user_namespace.c 26 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012
  1. /*
  2. * This program is free software; you can redistribute it and/or
  3. * modify it under the terms of the GNU General Public License as
  4. * published by the Free Software Foundation, version 2 of the
  5. * License.
  6. */
  7. #include <linux/export.h>
  8. #include <linux/nsproxy.h>
  9. #include <linux/slab.h>
  10. #include <linux/user_namespace.h>
  11. #include <linux/proc_ns.h>
  12. #include <linux/highuid.h>
  13. #include <linux/cred.h>
  14. #include <linux/securebits.h>
  15. #include <linux/keyctl.h>
  16. #include <linux/key-type.h>
  17. #include <keys/user-type.h>
  18. #include <linux/seq_file.h>
  19. #include <linux/fs.h>
  20. #include <linux/uaccess.h>
  21. #include <linux/ctype.h>
  22. #include <linux/projid.h>
  23. #include <linux/fs_struct.h>
  24. static struct kmem_cache *user_ns_cachep __read_mostly;
  25. static DEFINE_MUTEX(userns_state_mutex);
  26. static bool new_idmap_permitted(const struct file *file,
  27. struct user_namespace *ns, int cap_setid,
  28. struct uid_gid_map *map);
  29. static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
  30. {
  31. /* Start with the same capabilities as init but useless for doing
  32. * anything as the capabilities are bound to the new user namespace.
  33. */
  34. cred->securebits = SECUREBITS_DEFAULT;
  35. cred->cap_inheritable = CAP_EMPTY_SET;
  36. cred->cap_permitted = CAP_FULL_SET;
  37. cred->cap_effective = CAP_FULL_SET;
  38. cred->cap_ambient = CAP_EMPTY_SET;
  39. cred->cap_bset = CAP_FULL_SET;
  40. #ifdef CONFIG_KEYS
  41. key_put(cred->request_key_auth);
  42. cred->request_key_auth = NULL;
  43. #endif
  44. /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
  45. cred->user_ns = user_ns;
  46. }
  47. /*
  48. * Create a new user namespace, deriving the creator from the user in the
  49. * passed credentials, and replacing that user with the new root user for the
  50. * new namespace.
  51. *
  52. * This is called by copy_creds(), which will finish setting the target task's
  53. * credentials.
  54. */
  55. int create_user_ns(struct cred *new)
  56. {
  57. struct user_namespace *ns, *parent_ns = new->user_ns;
  58. kuid_t owner = new->euid;
  59. kgid_t group = new->egid;
  60. int ret;
  61. if (parent_ns->level > 32)
  62. return -EUSERS;
  63. /*
  64. * Verify that we can not violate the policy of which files
  65. * may be accessed that is specified by the root directory,
  66. * by verifing that the root directory is at the root of the
  67. * mount namespace which allows all files to be accessed.
  68. */
  69. if (current_chrooted())
  70. return -EPERM;
  71. /* The creator needs a mapping in the parent user namespace
  72. * or else we won't be able to reasonably tell userspace who
  73. * created a user_namespace.
  74. */
  75. if (!kuid_has_mapping(parent_ns, owner) ||
  76. !kgid_has_mapping(parent_ns, group))
  77. return -EPERM;
  78. ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
  79. if (!ns)
  80. return -ENOMEM;
  81. ret = ns_alloc_inum(&ns->ns);
  82. if (ret) {
  83. kmem_cache_free(user_ns_cachep, ns);
  84. return ret;
  85. }
  86. ns->ns.ops = &userns_operations;
  87. atomic_set(&ns->count, 1);
  88. /* Leave the new->user_ns reference with the new user namespace. */
  89. ns->parent = parent_ns;
  90. ns->level = parent_ns->level + 1;
  91. ns->owner = owner;
  92. ns->group = group;
  93. /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
  94. mutex_lock(&userns_state_mutex);
  95. ns->flags = parent_ns->flags;
  96. mutex_unlock(&userns_state_mutex);
  97. set_cred_user_ns(new, ns);
  98. #ifdef CONFIG_PERSISTENT_KEYRINGS
  99. init_rwsem(&ns->persistent_keyring_register_sem);
  100. #endif
  101. return 0;
  102. }
  103. int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
  104. {
  105. struct cred *cred;
  106. int err = -ENOMEM;
  107. if (!(unshare_flags & CLONE_NEWUSER))
  108. return 0;
  109. cred = prepare_creds();
  110. if (cred) {
  111. err = create_user_ns(cred);
  112. if (err)
  113. put_cred(cred);
  114. else
  115. *new_cred = cred;
  116. }
  117. return err;
  118. }
  119. void free_user_ns(struct user_namespace *ns)
  120. {
  121. struct user_namespace *parent;
  122. do {
  123. parent = ns->parent;
  124. #ifdef CONFIG_PERSISTENT_KEYRINGS
  125. key_put(ns->persistent_keyring_register);
  126. #endif
  127. ns_free_inum(&ns->ns);
  128. kmem_cache_free(user_ns_cachep, ns);
  129. ns = parent;
  130. } while (atomic_dec_and_test(&parent->count));
  131. }
  132. EXPORT_SYMBOL(free_user_ns);
  133. static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
  134. {
  135. unsigned idx, extents;
  136. u32 first, last, id2;
  137. id2 = id + count - 1;
  138. /* Find the matching extent */
  139. extents = map->nr_extents;
  140. smp_rmb();
  141. for (idx = 0; idx < extents; idx++) {
  142. first = map->extent[idx].first;
  143. last = first + map->extent[idx].count - 1;
  144. if (id >= first && id <= last &&
  145. (id2 >= first && id2 <= last))
  146. break;
  147. }
  148. /* Map the id or note failure */
  149. if (idx < extents)
  150. id = (id - first) + map->extent[idx].lower_first;
  151. else
  152. id = (u32) -1;
  153. return id;
  154. }
  155. static u32 map_id_down(struct uid_gid_map *map, u32 id)
  156. {
  157. unsigned idx, extents;
  158. u32 first, last;
  159. /* Find the matching extent */
  160. extents = map->nr_extents;
  161. smp_rmb();
  162. for (idx = 0; idx < extents; idx++) {
  163. first = map->extent[idx].first;
  164. last = first + map->extent[idx].count - 1;
  165. if (id >= first && id <= last)
  166. break;
  167. }
  168. /* Map the id or note failure */
  169. if (idx < extents)
  170. id = (id - first) + map->extent[idx].lower_first;
  171. else
  172. id = (u32) -1;
  173. return id;
  174. }
  175. static u32 map_id_up(struct uid_gid_map *map, u32 id)
  176. {
  177. unsigned idx, extents;
  178. u32 first, last;
  179. /* Find the matching extent */
  180. extents = map->nr_extents;
  181. smp_rmb();
  182. for (idx = 0; idx < extents; idx++) {
  183. first = map->extent[idx].lower_first;
  184. last = first + map->extent[idx].count - 1;
  185. if (id >= first && id <= last)
  186. break;
  187. }
  188. /* Map the id or note failure */
  189. if (idx < extents)
  190. id = (id - first) + map->extent[idx].first;
  191. else
  192. id = (u32) -1;
  193. return id;
  194. }
  195. /**
  196. * make_kuid - Map a user-namespace uid pair into a kuid.
  197. * @ns: User namespace that the uid is in
  198. * @uid: User identifier
  199. *
  200. * Maps a user-namespace uid pair into a kernel internal kuid,
  201. * and returns that kuid.
  202. *
  203. * When there is no mapping defined for the user-namespace uid
  204. * pair INVALID_UID is returned. Callers are expected to test
  205. * for and handle INVALID_UID being returned. INVALID_UID
  206. * may be tested for using uid_valid().
  207. */
  208. kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
  209. {
  210. /* Map the uid to a global kernel uid */
  211. return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
  212. }
  213. EXPORT_SYMBOL(make_kuid);
  214. /**
  215. * from_kuid - Create a uid from a kuid user-namespace pair.
  216. * @targ: The user namespace we want a uid in.
  217. * @kuid: The kernel internal uid to start with.
  218. *
  219. * Map @kuid into the user-namespace specified by @targ and
  220. * return the resulting uid.
  221. *
  222. * There is always a mapping into the initial user_namespace.
  223. *
  224. * If @kuid has no mapping in @targ (uid_t)-1 is returned.
  225. */
  226. uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
  227. {
  228. /* Map the uid from a global kernel uid */
  229. return map_id_up(&targ->uid_map, __kuid_val(kuid));
  230. }
  231. EXPORT_SYMBOL(from_kuid);
  232. /**
  233. * from_kuid_munged - Create a uid from a kuid user-namespace pair.
  234. * @targ: The user namespace we want a uid in.
  235. * @kuid: The kernel internal uid to start with.
  236. *
  237. * Map @kuid into the user-namespace specified by @targ and
  238. * return the resulting uid.
  239. *
  240. * There is always a mapping into the initial user_namespace.
  241. *
  242. * Unlike from_kuid from_kuid_munged never fails and always
  243. * returns a valid uid. This makes from_kuid_munged appropriate
  244. * for use in syscalls like stat and getuid where failing the
  245. * system call and failing to provide a valid uid are not an
  246. * options.
  247. *
  248. * If @kuid has no mapping in @targ overflowuid is returned.
  249. */
  250. uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
  251. {
  252. uid_t uid;
  253. uid = from_kuid(targ, kuid);
  254. if (uid == (uid_t) -1)
  255. uid = overflowuid;
  256. return uid;
  257. }
  258. EXPORT_SYMBOL(from_kuid_munged);
  259. /**
  260. * make_kgid - Map a user-namespace gid pair into a kgid.
  261. * @ns: User namespace that the gid is in
  262. * @gid: group identifier
  263. *
  264. * Maps a user-namespace gid pair into a kernel internal kgid,
  265. * and returns that kgid.
  266. *
  267. * When there is no mapping defined for the user-namespace gid
  268. * pair INVALID_GID is returned. Callers are expected to test
  269. * for and handle INVALID_GID being returned. INVALID_GID may be
  270. * tested for using gid_valid().
  271. */
  272. kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
  273. {
  274. /* Map the gid to a global kernel gid */
  275. return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
  276. }
  277. EXPORT_SYMBOL(make_kgid);
  278. /**
  279. * from_kgid - Create a gid from a kgid user-namespace pair.
  280. * @targ: The user namespace we want a gid in.
  281. * @kgid: The kernel internal gid to start with.
  282. *
  283. * Map @kgid into the user-namespace specified by @targ and
  284. * return the resulting gid.
  285. *
  286. * There is always a mapping into the initial user_namespace.
  287. *
  288. * If @kgid has no mapping in @targ (gid_t)-1 is returned.
  289. */
  290. gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
  291. {
  292. /* Map the gid from a global kernel gid */
  293. return map_id_up(&targ->gid_map, __kgid_val(kgid));
  294. }
  295. EXPORT_SYMBOL(from_kgid);
  296. /**
  297. * from_kgid_munged - Create a gid from a kgid user-namespace pair.
  298. * @targ: The user namespace we want a gid in.
  299. * @kgid: The kernel internal gid to start with.
  300. *
  301. * Map @kgid into the user-namespace specified by @targ and
  302. * return the resulting gid.
  303. *
  304. * There is always a mapping into the initial user_namespace.
  305. *
  306. * Unlike from_kgid from_kgid_munged never fails and always
  307. * returns a valid gid. This makes from_kgid_munged appropriate
  308. * for use in syscalls like stat and getgid where failing the
  309. * system call and failing to provide a valid gid are not options.
  310. *
  311. * If @kgid has no mapping in @targ overflowgid is returned.
  312. */
  313. gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
  314. {
  315. gid_t gid;
  316. gid = from_kgid(targ, kgid);
  317. if (gid == (gid_t) -1)
  318. gid = overflowgid;
  319. return gid;
  320. }
  321. EXPORT_SYMBOL(from_kgid_munged);
  322. /**
  323. * make_kprojid - Map a user-namespace projid pair into a kprojid.
  324. * @ns: User namespace that the projid is in
  325. * @projid: Project identifier
  326. *
  327. * Maps a user-namespace uid pair into a kernel internal kuid,
  328. * and returns that kuid.
  329. *
  330. * When there is no mapping defined for the user-namespace projid
  331. * pair INVALID_PROJID is returned. Callers are expected to test
  332. * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
  333. * may be tested for using projid_valid().
  334. */
  335. kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
  336. {
  337. /* Map the uid to a global kernel uid */
  338. return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
  339. }
  340. EXPORT_SYMBOL(make_kprojid);
  341. /**
  342. * from_kprojid - Create a projid from a kprojid user-namespace pair.
  343. * @targ: The user namespace we want a projid in.
  344. * @kprojid: The kernel internal project identifier to start with.
  345. *
  346. * Map @kprojid into the user-namespace specified by @targ and
  347. * return the resulting projid.
  348. *
  349. * There is always a mapping into the initial user_namespace.
  350. *
  351. * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
  352. */
  353. projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
  354. {
  355. /* Map the uid from a global kernel uid */
  356. return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
  357. }
  358. EXPORT_SYMBOL(from_kprojid);
  359. /**
  360. * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
  361. * @targ: The user namespace we want a projid in.
  362. * @kprojid: The kernel internal projid to start with.
  363. *
  364. * Map @kprojid into the user-namespace specified by @targ and
  365. * return the resulting projid.
  366. *
  367. * There is always a mapping into the initial user_namespace.
  368. *
  369. * Unlike from_kprojid from_kprojid_munged never fails and always
  370. * returns a valid projid. This makes from_kprojid_munged
  371. * appropriate for use in syscalls like stat and where
  372. * failing the system call and failing to provide a valid projid are
  373. * not an options.
  374. *
  375. * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
  376. */
  377. projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
  378. {
  379. projid_t projid;
  380. projid = from_kprojid(targ, kprojid);
  381. if (projid == (projid_t) -1)
  382. projid = OVERFLOW_PROJID;
  383. return projid;
  384. }
  385. EXPORT_SYMBOL(from_kprojid_munged);
  386. static int uid_m_show(struct seq_file *seq, void *v)
  387. {
  388. struct user_namespace *ns = seq->private;
  389. struct uid_gid_extent *extent = v;
  390. struct user_namespace *lower_ns;
  391. uid_t lower;
  392. lower_ns = seq_user_ns(seq);
  393. if ((lower_ns == ns) && lower_ns->parent)
  394. lower_ns = lower_ns->parent;
  395. lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
  396. seq_printf(seq, "%10u %10u %10u\n",
  397. extent->first,
  398. lower,
  399. extent->count);
  400. return 0;
  401. }
  402. static int gid_m_show(struct seq_file *seq, void *v)
  403. {
  404. struct user_namespace *ns = seq->private;
  405. struct uid_gid_extent *extent = v;
  406. struct user_namespace *lower_ns;
  407. gid_t lower;
  408. lower_ns = seq_user_ns(seq);
  409. if ((lower_ns == ns) && lower_ns->parent)
  410. lower_ns = lower_ns->parent;
  411. lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
  412. seq_printf(seq, "%10u %10u %10u\n",
  413. extent->first,
  414. lower,
  415. extent->count);
  416. return 0;
  417. }
  418. static int projid_m_show(struct seq_file *seq, void *v)
  419. {
  420. struct user_namespace *ns = seq->private;
  421. struct uid_gid_extent *extent = v;
  422. struct user_namespace *lower_ns;
  423. projid_t lower;
  424. lower_ns = seq_user_ns(seq);
  425. if ((lower_ns == ns) && lower_ns->parent)
  426. lower_ns = lower_ns->parent;
  427. lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
  428. seq_printf(seq, "%10u %10u %10u\n",
  429. extent->first,
  430. lower,
  431. extent->count);
  432. return 0;
  433. }
  434. static void *m_start(struct seq_file *seq, loff_t *ppos,
  435. struct uid_gid_map *map)
  436. {
  437. struct uid_gid_extent *extent = NULL;
  438. loff_t pos = *ppos;
  439. if (pos < map->nr_extents)
  440. extent = &map->extent[pos];
  441. return extent;
  442. }
  443. static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
  444. {
  445. struct user_namespace *ns = seq->private;
  446. return m_start(seq, ppos, &ns->uid_map);
  447. }
  448. static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
  449. {
  450. struct user_namespace *ns = seq->private;
  451. return m_start(seq, ppos, &ns->gid_map);
  452. }
  453. static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
  454. {
  455. struct user_namespace *ns = seq->private;
  456. return m_start(seq, ppos, &ns->projid_map);
  457. }
  458. static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
  459. {
  460. (*pos)++;
  461. return seq->op->start(seq, pos);
  462. }
  463. static void m_stop(struct seq_file *seq, void *v)
  464. {
  465. return;
  466. }
  467. const struct seq_operations proc_uid_seq_operations = {
  468. .start = uid_m_start,
  469. .stop = m_stop,
  470. .next = m_next,
  471. .show = uid_m_show,
  472. };
  473. const struct seq_operations proc_gid_seq_operations = {
  474. .start = gid_m_start,
  475. .stop = m_stop,
  476. .next = m_next,
  477. .show = gid_m_show,
  478. };
  479. const struct seq_operations proc_projid_seq_operations = {
  480. .start = projid_m_start,
  481. .stop = m_stop,
  482. .next = m_next,
  483. .show = projid_m_show,
  484. };
  485. static bool mappings_overlap(struct uid_gid_map *new_map,
  486. struct uid_gid_extent *extent)
  487. {
  488. u32 upper_first, lower_first, upper_last, lower_last;
  489. unsigned idx;
  490. upper_first = extent->first;
  491. lower_first = extent->lower_first;
  492. upper_last = upper_first + extent->count - 1;
  493. lower_last = lower_first + extent->count - 1;
  494. for (idx = 0; idx < new_map->nr_extents; idx++) {
  495. u32 prev_upper_first, prev_lower_first;
  496. u32 prev_upper_last, prev_lower_last;
  497. struct uid_gid_extent *prev;
  498. prev = &new_map->extent[idx];
  499. prev_upper_first = prev->first;
  500. prev_lower_first = prev->lower_first;
  501. prev_upper_last = prev_upper_first + prev->count - 1;
  502. prev_lower_last = prev_lower_first + prev->count - 1;
  503. /* Does the upper range intersect a previous extent? */
  504. if ((prev_upper_first <= upper_last) &&
  505. (prev_upper_last >= upper_first))
  506. return true;
  507. /* Does the lower range intersect a previous extent? */
  508. if ((prev_lower_first <= lower_last) &&
  509. (prev_lower_last >= lower_first))
  510. return true;
  511. }
  512. return false;
  513. }
  514. static ssize_t map_write(struct file *file, const char __user *buf,
  515. size_t count, loff_t *ppos,
  516. int cap_setid,
  517. struct uid_gid_map *map,
  518. struct uid_gid_map *parent_map)
  519. {
  520. struct seq_file *seq = file->private_data;
  521. struct user_namespace *ns = seq->private;
  522. struct uid_gid_map new_map;
  523. unsigned idx;
  524. struct uid_gid_extent *extent = NULL;
  525. unsigned long page;
  526. char *kbuf, *pos, *next_line;
  527. ssize_t ret;
  528. /* Only allow < page size writes at the beginning of the file */
  529. if ((*ppos != 0) || (count >= PAGE_SIZE))
  530. return -EINVAL;
  531. /* Get a buffer */
  532. page = __get_free_page(GFP_TEMPORARY);
  533. kbuf = (char *) page;
  534. if (!page)
  535. return -ENOMEM;
  536. /* Slurp in the user data */
  537. if (copy_from_user(kbuf, buf, count)) {
  538. free_page(page);
  539. return -EFAULT;
  540. }
  541. kbuf[count] = '\0';
  542. /*
  543. * The userns_state_mutex serializes all writes to any given map.
  544. *
  545. * Any map is only ever written once.
  546. *
  547. * An id map fits within 1 cache line on most architectures.
  548. *
  549. * On read nothing needs to be done unless you are on an
  550. * architecture with a crazy cache coherency model like alpha.
  551. *
  552. * There is a one time data dependency between reading the
  553. * count of the extents and the values of the extents. The
  554. * desired behavior is to see the values of the extents that
  555. * were written before the count of the extents.
  556. *
  557. * To achieve this smp_wmb() is used on guarantee the write
  558. * order and smp_rmb() is guaranteed that we don't have crazy
  559. * architectures returning stale data.
  560. */
  561. mutex_lock(&userns_state_mutex);
  562. ret = -EPERM;
  563. /* Only allow one successful write to the map */
  564. if (map->nr_extents != 0)
  565. goto out;
  566. /*
  567. * Adjusting namespace settings requires capabilities on the target.
  568. */
  569. if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
  570. goto out;
  571. /* Parse the user data */
  572. ret = -EINVAL;
  573. pos = kbuf;
  574. new_map.nr_extents = 0;
  575. for (; pos; pos = next_line) {
  576. extent = &new_map.extent[new_map.nr_extents];
  577. /* Find the end of line and ensure I don't look past it */
  578. next_line = strchr(pos, '\n');
  579. if (next_line) {
  580. *next_line = '\0';
  581. next_line++;
  582. if (*next_line == '\0')
  583. next_line = NULL;
  584. }
  585. pos = skip_spaces(pos);
  586. extent->first = simple_strtoul(pos, &pos, 10);
  587. if (!isspace(*pos))
  588. goto out;
  589. pos = skip_spaces(pos);
  590. extent->lower_first = simple_strtoul(pos, &pos, 10);
  591. if (!isspace(*pos))
  592. goto out;
  593. pos = skip_spaces(pos);
  594. extent->count = simple_strtoul(pos, &pos, 10);
  595. if (*pos && !isspace(*pos))
  596. goto out;
  597. /* Verify there is not trailing junk on the line */
  598. pos = skip_spaces(pos);
  599. if (*pos != '\0')
  600. goto out;
  601. /* Verify we have been given valid starting values */
  602. if ((extent->first == (u32) -1) ||
  603. (extent->lower_first == (u32) -1))
  604. goto out;
  605. /* Verify count is not zero and does not cause the
  606. * extent to wrap
  607. */
  608. if ((extent->first + extent->count) <= extent->first)
  609. goto out;
  610. if ((extent->lower_first + extent->count) <=
  611. extent->lower_first)
  612. goto out;
  613. /* Do the ranges in extent overlap any previous extents? */
  614. if (mappings_overlap(&new_map, extent))
  615. goto out;
  616. new_map.nr_extents++;
  617. /* Fail if the file contains too many extents */
  618. if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
  619. (next_line != NULL))
  620. goto out;
  621. }
  622. /* Be very certaint the new map actually exists */
  623. if (new_map.nr_extents == 0)
  624. goto out;
  625. ret = -EPERM;
  626. /* Validate the user is allowed to use user id's mapped to. */
  627. if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
  628. goto out;
  629. /* Map the lower ids from the parent user namespace to the
  630. * kernel global id space.
  631. */
  632. for (idx = 0; idx < new_map.nr_extents; idx++) {
  633. u32 lower_first;
  634. extent = &new_map.extent[idx];
  635. lower_first = map_id_range_down(parent_map,
  636. extent->lower_first,
  637. extent->count);
  638. /* Fail if we can not map the specified extent to
  639. * the kernel global id space.
  640. */
  641. if (lower_first == (u32) -1)
  642. goto out;
  643. extent->lower_first = lower_first;
  644. }
  645. /* Install the map */
  646. memcpy(map->extent, new_map.extent,
  647. new_map.nr_extents*sizeof(new_map.extent[0]));
  648. smp_wmb();
  649. map->nr_extents = new_map.nr_extents;
  650. *ppos = count;
  651. ret = count;
  652. out:
  653. mutex_unlock(&userns_state_mutex);
  654. if (page)
  655. free_page(page);
  656. return ret;
  657. }
  658. ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
  659. size_t size, loff_t *ppos)
  660. {
  661. struct seq_file *seq = file->private_data;
  662. struct user_namespace *ns = seq->private;
  663. struct user_namespace *seq_ns = seq_user_ns(seq);
  664. if (!ns->parent)
  665. return -EPERM;
  666. if ((seq_ns != ns) && (seq_ns != ns->parent))
  667. return -EPERM;
  668. return map_write(file, buf, size, ppos, CAP_SETUID,
  669. &ns->uid_map, &ns->parent->uid_map);
  670. }
  671. ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
  672. size_t size, loff_t *ppos)
  673. {
  674. struct seq_file *seq = file->private_data;
  675. struct user_namespace *ns = seq->private;
  676. struct user_namespace *seq_ns = seq_user_ns(seq);
  677. if (!ns->parent)
  678. return -EPERM;
  679. if ((seq_ns != ns) && (seq_ns != ns->parent))
  680. return -EPERM;
  681. return map_write(file, buf, size, ppos, CAP_SETGID,
  682. &ns->gid_map, &ns->parent->gid_map);
  683. }
  684. ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
  685. size_t size, loff_t *ppos)
  686. {
  687. struct seq_file *seq = file->private_data;
  688. struct user_namespace *ns = seq->private;
  689. struct user_namespace *seq_ns = seq_user_ns(seq);
  690. if (!ns->parent)
  691. return -EPERM;
  692. if ((seq_ns != ns) && (seq_ns != ns->parent))
  693. return -EPERM;
  694. /* Anyone can set any valid project id no capability needed */
  695. return map_write(file, buf, size, ppos, -1,
  696. &ns->projid_map, &ns->parent->projid_map);
  697. }
  698. static bool new_idmap_permitted(const struct file *file,
  699. struct user_namespace *ns, int cap_setid,
  700. struct uid_gid_map *new_map)
  701. {
  702. const struct cred *cred = file->f_cred;
  703. /* Don't allow mappings that would allow anything that wouldn't
  704. * be allowed without the establishment of unprivileged mappings.
  705. */
  706. if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
  707. uid_eq(ns->owner, cred->euid)) {
  708. u32 id = new_map->extent[0].lower_first;
  709. if (cap_setid == CAP_SETUID) {
  710. kuid_t uid = make_kuid(ns->parent, id);
  711. if (uid_eq(uid, cred->euid))
  712. return true;
  713. } else if (cap_setid == CAP_SETGID) {
  714. kgid_t gid = make_kgid(ns->parent, id);
  715. if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
  716. gid_eq(gid, cred->egid))
  717. return true;
  718. }
  719. }
  720. /* Allow anyone to set a mapping that doesn't require privilege */
  721. if (!cap_valid(cap_setid))
  722. return true;
  723. /* Allow the specified ids if we have the appropriate capability
  724. * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
  725. * And the opener of the id file also had the approprpiate capability.
  726. */
  727. if (ns_capable(ns->parent, cap_setid) &&
  728. file_ns_capable(file, ns->parent, cap_setid))
  729. return true;
  730. return false;
  731. }
  732. int proc_setgroups_show(struct seq_file *seq, void *v)
  733. {
  734. struct user_namespace *ns = seq->private;
  735. unsigned long userns_flags = ACCESS_ONCE(ns->flags);
  736. seq_printf(seq, "%s\n",
  737. (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
  738. "allow" : "deny");
  739. return 0;
  740. }
  741. ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
  742. size_t count, loff_t *ppos)
  743. {
  744. struct seq_file *seq = file->private_data;
  745. struct user_namespace *ns = seq->private;
  746. char kbuf[8], *pos;
  747. bool setgroups_allowed;
  748. ssize_t ret;
  749. /* Only allow a very narrow range of strings to be written */
  750. ret = -EINVAL;
  751. if ((*ppos != 0) || (count >= sizeof(kbuf)))
  752. goto out;
  753. /* What was written? */
  754. ret = -EFAULT;
  755. if (copy_from_user(kbuf, buf, count))
  756. goto out;
  757. kbuf[count] = '\0';
  758. pos = kbuf;
  759. /* What is being requested? */
  760. ret = -EINVAL;
  761. if (strncmp(pos, "allow", 5) == 0) {
  762. pos += 5;
  763. setgroups_allowed = true;
  764. }
  765. else if (strncmp(pos, "deny", 4) == 0) {
  766. pos += 4;
  767. setgroups_allowed = false;
  768. }
  769. else
  770. goto out;
  771. /* Verify there is not trailing junk on the line */
  772. pos = skip_spaces(pos);
  773. if (*pos != '\0')
  774. goto out;
  775. ret = -EPERM;
  776. mutex_lock(&userns_state_mutex);
  777. if (setgroups_allowed) {
  778. /* Enabling setgroups after setgroups has been disabled
  779. * is not allowed.
  780. */
  781. if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
  782. goto out_unlock;
  783. } else {
  784. /* Permanently disabling setgroups after setgroups has
  785. * been enabled by writing the gid_map is not allowed.
  786. */
  787. if (ns->gid_map.nr_extents != 0)
  788. goto out_unlock;
  789. ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
  790. }
  791. mutex_unlock(&userns_state_mutex);
  792. /* Report a successful write */
  793. *ppos = count;
  794. ret = count;
  795. out:
  796. return ret;
  797. out_unlock:
  798. mutex_unlock(&userns_state_mutex);
  799. goto out;
  800. }
  801. bool userns_may_setgroups(const struct user_namespace *ns)
  802. {
  803. bool allowed;
  804. mutex_lock(&userns_state_mutex);
  805. /* It is not safe to use setgroups until a gid mapping in
  806. * the user namespace has been established.
  807. */
  808. allowed = ns->gid_map.nr_extents != 0;
  809. /* Is setgroups allowed? */
  810. allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
  811. mutex_unlock(&userns_state_mutex);
  812. return allowed;
  813. }
  814. static inline struct user_namespace *to_user_ns(struct ns_common *ns)
  815. {
  816. return container_of(ns, struct user_namespace, ns);
  817. }
  818. static struct ns_common *userns_get(struct task_struct *task)
  819. {
  820. struct user_namespace *user_ns;
  821. rcu_read_lock();
  822. user_ns = get_user_ns(__task_cred(task)->user_ns);
  823. rcu_read_unlock();
  824. return user_ns ? &user_ns->ns : NULL;
  825. }
  826. static void userns_put(struct ns_common *ns)
  827. {
  828. put_user_ns(to_user_ns(ns));
  829. }
  830. static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
  831. {
  832. struct user_namespace *user_ns = to_user_ns(ns);
  833. struct cred *cred;
  834. /* Don't allow gaining capabilities by reentering
  835. * the same user namespace.
  836. */
  837. if (user_ns == current_user_ns())
  838. return -EINVAL;
  839. /* Tasks that share a thread group must share a user namespace */
  840. if (!thread_group_empty(current))
  841. return -EINVAL;
  842. if (current->fs->users != 1)
  843. return -EINVAL;
  844. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  845. return -EPERM;
  846. cred = prepare_creds();
  847. if (!cred)
  848. return -ENOMEM;
  849. put_user_ns(cred->user_ns);
  850. set_cred_user_ns(cred, get_user_ns(user_ns));
  851. return commit_creds(cred);
  852. }
  853. const struct proc_ns_operations userns_operations = {
  854. .name = "user",
  855. .type = CLONE_NEWUSER,
  856. .get = userns_get,
  857. .put = userns_put,
  858. .install = userns_install,
  859. };
  860. static __init int user_namespaces_init(void)
  861. {
  862. user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
  863. return 0;
  864. }
  865. subsys_initcall(user_namespaces_init);