Lines Matching +full:reverse +full:- +full:data

1 // SPDX-License-Identifier: GPL-2.0-only
14 #include <linux/key-type.h>
15 #include <keys/user-type.h>
48 cred->securebits = SECUREBITS_DEFAULT; in set_cred_user_ns()
49 cred->cap_inheritable = CAP_EMPTY_SET; in set_cred_user_ns()
50 cred->cap_permitted = CAP_FULL_SET; in set_cred_user_ns()
51 cred->cap_effective = CAP_FULL_SET; in set_cred_user_ns()
52 cred->cap_ambient = CAP_EMPTY_SET; in set_cred_user_ns()
53 cred->cap_bset = CAP_FULL_SET; in set_cred_user_ns()
55 key_put(cred->request_key_auth); in set_cred_user_ns()
56 cred->request_key_auth = NULL; in set_cred_user_ns()
59 cred->user_ns = user_ns; in set_cred_user_ns()
84 struct user_namespace *ns, *parent_ns = new->user_ns; in create_user_ns()
85 kuid_t owner = new->euid; in create_user_ns()
86 kgid_t group = new->egid; in create_user_ns()
90 ret = -ENOSPC; in create_user_ns()
91 if (parent_ns->level > 32) in create_user_ns()
104 ret = -EPERM; in create_user_ns()
112 ret = -EPERM; in create_user_ns()
121 ret = -ENOMEM; in create_user_ns()
126 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP); in create_user_ns()
127 ret = ns_alloc_inum(&ns->ns); in create_user_ns()
130 ns->ns.ops = &userns_operations; in create_user_ns()
132 refcount_set(&ns->ns.count, 1); in create_user_ns()
133 /* Leave the new->user_ns reference with the new user namespace. */ in create_user_ns()
134 ns->parent = parent_ns; in create_user_ns()
135 ns->level = parent_ns->level + 1; in create_user_ns()
136 ns->owner = owner; in create_user_ns()
137 ns->group = group; in create_user_ns()
138 INIT_WORK(&ns->work, free_user_ns); in create_user_ns()
140 ns->ucount_max[i] = INT_MAX; in create_user_ns()
146 ns->ucounts = ucounts; in create_user_ns()
150 ns->flags = parent_ns->flags; in create_user_ns()
154 INIT_LIST_HEAD(&ns->keyring_name_list); in create_user_ns()
155 init_rwsem(&ns->keyring_sem); in create_user_ns()
157 ret = -ENOMEM; in create_user_ns()
165 key_put(ns->persistent_keyring_register); in create_user_ns()
167 ns_free_inum(&ns->ns); in create_user_ns()
179 int err = -ENOMEM; in unshare_userns()
202 struct ucounts *ucounts = ns->ucounts; in free_user_ns()
203 parent = ns->parent; in free_user_ns()
204 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
205 kfree(ns->gid_map.forward); in free_user_ns()
206 kfree(ns->gid_map.reverse); in free_user_ns()
208 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
209 kfree(ns->uid_map.forward); in free_user_ns()
210 kfree(ns->uid_map.reverse); in free_user_ns()
212 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
213 kfree(ns->projid_map.forward); in free_user_ns()
214 kfree(ns->projid_map.reverse); in free_user_ns()
217 kfree(ns->binfmt_misc); in free_user_ns()
221 ns_free_inum(&ns->ns); in free_user_ns()
225 } while (refcount_dec_and_test(&parent->ns.count)); in free_user_ns()
230 schedule_work(&ns->work); in __put_user_ns()
235 * struct idmap_key - holds the information necessary to find an idmapping in a
239 bool map_up; /* true -> id from kid; false -> kid from id */
245 * cmp_map_id - Function to be passed to bsearch() to find the requested
254 id2 = key->id + key->count - 1; in cmp_map_id()
257 if (key->map_up) in cmp_map_id()
258 first = el->lower_first; in cmp_map_id()
260 first = el->first; in cmp_map_id()
262 last = first + el->count - 1; in cmp_map_id()
264 if (key->id >= first && key->id <= last && in cmp_map_id()
268 if (key->id < first || id2 < first) in cmp_map_id()
269 return -1; in cmp_map_id()
275 * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
287 return bsearch(&key, map->forward, extents, in map_id_range_down_max()
292 * map_id_range_down_base - Find idmap via binary search in static extent array.
302 id2 = id + count - 1; in map_id_range_down_base()
306 first = map->extent[idx].first; in map_id_range_down_base()
307 last = first + map->extent[idx].count - 1; in map_id_range_down_base()
310 return &map->extent[idx]; in map_id_range_down_base()
318 unsigned extents = map->nr_extents; in map_id_range_down()
328 id = (id - extent->first) + extent->lower_first; in map_id_range_down()
330 id = (u32) -1; in map_id_range_down()
341 * map_id_up_base - Find idmap via binary search in static extent array.
353 first = map->extent[idx].lower_first; in map_id_up_base()
354 last = first + map->extent[idx].count - 1; in map_id_up_base()
356 return &map->extent[idx]; in map_id_up_base()
362 * map_id_up_max - Find idmap via binary search in ordered idmap array.
374 return bsearch(&key, map->reverse, extents, in map_id_up_max()
381 unsigned extents = map->nr_extents; in map_id_up()
391 id = (id - extent->lower_first) + extent->first; in map_id_up()
393 id = (u32) -1; in map_id_up()
399 * make_kuid - Map a user-namespace uid pair into a kuid.
403 * Maps a user-namespace uid pair into a kernel internal kuid,
406 * When there is no mapping defined for the user-namespace uid
414 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); in make_kuid()
419 * from_kuid - Create a uid from a kuid user-namespace pair.
423 * Map @kuid into the user-namespace specified by @targ and
428 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
433 return map_id_up(&targ->uid_map, __kuid_val(kuid)); in from_kuid()
438 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
442 * Map @kuid into the user-namespace specified by @targ and
460 if (uid == (uid_t) -1) in from_kuid_munged()
467 * make_kgid - Map a user-namespace gid pair into a kgid.
471 * Maps a user-namespace gid pair into a kernel internal kgid,
474 * When there is no mapping defined for the user-namespace gid
482 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); in make_kgid()
487 * from_kgid - Create a gid from a kgid user-namespace pair.
491 * Map @kgid into the user-namespace specified by @targ and
496 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
501 return map_id_up(&targ->gid_map, __kgid_val(kgid)); in from_kgid()
506 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
510 * Map @kgid into the user-namespace specified by @targ and
527 if (gid == (gid_t) -1) in from_kgid_munged()
534 * make_kprojid - Map a user-namespace projid pair into a kprojid.
538 * Maps a user-namespace projid pair into a kernel internal kprojid,
541 * When there is no mapping defined for the user-namespace projid
549 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); in make_kprojid()
554 * from_kprojid - Create a projid from a kprojid user-namespace pair.
558 * Map @kprojid into the user-namespace specified by @targ and
563 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
568 return map_id_up(&targ->projid_map, __kprojid_val(kprojid)); in from_kprojid()
573 * from_kprojid_munged - Create a projid from a kprojid user-namespace pair.
577 * Map @kprojid into the user-namespace specified by @targ and
595 if (projid == (projid_t) -1) in from_kprojid_munged()
604 struct user_namespace *ns = seq->private; in uid_m_show()
610 if ((lower_ns == ns) && lower_ns->parent) in uid_m_show()
611 lower_ns = lower_ns->parent; in uid_m_show()
613 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first)); in uid_m_show()
616 extent->first, in uid_m_show()
618 extent->count); in uid_m_show()
625 struct user_namespace *ns = seq->private; in gid_m_show()
631 if ((lower_ns == ns) && lower_ns->parent) in gid_m_show()
632 lower_ns = lower_ns->parent; in gid_m_show()
634 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first)); in gid_m_show()
637 extent->first, in gid_m_show()
639 extent->count); in gid_m_show()
646 struct user_namespace *ns = seq->private; in projid_m_show()
652 if ((lower_ns == ns) && lower_ns->parent) in projid_m_show()
653 lower_ns = lower_ns->parent; in projid_m_show()
655 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first)); in projid_m_show()
658 extent->first, in projid_m_show()
660 extent->count); in projid_m_show()
669 unsigned extents = map->nr_extents; in m_start()
676 return &map->extent[pos]; in m_start()
678 return &map->forward[pos]; in m_start()
683 struct user_namespace *ns = seq->private; in uid_m_start()
685 return m_start(seq, ppos, &ns->uid_map); in uid_m_start()
690 struct user_namespace *ns = seq->private; in gid_m_start()
692 return m_start(seq, ppos, &ns->gid_map); in gid_m_start()
697 struct user_namespace *ns = seq->private; in projid_m_start()
699 return m_start(seq, ppos, &ns->projid_map); in projid_m_start()
705 return seq->op->start(seq, pos); in m_next()
740 upper_first = extent->first; in mappings_overlap()
741 lower_first = extent->lower_first; in mappings_overlap()
742 upper_last = upper_first + extent->count - 1; in mappings_overlap()
743 lower_last = lower_first + extent->count - 1; in mappings_overlap()
745 for (idx = 0; idx < new_map->nr_extents; idx++) { in mappings_overlap()
750 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in mappings_overlap()
751 prev = &new_map->extent[idx]; in mappings_overlap()
753 prev = &new_map->forward[idx]; in mappings_overlap()
755 prev_upper_first = prev->first; in mappings_overlap()
756 prev_lower_first = prev->lower_first; in mappings_overlap()
757 prev_upper_last = prev_upper_first + prev->count - 1; in mappings_overlap()
758 prev_lower_last = prev_lower_first + prev->count - 1; in mappings_overlap()
774 * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
782 if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) { in insert_extent()
790 return -ENOMEM; in insert_extent()
793 * Defer the memory setup for the reverse pointer. in insert_extent()
795 memcpy(forward, map->extent, in insert_extent()
796 map->nr_extents * sizeof(map->extent[0])); in insert_extent()
798 map->forward = forward; in insert_extent()
799 map->reverse = NULL; in insert_extent()
802 if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS) in insert_extent()
803 dest = &map->extent[map->nr_extents]; in insert_extent()
805 dest = &map->forward[map->nr_extents]; in insert_extent()
808 map->nr_extents++; in insert_extent()
818 if (e1->first < e2->first) in cmp_extents_forward()
819 return -1; in cmp_extents_forward()
821 if (e1->first > e2->first) in cmp_extents_forward()
827 /* cmp function to sort() reverse mappings */
833 if (e1->lower_first < e2->lower_first) in cmp_extents_reverse()
834 return -1; in cmp_extents_reverse()
836 if (e1->lower_first > e2->lower_first) in cmp_extents_reverse()
843 * sort_idmaps - Sorts an array of idmap entries.
848 if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in sort_idmaps()
852 sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent), in sort_idmaps()
856 map->reverse = kmemdup_array(map->forward, map->nr_extents, in sort_idmaps()
858 if (!map->reverse) in sort_idmaps()
859 return -ENOMEM; in sort_idmaps()
861 /* Sort reverse array. */ in sort_idmaps()
862 sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent), in sort_idmaps()
869 * verify_root_map() - check the uid 0 mapping
885 const struct user_namespace *file_ns = file->f_cred->user_ns; in verify_root_map()
888 for (idx = 0; idx < new_map->nr_extents; idx++) { in verify_root_map()
889 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in verify_root_map()
890 extent0 = &new_map->extent[idx]; in verify_root_map()
892 extent0 = &new_map->forward[idx]; in verify_root_map()
893 if (extent0->lower_first == 0) in verify_root_map()
908 if (!file_ns->parent_could_setfcap) in verify_root_map()
915 if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP)) in verify_root_map()
928 struct seq_file *seq = file->private_data; in map_write()
929 struct user_namespace *map_ns = seq->private; in map_write()
938 return -EINVAL; in map_write()
940 /* Slurp in the user data */ in map_write()
955 * There is a one time data dependency between reading the in map_write()
962 * architectures returning stale data. in map_write()
968 ret = -EPERM; in map_write()
970 if (map->nr_extents != 0) in map_write()
979 /* Parse the user data */ in map_write()
980 ret = -EINVAL; in map_write()
1014 if ((extent.first == (u32) -1) || in map_write()
1015 (extent.lower_first == (u32) -1)) in map_write()
1038 ret = -EINVAL; in map_write()
1044 ret = -EPERM; in map_write()
1049 ret = -EPERM; in map_write()
1063 e->lower_first, in map_write()
1064 e->count); in map_write()
1069 if (lower_first == (u32) -1) in map_write()
1072 e->lower_first = lower_first; in map_write()
1085 memcpy(map->extent, new_map.extent, in map_write()
1088 map->forward = new_map.forward; in map_write()
1089 map->reverse = new_map.reverse; in map_write()
1092 map->nr_extents = new_map.nr_extents; in map_write()
1099 kfree(new_map.reverse); in map_write()
1100 map->forward = NULL; in map_write()
1101 map->reverse = NULL; in map_write()
1102 map->nr_extents = 0; in map_write()
1113 struct seq_file *seq = file->private_data; in proc_uid_map_write()
1114 struct user_namespace *ns = seq->private; in proc_uid_map_write()
1117 if (!ns->parent) in proc_uid_map_write()
1118 return -EPERM; in proc_uid_map_write()
1120 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_uid_map_write()
1121 return -EPERM; in proc_uid_map_write()
1124 &ns->uid_map, &ns->parent->uid_map); in proc_uid_map_write()
1130 struct seq_file *seq = file->private_data; in proc_gid_map_write()
1131 struct user_namespace *ns = seq->private; in proc_gid_map_write()
1134 if (!ns->parent) in proc_gid_map_write()
1135 return -EPERM; in proc_gid_map_write()
1137 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_gid_map_write()
1138 return -EPERM; in proc_gid_map_write()
1141 &ns->gid_map, &ns->parent->gid_map); in proc_gid_map_write()
1147 struct seq_file *seq = file->private_data; in proc_projid_map_write()
1148 struct user_namespace *ns = seq->private; in proc_projid_map_write()
1151 if (!ns->parent) in proc_projid_map_write()
1152 return -EPERM; in proc_projid_map_write()
1154 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_projid_map_write()
1155 return -EPERM; in proc_projid_map_write()
1158 return map_write(file, buf, size, ppos, -1, in proc_projid_map_write()
1159 &ns->projid_map, &ns->parent->projid_map); in proc_projid_map_write()
1166 const struct cred *cred = file->f_cred; in new_idmap_permitted()
1174 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && in new_idmap_permitted()
1175 uid_eq(ns->owner, cred->euid)) { in new_idmap_permitted()
1176 u32 id = new_map->extent[0].lower_first; in new_idmap_permitted()
1178 kuid_t uid = make_kuid(ns->parent, id); in new_idmap_permitted()
1179 if (uid_eq(uid, cred->euid)) in new_idmap_permitted()
1182 kgid_t gid = make_kgid(ns->parent, id); in new_idmap_permitted()
1183 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) && in new_idmap_permitted()
1184 gid_eq(gid, cred->egid)) in new_idmap_permitted()
1197 if (ns_capable(ns->parent, cap_setid) && in new_idmap_permitted()
1198 file_ns_capable(file, ns->parent, cap_setid)) in new_idmap_permitted()
1206 struct user_namespace *ns = seq->private; in proc_setgroups_show()
1207 unsigned long userns_flags = READ_ONCE(ns->flags); in proc_setgroups_show()
1218 struct seq_file *seq = file->private_data; in proc_setgroups_write()
1219 struct user_namespace *ns = seq->private; in proc_setgroups_write()
1225 ret = -EINVAL; in proc_setgroups_write()
1230 ret = -EFAULT; in proc_setgroups_write()
1237 ret = -EINVAL; in proc_setgroups_write()
1254 ret = -EPERM; in proc_setgroups_write()
1260 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED)) in proc_setgroups_write()
1266 if (ns->gid_map.nr_extents != 0) in proc_setgroups_write()
1268 ns->flags &= ~USERNS_SETGROUPS_ALLOWED; in proc_setgroups_write()
1290 allowed = ns->gid_map.nr_extents != 0; in userns_may_setgroups()
1292 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED); in userns_may_setgroups()
1306 for (ns = child; ns->level > ancestor->level; ns = ns->parent) in in_userns()
1327 user_ns = get_user_ns(__task_cred(task)->user_ns); in userns_get()
1330 return user_ns ? &user_ns->ns : NULL; in userns_get()
1347 return -EINVAL; in userns_install()
1351 return -EINVAL; in userns_install()
1353 if (current->fs->users != 1) in userns_install()
1354 return -EINVAL; in userns_install()
1357 return -EPERM; in userns_install()
1361 return -EINVAL; in userns_install()
1363 put_user_ns(cred->user_ns); in userns_install()
1367 return -EINVAL; in userns_install()
1378 owner = p = ns->ops->owner(ns); in ns_get_owner()
1381 return ERR_PTR(-EPERM); in ns_get_owner()
1384 p = p->parent; in ns_get_owner()
1387 return &get_user_ns(owner)->ns; in ns_get_owner()
1392 return to_user_ns(ns)->parent; in userns_owner()