Loading...
1/*
2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
5 * License.
6 */
7
8#include <linux/export.h>
9#include <linux/nsproxy.h>
10#include <linux/slab.h>
11#include <linux/user_namespace.h>
12#include <linux/proc_ns.h>
13#include <linux/highuid.h>
14#include <linux/cred.h>
15#include <linux/securebits.h>
16#include <linux/keyctl.h>
17#include <linux/key-type.h>
18#include <keys/user-type.h>
19#include <linux/seq_file.h>
20#include <linux/fs.h>
21#include <linux/uaccess.h>
22#include <linux/ctype.h>
23#include <linux/projid.h>
24#include <linux/fs_struct.h>
25
26static struct kmem_cache *user_ns_cachep __read_mostly;
27static DEFINE_MUTEX(userns_state_mutex);
28
29static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
32static void free_user_ns(struct work_struct *work);
33
34static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
35{
36 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
37}
38
39static void dec_user_namespaces(struct ucounts *ucounts)
40{
41 return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
42}
43
44static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
45{
46 /* Start with the same capabilities as init but useless for doing
47 * anything as the capabilities are bound to the new user namespace.
48 */
49 cred->securebits = SECUREBITS_DEFAULT;
50 cred->cap_inheritable = CAP_EMPTY_SET;
51 cred->cap_permitted = CAP_FULL_SET;
52 cred->cap_effective = CAP_FULL_SET;
53 cred->cap_ambient = CAP_EMPTY_SET;
54 cred->cap_bset = CAP_FULL_SET;
55#ifdef CONFIG_KEYS
56 key_put(cred->request_key_auth);
57 cred->request_key_auth = NULL;
58#endif
59 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
60 cred->user_ns = user_ns;
61}
62
63/*
64 * Create a new user namespace, deriving the creator from the user in the
65 * passed credentials, and replacing that user with the new root user for the
66 * new namespace.
67 *
68 * This is called by copy_creds(), which will finish setting the target task's
69 * credentials.
70 */
71int create_user_ns(struct cred *new)
72{
73 struct user_namespace *ns, *parent_ns = new->user_ns;
74 kuid_t owner = new->euid;
75 kgid_t group = new->egid;
76 struct ucounts *ucounts;
77 int ret, i;
78
79 ret = -ENOSPC;
80 if (parent_ns->level > 32)
81 goto fail;
82
83 ucounts = inc_user_namespaces(parent_ns, owner);
84 if (!ucounts)
85 goto fail;
86
87 /*
88 * Verify that we can not violate the policy of which files
89 * may be accessed that is specified by the root directory,
90 * by verifing that the root directory is at the root of the
91 * mount namespace which allows all files to be accessed.
92 */
93 ret = -EPERM;
94 if (current_chrooted())
95 goto fail_dec;
96
97 /* The creator needs a mapping in the parent user namespace
98 * or else we won't be able to reasonably tell userspace who
99 * created a user_namespace.
100 */
101 ret = -EPERM;
102 if (!kuid_has_mapping(parent_ns, owner) ||
103 !kgid_has_mapping(parent_ns, group))
104 goto fail_dec;
105
106 ret = -ENOMEM;
107 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
108 if (!ns)
109 goto fail_dec;
110
111 ret = ns_alloc_inum(&ns->ns);
112 if (ret)
113 goto fail_free;
114 ns->ns.ops = &userns_operations;
115
116 atomic_set(&ns->count, 1);
117 /* Leave the new->user_ns reference with the new user namespace. */
118 ns->parent = parent_ns;
119 ns->level = parent_ns->level + 1;
120 ns->owner = owner;
121 ns->group = group;
122 INIT_WORK(&ns->work, free_user_ns);
123 for (i = 0; i < UCOUNT_COUNTS; i++) {
124 ns->ucount_max[i] = INT_MAX;
125 }
126 ns->ucounts = ucounts;
127
128 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
129 mutex_lock(&userns_state_mutex);
130 ns->flags = parent_ns->flags;
131 mutex_unlock(&userns_state_mutex);
132
133#ifdef CONFIG_PERSISTENT_KEYRINGS
134 init_rwsem(&ns->persistent_keyring_register_sem);
135#endif
136 ret = -ENOMEM;
137 if (!setup_userns_sysctls(ns))
138 goto fail_keyring;
139
140 set_cred_user_ns(new, ns);
141 return 0;
142fail_keyring:
143#ifdef CONFIG_PERSISTENT_KEYRINGS
144 key_put(ns->persistent_keyring_register);
145#endif
146 ns_free_inum(&ns->ns);
147fail_free:
148 kmem_cache_free(user_ns_cachep, ns);
149fail_dec:
150 dec_user_namespaces(ucounts);
151fail:
152 return ret;
153}
154
155int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
156{
157 struct cred *cred;
158 int err = -ENOMEM;
159
160 if (!(unshare_flags & CLONE_NEWUSER))
161 return 0;
162
163 cred = prepare_creds();
164 if (cred) {
165 err = create_user_ns(cred);
166 if (err)
167 put_cred(cred);
168 else
169 *new_cred = cred;
170 }
171
172 return err;
173}
174
175static void free_user_ns(struct work_struct *work)
176{
177 struct user_namespace *parent, *ns =
178 container_of(work, struct user_namespace, work);
179
180 do {
181 struct ucounts *ucounts = ns->ucounts;
182 parent = ns->parent;
183 retire_userns_sysctls(ns);
184#ifdef CONFIG_PERSISTENT_KEYRINGS
185 key_put(ns->persistent_keyring_register);
186#endif
187 ns_free_inum(&ns->ns);
188 kmem_cache_free(user_ns_cachep, ns);
189 dec_user_namespaces(ucounts);
190 ns = parent;
191 } while (atomic_dec_and_test(&parent->count));
192}
193
194void __put_user_ns(struct user_namespace *ns)
195{
196 schedule_work(&ns->work);
197}
198EXPORT_SYMBOL(__put_user_ns);
199
200static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
201{
202 unsigned idx, extents;
203 u32 first, last, id2;
204
205 id2 = id + count - 1;
206
207 /* Find the matching extent */
208 extents = map->nr_extents;
209 smp_rmb();
210 for (idx = 0; idx < extents; idx++) {
211 first = map->extent[idx].first;
212 last = first + map->extent[idx].count - 1;
213 if (id >= first && id <= last &&
214 (id2 >= first && id2 <= last))
215 break;
216 }
217 /* Map the id or note failure */
218 if (idx < extents)
219 id = (id - first) + map->extent[idx].lower_first;
220 else
221 id = (u32) -1;
222
223 return id;
224}
225
226static u32 map_id_down(struct uid_gid_map *map, u32 id)
227{
228 unsigned idx, extents;
229 u32 first, last;
230
231 /* Find the matching extent */
232 extents = map->nr_extents;
233 smp_rmb();
234 for (idx = 0; idx < extents; idx++) {
235 first = map->extent[idx].first;
236 last = first + map->extent[idx].count - 1;
237 if (id >= first && id <= last)
238 break;
239 }
240 /* Map the id or note failure */
241 if (idx < extents)
242 id = (id - first) + map->extent[idx].lower_first;
243 else
244 id = (u32) -1;
245
246 return id;
247}
248
249static u32 map_id_up(struct uid_gid_map *map, u32 id)
250{
251 unsigned idx, extents;
252 u32 first, last;
253
254 /* Find the matching extent */
255 extents = map->nr_extents;
256 smp_rmb();
257 for (idx = 0; idx < extents; idx++) {
258 first = map->extent[idx].lower_first;
259 last = first + map->extent[idx].count - 1;
260 if (id >= first && id <= last)
261 break;
262 }
263 /* Map the id or note failure */
264 if (idx < extents)
265 id = (id - first) + map->extent[idx].first;
266 else
267 id = (u32) -1;
268
269 return id;
270}
271
272/**
273 * make_kuid - Map a user-namespace uid pair into a kuid.
274 * @ns: User namespace that the uid is in
275 * @uid: User identifier
276 *
277 * Maps a user-namespace uid pair into a kernel internal kuid,
278 * and returns that kuid.
279 *
280 * When there is no mapping defined for the user-namespace uid
281 * pair INVALID_UID is returned. Callers are expected to test
282 * for and handle INVALID_UID being returned. INVALID_UID
283 * may be tested for using uid_valid().
284 */
285kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
286{
287 /* Map the uid to a global kernel uid */
288 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
289}
290EXPORT_SYMBOL(make_kuid);
291
292/**
293 * from_kuid - Create a uid from a kuid user-namespace pair.
294 * @targ: The user namespace we want a uid in.
295 * @kuid: The kernel internal uid to start with.
296 *
297 * Map @kuid into the user-namespace specified by @targ and
298 * return the resulting uid.
299 *
300 * There is always a mapping into the initial user_namespace.
301 *
302 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
303 */
304uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
305{
306 /* Map the uid from a global kernel uid */
307 return map_id_up(&targ->uid_map, __kuid_val(kuid));
308}
309EXPORT_SYMBOL(from_kuid);
310
311/**
312 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
313 * @targ: The user namespace we want a uid in.
314 * @kuid: The kernel internal uid to start with.
315 *
316 * Map @kuid into the user-namespace specified by @targ and
317 * return the resulting uid.
318 *
319 * There is always a mapping into the initial user_namespace.
320 *
321 * Unlike from_kuid from_kuid_munged never fails and always
322 * returns a valid uid. This makes from_kuid_munged appropriate
323 * for use in syscalls like stat and getuid where failing the
324 * system call and failing to provide a valid uid are not an
325 * options.
326 *
327 * If @kuid has no mapping in @targ overflowuid is returned.
328 */
329uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
330{
331 uid_t uid;
332 uid = from_kuid(targ, kuid);
333
334 if (uid == (uid_t) -1)
335 uid = overflowuid;
336 return uid;
337}
338EXPORT_SYMBOL(from_kuid_munged);
339
340/**
341 * make_kgid - Map a user-namespace gid pair into a kgid.
342 * @ns: User namespace that the gid is in
343 * @gid: group identifier
344 *
345 * Maps a user-namespace gid pair into a kernel internal kgid,
346 * and returns that kgid.
347 *
348 * When there is no mapping defined for the user-namespace gid
349 * pair INVALID_GID is returned. Callers are expected to test
350 * for and handle INVALID_GID being returned. INVALID_GID may be
351 * tested for using gid_valid().
352 */
353kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
354{
355 /* Map the gid to a global kernel gid */
356 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
357}
358EXPORT_SYMBOL(make_kgid);
359
360/**
361 * from_kgid - Create a gid from a kgid user-namespace pair.
362 * @targ: The user namespace we want a gid in.
363 * @kgid: The kernel internal gid to start with.
364 *
365 * Map @kgid into the user-namespace specified by @targ and
366 * return the resulting gid.
367 *
368 * There is always a mapping into the initial user_namespace.
369 *
370 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
371 */
372gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
373{
374 /* Map the gid from a global kernel gid */
375 return map_id_up(&targ->gid_map, __kgid_val(kgid));
376}
377EXPORT_SYMBOL(from_kgid);
378
379/**
380 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
381 * @targ: The user namespace we want a gid in.
382 * @kgid: The kernel internal gid to start with.
383 *
384 * Map @kgid into the user-namespace specified by @targ and
385 * return the resulting gid.
386 *
387 * There is always a mapping into the initial user_namespace.
388 *
389 * Unlike from_kgid from_kgid_munged never fails and always
390 * returns a valid gid. This makes from_kgid_munged appropriate
391 * for use in syscalls like stat and getgid where failing the
392 * system call and failing to provide a valid gid are not options.
393 *
394 * If @kgid has no mapping in @targ overflowgid is returned.
395 */
396gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
397{
398 gid_t gid;
399 gid = from_kgid(targ, kgid);
400
401 if (gid == (gid_t) -1)
402 gid = overflowgid;
403 return gid;
404}
405EXPORT_SYMBOL(from_kgid_munged);
406
407/**
408 * make_kprojid - Map a user-namespace projid pair into a kprojid.
409 * @ns: User namespace that the projid is in
410 * @projid: Project identifier
411 *
412 * Maps a user-namespace uid pair into a kernel internal kuid,
413 * and returns that kuid.
414 *
415 * When there is no mapping defined for the user-namespace projid
416 * pair INVALID_PROJID is returned. Callers are expected to test
417 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
418 * may be tested for using projid_valid().
419 */
420kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
421{
422 /* Map the uid to a global kernel uid */
423 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
424}
425EXPORT_SYMBOL(make_kprojid);
426
427/**
428 * from_kprojid - Create a projid from a kprojid user-namespace pair.
429 * @targ: The user namespace we want a projid in.
430 * @kprojid: The kernel internal project identifier to start with.
431 *
432 * Map @kprojid into the user-namespace specified by @targ and
433 * return the resulting projid.
434 *
435 * There is always a mapping into the initial user_namespace.
436 *
437 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
438 */
439projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
440{
441 /* Map the uid from a global kernel uid */
442 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
443}
444EXPORT_SYMBOL(from_kprojid);
445
446/**
447 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
448 * @targ: The user namespace we want a projid in.
449 * @kprojid: The kernel internal projid to start with.
450 *
451 * Map @kprojid into the user-namespace specified by @targ and
452 * return the resulting projid.
453 *
454 * There is always a mapping into the initial user_namespace.
455 *
456 * Unlike from_kprojid from_kprojid_munged never fails and always
457 * returns a valid projid. This makes from_kprojid_munged
458 * appropriate for use in syscalls like stat and where
459 * failing the system call and failing to provide a valid projid are
460 * not an options.
461 *
462 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
463 */
464projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
465{
466 projid_t projid;
467 projid = from_kprojid(targ, kprojid);
468
469 if (projid == (projid_t) -1)
470 projid = OVERFLOW_PROJID;
471 return projid;
472}
473EXPORT_SYMBOL(from_kprojid_munged);
474
475
476static int uid_m_show(struct seq_file *seq, void *v)
477{
478 struct user_namespace *ns = seq->private;
479 struct uid_gid_extent *extent = v;
480 struct user_namespace *lower_ns;
481 uid_t lower;
482
483 lower_ns = seq_user_ns(seq);
484 if ((lower_ns == ns) && lower_ns->parent)
485 lower_ns = lower_ns->parent;
486
487 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
488
489 seq_printf(seq, "%10u %10u %10u\n",
490 extent->first,
491 lower,
492 extent->count);
493
494 return 0;
495}
496
497static int gid_m_show(struct seq_file *seq, void *v)
498{
499 struct user_namespace *ns = seq->private;
500 struct uid_gid_extent *extent = v;
501 struct user_namespace *lower_ns;
502 gid_t lower;
503
504 lower_ns = seq_user_ns(seq);
505 if ((lower_ns == ns) && lower_ns->parent)
506 lower_ns = lower_ns->parent;
507
508 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
509
510 seq_printf(seq, "%10u %10u %10u\n",
511 extent->first,
512 lower,
513 extent->count);
514
515 return 0;
516}
517
518static int projid_m_show(struct seq_file *seq, void *v)
519{
520 struct user_namespace *ns = seq->private;
521 struct uid_gid_extent *extent = v;
522 struct user_namespace *lower_ns;
523 projid_t lower;
524
525 lower_ns = seq_user_ns(seq);
526 if ((lower_ns == ns) && lower_ns->parent)
527 lower_ns = lower_ns->parent;
528
529 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
530
531 seq_printf(seq, "%10u %10u %10u\n",
532 extent->first,
533 lower,
534 extent->count);
535
536 return 0;
537}
538
539static void *m_start(struct seq_file *seq, loff_t *ppos,
540 struct uid_gid_map *map)
541{
542 struct uid_gid_extent *extent = NULL;
543 loff_t pos = *ppos;
544
545 if (pos < map->nr_extents)
546 extent = &map->extent[pos];
547
548 return extent;
549}
550
551static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
552{
553 struct user_namespace *ns = seq->private;
554
555 return m_start(seq, ppos, &ns->uid_map);
556}
557
558static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
559{
560 struct user_namespace *ns = seq->private;
561
562 return m_start(seq, ppos, &ns->gid_map);
563}
564
565static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
566{
567 struct user_namespace *ns = seq->private;
568
569 return m_start(seq, ppos, &ns->projid_map);
570}
571
572static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
573{
574 (*pos)++;
575 return seq->op->start(seq, pos);
576}
577
578static void m_stop(struct seq_file *seq, void *v)
579{
580 return;
581}
582
583const struct seq_operations proc_uid_seq_operations = {
584 .start = uid_m_start,
585 .stop = m_stop,
586 .next = m_next,
587 .show = uid_m_show,
588};
589
590const struct seq_operations proc_gid_seq_operations = {
591 .start = gid_m_start,
592 .stop = m_stop,
593 .next = m_next,
594 .show = gid_m_show,
595};
596
597const struct seq_operations proc_projid_seq_operations = {
598 .start = projid_m_start,
599 .stop = m_stop,
600 .next = m_next,
601 .show = projid_m_show,
602};
603
604static bool mappings_overlap(struct uid_gid_map *new_map,
605 struct uid_gid_extent *extent)
606{
607 u32 upper_first, lower_first, upper_last, lower_last;
608 unsigned idx;
609
610 upper_first = extent->first;
611 lower_first = extent->lower_first;
612 upper_last = upper_first + extent->count - 1;
613 lower_last = lower_first + extent->count - 1;
614
615 for (idx = 0; idx < new_map->nr_extents; idx++) {
616 u32 prev_upper_first, prev_lower_first;
617 u32 prev_upper_last, prev_lower_last;
618 struct uid_gid_extent *prev;
619
620 prev = &new_map->extent[idx];
621
622 prev_upper_first = prev->first;
623 prev_lower_first = prev->lower_first;
624 prev_upper_last = prev_upper_first + prev->count - 1;
625 prev_lower_last = prev_lower_first + prev->count - 1;
626
627 /* Does the upper range intersect a previous extent? */
628 if ((prev_upper_first <= upper_last) &&
629 (prev_upper_last >= upper_first))
630 return true;
631
632 /* Does the lower range intersect a previous extent? */
633 if ((prev_lower_first <= lower_last) &&
634 (prev_lower_last >= lower_first))
635 return true;
636 }
637 return false;
638}
639
640static ssize_t map_write(struct file *file, const char __user *buf,
641 size_t count, loff_t *ppos,
642 int cap_setid,
643 struct uid_gid_map *map,
644 struct uid_gid_map *parent_map)
645{
646 struct seq_file *seq = file->private_data;
647 struct user_namespace *ns = seq->private;
648 struct uid_gid_map new_map;
649 unsigned idx;
650 struct uid_gid_extent *extent = NULL;
651 char *kbuf = NULL, *pos, *next_line;
652 ssize_t ret = -EINVAL;
653
654 /*
655 * The userns_state_mutex serializes all writes to any given map.
656 *
657 * Any map is only ever written once.
658 *
659 * An id map fits within 1 cache line on most architectures.
660 *
661 * On read nothing needs to be done unless you are on an
662 * architecture with a crazy cache coherency model like alpha.
663 *
664 * There is a one time data dependency between reading the
665 * count of the extents and the values of the extents. The
666 * desired behavior is to see the values of the extents that
667 * were written before the count of the extents.
668 *
669 * To achieve this smp_wmb() is used on guarantee the write
670 * order and smp_rmb() is guaranteed that we don't have crazy
671 * architectures returning stale data.
672 */
673 mutex_lock(&userns_state_mutex);
674
675 ret = -EPERM;
676 /* Only allow one successful write to the map */
677 if (map->nr_extents != 0)
678 goto out;
679
680 /*
681 * Adjusting namespace settings requires capabilities on the target.
682 */
683 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
684 goto out;
685
686 /* Only allow < page size writes at the beginning of the file */
687 ret = -EINVAL;
688 if ((*ppos != 0) || (count >= PAGE_SIZE))
689 goto out;
690
691 /* Slurp in the user data */
692 kbuf = memdup_user_nul(buf, count);
693 if (IS_ERR(kbuf)) {
694 ret = PTR_ERR(kbuf);
695 kbuf = NULL;
696 goto out;
697 }
698
699 /* Parse the user data */
700 ret = -EINVAL;
701 pos = kbuf;
702 new_map.nr_extents = 0;
703 for (; pos; pos = next_line) {
704 extent = &new_map.extent[new_map.nr_extents];
705
706 /* Find the end of line and ensure I don't look past it */
707 next_line = strchr(pos, '\n');
708 if (next_line) {
709 *next_line = '\0';
710 next_line++;
711 if (*next_line == '\0')
712 next_line = NULL;
713 }
714
715 pos = skip_spaces(pos);
716 extent->first = simple_strtoul(pos, &pos, 10);
717 if (!isspace(*pos))
718 goto out;
719
720 pos = skip_spaces(pos);
721 extent->lower_first = simple_strtoul(pos, &pos, 10);
722 if (!isspace(*pos))
723 goto out;
724
725 pos = skip_spaces(pos);
726 extent->count = simple_strtoul(pos, &pos, 10);
727 if (*pos && !isspace(*pos))
728 goto out;
729
730 /* Verify there is not trailing junk on the line */
731 pos = skip_spaces(pos);
732 if (*pos != '\0')
733 goto out;
734
735 /* Verify we have been given valid starting values */
736 if ((extent->first == (u32) -1) ||
737 (extent->lower_first == (u32) -1))
738 goto out;
739
740 /* Verify count is not zero and does not cause the
741 * extent to wrap
742 */
743 if ((extent->first + extent->count) <= extent->first)
744 goto out;
745 if ((extent->lower_first + extent->count) <=
746 extent->lower_first)
747 goto out;
748
749 /* Do the ranges in extent overlap any previous extents? */
750 if (mappings_overlap(&new_map, extent))
751 goto out;
752
753 new_map.nr_extents++;
754
755 /* Fail if the file contains too many extents */
756 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
757 (next_line != NULL))
758 goto out;
759 }
760 /* Be very certaint the new map actually exists */
761 if (new_map.nr_extents == 0)
762 goto out;
763
764 ret = -EPERM;
765 /* Validate the user is allowed to use user id's mapped to. */
766 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
767 goto out;
768
769 /* Map the lower ids from the parent user namespace to the
770 * kernel global id space.
771 */
772 for (idx = 0; idx < new_map.nr_extents; idx++) {
773 u32 lower_first;
774 extent = &new_map.extent[idx];
775
776 lower_first = map_id_range_down(parent_map,
777 extent->lower_first,
778 extent->count);
779
780 /* Fail if we can not map the specified extent to
781 * the kernel global id space.
782 */
783 if (lower_first == (u32) -1)
784 goto out;
785
786 extent->lower_first = lower_first;
787 }
788
789 /* Install the map */
790 memcpy(map->extent, new_map.extent,
791 new_map.nr_extents*sizeof(new_map.extent[0]));
792 smp_wmb();
793 map->nr_extents = new_map.nr_extents;
794
795 *ppos = count;
796 ret = count;
797out:
798 mutex_unlock(&userns_state_mutex);
799 kfree(kbuf);
800 return ret;
801}
802
803ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
804 size_t size, loff_t *ppos)
805{
806 struct seq_file *seq = file->private_data;
807 struct user_namespace *ns = seq->private;
808 struct user_namespace *seq_ns = seq_user_ns(seq);
809
810 if (!ns->parent)
811 return -EPERM;
812
813 if ((seq_ns != ns) && (seq_ns != ns->parent))
814 return -EPERM;
815
816 return map_write(file, buf, size, ppos, CAP_SETUID,
817 &ns->uid_map, &ns->parent->uid_map);
818}
819
820ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
821 size_t size, loff_t *ppos)
822{
823 struct seq_file *seq = file->private_data;
824 struct user_namespace *ns = seq->private;
825 struct user_namespace *seq_ns = seq_user_ns(seq);
826
827 if (!ns->parent)
828 return -EPERM;
829
830 if ((seq_ns != ns) && (seq_ns != ns->parent))
831 return -EPERM;
832
833 return map_write(file, buf, size, ppos, CAP_SETGID,
834 &ns->gid_map, &ns->parent->gid_map);
835}
836
837ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
838 size_t size, loff_t *ppos)
839{
840 struct seq_file *seq = file->private_data;
841 struct user_namespace *ns = seq->private;
842 struct user_namespace *seq_ns = seq_user_ns(seq);
843
844 if (!ns->parent)
845 return -EPERM;
846
847 if ((seq_ns != ns) && (seq_ns != ns->parent))
848 return -EPERM;
849
850 /* Anyone can set any valid project id no capability needed */
851 return map_write(file, buf, size, ppos, -1,
852 &ns->projid_map, &ns->parent->projid_map);
853}
854
855static bool new_idmap_permitted(const struct file *file,
856 struct user_namespace *ns, int cap_setid,
857 struct uid_gid_map *new_map)
858{
859 const struct cred *cred = file->f_cred;
860 /* Don't allow mappings that would allow anything that wouldn't
861 * be allowed without the establishment of unprivileged mappings.
862 */
863 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
864 uid_eq(ns->owner, cred->euid)) {
865 u32 id = new_map->extent[0].lower_first;
866 if (cap_setid == CAP_SETUID) {
867 kuid_t uid = make_kuid(ns->parent, id);
868 if (uid_eq(uid, cred->euid))
869 return true;
870 } else if (cap_setid == CAP_SETGID) {
871 kgid_t gid = make_kgid(ns->parent, id);
872 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
873 gid_eq(gid, cred->egid))
874 return true;
875 }
876 }
877
878 /* Allow anyone to set a mapping that doesn't require privilege */
879 if (!cap_valid(cap_setid))
880 return true;
881
882 /* Allow the specified ids if we have the appropriate capability
883 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
884 * And the opener of the id file also had the approprpiate capability.
885 */
886 if (ns_capable(ns->parent, cap_setid) &&
887 file_ns_capable(file, ns->parent, cap_setid))
888 return true;
889
890 return false;
891}
892
893int proc_setgroups_show(struct seq_file *seq, void *v)
894{
895 struct user_namespace *ns = seq->private;
896 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
897
898 seq_printf(seq, "%s\n",
899 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
900 "allow" : "deny");
901 return 0;
902}
903
904ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
905 size_t count, loff_t *ppos)
906{
907 struct seq_file *seq = file->private_data;
908 struct user_namespace *ns = seq->private;
909 char kbuf[8], *pos;
910 bool setgroups_allowed;
911 ssize_t ret;
912
913 /* Only allow a very narrow range of strings to be written */
914 ret = -EINVAL;
915 if ((*ppos != 0) || (count >= sizeof(kbuf)))
916 goto out;
917
918 /* What was written? */
919 ret = -EFAULT;
920 if (copy_from_user(kbuf, buf, count))
921 goto out;
922 kbuf[count] = '\0';
923 pos = kbuf;
924
925 /* What is being requested? */
926 ret = -EINVAL;
927 if (strncmp(pos, "allow", 5) == 0) {
928 pos += 5;
929 setgroups_allowed = true;
930 }
931 else if (strncmp(pos, "deny", 4) == 0) {
932 pos += 4;
933 setgroups_allowed = false;
934 }
935 else
936 goto out;
937
938 /* Verify there is not trailing junk on the line */
939 pos = skip_spaces(pos);
940 if (*pos != '\0')
941 goto out;
942
943 ret = -EPERM;
944 mutex_lock(&userns_state_mutex);
945 if (setgroups_allowed) {
946 /* Enabling setgroups after setgroups has been disabled
947 * is not allowed.
948 */
949 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
950 goto out_unlock;
951 } else {
952 /* Permanently disabling setgroups after setgroups has
953 * been enabled by writing the gid_map is not allowed.
954 */
955 if (ns->gid_map.nr_extents != 0)
956 goto out_unlock;
957 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
958 }
959 mutex_unlock(&userns_state_mutex);
960
961 /* Report a successful write */
962 *ppos = count;
963 ret = count;
964out:
965 return ret;
966out_unlock:
967 mutex_unlock(&userns_state_mutex);
968 goto out;
969}
970
971bool userns_may_setgroups(const struct user_namespace *ns)
972{
973 bool allowed;
974
975 mutex_lock(&userns_state_mutex);
976 /* It is not safe to use setgroups until a gid mapping in
977 * the user namespace has been established.
978 */
979 allowed = ns->gid_map.nr_extents != 0;
980 /* Is setgroups allowed? */
981 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
982 mutex_unlock(&userns_state_mutex);
983
984 return allowed;
985}
986
987/*
988 * Returns true if @ns is the same namespace as or a descendant of
989 * @target_ns.
990 */
991bool current_in_userns(const struct user_namespace *target_ns)
992{
993 struct user_namespace *ns;
994 for (ns = current_user_ns(); ns; ns = ns->parent) {
995 if (ns == target_ns)
996 return true;
997 }
998 return false;
999}
1000
1001static inline struct user_namespace *to_user_ns(struct ns_common *ns)
1002{
1003 return container_of(ns, struct user_namespace, ns);
1004}
1005
1006static struct ns_common *userns_get(struct task_struct *task)
1007{
1008 struct user_namespace *user_ns;
1009
1010 rcu_read_lock();
1011 user_ns = get_user_ns(__task_cred(task)->user_ns);
1012 rcu_read_unlock();
1013
1014 return user_ns ? &user_ns->ns : NULL;
1015}
1016
1017static void userns_put(struct ns_common *ns)
1018{
1019 put_user_ns(to_user_ns(ns));
1020}
1021
1022static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
1023{
1024 struct user_namespace *user_ns = to_user_ns(ns);
1025 struct cred *cred;
1026
1027 /* Don't allow gaining capabilities by reentering
1028 * the same user namespace.
1029 */
1030 if (user_ns == current_user_ns())
1031 return -EINVAL;
1032
1033 /* Tasks that share a thread group must share a user namespace */
1034 if (!thread_group_empty(current))
1035 return -EINVAL;
1036
1037 if (current->fs->users != 1)
1038 return -EINVAL;
1039
1040 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1041 return -EPERM;
1042
1043 cred = prepare_creds();
1044 if (!cred)
1045 return -ENOMEM;
1046
1047 put_user_ns(cred->user_ns);
1048 set_cred_user_ns(cred, get_user_ns(user_ns));
1049
1050 return commit_creds(cred);
1051}
1052
1053struct ns_common *ns_get_owner(struct ns_common *ns)
1054{
1055 struct user_namespace *my_user_ns = current_user_ns();
1056 struct user_namespace *owner, *p;
1057
1058 /* See if the owner is in the current user namespace */
1059 owner = p = ns->ops->owner(ns);
1060 for (;;) {
1061 if (!p)
1062 return ERR_PTR(-EPERM);
1063 if (p == my_user_ns)
1064 break;
1065 p = p->parent;
1066 }
1067
1068 return &get_user_ns(owner)->ns;
1069}
1070
1071static struct user_namespace *userns_owner(struct ns_common *ns)
1072{
1073 return to_user_ns(ns)->parent;
1074}
1075
1076const struct proc_ns_operations userns_operations = {
1077 .name = "user",
1078 .type = CLONE_NEWUSER,
1079 .get = userns_get,
1080 .put = userns_put,
1081 .install = userns_install,
1082 .owner = userns_owner,
1083 .get_parent = ns_get_owner,
1084};
1085
1086static __init int user_namespaces_init(void)
1087{
1088 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1089 return 0;
1090}
1091subsys_initcall(user_namespaces_init);
1// SPDX-License-Identifier: GPL-2.0-only
2
3#include <linux/export.h>
4#include <linux/nsproxy.h>
5#include <linux/slab.h>
6#include <linux/sched/signal.h>
7#include <linux/user_namespace.h>
8#include <linux/proc_ns.h>
9#include <linux/highuid.h>
10#include <linux/cred.h>
11#include <linux/securebits.h>
12#include <linux/security.h>
13#include <linux/keyctl.h>
14#include <linux/key-type.h>
15#include <keys/user-type.h>
16#include <linux/seq_file.h>
17#include <linux/fs.h>
18#include <linux/uaccess.h>
19#include <linux/ctype.h>
20#include <linux/projid.h>
21#include <linux/fs_struct.h>
22#include <linux/bsearch.h>
23#include <linux/sort.h>
24
25static struct kmem_cache *user_ns_cachep __ro_after_init;
26static DEFINE_MUTEX(userns_state_mutex);
27
28static bool new_idmap_permitted(const struct file *file,
29 struct user_namespace *ns, int cap_setid,
30 struct uid_gid_map *map);
31static void free_user_ns(struct work_struct *work);
32
33static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
34{
35 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
36}
37
38static void dec_user_namespaces(struct ucounts *ucounts)
39{
40 return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
41}
42
43static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
44{
45 /* Start with the same capabilities as init but useless for doing
46 * anything as the capabilities are bound to the new user namespace.
47 */
48 cred->securebits = SECUREBITS_DEFAULT;
49 cred->cap_inheritable = CAP_EMPTY_SET;
50 cred->cap_permitted = CAP_FULL_SET;
51 cred->cap_effective = CAP_FULL_SET;
52 cred->cap_ambient = CAP_EMPTY_SET;
53 cred->cap_bset = CAP_FULL_SET;
54#ifdef CONFIG_KEYS
55 key_put(cred->request_key_auth);
56 cred->request_key_auth = NULL;
57#endif
58 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
59 cred->user_ns = user_ns;
60}
61
62static unsigned long enforced_nproc_rlimit(void)
63{
64 unsigned long limit = RLIM_INFINITY;
65
66 /* Is RLIMIT_NPROC currently enforced? */
67 if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) ||
68 (current_user_ns() != &init_user_ns))
69 limit = rlimit(RLIMIT_NPROC);
70
71 return limit;
72}
73
74/*
75 * Create a new user namespace, deriving the creator from the user in the
76 * passed credentials, and replacing that user with the new root user for the
77 * new namespace.
78 *
79 * This is called by copy_creds(), which will finish setting the target task's
80 * credentials.
81 */
82int create_user_ns(struct cred *new)
83{
84 struct user_namespace *ns, *parent_ns = new->user_ns;
85 kuid_t owner = new->euid;
86 kgid_t group = new->egid;
87 struct ucounts *ucounts;
88 int ret, i;
89
90 ret = -ENOSPC;
91 if (parent_ns->level > 32)
92 goto fail;
93
94 ucounts = inc_user_namespaces(parent_ns, owner);
95 if (!ucounts)
96 goto fail;
97
98 /*
99 * Verify that we can not violate the policy of which files
100 * may be accessed that is specified by the root directory,
101 * by verifying that the root directory is at the root of the
102 * mount namespace which allows all files to be accessed.
103 */
104 ret = -EPERM;
105 if (current_chrooted())
106 goto fail_dec;
107
108 /* The creator needs a mapping in the parent user namespace
109 * or else we won't be able to reasonably tell userspace who
110 * created a user_namespace.
111 */
112 ret = -EPERM;
113 if (!kuid_has_mapping(parent_ns, owner) ||
114 !kgid_has_mapping(parent_ns, group))
115 goto fail_dec;
116
117 ret = security_create_user_ns(new);
118 if (ret < 0)
119 goto fail_dec;
120
121 ret = -ENOMEM;
122 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
123 if (!ns)
124 goto fail_dec;
125
126 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP);
127 ret = ns_alloc_inum(&ns->ns);
128 if (ret)
129 goto fail_free;
130 ns->ns.ops = &userns_operations;
131
132 refcount_set(&ns->ns.count, 1);
133 /* Leave the new->user_ns reference with the new user namespace. */
134 ns->parent = parent_ns;
135 ns->level = parent_ns->level + 1;
136 ns->owner = owner;
137 ns->group = group;
138 INIT_WORK(&ns->work, free_user_ns);
139 for (i = 0; i < UCOUNT_COUNTS; i++) {
140 ns->ucount_max[i] = INT_MAX;
141 }
142 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit());
143 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE));
144 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING));
145 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK));
146 ns->ucounts = ucounts;
147
148 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
149 mutex_lock(&userns_state_mutex);
150 ns->flags = parent_ns->flags;
151 mutex_unlock(&userns_state_mutex);
152
153#ifdef CONFIG_KEYS
154 INIT_LIST_HEAD(&ns->keyring_name_list);
155 init_rwsem(&ns->keyring_sem);
156#endif
157 ret = -ENOMEM;
158 if (!setup_userns_sysctls(ns))
159 goto fail_keyring;
160
161 set_cred_user_ns(new, ns);
162 return 0;
163fail_keyring:
164#ifdef CONFIG_PERSISTENT_KEYRINGS
165 key_put(ns->persistent_keyring_register);
166#endif
167 ns_free_inum(&ns->ns);
168fail_free:
169 kmem_cache_free(user_ns_cachep, ns);
170fail_dec:
171 dec_user_namespaces(ucounts);
172fail:
173 return ret;
174}
175
176int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
177{
178 struct cred *cred;
179 int err = -ENOMEM;
180
181 if (!(unshare_flags & CLONE_NEWUSER))
182 return 0;
183
184 cred = prepare_creds();
185 if (cred) {
186 err = create_user_ns(cred);
187 if (err)
188 put_cred(cred);
189 else
190 *new_cred = cred;
191 }
192
193 return err;
194}
195
196static void free_user_ns(struct work_struct *work)
197{
198 struct user_namespace *parent, *ns =
199 container_of(work, struct user_namespace, work);
200
201 do {
202 struct ucounts *ucounts = ns->ucounts;
203 parent = ns->parent;
204 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
205 kfree(ns->gid_map.forward);
206 kfree(ns->gid_map.reverse);
207 }
208 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
209 kfree(ns->uid_map.forward);
210 kfree(ns->uid_map.reverse);
211 }
212 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
213 kfree(ns->projid_map.forward);
214 kfree(ns->projid_map.reverse);
215 }
216#if IS_ENABLED(CONFIG_BINFMT_MISC)
217 kfree(ns->binfmt_misc);
218#endif
219 retire_userns_sysctls(ns);
220 key_free_user_ns(ns);
221 ns_free_inum(&ns->ns);
222 kmem_cache_free(user_ns_cachep, ns);
223 dec_user_namespaces(ucounts);
224 ns = parent;
225 } while (refcount_dec_and_test(&parent->ns.count));
226}
227
228void __put_user_ns(struct user_namespace *ns)
229{
230 schedule_work(&ns->work);
231}
232EXPORT_SYMBOL(__put_user_ns);
233
234/*
235 * struct idmap_key - holds the information necessary to find an idmapping in a
236 * sorted idmap array. It is passed to cmp_map_id() as first argument.
237 */
238struct idmap_key {
239 bool map_up; /* true -> id from kid; false -> kid from id */
240 u32 id; /* id to find */
241 u32 count; /* == 0 unless used with map_id_range_down() */
242};
243
244/*
245 * cmp_map_id - Function to be passed to bsearch() to find the requested
246 * idmapping. Expects struct idmap_key to be passed via @k.
247 */
248static int cmp_map_id(const void *k, const void *e)
249{
250 u32 first, last, id2;
251 const struct idmap_key *key = k;
252 const struct uid_gid_extent *el = e;
253
254 id2 = key->id + key->count - 1;
255
256 /* handle map_id_{down,up}() */
257 if (key->map_up)
258 first = el->lower_first;
259 else
260 first = el->first;
261
262 last = first + el->count - 1;
263
264 if (key->id >= first && key->id <= last &&
265 (id2 >= first && id2 <= last))
266 return 0;
267
268 if (key->id < first || id2 < first)
269 return -1;
270
271 return 1;
272}
273
274/*
275 * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
276 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
277 */
278static struct uid_gid_extent *
279map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
280{
281 struct idmap_key key;
282
283 key.map_up = false;
284 key.count = count;
285 key.id = id;
286
287 return bsearch(&key, map->forward, extents,
288 sizeof(struct uid_gid_extent), cmp_map_id);
289}
290
291/*
292 * map_id_range_down_base - Find idmap via binary search in static extent array.
293 * Can only be called if number of mappings is equal or less than
294 * UID_GID_MAP_MAX_BASE_EXTENTS.
295 */
296static struct uid_gid_extent *
297map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
298{
299 unsigned idx;
300 u32 first, last, id2;
301
302 id2 = id + count - 1;
303
304 /* Find the matching extent */
305 for (idx = 0; idx < extents; idx++) {
306 first = map->extent[idx].first;
307 last = first + map->extent[idx].count - 1;
308 if (id >= first && id <= last &&
309 (id2 >= first && id2 <= last))
310 return &map->extent[idx];
311 }
312 return NULL;
313}
314
315static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
316{
317 struct uid_gid_extent *extent;
318 unsigned extents = map->nr_extents;
319 smp_rmb();
320
321 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
322 extent = map_id_range_down_base(extents, map, id, count);
323 else
324 extent = map_id_range_down_max(extents, map, id, count);
325
326 /* Map the id or note failure */
327 if (extent)
328 id = (id - extent->first) + extent->lower_first;
329 else
330 id = (u32) -1;
331
332 return id;
333}
334
335u32 map_id_down(struct uid_gid_map *map, u32 id)
336{
337 return map_id_range_down(map, id, 1);
338}
339
340/*
341 * map_id_up_base - Find idmap via binary search in static extent array.
342 * Can only be called if number of mappings is equal or less than
343 * UID_GID_MAP_MAX_BASE_EXTENTS.
344 */
345static struct uid_gid_extent *
346map_id_up_base(unsigned extents, struct uid_gid_map *map, u32 id)
347{
348 unsigned idx;
349 u32 first, last;
350
351 /* Find the matching extent */
352 for (idx = 0; idx < extents; idx++) {
353 first = map->extent[idx].lower_first;
354 last = first + map->extent[idx].count - 1;
355 if (id >= first && id <= last)
356 return &map->extent[idx];
357 }
358 return NULL;
359}
360
361/*
362 * map_id_up_max - Find idmap via binary search in ordered idmap array.
363 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
364 */
365static struct uid_gid_extent *
366map_id_up_max(unsigned extents, struct uid_gid_map *map, u32 id)
367{
368 struct idmap_key key;
369
370 key.map_up = true;
371 key.count = 1;
372 key.id = id;
373
374 return bsearch(&key, map->reverse, extents,
375 sizeof(struct uid_gid_extent), cmp_map_id);
376}
377
378u32 map_id_up(struct uid_gid_map *map, u32 id)
379{
380 struct uid_gid_extent *extent;
381 unsigned extents = map->nr_extents;
382 smp_rmb();
383
384 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
385 extent = map_id_up_base(extents, map, id);
386 else
387 extent = map_id_up_max(extents, map, id);
388
389 /* Map the id or note failure */
390 if (extent)
391 id = (id - extent->lower_first) + extent->first;
392 else
393 id = (u32) -1;
394
395 return id;
396}
397
398/**
399 * make_kuid - Map a user-namespace uid pair into a kuid.
400 * @ns: User namespace that the uid is in
401 * @uid: User identifier
402 *
403 * Maps a user-namespace uid pair into a kernel internal kuid,
404 * and returns that kuid.
405 *
406 * When there is no mapping defined for the user-namespace uid
407 * pair INVALID_UID is returned. Callers are expected to test
408 * for and handle INVALID_UID being returned. INVALID_UID
409 * may be tested for using uid_valid().
410 */
411kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
412{
413 /* Map the uid to a global kernel uid */
414 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
415}
416EXPORT_SYMBOL(make_kuid);
417
418/**
419 * from_kuid - Create a uid from a kuid user-namespace pair.
420 * @targ: The user namespace we want a uid in.
421 * @kuid: The kernel internal uid to start with.
422 *
423 * Map @kuid into the user-namespace specified by @targ and
424 * return the resulting uid.
425 *
426 * There is always a mapping into the initial user_namespace.
427 *
428 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
429 */
430uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
431{
432 /* Map the uid from a global kernel uid */
433 return map_id_up(&targ->uid_map, __kuid_val(kuid));
434}
435EXPORT_SYMBOL(from_kuid);
436
437/**
438 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
439 * @targ: The user namespace we want a uid in.
440 * @kuid: The kernel internal uid to start with.
441 *
442 * Map @kuid into the user-namespace specified by @targ and
443 * return the resulting uid.
444 *
445 * There is always a mapping into the initial user_namespace.
446 *
447 * Unlike from_kuid from_kuid_munged never fails and always
448 * returns a valid uid. This makes from_kuid_munged appropriate
449 * for use in syscalls like stat and getuid where failing the
450 * system call and failing to provide a valid uid are not an
451 * options.
452 *
453 * If @kuid has no mapping in @targ overflowuid is returned.
454 */
455uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
456{
457 uid_t uid;
458 uid = from_kuid(targ, kuid);
459
460 if (uid == (uid_t) -1)
461 uid = overflowuid;
462 return uid;
463}
464EXPORT_SYMBOL(from_kuid_munged);
465
466/**
467 * make_kgid - Map a user-namespace gid pair into a kgid.
468 * @ns: User namespace that the gid is in
469 * @gid: group identifier
470 *
471 * Maps a user-namespace gid pair into a kernel internal kgid,
472 * and returns that kgid.
473 *
474 * When there is no mapping defined for the user-namespace gid
475 * pair INVALID_GID is returned. Callers are expected to test
476 * for and handle INVALID_GID being returned. INVALID_GID may be
477 * tested for using gid_valid().
478 */
479kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
480{
481 /* Map the gid to a global kernel gid */
482 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
483}
484EXPORT_SYMBOL(make_kgid);
485
486/**
487 * from_kgid - Create a gid from a kgid user-namespace pair.
488 * @targ: The user namespace we want a gid in.
489 * @kgid: The kernel internal gid to start with.
490 *
491 * Map @kgid into the user-namespace specified by @targ and
492 * return the resulting gid.
493 *
494 * There is always a mapping into the initial user_namespace.
495 *
496 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
497 */
498gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
499{
500 /* Map the gid from a global kernel gid */
501 return map_id_up(&targ->gid_map, __kgid_val(kgid));
502}
503EXPORT_SYMBOL(from_kgid);
504
505/**
506 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
507 * @targ: The user namespace we want a gid in.
508 * @kgid: The kernel internal gid to start with.
509 *
510 * Map @kgid into the user-namespace specified by @targ and
511 * return the resulting gid.
512 *
513 * There is always a mapping into the initial user_namespace.
514 *
515 * Unlike from_kgid from_kgid_munged never fails and always
516 * returns a valid gid. This makes from_kgid_munged appropriate
517 * for use in syscalls like stat and getgid where failing the
518 * system call and failing to provide a valid gid are not options.
519 *
520 * If @kgid has no mapping in @targ overflowgid is returned.
521 */
522gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
523{
524 gid_t gid;
525 gid = from_kgid(targ, kgid);
526
527 if (gid == (gid_t) -1)
528 gid = overflowgid;
529 return gid;
530}
531EXPORT_SYMBOL(from_kgid_munged);
532
533/**
534 * make_kprojid - Map a user-namespace projid pair into a kprojid.
535 * @ns: User namespace that the projid is in
536 * @projid: Project identifier
537 *
538 * Maps a user-namespace uid pair into a kernel internal kuid,
539 * and returns that kuid.
540 *
541 * When there is no mapping defined for the user-namespace projid
542 * pair INVALID_PROJID is returned. Callers are expected to test
543 * for and handle INVALID_PROJID being returned. INVALID_PROJID
544 * may be tested for using projid_valid().
545 */
546kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
547{
548 /* Map the uid to a global kernel uid */
549 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
550}
551EXPORT_SYMBOL(make_kprojid);
552
553/**
554 * from_kprojid - Create a projid from a kprojid user-namespace pair.
555 * @targ: The user namespace we want a projid in.
556 * @kprojid: The kernel internal project identifier to start with.
557 *
558 * Map @kprojid into the user-namespace specified by @targ and
559 * return the resulting projid.
560 *
561 * There is always a mapping into the initial user_namespace.
562 *
563 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
564 */
565projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
566{
567 /* Map the uid from a global kernel uid */
568 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
569}
570EXPORT_SYMBOL(from_kprojid);
571
572/**
573 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
574 * @targ: The user namespace we want a projid in.
575 * @kprojid: The kernel internal projid to start with.
576 *
577 * Map @kprojid into the user-namespace specified by @targ and
578 * return the resulting projid.
579 *
580 * There is always a mapping into the initial user_namespace.
581 *
582 * Unlike from_kprojid from_kprojid_munged never fails and always
583 * returns a valid projid. This makes from_kprojid_munged
584 * appropriate for use in syscalls like stat and where
585 * failing the system call and failing to provide a valid projid are
586 * not an options.
587 *
588 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
589 */
590projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
591{
592 projid_t projid;
593 projid = from_kprojid(targ, kprojid);
594
595 if (projid == (projid_t) -1)
596 projid = OVERFLOW_PROJID;
597 return projid;
598}
599EXPORT_SYMBOL(from_kprojid_munged);
600
601
602static int uid_m_show(struct seq_file *seq, void *v)
603{
604 struct user_namespace *ns = seq->private;
605 struct uid_gid_extent *extent = v;
606 struct user_namespace *lower_ns;
607 uid_t lower;
608
609 lower_ns = seq_user_ns(seq);
610 if ((lower_ns == ns) && lower_ns->parent)
611 lower_ns = lower_ns->parent;
612
613 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
614
615 seq_printf(seq, "%10u %10u %10u\n",
616 extent->first,
617 lower,
618 extent->count);
619
620 return 0;
621}
622
623static int gid_m_show(struct seq_file *seq, void *v)
624{
625 struct user_namespace *ns = seq->private;
626 struct uid_gid_extent *extent = v;
627 struct user_namespace *lower_ns;
628 gid_t lower;
629
630 lower_ns = seq_user_ns(seq);
631 if ((lower_ns == ns) && lower_ns->parent)
632 lower_ns = lower_ns->parent;
633
634 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
635
636 seq_printf(seq, "%10u %10u %10u\n",
637 extent->first,
638 lower,
639 extent->count);
640
641 return 0;
642}
643
644static int projid_m_show(struct seq_file *seq, void *v)
645{
646 struct user_namespace *ns = seq->private;
647 struct uid_gid_extent *extent = v;
648 struct user_namespace *lower_ns;
649 projid_t lower;
650
651 lower_ns = seq_user_ns(seq);
652 if ((lower_ns == ns) && lower_ns->parent)
653 lower_ns = lower_ns->parent;
654
655 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
656
657 seq_printf(seq, "%10u %10u %10u\n",
658 extent->first,
659 lower,
660 extent->count);
661
662 return 0;
663}
664
665static void *m_start(struct seq_file *seq, loff_t *ppos,
666 struct uid_gid_map *map)
667{
668 loff_t pos = *ppos;
669 unsigned extents = map->nr_extents;
670 smp_rmb();
671
672 if (pos >= extents)
673 return NULL;
674
675 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
676 return &map->extent[pos];
677
678 return &map->forward[pos];
679}
680
681static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
682{
683 struct user_namespace *ns = seq->private;
684
685 return m_start(seq, ppos, &ns->uid_map);
686}
687
688static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
689{
690 struct user_namespace *ns = seq->private;
691
692 return m_start(seq, ppos, &ns->gid_map);
693}
694
695static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
696{
697 struct user_namespace *ns = seq->private;
698
699 return m_start(seq, ppos, &ns->projid_map);
700}
701
702static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
703{
704 (*pos)++;
705 return seq->op->start(seq, pos);
706}
707
708static void m_stop(struct seq_file *seq, void *v)
709{
710 return;
711}
712
713const struct seq_operations proc_uid_seq_operations = {
714 .start = uid_m_start,
715 .stop = m_stop,
716 .next = m_next,
717 .show = uid_m_show,
718};
719
720const struct seq_operations proc_gid_seq_operations = {
721 .start = gid_m_start,
722 .stop = m_stop,
723 .next = m_next,
724 .show = gid_m_show,
725};
726
727const struct seq_operations proc_projid_seq_operations = {
728 .start = projid_m_start,
729 .stop = m_stop,
730 .next = m_next,
731 .show = projid_m_show,
732};
733
734static bool mappings_overlap(struct uid_gid_map *new_map,
735 struct uid_gid_extent *extent)
736{
737 u32 upper_first, lower_first, upper_last, lower_last;
738 unsigned idx;
739
740 upper_first = extent->first;
741 lower_first = extent->lower_first;
742 upper_last = upper_first + extent->count - 1;
743 lower_last = lower_first + extent->count - 1;
744
745 for (idx = 0; idx < new_map->nr_extents; idx++) {
746 u32 prev_upper_first, prev_lower_first;
747 u32 prev_upper_last, prev_lower_last;
748 struct uid_gid_extent *prev;
749
750 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
751 prev = &new_map->extent[idx];
752 else
753 prev = &new_map->forward[idx];
754
755 prev_upper_first = prev->first;
756 prev_lower_first = prev->lower_first;
757 prev_upper_last = prev_upper_first + prev->count - 1;
758 prev_lower_last = prev_lower_first + prev->count - 1;
759
760 /* Does the upper range intersect a previous extent? */
761 if ((prev_upper_first <= upper_last) &&
762 (prev_upper_last >= upper_first))
763 return true;
764
765 /* Does the lower range intersect a previous extent? */
766 if ((prev_lower_first <= lower_last) &&
767 (prev_lower_last >= lower_first))
768 return true;
769 }
770 return false;
771}
772
773/*
774 * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
775 * Takes care to allocate a 4K block of memory if the number of mappings exceeds
776 * UID_GID_MAP_MAX_BASE_EXTENTS.
777 */
778static int insert_extent(struct uid_gid_map *map, struct uid_gid_extent *extent)
779{
780 struct uid_gid_extent *dest;
781
782 if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) {
783 struct uid_gid_extent *forward;
784
785 /* Allocate memory for 340 mappings. */
786 forward = kmalloc_array(UID_GID_MAP_MAX_EXTENTS,
787 sizeof(struct uid_gid_extent),
788 GFP_KERNEL);
789 if (!forward)
790 return -ENOMEM;
791
792 /* Copy over memory. Only set up memory for the forward pointer.
793 * Defer the memory setup for the reverse pointer.
794 */
795 memcpy(forward, map->extent,
796 map->nr_extents * sizeof(map->extent[0]));
797
798 map->forward = forward;
799 map->reverse = NULL;
800 }
801
802 if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS)
803 dest = &map->extent[map->nr_extents];
804 else
805 dest = &map->forward[map->nr_extents];
806
807 *dest = *extent;
808 map->nr_extents++;
809 return 0;
810}
811
812/* cmp function to sort() forward mappings */
813static int cmp_extents_forward(const void *a, const void *b)
814{
815 const struct uid_gid_extent *e1 = a;
816 const struct uid_gid_extent *e2 = b;
817
818 if (e1->first < e2->first)
819 return -1;
820
821 if (e1->first > e2->first)
822 return 1;
823
824 return 0;
825}
826
827/* cmp function to sort() reverse mappings */
828static int cmp_extents_reverse(const void *a, const void *b)
829{
830 const struct uid_gid_extent *e1 = a;
831 const struct uid_gid_extent *e2 = b;
832
833 if (e1->lower_first < e2->lower_first)
834 return -1;
835
836 if (e1->lower_first > e2->lower_first)
837 return 1;
838
839 return 0;
840}
841
842/*
843 * sort_idmaps - Sorts an array of idmap entries.
844 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
845 */
846static int sort_idmaps(struct uid_gid_map *map)
847{
848 if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
849 return 0;
850
851 /* Sort forward array. */
852 sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent),
853 cmp_extents_forward, NULL);
854
855 /* Only copy the memory from forward we actually need. */
856 map->reverse = kmemdup_array(map->forward, map->nr_extents,
857 sizeof(struct uid_gid_extent), GFP_KERNEL);
858 if (!map->reverse)
859 return -ENOMEM;
860
861 /* Sort reverse array. */
862 sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent),
863 cmp_extents_reverse, NULL);
864
865 return 0;
866}
867
868/**
869 * verify_root_map() - check the uid 0 mapping
870 * @file: idmapping file
871 * @map_ns: user namespace of the target process
872 * @new_map: requested idmap
873 *
874 * If a process requests mapping parent uid 0 into the new ns, verify that the
875 * process writing the map had the CAP_SETFCAP capability as the target process
876 * will be able to write fscaps that are valid in ancestor user namespaces.
877 *
878 * Return: true if the mapping is allowed, false if not.
879 */
880static bool verify_root_map(const struct file *file,
881 struct user_namespace *map_ns,
882 struct uid_gid_map *new_map)
883{
884 int idx;
885 const struct user_namespace *file_ns = file->f_cred->user_ns;
886 struct uid_gid_extent *extent0 = NULL;
887
888 for (idx = 0; idx < new_map->nr_extents; idx++) {
889 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
890 extent0 = &new_map->extent[idx];
891 else
892 extent0 = &new_map->forward[idx];
893 if (extent0->lower_first == 0)
894 break;
895
896 extent0 = NULL;
897 }
898
899 if (!extent0)
900 return true;
901
902 if (map_ns == file_ns) {
903 /* The process unshared its ns and is writing to its own
904 * /proc/self/uid_map. User already has full capabilites in
905 * the new namespace. Verify that the parent had CAP_SETFCAP
906 * when it unshared.
907 * */
908 if (!file_ns->parent_could_setfcap)
909 return false;
910 } else {
911 /* Process p1 is writing to uid_map of p2, who is in a child
912 * user namespace to p1's. Verify that the opener of the map
913 * file has CAP_SETFCAP against the parent of the new map
914 * namespace */
915 if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP))
916 return false;
917 }
918
919 return true;
920}
921
922static ssize_t map_write(struct file *file, const char __user *buf,
923 size_t count, loff_t *ppos,
924 int cap_setid,
925 struct uid_gid_map *map,
926 struct uid_gid_map *parent_map)
927{
928 struct seq_file *seq = file->private_data;
929 struct user_namespace *map_ns = seq->private;
930 struct uid_gid_map new_map;
931 unsigned idx;
932 struct uid_gid_extent extent;
933 char *kbuf, *pos, *next_line;
934 ssize_t ret;
935
936 /* Only allow < page size writes at the beginning of the file */
937 if ((*ppos != 0) || (count >= PAGE_SIZE))
938 return -EINVAL;
939
940 /* Slurp in the user data */
941 kbuf = memdup_user_nul(buf, count);
942 if (IS_ERR(kbuf))
943 return PTR_ERR(kbuf);
944
945 /*
946 * The userns_state_mutex serializes all writes to any given map.
947 *
948 * Any map is only ever written once.
949 *
950 * An id map fits within 1 cache line on most architectures.
951 *
952 * On read nothing needs to be done unless you are on an
953 * architecture with a crazy cache coherency model like alpha.
954 *
955 * There is a one time data dependency between reading the
956 * count of the extents and the values of the extents. The
957 * desired behavior is to see the values of the extents that
958 * were written before the count of the extents.
959 *
960 * To achieve this smp_wmb() is used on guarantee the write
961 * order and smp_rmb() is guaranteed that we don't have crazy
962 * architectures returning stale data.
963 */
964 mutex_lock(&userns_state_mutex);
965
966 memset(&new_map, 0, sizeof(struct uid_gid_map));
967
968 ret = -EPERM;
969 /* Only allow one successful write to the map */
970 if (map->nr_extents != 0)
971 goto out;
972
973 /*
974 * Adjusting namespace settings requires capabilities on the target.
975 */
976 if (cap_valid(cap_setid) && !file_ns_capable(file, map_ns, CAP_SYS_ADMIN))
977 goto out;
978
979 /* Parse the user data */
980 ret = -EINVAL;
981 pos = kbuf;
982 for (; pos; pos = next_line) {
983
984 /* Find the end of line and ensure I don't look past it */
985 next_line = strchr(pos, '\n');
986 if (next_line) {
987 *next_line = '\0';
988 next_line++;
989 if (*next_line == '\0')
990 next_line = NULL;
991 }
992
993 pos = skip_spaces(pos);
994 extent.first = simple_strtoul(pos, &pos, 10);
995 if (!isspace(*pos))
996 goto out;
997
998 pos = skip_spaces(pos);
999 extent.lower_first = simple_strtoul(pos, &pos, 10);
1000 if (!isspace(*pos))
1001 goto out;
1002
1003 pos = skip_spaces(pos);
1004 extent.count = simple_strtoul(pos, &pos, 10);
1005 if (*pos && !isspace(*pos))
1006 goto out;
1007
1008 /* Verify there is not trailing junk on the line */
1009 pos = skip_spaces(pos);
1010 if (*pos != '\0')
1011 goto out;
1012
1013 /* Verify we have been given valid starting values */
1014 if ((extent.first == (u32) -1) ||
1015 (extent.lower_first == (u32) -1))
1016 goto out;
1017
1018 /* Verify count is not zero and does not cause the
1019 * extent to wrap
1020 */
1021 if ((extent.first + extent.count) <= extent.first)
1022 goto out;
1023 if ((extent.lower_first + extent.count) <=
1024 extent.lower_first)
1025 goto out;
1026
1027 /* Do the ranges in extent overlap any previous extents? */
1028 if (mappings_overlap(&new_map, &extent))
1029 goto out;
1030
1031 if ((new_map.nr_extents + 1) == UID_GID_MAP_MAX_EXTENTS &&
1032 (next_line != NULL))
1033 goto out;
1034
1035 ret = insert_extent(&new_map, &extent);
1036 if (ret < 0)
1037 goto out;
1038 ret = -EINVAL;
1039 }
1040 /* Be very certain the new map actually exists */
1041 if (new_map.nr_extents == 0)
1042 goto out;
1043
1044 ret = -EPERM;
1045 /* Validate the user is allowed to use user id's mapped to. */
1046 if (!new_idmap_permitted(file, map_ns, cap_setid, &new_map))
1047 goto out;
1048
1049 ret = -EPERM;
1050 /* Map the lower ids from the parent user namespace to the
1051 * kernel global id space.
1052 */
1053 for (idx = 0; idx < new_map.nr_extents; idx++) {
1054 struct uid_gid_extent *e;
1055 u32 lower_first;
1056
1057 if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
1058 e = &new_map.extent[idx];
1059 else
1060 e = &new_map.forward[idx];
1061
1062 lower_first = map_id_range_down(parent_map,
1063 e->lower_first,
1064 e->count);
1065
1066 /* Fail if we can not map the specified extent to
1067 * the kernel global id space.
1068 */
1069 if (lower_first == (u32) -1)
1070 goto out;
1071
1072 e->lower_first = lower_first;
1073 }
1074
1075 /*
1076 * If we want to use binary search for lookup, this clones the extent
1077 * array and sorts both copies.
1078 */
1079 ret = sort_idmaps(&new_map);
1080 if (ret < 0)
1081 goto out;
1082
1083 /* Install the map */
1084 if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
1085 memcpy(map->extent, new_map.extent,
1086 new_map.nr_extents * sizeof(new_map.extent[0]));
1087 } else {
1088 map->forward = new_map.forward;
1089 map->reverse = new_map.reverse;
1090 }
1091 smp_wmb();
1092 map->nr_extents = new_map.nr_extents;
1093
1094 *ppos = count;
1095 ret = count;
1096out:
1097 if (ret < 0 && new_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
1098 kfree(new_map.forward);
1099 kfree(new_map.reverse);
1100 map->forward = NULL;
1101 map->reverse = NULL;
1102 map->nr_extents = 0;
1103 }
1104
1105 mutex_unlock(&userns_state_mutex);
1106 kfree(kbuf);
1107 return ret;
1108}
1109
1110ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
1111 size_t size, loff_t *ppos)
1112{
1113 struct seq_file *seq = file->private_data;
1114 struct user_namespace *ns = seq->private;
1115 struct user_namespace *seq_ns = seq_user_ns(seq);
1116
1117 if (!ns->parent)
1118 return -EPERM;
1119
1120 if ((seq_ns != ns) && (seq_ns != ns->parent))
1121 return -EPERM;
1122
1123 return map_write(file, buf, size, ppos, CAP_SETUID,
1124 &ns->uid_map, &ns->parent->uid_map);
1125}
1126
1127ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
1128 size_t size, loff_t *ppos)
1129{
1130 struct seq_file *seq = file->private_data;
1131 struct user_namespace *ns = seq->private;
1132 struct user_namespace *seq_ns = seq_user_ns(seq);
1133
1134 if (!ns->parent)
1135 return -EPERM;
1136
1137 if ((seq_ns != ns) && (seq_ns != ns->parent))
1138 return -EPERM;
1139
1140 return map_write(file, buf, size, ppos, CAP_SETGID,
1141 &ns->gid_map, &ns->parent->gid_map);
1142}
1143
1144ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
1145 size_t size, loff_t *ppos)
1146{
1147 struct seq_file *seq = file->private_data;
1148 struct user_namespace *ns = seq->private;
1149 struct user_namespace *seq_ns = seq_user_ns(seq);
1150
1151 if (!ns->parent)
1152 return -EPERM;
1153
1154 if ((seq_ns != ns) && (seq_ns != ns->parent))
1155 return -EPERM;
1156
1157 /* Anyone can set any valid project id no capability needed */
1158 return map_write(file, buf, size, ppos, -1,
1159 &ns->projid_map, &ns->parent->projid_map);
1160}
1161
1162static bool new_idmap_permitted(const struct file *file,
1163 struct user_namespace *ns, int cap_setid,
1164 struct uid_gid_map *new_map)
1165{
1166 const struct cred *cred = file->f_cred;
1167
1168 if (cap_setid == CAP_SETUID && !verify_root_map(file, ns, new_map))
1169 return false;
1170
1171 /* Don't allow mappings that would allow anything that wouldn't
1172 * be allowed without the establishment of unprivileged mappings.
1173 */
1174 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
1175 uid_eq(ns->owner, cred->euid)) {
1176 u32 id = new_map->extent[0].lower_first;
1177 if (cap_setid == CAP_SETUID) {
1178 kuid_t uid = make_kuid(ns->parent, id);
1179 if (uid_eq(uid, cred->euid))
1180 return true;
1181 } else if (cap_setid == CAP_SETGID) {
1182 kgid_t gid = make_kgid(ns->parent, id);
1183 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
1184 gid_eq(gid, cred->egid))
1185 return true;
1186 }
1187 }
1188
1189 /* Allow anyone to set a mapping that doesn't require privilege */
1190 if (!cap_valid(cap_setid))
1191 return true;
1192
1193 /* Allow the specified ids if we have the appropriate capability
1194 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
1195 * And the opener of the id file also has the appropriate capability.
1196 */
1197 if (ns_capable(ns->parent, cap_setid) &&
1198 file_ns_capable(file, ns->parent, cap_setid))
1199 return true;
1200
1201 return false;
1202}
1203
1204int proc_setgroups_show(struct seq_file *seq, void *v)
1205{
1206 struct user_namespace *ns = seq->private;
1207 unsigned long userns_flags = READ_ONCE(ns->flags);
1208
1209 seq_printf(seq, "%s\n",
1210 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
1211 "allow" : "deny");
1212 return 0;
1213}
1214
1215ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
1216 size_t count, loff_t *ppos)
1217{
1218 struct seq_file *seq = file->private_data;
1219 struct user_namespace *ns = seq->private;
1220 char kbuf[8], *pos;
1221 bool setgroups_allowed;
1222 ssize_t ret;
1223
1224 /* Only allow a very narrow range of strings to be written */
1225 ret = -EINVAL;
1226 if ((*ppos != 0) || (count >= sizeof(kbuf)))
1227 goto out;
1228
1229 /* What was written? */
1230 ret = -EFAULT;
1231 if (copy_from_user(kbuf, buf, count))
1232 goto out;
1233 kbuf[count] = '\0';
1234 pos = kbuf;
1235
1236 /* What is being requested? */
1237 ret = -EINVAL;
1238 if (strncmp(pos, "allow", 5) == 0) {
1239 pos += 5;
1240 setgroups_allowed = true;
1241 }
1242 else if (strncmp(pos, "deny", 4) == 0) {
1243 pos += 4;
1244 setgroups_allowed = false;
1245 }
1246 else
1247 goto out;
1248
1249 /* Verify there is not trailing junk on the line */
1250 pos = skip_spaces(pos);
1251 if (*pos != '\0')
1252 goto out;
1253
1254 ret = -EPERM;
1255 mutex_lock(&userns_state_mutex);
1256 if (setgroups_allowed) {
1257 /* Enabling setgroups after setgroups has been disabled
1258 * is not allowed.
1259 */
1260 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
1261 goto out_unlock;
1262 } else {
1263 /* Permanently disabling setgroups after setgroups has
1264 * been enabled by writing the gid_map is not allowed.
1265 */
1266 if (ns->gid_map.nr_extents != 0)
1267 goto out_unlock;
1268 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
1269 }
1270 mutex_unlock(&userns_state_mutex);
1271
1272 /* Report a successful write */
1273 *ppos = count;
1274 ret = count;
1275out:
1276 return ret;
1277out_unlock:
1278 mutex_unlock(&userns_state_mutex);
1279 goto out;
1280}
1281
1282bool userns_may_setgroups(const struct user_namespace *ns)
1283{
1284 bool allowed;
1285
1286 mutex_lock(&userns_state_mutex);
1287 /* It is not safe to use setgroups until a gid mapping in
1288 * the user namespace has been established.
1289 */
1290 allowed = ns->gid_map.nr_extents != 0;
1291 /* Is setgroups allowed? */
1292 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
1293 mutex_unlock(&userns_state_mutex);
1294
1295 return allowed;
1296}
1297
1298/*
1299 * Returns true if @child is the same namespace or a descendant of
1300 * @ancestor.
1301 */
1302bool in_userns(const struct user_namespace *ancestor,
1303 const struct user_namespace *child)
1304{
1305 const struct user_namespace *ns;
1306 for (ns = child; ns->level > ancestor->level; ns = ns->parent)
1307 ;
1308 return (ns == ancestor);
1309}
1310
1311bool current_in_userns(const struct user_namespace *target_ns)
1312{
1313 return in_userns(target_ns, current_user_ns());
1314}
1315EXPORT_SYMBOL(current_in_userns);
1316
1317static inline struct user_namespace *to_user_ns(struct ns_common *ns)
1318{
1319 return container_of(ns, struct user_namespace, ns);
1320}
1321
1322static struct ns_common *userns_get(struct task_struct *task)
1323{
1324 struct user_namespace *user_ns;
1325
1326 rcu_read_lock();
1327 user_ns = get_user_ns(__task_cred(task)->user_ns);
1328 rcu_read_unlock();
1329
1330 return user_ns ? &user_ns->ns : NULL;
1331}
1332
1333static void userns_put(struct ns_common *ns)
1334{
1335 put_user_ns(to_user_ns(ns));
1336}
1337
1338static int userns_install(struct nsset *nsset, struct ns_common *ns)
1339{
1340 struct user_namespace *user_ns = to_user_ns(ns);
1341 struct cred *cred;
1342
1343 /* Don't allow gaining capabilities by reentering
1344 * the same user namespace.
1345 */
1346 if (user_ns == current_user_ns())
1347 return -EINVAL;
1348
1349 /* Tasks that share a thread group must share a user namespace */
1350 if (!thread_group_empty(current))
1351 return -EINVAL;
1352
1353 if (current->fs->users != 1)
1354 return -EINVAL;
1355
1356 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1357 return -EPERM;
1358
1359 cred = nsset_cred(nsset);
1360 if (!cred)
1361 return -EINVAL;
1362
1363 put_user_ns(cred->user_ns);
1364 set_cred_user_ns(cred, get_user_ns(user_ns));
1365
1366 if (set_cred_ucounts(cred) < 0)
1367 return -EINVAL;
1368
1369 return 0;
1370}
1371
1372struct ns_common *ns_get_owner(struct ns_common *ns)
1373{
1374 struct user_namespace *my_user_ns = current_user_ns();
1375 struct user_namespace *owner, *p;
1376
1377 /* See if the owner is in the current user namespace */
1378 owner = p = ns->ops->owner(ns);
1379 for (;;) {
1380 if (!p)
1381 return ERR_PTR(-EPERM);
1382 if (p == my_user_ns)
1383 break;
1384 p = p->parent;
1385 }
1386
1387 return &get_user_ns(owner)->ns;
1388}
1389
1390static struct user_namespace *userns_owner(struct ns_common *ns)
1391{
1392 return to_user_ns(ns)->parent;
1393}
1394
1395const struct proc_ns_operations userns_operations = {
1396 .name = "user",
1397 .type = CLONE_NEWUSER,
1398 .get = userns_get,
1399 .put = userns_put,
1400 .install = userns_install,
1401 .owner = userns_owner,
1402 .get_parent = ns_get_owner,
1403};
1404
1405static __init int user_namespaces_init(void)
1406{
1407 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC | SLAB_ACCOUNT);
1408 return 0;
1409}
1410subsys_initcall(user_namespaces_init);