {
  397. /* Map the uid from a global kernel uid */
  398. return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
  399. }
  400. EXPORT_SYMBOL(from_kprojid);
  401. /**
  402. * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
  403. * @targ: The user namespace we want a projid in.
  404. * @kprojid: The kernel internal projid to start with.
  405. *
  406. * Map @kprojid into the user-namespace specified by @targ and
  407. * return the resulting projid.
  408. *
  409. * There is always a mapping into the initial user_namespace.
  410. *
  411. * Unlike from_kprojid from_kprojid_munged never fails and always
  412. * returns a valid projid. This makes from_kprojid_munged
  413. * appropriate for use in syscalls like stat and where
  414. * failing the system call and failing to provide a valid projid are
  415. * not an options.
  416. *
  417. * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
  418. */
  419. projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
  420. {
  421. projid_t projid;
  422. projid = from_kprojid(targ, kprojid);
  423. if (projid == (projid_t) -1)
  424. projid = OVERFLOW_PROJID;
  425. return projid;
  426. }
  427. EXPORT_SYMBOL(from_kprojid_munged);
  428. static int uid_m_show(struct seq_file *seq, void *v)
  429. {
  430. struct user_namespace *ns = seq->private;
  431. struct uid_gid_extent *extent = v;
  432. struct user_namespace *lower_ns;
  433. uid_t lower;
  434. lower_ns = seq_user_ns(seq);
  435. if ((lower_ns == ns) && lower_ns->parent)
  436. lower_ns = lower_ns->parent;
  437. lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
  438. seq_printf(seq, "%10u %10u %10u\n",
  439. extent->first,
  440. lower,
  441. extent->count);
  442. return 0;
  443. }
  444. static int gid_m_show(struct seq_file *seq, void *v)
  445. {
  446. struct user_namespace *ns = seq->private;
  447. struct uid_gid_extent *extent = v;
  448. struct user_namespace *lower_ns;
  449. gid_t lower;
  450. lower_ns = seq_user_ns(seq);
  451. if ((lower_ns == ns) && lower_ns->parent)
  452. lower_ns = lower_ns->parent;
  453. lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
  454. seq_printf(seq, "%10u %10u %10u\n",
  455. extent->first,
  456. lower,
  457. extent->count);
  458. return 0;
  459. }
  460. static int projid_m_show(struct seq_file *seq, void *v)
  461. {
  462. struct user_namespace *ns = seq->private;
  463. struct uid_gid_extent *extent = v;
  464. struct user_namespace *lower_ns;
  465. projid_t lower;
  466. lower_ns = seq_user_ns(seq);
  467. if ((lower_ns == ns) && lower_ns->parent)
  468. lower_ns = lower_ns->parent;
  469. lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
  470. seq_printf(seq, "%10u %10u %10u\n",
  471. extent->first,
  472. lower,
  473. extent->count);
  474. return 0;
  475. }
  476. static void *m_start(struct seq_file *seq, loff_t *ppos,
  477. struct uid_gid_map *map)
  478. {
  479. struct uid_gid_extent *extent = NULL;
  480. loff_t pos = *ppos;
  481. if (pos < map->nr_extents)
  482. extent = &map->extent[pos];
  483. return extent;
  484. }
  485. static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
  486. {
  487. struct user_namespace *ns = seq->private;
  488. return m_start(seq, ppos, &ns->uid_map);
  489. }
  490. static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
  491. {
  492. struct user_namespace *ns = seq->private;
  493. return m_start(seq, ppos, &ns->gid_map);
  494. }
  495. static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
  496. {
  497. struct user_namespace *ns = seq->private;
  498. return m_start(seq, ppos, &ns->projid_map);
  499. }
  500. static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
  501. {
  502. (*pos)++;
  503. return seq->op->start(seq, pos);
  504. }
  505. static void m_stop(struct seq_file *seq, void *v)
  506. {
  507. return;
  508. }
  509. const struct seq_operations proc_uid_seq_operations = {
  510. .start = uid_m_start,
  511. .stop = m_stop,
  512. .next = m_next,
  513. .show = uid_m_show,
  514. };
  515. const struct seq_operations proc_gid_seq_operations = {
  516. .start = gid_m_start,
  517. .stop = m_stop,
  518. .next = m_next,
  519. .show = gid_m_show,
  520. };
  521. const struct seq_operations proc_projid_seq_operations = {
  522. .start = projid_m_start,
  523. .stop = m_stop,
  524. .next = m_next,
  525. .show = projid_m_show,
  526. };
  527. static bool mappings_overlap(struct uid_gid_map *new_map,
  528. struct uid_gid_extent *extent)
  529. {
  530. u32 upper_first, lower_first, upper_last, lower_last;
  531. unsigned idx;
  532. upper_first = extent->first;
  533. lower_first = extent->lower_first;
  534. upper_last = upper_first + extent->count - 1;
  535. lower_last = lower_first + extent->count - 1;
  536. for (idx = 0; idx < new_map->nr_extents; idx++) {
  537. u32 prev_upper_first, prev_lower_first;
  538. u32 prev_upper_last, prev_lower_last;
  539. struct uid_gid_extent *prev;
  540. prev = &new_map->extent[idx];
  541. prev_upper_first = prev->first;
  542. prev_lower_first = prev->lower_first;
  543. prev_upper_last = prev_upper_first + prev->count - 1;
  544. prev_lower_last = prev_lower_first + prev->count - 1;
  545. /* Does the upper range intersect a previous extent? */
  546. if ((prev_upper_first <= upper_last) &&
  547. (prev_upper_last >= upper_first))
  548. return true;
  549. /* Does the lower range intersect a previous extent? */
  550. if ((prev_lower_first <= lower_last) &&
  551. (prev_lower_last >= lower_first))
  552. return true;
  553. }
  554. return false;
  555. }
  556. static ssize_t map_write(struct file *file, const char __user *buf,
  557. size_t count, loff_t *ppos,
  558. int cap_setid,
  559. struct uid_gid_map *map,
  560. struct uid_gid_map *parent_map)
  561. {
  562. struct seq_file *seq = file->private_data;
  563. struct user_namespace *ns = seq->private;
  564. struct uid_gid_map new_map;
  565. unsigned idx;
  566. struct uid_gid_extent *extent = NULL;
  567. char *kbuf = NULL, *pos, *next_line;
  568. ssize_t ret = -EINVAL;
  569. /*
  570. * The userns_state_mutex serializes all writes to any given map.
  571. *
  572. * Any map is only ever written once.
  573. *
  574. * An id map fits within 1 cache line on most architectures.
  575. *
  576. * On read nothing needs to be done unless you are on an
  577. * architecture with a crazy cache coherency model like alpha.
  578. *
  579. * There is a one time data dependency between reading the
  580. * count of the extents and the values of the extents. The
  581. * desired behavior is to see the values of the extents that
  582. * were written before the count of the extents.
  583. *
  584. * To achieve this smp_wmb() is used on guarantee the write
  585. * order and smp_rmb() is guaranteed that we don't have crazy
  586. * architectures returning stale data.
  587. */
  588. mutex_lock(&userns_state_mutex);
  589. ret = -EPERM;
  590. /* Only allow one successful write to the map */
  591. if (map->nr_extents != 0)
  592. goto out;
  593. /*
  594. * Adjusting namespace settings requires capabilities on the target.
  595. */
  596. if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
  597. goto out;
  598. /* Only allow < page size writes at the beginning of the file */
  599. ret = -EINVAL;
  600. if ((*ppos != 0) || (count >= PAGE_SIZE))
  601. goto out;
  602. /* Slurp in the user data */
  603. kbuf = memdup_user_nul(buf, count);
  604. if (IS_ERR(kbuf)) {
  605. ret = PTR_ERR(kbuf);
  606. kbuf = NULL;
  607. goto out;
  608. }
  609. /* Parse the user data */
  610. ret = -EINVAL;
  611. pos = kbuf;
  612. new_map.nr_extents = 0;
  613. for (; pos; pos = next_line) {
  614. extent = &new_map.extent[new_map.nr_extents];
  615. /* Find the end of line and ensure I don't look past it */
  616. next_line = strchr(pos, '\n');
  617. if (next_line) {
  618. *next_line = '\0';
  619. next_line++;
  620. if (*next_line == '\0')
  621. next_line = NULL;
  622. }
  623. pos = skip_spaces(pos);
  624. extent->first = simple_strtoul(pos, &pos, 10);
  625. if (!isspace(*pos))
  626. goto out;
  627. pos = skip_spaces(pos);
  628. extent->lower_first = simple_strtoul(pos, &pos, 10);
  629. if (!isspace(*pos))
  630. goto out;
  631. pos = skip_spaces(pos);
  632. extent->count = simple_strtoul(pos, &pos, 10);
  633. if (*pos && !isspace(*pos))
  634. goto out;
  635. /* Verify there is not trailing junk on the line */
  636. pos = skip_spaces(pos);
  637. if (*pos != '\0')
  638. goto out;
  639. /* Verify we have been given valid starting values */
  640. if ((extent->first == (u32) -1) ||
  641. (extent->lower_first == (u32) -1))
  642. goto out;
  643. /* Verify count is not zero and does not cause the
  644. * extent to wrap
  645. */
  646. if ((extent->first + extent->count) <= extent->first)
  647. goto out;
  648. if ((extent->lower_first + extent->count) <=
  649. extent->lower_first)
  650. goto out;
  651. /* Do the ranges in extent overlap any previous extents? */
  652. if (mappings_overlap(&new_map, extent))
  653. goto out;
  654. new_map.nr_extents++;
  655. /* Fail if the file contains too many extents */
  656. if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
  657. (next_line != NULL))
  658. goto out;
  659. }
  660. /* Be very certaint the new map actually exists */
  661. if (new_map.nr_extents == 0)
  662. goto out;
  663. ret = -EPERM;
  664. /* Validate the user is allowed to use user id's mapped to. */
  665. if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
  666. goto out;
  667. /* Map the lower ids from the parent user namespace to the
  668. * kernel global id space.
  669. */
  670. for (idx = 0; idx < new_map.nr_extents; idx++) {
  671. u32 lower_first;
  672. extent = &new_map.extent[idx];
  673. lower_first = map_id_range_down(parent_map,
  674. extent->lower_first,
  675. extent->count);
  676. /* Fail if we can not map the specified extent to
  677. * the kernel global id space.
  678. */
  679. if (lower_first == (u32) -1)
  680. goto out;
  681. extent->lower_first = lower_first;
  682. }
  683. /* Install the map */
  684. memcpy(map->extent, new_map.extent,
  685. new_map.nr_extents*sizeof(new_map.extent[0]));
  686. smp_wmb();
  687. map->nr_extents = new_map.nr_extents;
  688. *ppos = count;
  689. ret = count;
  690. out:
  691. mutex_unlock(&userns_state_mutex);
  692. kfree(kbuf);
  693. return ret;
  694. }
  695. ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
  696. size_t size, loff_t *ppos)
  697. {
  698. struct seq_file *seq = file->private_data;
  699. struct user_namespace *ns = seq->private;
  700. struct user_namespace *seq_ns = seq_user_ns(seq);
  701. if (!ns->parent)
  702. return -EPERM;
  703. if ((seq_ns != ns) && (seq_ns != ns->parent))
  704. return -EPERM;
  705. return map_write(file, buf, size, ppos, CAP_SETUID,
  706. &ns->uid_map, &ns->parent->uid_map);
  707. }
  708. ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
  709. size_t size, loff_t *ppos)
  710. {
  711. struct seq_file *seq = file->private_data;
  712. struct user_namespace *ns = seq->private;
  713. struct user_namespace *seq_ns = seq_user_ns(seq);
  714. if (!ns->parent)
  715. return -EPERM;
  716. if ((seq_ns != ns) && (seq_ns != ns->parent))
  717. return -EPERM;
  718. return map_write(file, buf, size, ppos, CAP_SETGID,
  719. &ns->gid_map, &ns->parent->gid_map);
  720. }
  721. ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
  722. size_t size, loff_t *ppos)
  723. {
  724. struct seq_file *seq = file->private_data;
  725. struct user_namespace *ns = seq->private;
  726. struct user_namespace *seq_ns = seq_user_ns(seq);
  727. if (!ns->parent)
  728. return -EPERM;
  729. if ((seq_ns != ns) && (seq_ns != ns->parent))
  730. return -EPERM;
  731. /* Anyone can set any valid project id no capability needed */
  732. return map_write(file, buf, size, ppos, -1,
  733. &ns->projid_map, &ns->parent->projid_map);
  734. }
  735. static bool new_idmap_permitted(const struct file *file,
  736. struct user_namespace *ns, int cap_setid,
  737. struct uid_gid_map *new_map)
  738. {
  739. const struct cred *cred = file->f_cred;
  740. /* Don't allow mappings that would allow anything that wouldn't
  741. * be allowed without the establishment of unprivileged mappings.
  742. */
  743. if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
  744. uid_eq(ns->owner, cred->euid)) {
  745. u32 id = new_map->extent[0].lower_first;
  746. if (cap_setid == CAP_SETUID) {
  747. kuid_t uid = make_kuid(ns->parent, id);
  748. if (uid_eq(uid, cred->euid))
  749. return true;
  750. } else if (cap_setid == CAP_SETGID) {
  751. kgid_t gid = make_kgid(ns->parent, id);
  752. if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
  753. gid_eq(gid, cred->egid))
  754. return true;
  755. }
  756. }
  757. /* Allow anyone to set a mapping that doesn't require privilege */
  758. if (!cap_valid(cap_setid))
  759. return true;
  760. /* Allow the specified ids if we have the appropriate capability
  761. * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
  762. * And the opener of the id file also had the approprpiate capability.
  763. */
  764. if (ns_capable(ns->parent, cap_setid) &&
  765. file_ns_capable(file, ns->parent, cap_setid))
  766. return true;
  767. return false;
  768. }
  769. int proc_setgroups_show(struct seq_file *seq, void *v)
  770. {
  771. struct user_namespace *ns = seq->private;
  772. unsigned long userns_flags = ACCESS_ONCE(ns->flags);
  773. seq_printf(seq, "%s\n",
  774. (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
  775. "allow" : "deny");
  776. return 0;
  777. }
  778. ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
  779. size_t count, loff_t *ppos)
  780. {
  781. struct seq_file *seq = file->private_data;
  782. struct user_namespace *ns = seq->private;
  783. char kbuf[8], *pos;
  784. bool setgroups_allowed;
  785. ssize_t ret;
  786. /* Only allow a very narrow range of strings to be written */
  787. ret = -EINVAL;
  788. if ((*ppos != 0) || (count >= sizeof(kbuf)))
  789. goto out;
  790. /* What was written? */
  791. ret = -EFAULT;
  792. if (copy_from_user(kbuf, buf, count))
  793. goto out;
  794. kbuf[count] = '\0';
  795. pos = kbuf;
  796. /* What is being requested? */
  797. ret = -EINVAL;
  798. if (strncmp(pos, "allow", 5) == 0) {
  799. pos += 5;
  800. setgroups_allowed = true;
  801. }
  802. else if (strncmp(pos, "deny", 4) == 0) {
  803. pos += 4;
  804. setgroups_allowed = false;
  805. }
  806. else
  807. goto out;
  808. /* Verify there is not trailing junk on the line */
  809. pos = skip_spaces(pos);
  810. if (*pos != '\0')
  811. goto out;
  812. ret = -EPERM;
  813. mutex_lock(&userns_state_mutex);
  814. if (setgroups_allowed) {
  815. /* Enabling setgroups after setgroups has been disabled
  816. * is not allowed.
  817. */
  818. if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
  819. goto out_unlock;
  820. } else {
  821. /* Permanently disabling setgroups after setgroups has
  822. * been enabled by writing the gid_map is not allowed.
  823. */
  824. if (ns->gid_map.nr_extents != 0)
  825. goto out_unlock;
  826. ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
  827. }
  828. mutex_unlock(&userns_state_mutex);
  829. /* Report a successful write */
  830. *ppos = count;
  831. ret = count;
  832. out:
  833. return ret;
  834. out_unlock:
  835. mutex_unlock(&userns_state_mutex);
  836. goto out;
  837. }
  838. bool userns_may_setgroups(const struct user_namespace *ns)
  839. {
  840. bool allowed;
  841. mutex_lock(&userns_state_mutex);
  842. /* It is not safe to use setgroups until a gid mapping in
  843. * the user namespace has been established.
  844. */
  845. allowed = ns->gid_map.nr_extents != 0;
  846. /* Is setgroups allowed? */
  847. allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
  848. mutex_unlock(&userns_state_mutex);
  849. return allowed;
  850. }
  851. /*
  852. * Returns true if @ns is the same namespace as or a descendant of
  853. * @target_ns.
  854. */
  855. bool current_in_userns(const struct user_namespace *target_ns)
  856. {
  857. struct user_namespace *ns;
  858. for (ns = current_user_ns(); ns; ns = ns->parent) {
  859. if (ns == target_ns)
  860. return true;
  861. }
  862. return false;
  863. }
  864. static inline struct user_namespace *to_user_ns(struct ns_common *ns)
  865. {
  866. return container_of(ns, struct user_namespace, ns);
  867. }
  868. static struct ns_common *userns_get(struct task_struct *task)
  869. {
  870. struct user_namespace *user_ns;
  871. rcu_read_lock();
  872. user_ns = get_user_ns(__task_cred(task)->user_ns);
  873. rcu_read_unlock();
  874. return user_ns ? &user_ns->ns : NULL;
  875. }
  876. static void userns_put(struct ns_common *ns)
  877. {
  878. put_user_ns(to_user_ns(ns));
  879. }
  880. static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
  881. {
  882. struct user_namespace *user_ns = to_user_ns(ns);
  883. struct cred *cred;
  884. /* Don't allow gaining capabilities by reentering
  885. * the same user namespace.
  886. */
  887. if (user_ns == current_user_ns())
  888. return -EINVAL;
  889. /* Tasks that share a thread group must share a user namespace */
  890. if (!thread_group_empty(current))
  891. return -EINVAL;
  892. if (current->fs->users != 1)
  893. return -EINVAL;
  894. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  895. return -EPERM;
  896. cred = prepare_creds();
  897. if (!cred)
  898. return -ENOMEM;
  899. put_user_ns(cred->user_ns);
  900. set_cred_user_ns(cred, get_user_ns(user_ns));
  901. return commit_creds(cred);
  902. }
  903. struct ns_common *ns_get_owner(struct ns_common *ns)
  904. {
  905. struct user_namespace *my_user_ns = current_user_ns();
  906. struct user_namespace *owner, *p;
  907. /* See if the owner is in the current user namespace */
  908. owner = p = ns->ops->owner(ns);
  909. for (;;) {
  910. if (!p)
  911. return ERR_PTR(-EPERM);
  912. if (p == my_user_ns)
  913. break;
  914. p = p->parent;
  915. }
  916. return &get_user_ns(owner)->ns;
  917. }
  918. static struct user_namespace *userns_owner(struct ns_common *ns)
  919. {
  920. return to_user_ns(ns)->parent;
  921. }
  922. const struct proc_ns_operations userns_operations = {
  923. .name = "user",
  924. .type = CLONE_NEWUSER,
  925. .get = userns_get,
  926. .put = userns_put,
  927. .install = userns_install,
  928. .owner = userns_owner,
  929. .get_parent = ns_get_owner,
  930. };
  931. static __init int user_namespaces_init(void)
  932. {
  933. user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
  934. return 0;
  935. }
  936. subsys_initcall(user_namespaces_init);