
30 				struct user_namespace *ns, int cap_setid,
34 static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid) in inc_user_namespaces() argument
36 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES); in inc_user_namespaces()
85 struct user_namespace *ns, *parent_ns = new->user_ns; in create_user_ns() local
119 if (ret < 0) in create_user_ns()
123 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL); in create_user_ns()
124 if (!ns) in create_user_ns()
127 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP); in create_user_ns()
129 ret = ns_common_init(ns); in create_user_ns()
134 ns->parent = parent_ns; in create_user_ns()
135 ns->level = parent_ns->level + 1; in create_user_ns()
136 ns->owner = owner; in create_user_ns()
137 ns->group = group; in create_user_ns()
138 INIT_WORK(&ns->work, free_user_ns); in create_user_ns()
139 for (i = 0; i < UCOUNT_COUNTS; i++) { in create_user_ns()
140 ns->ucount_max[i] = INT_MAX; in create_user_ns()
142 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit()); in create_user_ns()
143 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE)); in create_user_ns()
144 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING)); in create_user_ns()
145 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK)); in create_user_ns()
146 ns->ucounts = ucounts; in create_user_ns()
150 ns->flags = parent_ns->flags; in create_user_ns()
154 INIT_LIST_HEAD(&ns->keyring_name_list); in create_user_ns()
155 init_rwsem(&ns->keyring_sem); in create_user_ns()
158 if (!setup_userns_sysctls(ns)) in create_user_ns()
161 set_cred_user_ns(new, ns); in create_user_ns()
162 ns_tree_add(ns); in create_user_ns()
163 return 0; in create_user_ns()
166 key_put(ns->persistent_keyring_register); in create_user_ns()
168 ns_common_free(ns); in create_user_ns()
170 kmem_cache_free(user_ns_cachep, ns); in create_user_ns()
183 return 0; in unshare_userns()
199 struct user_namespace *parent, *ns = in free_user_ns() local
203 struct ucounts *ucounts = ns->ucounts; in free_user_ns()
204 parent = ns->parent; in free_user_ns()
205 ns_tree_remove(ns); in free_user_ns()
206 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
207 kfree(ns->gid_map.forward); in free_user_ns()
208 kfree(ns->gid_map.reverse); in free_user_ns()
210 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
211 kfree(ns->uid_map.forward); in free_user_ns()
212 kfree(ns->uid_map.reverse); in free_user_ns()
214 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
215 kfree(ns->projid_map.forward); in free_user_ns()
216 kfree(ns->projid_map.reverse); in free_user_ns()
219 kfree(ns->binfmt_misc); in free_user_ns()
221 retire_userns_sysctls(ns); in free_user_ns()
222 key_free_user_ns(ns); in free_user_ns()
223 ns_common_free(ns); in free_user_ns()
225 kfree_rcu(ns, ns.ns_rcu); in free_user_ns()
227 ns = parent; in free_user_ns()
231 void __put_user_ns(struct user_namespace *ns) in __put_user_ns() argument
233 schedule_work(&ns->work); in __put_user_ns()
269 return 0; in cmp_map_id()
308 for (idx = 0; idx < extents; idx++) { in map_id_range_down_base()
357 for (idx = 0; idx < extents; idx++) { in map_id_range_up_base()
411 * @ns: User namespace that the uid is in
422 kuid_t make_kuid(struct user_namespace *ns, uid_t uid) in make_kuid() argument
425 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); in make_kuid()
479 * @ns: User namespace that the gid is in
490 kgid_t make_kgid(struct user_namespace *ns, gid_t gid) in make_kgid() argument
493 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); in make_kgid()
546 * @ns: User namespace that the projid is in
557 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid) in make_kprojid() argument
560 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); in make_kprojid()
615 struct user_namespace *ns = seq->private; in uid_m_show() local
621 if ((lower_ns == ns) && lower_ns->parent) in uid_m_show()
631 return 0; in uid_m_show()
636 struct user_namespace *ns = seq->private; in gid_m_show() local
642 if ((lower_ns == ns) && lower_ns->parent) in gid_m_show()
652 return 0; in gid_m_show()
657 struct user_namespace *ns = seq->private; in projid_m_show() local
663 if ((lower_ns == ns) && lower_ns->parent) in projid_m_show()
673 return 0; in projid_m_show()
694 struct user_namespace *ns = seq->private; in uid_m_start() local
696 return m_start(seq, ppos, &ns->uid_map); in uid_m_start()
701 struct user_namespace *ns = seq->private; in gid_m_start() local
703 return m_start(seq, ppos, &ns->gid_map); in gid_m_start()
708 struct user_namespace *ns = seq->private; in projid_m_start() local
710 return m_start(seq, ppos, &ns->projid_map); in projid_m_start()
756 for (idx = 0; idx < new_map->nr_extents; idx++) { in mappings_overlap()
807 map->nr_extents * sizeof(map->extent[0])); in insert_extent()
820 return 0; in insert_extent()
835 return 0; in cmp_extents_forward()
850 return 0; in cmp_extents_reverse()
860 return 0; in sort_idmaps()
876 return 0; in sort_idmaps()
880 * verify_root_map() - check the uid 0 mapping
885 * If a process requests mapping parent uid 0 into the new ns, verify that the
899 for (idx = 0; idx < new_map->nr_extents; idx++) { in verify_root_map()
904 if (extent0->lower_first == 0) in verify_root_map()
914 /* The process unshared its ns and is writing to its own in verify_root_map()
948 if ((*ppos != 0) || (count >= PAGE_SIZE)) in map_write()
977 memset(&new_map, 0, sizeof(struct uid_gid_map)); in map_write()
981 if (map->nr_extents != 0) in map_write()
998 *next_line = '\0'; in map_write()
1000 if (*next_line == '\0') in map_write()
1021 if (*pos != '\0') in map_write()
1047 if (ret < 0) in map_write()
1052 if (new_map.nr_extents == 0) in map_write()
1064 for (idx = 0; idx < new_map.nr_extents; idx++) { in map_write()
1091 if (ret < 0) in map_write()
1097 new_map.nr_extents * sizeof(new_map.extent[0])); in map_write()
1108 if (ret < 0 && new_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in map_write()
1113 map->nr_extents = 0; in map_write()
1125 struct user_namespace *ns = seq->private; in proc_uid_map_write() local
1128 if (!ns->parent) in proc_uid_map_write()
1131 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_uid_map_write()
1135 &ns->uid_map, &ns->parent->uid_map); in proc_uid_map_write()
1142 struct user_namespace *ns = seq->private; in proc_gid_map_write() local
1145 if (!ns->parent) in proc_gid_map_write()
1148 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_gid_map_write()
1152 &ns->gid_map, &ns->parent->gid_map); in proc_gid_map_write()
1159 struct user_namespace *ns = seq->private; in proc_projid_map_write() local
1162 if (!ns->parent) in proc_projid_map_write()
1165 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_projid_map_write()
1170 &ns->projid_map, &ns->parent->projid_map); in proc_projid_map_write()
1174 struct user_namespace *ns, int cap_setid, in new_idmap_permitted() argument
1179 if (cap_setid == CAP_SETUID && !verify_root_map(file, ns, new_map)) in new_idmap_permitted()
1185 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && in new_idmap_permitted()
1186 uid_eq(ns->owner, cred->euid)) { in new_idmap_permitted()
1187 u32 id = new_map->extent[0].lower_first; in new_idmap_permitted()
1189 kuid_t uid = make_kuid(ns->parent, id); in new_idmap_permitted()
1193 kgid_t gid = make_kgid(ns->parent, id); in new_idmap_permitted()
1194 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) && in new_idmap_permitted()
1208 if (ns_capable(ns->parent, cap_setid) && in new_idmap_permitted()
1209 file_ns_capable(file, ns->parent, cap_setid)) in new_idmap_permitted()
1217 struct user_namespace *ns = seq->private; in proc_setgroups_show() local
1218 unsigned long userns_flags = READ_ONCE(ns->flags); in proc_setgroups_show()
1223 return 0; in proc_setgroups_show()
1230 struct user_namespace *ns = seq->private; in proc_setgroups_write() local
1237 if ((*ppos != 0) || (count >= sizeof(kbuf))) in proc_setgroups_write()
1244 kbuf[count] = '\0'; in proc_setgroups_write()
1249 if (strncmp(pos, "allow", 5) == 0) { in proc_setgroups_write()
1253 else if (strncmp(pos, "deny", 4) == 0) { in proc_setgroups_write()
1262 if (*pos != '\0') in proc_setgroups_write()
1271 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED)) in proc_setgroups_write()
1277 if (ns->gid_map.nr_extents != 0) in proc_setgroups_write()
1279 ns->flags &= ~USERNS_SETGROUPS_ALLOWED; in proc_setgroups_write()
1293 bool userns_may_setgroups(const struct user_namespace *ns) in userns_may_setgroups() argument
1301 allowed = ns->gid_map.nr_extents != 0; in userns_may_setgroups()
1303 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED); in userns_may_setgroups()
1316 const struct user_namespace *ns; in in_userns() local
1317 for (ns = child; ns->level > ancestor->level; ns = ns->parent) in in_userns()
1319 return (ns == ancestor); in in_userns()
1336 return user_ns ? &user_ns->ns : NULL; in userns_get()
1339 static void userns_put(struct ns_common *ns) in userns_put() argument
1341 put_user_ns(to_user_ns(ns)); in userns_put()
1344 static int userns_install(struct nsset *nsset, struct ns_common *ns) in userns_install() argument
1346 struct user_namespace *user_ns = to_user_ns(ns); in userns_install()
1372 if (set_cred_ucounts(cred) < 0) in userns_install()
1375 return 0; in userns_install()
1378 struct ns_common *ns_get_owner(struct ns_common *ns) in ns_get_owner() argument
1384 owner = p = ns->ops->owner(ns); in ns_get_owner()
1393 return &get_user_ns(owner)->ns; in ns_get_owner()
1396 static struct user_namespace *userns_owner(struct ns_common *ns) in userns_owner() argument
1398 return to_user_ns(ns)->parent; in userns_owner()
1414 return 0; in user_namespaces_init()