Lines Matching +full:no +full:- +full:map

1 // SPDX-License-Identifier: GPL-2.0-only
14 #include <linux/key-type.h>
15 #include <keys/user-type.h>
31 struct uid_gid_map *map);
49 cred->securebits = SECUREBITS_DEFAULT; in set_cred_user_ns()
50 cred->cap_inheritable = CAP_EMPTY_SET; in set_cred_user_ns()
51 cred->cap_permitted = CAP_FULL_SET; in set_cred_user_ns()
52 cred->cap_effective = CAP_FULL_SET; in set_cred_user_ns()
53 cred->cap_ambient = CAP_EMPTY_SET; in set_cred_user_ns()
54 cred->cap_bset = CAP_FULL_SET; in set_cred_user_ns()
56 key_put(cred->request_key_auth); in set_cred_user_ns()
57 cred->request_key_auth = NULL; in set_cred_user_ns()
60 cred->user_ns = user_ns; in set_cred_user_ns()
85 struct user_namespace *ns, *parent_ns = new->user_ns; in create_user_ns()
86 kuid_t owner = new->euid; in create_user_ns()
87 kgid_t group = new->egid; in create_user_ns()
91 ret = -ENOSPC; in create_user_ns()
92 if (parent_ns->level > 32) in create_user_ns()
105 ret = -EPERM; in create_user_ns()
113 ret = -EPERM; in create_user_ns()
122 ret = -ENOMEM; in create_user_ns()
127 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP); in create_user_ns()
133 /* Leave the new->user_ns reference with the new user namespace. */ in create_user_ns()
134 ns->parent = parent_ns; in create_user_ns()
135 ns->level = parent_ns->level + 1; in create_user_ns()
136 ns->owner = owner; in create_user_ns()
137 ns->group = group; in create_user_ns()
138 INIT_WORK(&ns->work, free_user_ns); in create_user_ns()
140 ns->ucount_max[i] = INT_MAX; in create_user_ns()
146 ns->ucounts = ucounts; in create_user_ns()
150 ns->flags = parent_ns->flags; in create_user_ns()
154 INIT_LIST_HEAD(&ns->keyring_name_list); in create_user_ns()
155 init_rwsem(&ns->keyring_sem); in create_user_ns()
157 ret = -ENOMEM; in create_user_ns()
166 key_put(ns->persistent_keyring_register); in create_user_ns()
180 int err = -ENOMEM; in unshare_userns()
203 struct ucounts *ucounts = ns->ucounts; in free_user_ns()
204 parent = ns->parent; in free_user_ns()
206 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
207 kfree(ns->gid_map.forward); in free_user_ns()
208 kfree(ns->gid_map.reverse); in free_user_ns()
210 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
211 kfree(ns->uid_map.forward); in free_user_ns()
212 kfree(ns->uid_map.reverse); in free_user_ns()
214 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
215 kfree(ns->projid_map.forward); in free_user_ns()
216 kfree(ns->projid_map.reverse); in free_user_ns()
219 kfree(ns->binfmt_misc); in free_user_ns()
233 schedule_work(&ns->work); in __put_user_ns()
238 * struct idmap_key - holds the information necessary to find an idmapping in a
242 bool map_up; /* true -> id from kid; false -> kid from id */
248 * cmp_map_id - Function to be passed to bsearch() to find the requested
257 id2 = key->id + key->count - 1; in cmp_map_id()
260 if (key->map_up) in cmp_map_id()
261 first = el->lower_first; in cmp_map_id()
263 first = el->first; in cmp_map_id()
265 last = first + el->count - 1; in cmp_map_id()
267 if (key->id >= first && key->id <= last && in cmp_map_id()
271 if (key->id < first || id2 < first) in cmp_map_id()
272 return -1; in cmp_map_id()
278 * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
282 map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count) in map_id_range_down_max() argument
290 return bsearch(&key, map->forward, extents, in map_id_range_down_max()
295 * map_id_range_down_base - Find idmap via binary search in static extent array.
300 map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count) in map_id_range_down_base() argument
305 id2 = id + count - 1; in map_id_range_down_base()
309 first = map->extent[idx].first; in map_id_range_down_base()
310 last = first + map->extent[idx].count - 1; in map_id_range_down_base()
313 return &map->extent[idx]; in map_id_range_down_base()
318 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count) in map_id_range_down() argument
321 unsigned extents = map->nr_extents; in map_id_range_down()
325 extent = map_id_range_down_base(extents, map, id, count); in map_id_range_down()
327 extent = map_id_range_down_max(extents, map, id, count); in map_id_range_down()
329 /* Map the id or note failure */ in map_id_range_down()
331 id = (id - extent->first) + extent->lower_first; in map_id_range_down()
333 id = (u32) -1; in map_id_range_down()
338 u32 map_id_down(struct uid_gid_map *map, u32 id) in map_id_down() argument
340 return map_id_range_down(map, id, 1); in map_id_down()
344 * map_id_range_up_base - Find idmap via binary search in static extent array.
349 map_id_range_up_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count) in map_id_range_up_base() argument
354 id2 = id + count - 1; in map_id_range_up_base()
358 first = map->extent[idx].lower_first; in map_id_range_up_base()
359 last = first + map->extent[idx].count - 1; in map_id_range_up_base()
362 return &map->extent[idx]; in map_id_range_up_base()
368 * map_id_range_up_max - Find idmap via binary search in ordered idmap array.
372 map_id_range_up_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count) in map_id_range_up_max() argument
380 return bsearch(&key, map->reverse, extents, in map_id_range_up_max()
384 u32 map_id_range_up(struct uid_gid_map *map, u32 id, u32 count) in map_id_range_up() argument
387 unsigned extents = map->nr_extents; in map_id_range_up()
391 extent = map_id_range_up_base(extents, map, id, count); in map_id_range_up()
393 extent = map_id_range_up_max(extents, map, id, count); in map_id_range_up()
395 /* Map the id or note failure */ in map_id_range_up()
397 id = (id - extent->lower_first) + extent->first; in map_id_range_up()
399 id = (u32) -1; in map_id_range_up()
404 u32 map_id_up(struct uid_gid_map *map, u32 id) in map_id_up() argument
406 return map_id_range_up(map, id, 1); in map_id_up()
410 * make_kuid - Map a user-namespace uid pair into a kuid.
414 * Maps a user-namespace uid pair into a kernel internal kuid,
417 * When there is no mapping defined for the user-namespace uid
424 /* Map the uid to a global kernel uid */ in make_kuid()
425 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); in make_kuid()
430 * from_kuid - Create a uid from a kuid user-namespace pair.
434 * Map @kuid into the user-namespace specified by @targ and
439 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
443 /* Map the uid from a global kernel uid */ in from_kuid()
444 return map_id_up(&targ->uid_map, __kuid_val(kuid)); in from_kuid()
449 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
453 * Map @kuid into the user-namespace specified by @targ and
464 * If @kuid has no mapping in @targ overflowuid is returned.
471 if (uid == (uid_t) -1) in from_kuid_munged()
478 * make_kgid - Map a user-namespace gid pair into a kgid.
482 * Maps a user-namespace gid pair into a kernel internal kgid,
485 * When there is no mapping defined for the user-namespace gid
492 /* Map the gid to a global kernel gid */ in make_kgid()
493 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); in make_kgid()
498 * from_kgid - Create a gid from a kgid user-namespace pair.
502 * Map @kgid into the user-namespace specified by @targ and
507 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
511 /* Map the gid from a global kernel gid */ in from_kgid()
512 return map_id_up(&targ->gid_map, __kgid_val(kgid)); in from_kgid()
517 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
521 * Map @kgid into the user-namespace specified by @targ and
531 * If @kgid has no mapping in @targ overflowgid is returned.
538 if (gid == (gid_t) -1) in from_kgid_munged()
545 * make_kprojid - Map a user-namespace projid pair into a kprojid.
549 * Maps a user-namespace projid pair into a kernel internal kprojid,
552 * When there is no mapping defined for the user-namespace projid
559 /* Map the projid to a global kernel projid */ in make_kprojid()
560 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); in make_kprojid()
565 * from_kprojid - Create a projid from a kprojid user-namespace pair.
569 * Map @kprojid into the user-namespace specified by @targ and
574 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
578 /* Map the projid from a global kernel projid */ in from_kprojid()
579 return map_id_up(&targ->projid_map, __kprojid_val(kprojid)); in from_kprojid()
584 * from_kprojid_munged - Create a projid from a kprojid user-namespace pair.
588 * Map @kprojid into the user-namespace specified by @targ and
599 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
606 if (projid == (projid_t) -1) in from_kprojid_munged()
615 struct user_namespace *ns = seq->private; in uid_m_show()
621 if ((lower_ns == ns) && lower_ns->parent) in uid_m_show()
622 lower_ns = lower_ns->parent; in uid_m_show()
624 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first)); in uid_m_show()
627 extent->first, in uid_m_show()
629 extent->count); in uid_m_show()
636 struct user_namespace *ns = seq->private; in gid_m_show()
642 if ((lower_ns == ns) && lower_ns->parent) in gid_m_show()
643 lower_ns = lower_ns->parent; in gid_m_show()
645 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first)); in gid_m_show()
648 extent->first, in gid_m_show()
650 extent->count); in gid_m_show()
657 struct user_namespace *ns = seq->private; in projid_m_show()
663 if ((lower_ns == ns) && lower_ns->parent) in projid_m_show()
664 lower_ns = lower_ns->parent; in projid_m_show()
666 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first)); in projid_m_show()
669 extent->first, in projid_m_show()
671 extent->count); in projid_m_show()
677 struct uid_gid_map *map) in m_start() argument
680 unsigned extents = map->nr_extents; in m_start()
687 return &map->extent[pos]; in m_start()
689 return &map->forward[pos]; in m_start()
694 struct user_namespace *ns = seq->private; in uid_m_start()
696 return m_start(seq, ppos, &ns->uid_map); in uid_m_start()
701 struct user_namespace *ns = seq->private; in gid_m_start()
703 return m_start(seq, ppos, &ns->gid_map); in gid_m_start()
708 struct user_namespace *ns = seq->private; in projid_m_start()
710 return m_start(seq, ppos, &ns->projid_map); in projid_m_start()
716 return seq->op->start(seq, pos); in m_next()
751 upper_first = extent->first; in mappings_overlap()
752 lower_first = extent->lower_first; in mappings_overlap()
753 upper_last = upper_first + extent->count - 1; in mappings_overlap()
754 lower_last = lower_first + extent->count - 1; in mappings_overlap()
756 for (idx = 0; idx < new_map->nr_extents; idx++) { in mappings_overlap()
761 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in mappings_overlap()
762 prev = &new_map->extent[idx]; in mappings_overlap()
764 prev = &new_map->forward[idx]; in mappings_overlap()
766 prev_upper_first = prev->first; in mappings_overlap()
767 prev_lower_first = prev->lower_first; in mappings_overlap()
768 prev_upper_last = prev_upper_first + prev->count - 1; in mappings_overlap()
769 prev_lower_last = prev_lower_first + prev->count - 1; in mappings_overlap()
785 * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
789 static int insert_extent(struct uid_gid_map *map, struct uid_gid_extent *extent) in insert_extent() argument
793 if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) { in insert_extent()
801 return -ENOMEM; in insert_extent()
806 memcpy(forward, map->extent, in insert_extent()
807 map->nr_extents * sizeof(map->extent[0])); in insert_extent()
809 map->forward = forward; in insert_extent()
810 map->reverse = NULL; in insert_extent()
813 if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS) in insert_extent()
814 dest = &map->extent[map->nr_extents]; in insert_extent()
816 dest = &map->forward[map->nr_extents]; in insert_extent()
819 map->nr_extents++; in insert_extent()
829 if (e1->first < e2->first) in cmp_extents_forward()
830 return -1; in cmp_extents_forward()
832 if (e1->first > e2->first) in cmp_extents_forward()
844 if (e1->lower_first < e2->lower_first) in cmp_extents_reverse()
845 return -1; in cmp_extents_reverse()
847 if (e1->lower_first > e2->lower_first) in cmp_extents_reverse()
854 * sort_idmaps - Sorts an array of idmap entries.
857 static int sort_idmaps(struct uid_gid_map *map) in sort_idmaps() argument
859 if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in sort_idmaps()
863 sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent), in sort_idmaps()
867 map->reverse = kmemdup_array(map->forward, map->nr_extents, in sort_idmaps()
869 if (!map->reverse) in sort_idmaps()
870 return -ENOMEM; in sort_idmaps()
873 sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent), in sort_idmaps()
880 * verify_root_map() - check the uid 0 mapping
886 * process writing the map had the CAP_SETFCAP capability as the target process
896 const struct user_namespace *file_ns = file->f_cred->user_ns; in verify_root_map()
899 for (idx = 0; idx < new_map->nr_extents; idx++) { in verify_root_map()
900 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in verify_root_map()
901 extent0 = &new_map->extent[idx]; in verify_root_map()
903 extent0 = &new_map->forward[idx]; in verify_root_map()
904 if (extent0->lower_first == 0) in verify_root_map()
919 if (!file_ns->parent_could_setfcap) in verify_root_map()
923 * user namespace to p1's. Verify that the opener of the map in verify_root_map()
924 * file has CAP_SETFCAP against the parent of the new map in verify_root_map()
926 if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP)) in verify_root_map()
936 struct uid_gid_map *map, in map_write() argument
939 struct seq_file *seq = file->private_data; in map_write()
940 struct user_namespace *map_ns = seq->private; in map_write()
949 return -EINVAL; in map_write()
957 * The userns_state_mutex serializes all writes to any given map. in map_write()
959 * Any map is only ever written once. in map_write()
961 * An id map fits within 1 cache line on most architectures. in map_write()
979 ret = -EPERM; in map_write()
980 /* Only allow one successful write to the map */ in map_write()
981 if (map->nr_extents != 0) in map_write()
991 ret = -EINVAL; in map_write()
1025 if ((extent.first == (u32) -1) || in map_write()
1026 (extent.lower_first == (u32) -1)) in map_write()
1049 ret = -EINVAL; in map_write()
1051 /* Be very certain the new map actually exists */ in map_write()
1055 ret = -EPERM; in map_write()
1060 ret = -EPERM; in map_write()
1061 /* Map the lower ids from the parent user namespace to the in map_write()
1074 e->lower_first, in map_write()
1075 e->count); in map_write()
1077 /* Fail if we can not map the specified extent to in map_write()
1080 if (lower_first == (u32) -1) in map_write()
1083 e->lower_first = lower_first; in map_write()
1094 /* Install the map */ in map_write()
1096 memcpy(map->extent, new_map.extent, in map_write()
1099 map->forward = new_map.forward; in map_write()
1100 map->reverse = new_map.reverse; in map_write()
1103 map->nr_extents = new_map.nr_extents; in map_write()
1111 map->forward = NULL; in map_write()
1112 map->reverse = NULL; in map_write()
1113 map->nr_extents = 0; in map_write()
1124 struct seq_file *seq = file->private_data; in proc_uid_map_write()
1125 struct user_namespace *ns = seq->private; in proc_uid_map_write()
1128 if (!ns->parent) in proc_uid_map_write()
1129 return -EPERM; in proc_uid_map_write()
1131 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_uid_map_write()
1132 return -EPERM; in proc_uid_map_write()
1135 &ns->uid_map, &ns->parent->uid_map); in proc_uid_map_write()
1141 struct seq_file *seq = file->private_data; in proc_gid_map_write()
1142 struct user_namespace *ns = seq->private; in proc_gid_map_write()
1145 if (!ns->parent) in proc_gid_map_write()
1146 return -EPERM; in proc_gid_map_write()
1148 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_gid_map_write()
1149 return -EPERM; in proc_gid_map_write()
1152 &ns->gid_map, &ns->parent->gid_map); in proc_gid_map_write()
1158 struct seq_file *seq = file->private_data; in proc_projid_map_write()
1159 struct user_namespace *ns = seq->private; in proc_projid_map_write()
1162 if (!ns->parent) in proc_projid_map_write()
1163 return -EPERM; in proc_projid_map_write()
1165 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_projid_map_write()
1166 return -EPERM; in proc_projid_map_write()
1168 /* Anyone can set any valid project id no capability needed */ in proc_projid_map_write()
1169 return map_write(file, buf, size, ppos, -1, in proc_projid_map_write()
1170 &ns->projid_map, &ns->parent->projid_map); in proc_projid_map_write()
1177 const struct cred *cred = file->f_cred; in new_idmap_permitted()
1185 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && in new_idmap_permitted()
1186 uid_eq(ns->owner, cred->euid)) { in new_idmap_permitted()
1187 u32 id = new_map->extent[0].lower_first; in new_idmap_permitted()
1189 kuid_t uid = make_kuid(ns->parent, id); in new_idmap_permitted()
1190 if (uid_eq(uid, cred->euid)) in new_idmap_permitted()
1193 kgid_t gid = make_kgid(ns->parent, id); in new_idmap_permitted()
1194 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) && in new_idmap_permitted()
1195 gid_eq(gid, cred->egid)) in new_idmap_permitted()
1208 if (ns_capable(ns->parent, cap_setid) && in new_idmap_permitted()
1209 file_ns_capable(file, ns->parent, cap_setid)) in new_idmap_permitted()
1217 struct user_namespace *ns = seq->private; in proc_setgroups_show()
1218 unsigned long userns_flags = READ_ONCE(ns->flags); in proc_setgroups_show()
1229 struct seq_file *seq = file->private_data; in proc_setgroups_write()
1230 struct user_namespace *ns = seq->private; in proc_setgroups_write()
1236 ret = -EINVAL; in proc_setgroups_write()
1241 ret = -EFAULT; in proc_setgroups_write()
1248 ret = -EINVAL; in proc_setgroups_write()
1265 ret = -EPERM; in proc_setgroups_write()
1271 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED)) in proc_setgroups_write()
1277 if (ns->gid_map.nr_extents != 0) in proc_setgroups_write()
1279 ns->flags &= ~USERNS_SETGROUPS_ALLOWED; in proc_setgroups_write()
1301 allowed = ns->gid_map.nr_extents != 0; in userns_may_setgroups()
1303 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED); in userns_may_setgroups()
1317 for (ns = child; ns->level > ancestor->level; ns = ns->parent) in in_userns()
1333 user_ns = get_user_ns(__task_cred(task)->user_ns); in userns_get()
1336 return user_ns ? &user_ns->ns : NULL; in userns_get()
1353 return -EINVAL; in userns_install()
1357 return -EINVAL; in userns_install()
1359 if (current->fs->users != 1) in userns_install()
1360 return -EINVAL; in userns_install()
1363 return -EPERM; in userns_install()
1367 return -EINVAL; in userns_install()
1369 put_user_ns(cred->user_ns); in userns_install()
1373 return -EINVAL; in userns_install()
1384 owner = p = ns->ops->owner(ns); in ns_get_owner()
1387 return ERR_PTR(-EPERM); in ns_get_owner()
1390 p = p->parent; in ns_get_owner()
1393 return &get_user_ns(owner)->ns; in ns_get_owner()
1398 return to_user_ns(ns)->parent; in userns_owner()