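Lines matching +full:ns +full:- (search hits only: each entry gives the source line number, the matching line and, where there is one, the enclosing function; lines of the file that do not match are omitted, so consecutive entries are not necessarily adjacent statements)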
1 // SPDX-License-Identifier: GPL-2.0-only
42 struct kmem_cache **pkc = &pid_cache[level - 1]; in create_pid_cachep()
63 static struct ucounts *inc_pid_namespaces(struct user_namespace *ns) in inc_pid_namespaces() argument
65 return inc_ucount(ns, current_euid(), UCOUNT_PID_NAMESPACES); in inc_pid_namespaces()
78 struct pid_namespace *ns; in create_pid_namespace() local
79 unsigned int level = parent_pid_ns->level + 1; in create_pid_namespace()
83 err = -EINVAL; in create_pid_namespace()
84 if (!in_userns(parent_pid_ns->user_ns, user_ns)) in create_pid_namespace()
87 err = -ENOSPC; in create_pid_namespace()
94 err = -ENOMEM; in create_pid_namespace()
95 ns = kmem_cache_zalloc(pid_ns_cachep, GFP_KERNEL); in create_pid_namespace()
96 if (ns == NULL) in create_pid_namespace()
99 idr_init(&ns->idr); in create_pid_namespace()
101 ns->pid_cachep = create_pid_cachep(level); in create_pid_namespace()
102 if (ns->pid_cachep == NULL) in create_pid_namespace()
105 err = ns_alloc_inum(&ns->ns); in create_pid_namespace()
108 ns->ns.ops = &pidns_operations; in create_pid_namespace()
110 ns->pid_max = PID_MAX_LIMIT; in create_pid_namespace()
111 err = register_pidns_sysctls(ns); in create_pid_namespace()
115 refcount_set(&ns->ns.count, 1); in create_pid_namespace()
116 ns->level = level; in create_pid_namespace()
117 ns->parent = get_pid_ns(parent_pid_ns); in create_pid_namespace()
118 ns->user_ns = get_user_ns(user_ns); in create_pid_namespace()
119 ns->ucounts = ucounts; in create_pid_namespace()
120 ns->pid_allocated = PIDNS_ADDING; in create_pid_namespace()
121 INIT_WORK(&ns->work, destroy_pid_namespace_work); in create_pid_namespace()
124 ns->memfd_noexec_scope = pidns_memfd_noexec_scope(parent_pid_ns); in create_pid_namespace()
127 return ns; in create_pid_namespace()
130 ns_free_inum(&ns->ns); in create_pid_namespace()
132 idr_destroy(&ns->idr); in create_pid_namespace()
133 kmem_cache_free(pid_ns_cachep, ns); in create_pid_namespace()
142 struct pid_namespace *ns = container_of(p, struct pid_namespace, rcu); in delayed_free_pidns() local
144 dec_pid_namespaces(ns->ucounts); in delayed_free_pidns()
145 put_user_ns(ns->user_ns); in delayed_free_pidns()
147 kmem_cache_free(pid_ns_cachep, ns); in delayed_free_pidns()
150 static void destroy_pid_namespace(struct pid_namespace *ns) in destroy_pid_namespace() argument
152 unregister_pidns_sysctls(ns); in destroy_pid_namespace()
154 ns_free_inum(&ns->ns); in destroy_pid_namespace()
156 idr_destroy(&ns->idr); in destroy_pid_namespace()
157 call_rcu(&ns->rcu, delayed_free_pidns); in destroy_pid_namespace()
162 struct pid_namespace *ns = in destroy_pid_namespace_work() local
168 parent = ns->parent; in destroy_pid_namespace_work()
169 destroy_pid_namespace(ns); in destroy_pid_namespace_work()
170 ns = parent; in destroy_pid_namespace_work()
171 } while (ns != &init_pid_ns && refcount_dec_and_test(&ns->ns.count)); in destroy_pid_namespace_work()
180 return ERR_PTR(-EINVAL); in copy_pid_ns()
184 void put_pid_ns(struct pid_namespace *ns) in put_pid_ns() argument
186 if (ns && ns != &init_pid_ns && refcount_dec_and_test(&ns->ns.count)) in put_pid_ns()
187 schedule_work(&ns->work); in put_pid_ns()
207 spin_lock_irq(&me->sighand->siglock); in zap_pid_ns_processes()
208 me->sighand->action[SIGCHLD - 1].sa.sa_handler = SIG_IGN; in zap_pid_ns_processes()
209 spin_unlock_irq(&me->sighand->siglock); in zap_pid_ns_processes()
212 * The last thread in the cgroup-init thread group is terminating. in zap_pid_ns_processes()
216 * Note: This signals each thread in the namespace - even those that in zap_pid_ns_processes()
227 idr_for_each_entry_continue(&pid_ns->idr, pid, nr) { in zap_pid_ns_processes()
243 rc = kernel_wait4(-1, NULL, __WALL, NULL); in zap_pid_ns_processes()
244 } while (rc != -ECHILD); in zap_pid_ns_processes()
253 * to pid_ns->child_reaper. Thus pidns->child_reaper needs to in zap_pid_ns_processes()
256 * The code relies on the pid_ns->child_reaper ignoring in zap_pid_ns_processes()
271 if (pid_ns->pid_allocated == init_pids) in zap_pid_ns_processes()
277 if (pid_ns->reboot) in zap_pid_ns_processes()
278 current->signal->group_exit_code = pid_ns->reboot; in zap_pid_ns_processes()
292 if (write && !checkpoint_restore_ns_capable(pid_ns->user_ns)) in pid_ns_ctl_handler()
293 return -EPERM; in pid_ns_ctl_handler()
295 next = idr_get_cursor(&pid_ns->idr) - 1; in pid_ns_ctl_handler()
298 tmp.extra2 = &pid_ns->pid_max; in pid_ns_ctl_handler()
301 idr_set_cursor(&pid_ns->idr, next + 1); in pid_ns_ctl_handler()
326 pid_ns->reboot = SIGHUP; in reboot_pid_ns()
331 pid_ns->reboot = SIGINT; in reboot_pid_ns()
334 return -EINVAL; in reboot_pid_ns()
338 send_sig(SIGKILL, pid_ns->child_reaper, 1); in reboot_pid_ns()
347 static inline struct pid_namespace *to_pid_ns(struct ns_common *ns) in to_pid_ns() argument
349 return container_of(ns, struct pid_namespace, ns); in to_pid_ns()
354 struct pid_namespace *ns; in pidns_get() local
357 ns = task_active_pid_ns(task); in pidns_get()
358 if (ns) in pidns_get()
359 get_pid_ns(ns); in pidns_get()
362 return ns ? &ns->ns : NULL; in pidns_get()
367 struct pid_namespace *ns = NULL; in pidns_for_children_get() local
370 if (task->nsproxy) { in pidns_for_children_get()
371 ns = task->nsproxy->pid_ns_for_children; in pidns_for_children_get()
372 get_pid_ns(ns); in pidns_for_children_get()
376 if (ns) { in pidns_for_children_get()
378 if (!ns->child_reaper) { in pidns_for_children_get()
379 put_pid_ns(ns); in pidns_for_children_get()
380 ns = NULL; in pidns_for_children_get()
385 return ns ? &ns->ns : NULL; in pidns_for_children_get()
388 static void pidns_put(struct ns_common *ns) in pidns_put() argument
390 put_pid_ns(to_pid_ns(ns)); in pidns_put()
393 static int pidns_install(struct nsset *nsset, struct ns_common *ns) in pidns_install() argument
395 struct nsproxy *nsproxy = nsset->nsproxy; in pidns_install()
397 struct pid_namespace *ancestor, *new = to_pid_ns(ns); in pidns_install()
399 if (!ns_capable(new->user_ns, CAP_SYS_ADMIN) || in pidns_install()
400 !ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN)) in pidns_install()
401 return -EPERM; in pidns_install()
411 if (new->level < active->level) in pidns_install()
412 return -EINVAL; in pidns_install()
415 while (ancestor->level > active->level) in pidns_install()
416 ancestor = ancestor->parent; in pidns_install()
418 return -EINVAL; in pidns_install()
420 put_pid_ns(nsproxy->pid_ns_for_children); in pidns_install()
421 nsproxy->pid_ns_for_children = get_pid_ns(new); in pidns_install()
425 static struct ns_common *pidns_get_parent(struct ns_common *ns) in pidns_get_parent() argument
431 pid_ns = p = to_pid_ns(ns)->parent; in pidns_get_parent()
434 return ERR_PTR(-EPERM); in pidns_get_parent()
437 p = p->parent; in pidns_get_parent()
440 return &get_pid_ns(pid_ns)->ns; in pidns_get_parent()
443 static struct user_namespace *pidns_owner(struct ns_common *ns) in pidns_owner() argument
445 return to_pid_ns(ns)->user_ns; in pidns_owner()