1 /* 2 * This program is free software; you can redistribute it and/or 3 * modify it under the terms of the GNU General Public License as 4 * published by the Free Software Foundation, version 2 of the 5 * License. 6 */ 7 8 #include <linux/export.h> 9 #include <linux/nsproxy.h> 10 #include <linux/slab.h> 11 #include <linux/user_namespace.h> 12 #include <linux/proc_ns.h> 13 #include <linux/highuid.h> 14 #include <linux/cred.h> 15 #include <linux/securebits.h> 16 #include <linux/keyctl.h> 17 #include <linux/key-type.h> 18 #include <keys/user-type.h> 19 #include <linux/seq_file.h> 20 #include <linux/fs.h> 21 #include <linux/uaccess.h> 22 #include <linux/ctype.h> 23 #include <linux/projid.h> 24 #include <linux/fs_struct.h> 25 26 static struct kmem_cache *user_ns_cachep __read_mostly; 27 static DEFINE_MUTEX(userns_state_mutex); 28 29 static bool new_idmap_permitted(const struct file *file, 30 struct user_namespace *ns, int cap_setid, 31 struct uid_gid_map *map); 32 33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) 34 { 35 /* Start with the same capabilities as init but useless for doing 36 * anything as the capabilities are bound to the new user namespace. 37 */ 38 cred->securebits = SECUREBITS_DEFAULT; 39 cred->cap_inheritable = CAP_EMPTY_SET; 40 cred->cap_permitted = CAP_FULL_SET; 41 cred->cap_effective = CAP_FULL_SET; 42 cred->cap_bset = CAP_FULL_SET; 43 #ifdef CONFIG_KEYS 44 key_put(cred->request_key_auth); 45 cred->request_key_auth = NULL; 46 #endif 47 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */ 48 cred->user_ns = user_ns; 49 } 50 51 /* 52 * Create a new user namespace, deriving the creator from the user in the 53 * passed credentials, and replacing that user with the new root user for the 54 * new namespace. 55 * 56 * This is called by copy_creds(), which will finish setting the target task's 57 * credentials. 58 */ 59 int create_user_ns(struct cred *new) 60 { 61 struct user_namespace *ns, *parent_ns = new->user_ns; 62 kuid_t owner = new->euid; 63 kgid_t group = new->egid; 64 int ret; 65 66 if (parent_ns->level > 32) 67 return -EUSERS; 68 69 /* 70 * Verify that we can not violate the policy of which files 71 * may be accessed that is specified by the root directory, 72 * by verifing that the root directory is at the root of the 73 * mount namespace which allows all files to be accessed. 74 */ 75 if (current_chrooted()) 76 return -EPERM; 77 78 /* The creator needs a mapping in the parent user namespace 79 * or else we won't be able to reasonably tell userspace who 80 * created a user_namespace. 81 */ 82 if (!kuid_has_mapping(parent_ns, owner) || 83 !kgid_has_mapping(parent_ns, group)) 84 return -EPERM; 85 86 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL); 87 if (!ns) 88 return -ENOMEM; 89 90 ret = proc_alloc_inum(&ns->proc_inum); 91 if (ret) { 92 kmem_cache_free(user_ns_cachep, ns); 93 return ret; 94 } 95 96 atomic_set(&ns->count, 1); 97 /* Leave the new->user_ns reference with the new user namespace. */ 98 ns->parent = parent_ns; 99 ns->level = parent_ns->level + 1; 100 ns->owner = owner; 101 ns->group = group; 102 103 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */ 104 mutex_lock(&userns_state_mutex); 105 ns->flags = parent_ns->flags; 106 mutex_unlock(&userns_state_mutex); 107 108 set_cred_user_ns(new, ns); 109 110 #ifdef CONFIG_PERSISTENT_KEYRINGS 111 init_rwsem(&ns->persistent_keyring_register_sem); 112 #endif 113 return 0; 114 } 115 116 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred) 117 { 118 struct cred *cred; 119 int err = -ENOMEM; 120 121 if (!(unshare_flags & CLONE_NEWUSER)) 122 return 0; 123 124 cred = prepare_creds(); 125 if (cred) { 126 err = create_user_ns(cred); 127 if (err) 128 put_cred(cred); 129 else 130 *new_cred = cred; 131 } 132 133 return err; 134 } 135 136 void free_user_ns(struct user_namespace *ns) 137 { 138 struct user_namespace *parent; 139 140 do { 141 parent = ns->parent; 142 #ifdef CONFIG_PERSISTENT_KEYRINGS 143 key_put(ns->persistent_keyring_register); 144 #endif 145 proc_free_inum(ns->proc_inum); 146 kmem_cache_free(user_ns_cachep, ns); 147 ns = parent; 148 } while (atomic_dec_and_test(&parent->count)); 149 } 150 EXPORT_SYMBOL(free_user_ns); 151 152 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count) 153 { 154 unsigned idx, extents; 155 u32 first, last, id2; 156 157 id2 = id + count - 1; 158 159 /* Find the matching extent */ 160 extents = map->nr_extents; 161 smp_rmb(); 162 for (idx = 0; idx < extents; idx++) { 163 first = map->extent[idx].first; 164 last = first + map->extent[idx].count - 1; 165 if (id >= first && id <= last && 166 (id2 >= first && id2 <= last)) 167 break; 168 } 169 /* Map the id or note failure */ 170 if (idx < extents) 171 id = (id - first) + map->extent[idx].lower_first; 172 else 173 id = (u32) -1; 174 175 return id; 176 } 177 178 static u32 map_id_down(struct uid_gid_map *map, u32 id) 179 { 180 unsigned idx, extents; 181 u32 first, last; 182 183 /* Find the matching extent */ 184 extents = map->nr_extents; 185 smp_rmb(); 186 for (idx = 0; idx < extents; idx++) { 187 first = map->extent[idx].first; 188 last = first + map->extent[idx].count - 1; 189 if (id >= first && id <= last) 190 break; 191 } 192 /* Map the id or note failure */ 193 if (idx < extents) 194 id = (id - first) + map->extent[idx].lower_first; 195 else 196 id = (u32) -1; 197 198 return id; 199 } 200 201 static u32 map_id_up(struct uid_gid_map *map, u32 id) 202 { 203 unsigned idx, extents; 204 u32 first, last; 205 206 /* Find the matching extent */ 207 extents = map->nr_extents; 208 smp_rmb(); 209 for (idx = 0; idx < extents; idx++) { 210 first = map->extent[idx].lower_first; 211 last = first + map->extent[idx].count - 1; 212 if (id >= first && id <= last) 213 break; 214 } 215 /* Map the id or note failure */ 216 if (idx < extents) 217 id = (id - first) + map->extent[idx].first; 218 else 219 id = (u32) -1; 220 221 return id; 222 } 223 224 /** 225 * make_kuid - Map a user-namespace uid pair into a kuid. 226 * @ns: User namespace that the uid is in 227 * @uid: User identifier 228 * 229 * Maps a user-namespace uid pair into a kernel internal kuid, 230 * and returns that kuid. 231 * 232 * When there is no mapping defined for the user-namespace uid 233 * pair INVALID_UID is returned. Callers are expected to test 234 * for and handle INVALID_UID being returned. INVALID_UID 235 * may be tested for using uid_valid(). 236 */ 237 kuid_t make_kuid(struct user_namespace *ns, uid_t uid) 238 { 239 /* Map the uid to a global kernel uid */ 240 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); 241 } 242 EXPORT_SYMBOL(make_kuid); 243 244 /** 245 * from_kuid - Create a uid from a kuid user-namespace pair. 246 * @targ: The user namespace we want a uid in. 247 * @kuid: The kernel internal uid to start with. 248 * 249 * Map @kuid into the user-namespace specified by @targ and 250 * return the resulting uid. 251 * 252 * There is always a mapping into the initial user_namespace. 253 * 254 * If @kuid has no mapping in @targ (uid_t)-1 is returned. 255 */ 256 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid) 257 { 258 /* Map the uid from a global kernel uid */ 259 return map_id_up(&targ->uid_map, __kuid_val(kuid)); 260 } 261 EXPORT_SYMBOL(from_kuid); 262 263 /** 264 * from_kuid_munged - Create a uid from a kuid user-namespace pair. 265 * @targ: The user namespace we want a uid in. 266 * @kuid: The kernel internal uid to start with. 267 * 268 * Map @kuid into the user-namespace specified by @targ and 269 * return the resulting uid. 270 * 271 * There is always a mapping into the initial user_namespace. 272 * 273 * Unlike from_kuid from_kuid_munged never fails and always 274 * returns a valid uid. This makes from_kuid_munged appropriate 275 * for use in syscalls like stat and getuid where failing the 276 * system call and failing to provide a valid uid are not an 277 * options. 278 * 279 * If @kuid has no mapping in @targ overflowuid is returned. 280 */ 281 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid) 282 { 283 uid_t uid; 284 uid = from_kuid(targ, kuid); 285 286 if (uid == (uid_t) -1) 287 uid = overflowuid; 288 return uid; 289 } 290 EXPORT_SYMBOL(from_kuid_munged); 291 292 /** 293 * make_kgid - Map a user-namespace gid pair into a kgid. 294 * @ns: User namespace that the gid is in 295 * @gid: group identifier 296 * 297 * Maps a user-namespace gid pair into a kernel internal kgid, 298 * and returns that kgid. 299 * 300 * When there is no mapping defined for the user-namespace gid 301 * pair INVALID_GID is returned. Callers are expected to test 302 * for and handle INVALID_GID being returned. INVALID_GID may be 303 * tested for using gid_valid(). 304 */ 305 kgid_t make_kgid(struct user_namespace *ns, gid_t gid) 306 { 307 /* Map the gid to a global kernel gid */ 308 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); 309 } 310 EXPORT_SYMBOL(make_kgid); 311 312 /** 313 * from_kgid - Create a gid from a kgid user-namespace pair. 314 * @targ: The user namespace we want a gid in. 315 * @kgid: The kernel internal gid to start with. 316 * 317 * Map @kgid into the user-namespace specified by @targ and 318 * return the resulting gid. 319 * 320 * There is always a mapping into the initial user_namespace. 321 * 322 * If @kgid has no mapping in @targ (gid_t)-1 is returned. 323 */ 324 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid) 325 { 326 /* Map the gid from a global kernel gid */ 327 return map_id_up(&targ->gid_map, __kgid_val(kgid)); 328 } 329 EXPORT_SYMBOL(from_kgid); 330 331 /** 332 * from_kgid_munged - Create a gid from a kgid user-namespace pair. 333 * @targ: The user namespace we want a gid in. 334 * @kgid: The kernel internal gid to start with. 335 * 336 * Map @kgid into the user-namespace specified by @targ and 337 * return the resulting gid. 338 * 339 * There is always a mapping into the initial user_namespace. 340 * 341 * Unlike from_kgid from_kgid_munged never fails and always 342 * returns a valid gid. This makes from_kgid_munged appropriate 343 * for use in syscalls like stat and getgid where failing the 344 * system call and failing to provide a valid gid are not options. 345 * 346 * If @kgid has no mapping in @targ overflowgid is returned. 347 */ 348 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid) 349 { 350 gid_t gid; 351 gid = from_kgid(targ, kgid); 352 353 if (gid == (gid_t) -1) 354 gid = overflowgid; 355 return gid; 356 } 357 EXPORT_SYMBOL(from_kgid_munged); 358 359 /** 360 * make_kprojid - Map a user-namespace projid pair into a kprojid. 361 * @ns: User namespace that the projid is in 362 * @projid: Project identifier 363 * 364 * Maps a user-namespace uid pair into a kernel internal kuid, 365 * and returns that kuid. 366 * 367 * When there is no mapping defined for the user-namespace projid 368 * pair INVALID_PROJID is returned. Callers are expected to test 369 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID 370 * may be tested for using projid_valid(). 371 */ 372 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid) 373 { 374 /* Map the uid to a global kernel uid */ 375 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); 376 } 377 EXPORT_SYMBOL(make_kprojid); 378 379 /** 380 * from_kprojid - Create a projid from a kprojid user-namespace pair. 381 * @targ: The user namespace we want a projid in. 382 * @kprojid: The kernel internal project identifier to start with. 383 * 384 * Map @kprojid into the user-namespace specified by @targ and 385 * return the resulting projid. 386 * 387 * There is always a mapping into the initial user_namespace. 388 * 389 * If @kprojid has no mapping in @targ (projid_t)-1 is returned. 390 */ 391 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid) 392 { 393 /* Map the uid from a global kernel uid */ 394 return map_id_up(&targ->projid_map, __kprojid_val(kprojid)); 395 } 396 EXPORT_SYMBOL(from_kprojid); 397 398 /** 399 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair. 400 * @targ: The user namespace we want a projid in. 401 * @kprojid: The kernel internal projid to start with. 402 * 403 * Map @kprojid into the user-namespace specified by @targ and 404 * return the resulting projid. 405 * 406 * There is always a mapping into the initial user_namespace. 407 * 408 * Unlike from_kprojid from_kprojid_munged never fails and always 409 * returns a valid projid. This makes from_kprojid_munged 410 * appropriate for use in syscalls like stat and where 411 * failing the system call and failing to provide a valid projid are 412 * not an options. 413 * 414 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned. 415 */ 416 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid) 417 { 418 projid_t projid; 419 projid = from_kprojid(targ, kprojid); 420 421 if (projid == (projid_t) -1) 422 projid = OVERFLOW_PROJID; 423 return projid; 424 } 425 EXPORT_SYMBOL(from_kprojid_munged); 426 427 428 static int uid_m_show(struct seq_file *seq, void *v) 429 { 430 struct user_namespace *ns = seq->private; 431 struct uid_gid_extent *extent = v; 432 struct user_namespace *lower_ns; 433 uid_t lower; 434 435 lower_ns = seq_user_ns(seq); 436 if ((lower_ns == ns) && lower_ns->parent) 437 lower_ns = lower_ns->parent; 438 439 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first)); 440 441 seq_printf(seq, "%10u %10u %10u\n", 442 extent->first, 443 lower, 444 extent->count); 445 446 return 0; 447 } 448 449 static int gid_m_show(struct seq_file *seq, void *v) 450 { 451 struct user_namespace *ns = seq->private; 452 struct uid_gid_extent *extent = v; 453 struct user_namespace *lower_ns; 454 gid_t lower; 455 456 lower_ns = seq_user_ns(seq); 457 if ((lower_ns == ns) && lower_ns->parent) 458 lower_ns = lower_ns->parent; 459 460 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first)); 461 462 seq_printf(seq, "%10u %10u %10u\n", 463 extent->first, 464 lower, 465 extent->count); 466 467 return 0; 468 } 469 470 static int projid_m_show(struct seq_file *seq, void *v) 471 { 472 struct user_namespace *ns = seq->private; 473 struct uid_gid_extent *extent = v; 474 struct user_namespace *lower_ns; 475 projid_t lower; 476 477 lower_ns = seq_user_ns(seq); 478 if ((lower_ns == ns) && lower_ns->parent) 479 lower_ns = lower_ns->parent; 480 481 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first)); 482 483 seq_printf(seq, "%10u %10u %10u\n", 484 extent->first, 485 lower, 486 extent->count); 487 488 return 0; 489 } 490 491 static void *m_start(struct seq_file *seq, loff_t *ppos, 492 struct uid_gid_map *map) 493 { 494 struct uid_gid_extent *extent = NULL; 495 loff_t pos = *ppos; 496 497 if (pos < map->nr_extents) 498 extent = &map->extent[pos]; 499 500 return extent; 501 } 502 503 static void *uid_m_start(struct seq_file *seq, loff_t *ppos) 504 { 505 struct user_namespace *ns = seq->private; 506 507 return m_start(seq, ppos, &ns->uid_map); 508 } 509 510 static void *gid_m_start(struct seq_file *seq, loff_t *ppos) 511 { 512 struct user_namespace *ns = seq->private; 513 514 return m_start(seq, ppos, &ns->gid_map); 515 } 516 517 static void *projid_m_start(struct seq_file *seq, loff_t *ppos) 518 { 519 struct user_namespace *ns = seq->private; 520 521 return m_start(seq, ppos, &ns->projid_map); 522 } 523 524 static void *m_next(struct seq_file *seq, void *v, loff_t *pos) 525 { 526 (*pos)++; 527 return seq->op->start(seq, pos); 528 } 529 530 static void m_stop(struct seq_file *seq, void *v) 531 { 532 return; 533 } 534 535 const struct seq_operations proc_uid_seq_operations = { 536 .start = uid_m_start, 537 .stop = m_stop, 538 .next = m_next, 539 .show = uid_m_show, 540 }; 541 542 const struct seq_operations proc_gid_seq_operations = { 543 .start = gid_m_start, 544 .stop = m_stop, 545 .next = m_next, 546 .show = gid_m_show, 547 }; 548 549 const struct seq_operations proc_projid_seq_operations = { 550 .start = projid_m_start, 551 .stop = m_stop, 552 .next = m_next, 553 .show = projid_m_show, 554 }; 555 556 static bool mappings_overlap(struct uid_gid_map *new_map, 557 struct uid_gid_extent *extent) 558 { 559 u32 upper_first, lower_first, upper_last, lower_last; 560 unsigned idx; 561 562 upper_first = extent->first; 563 lower_first = extent->lower_first; 564 upper_last = upper_first + extent->count - 1; 565 lower_last = lower_first + extent->count - 1; 566 567 for (idx = 0; idx < new_map->nr_extents; idx++) { 568 u32 prev_upper_first, prev_lower_first; 569 u32 prev_upper_last, prev_lower_last; 570 struct uid_gid_extent *prev; 571 572 prev = &new_map->extent[idx]; 573 574 prev_upper_first = prev->first; 575 prev_lower_first = prev->lower_first; 576 prev_upper_last = prev_upper_first + prev->count - 1; 577 prev_lower_last = prev_lower_first + prev->count - 1; 578 579 /* Does the upper range intersect a previous extent? */ 580 if ((prev_upper_first <= upper_last) && 581 (prev_upper_last >= upper_first)) 582 return true; 583 584 /* Does the lower range intersect a previous extent? */ 585 if ((prev_lower_first <= lower_last) && 586 (prev_lower_last >= lower_first)) 587 return true; 588 } 589 return false; 590 } 591 592 static ssize_t map_write(struct file *file, const char __user *buf, 593 size_t count, loff_t *ppos, 594 int cap_setid, 595 struct uid_gid_map *map, 596 struct uid_gid_map *parent_map) 597 { 598 struct seq_file *seq = file->private_data; 599 struct user_namespace *ns = seq->private; 600 struct uid_gid_map new_map; 601 unsigned idx; 602 struct uid_gid_extent *extent = NULL; 603 unsigned long page = 0; 604 char *kbuf, *pos, *next_line; 605 ssize_t ret = -EINVAL; 606 607 /* 608 * The userns_state_mutex serializes all writes to any given map. 609 * 610 * Any map is only ever written once. 611 * 612 * An id map fits within 1 cache line on most architectures. 613 * 614 * On read nothing needs to be done unless you are on an 615 * architecture with a crazy cache coherency model like alpha. 616 * 617 * There is a one time data dependency between reading the 618 * count of the extents and the values of the extents. The 619 * desired behavior is to see the values of the extents that 620 * were written before the count of the extents. 621 * 622 * To achieve this smp_wmb() is used on guarantee the write 623 * order and smp_rmb() is guaranteed that we don't have crazy 624 * architectures returning stale data. 625 */ 626 mutex_lock(&userns_state_mutex); 627 628 ret = -EPERM; 629 /* Only allow one successful write to the map */ 630 if (map->nr_extents != 0) 631 goto out; 632 633 /* 634 * Adjusting namespace settings requires capabilities on the target. 635 */ 636 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN)) 637 goto out; 638 639 /* Get a buffer */ 640 ret = -ENOMEM; 641 page = __get_free_page(GFP_TEMPORARY); 642 kbuf = (char *) page; 643 if (!page) 644 goto out; 645 646 /* Only allow < page size writes at the beginning of the file */ 647 ret = -EINVAL; 648 if ((*ppos != 0) || (count >= PAGE_SIZE)) 649 goto out; 650 651 /* Slurp in the user data */ 652 ret = -EFAULT; 653 if (copy_from_user(kbuf, buf, count)) 654 goto out; 655 kbuf[count] = '\0'; 656 657 /* Parse the user data */ 658 ret = -EINVAL; 659 pos = kbuf; 660 new_map.nr_extents = 0; 661 for (; pos; pos = next_line) { 662 extent = &new_map.extent[new_map.nr_extents]; 663 664 /* Find the end of line and ensure I don't look past it */ 665 next_line = strchr(pos, '\n'); 666 if (next_line) { 667 *next_line = '\0'; 668 next_line++; 669 if (*next_line == '\0') 670 next_line = NULL; 671 } 672 673 pos = skip_spaces(pos); 674 extent->first = simple_strtoul(pos, &pos, 10); 675 if (!isspace(*pos)) 676 goto out; 677 678 pos = skip_spaces(pos); 679 extent->lower_first = simple_strtoul(pos, &pos, 10); 680 if (!isspace(*pos)) 681 goto out; 682 683 pos = skip_spaces(pos); 684 extent->count = simple_strtoul(pos, &pos, 10); 685 if (*pos && !isspace(*pos)) 686 goto out; 687 688 /* Verify there is not trailing junk on the line */ 689 pos = skip_spaces(pos); 690 if (*pos != '\0') 691 goto out; 692 693 /* Verify we have been given valid starting values */ 694 if ((extent->first == (u32) -1) || 695 (extent->lower_first == (u32) -1)) 696 goto out; 697 698 /* Verify count is not zero and does not cause the 699 * extent to wrap 700 */ 701 if ((extent->first + extent->count) <= extent->first) 702 goto out; 703 if ((extent->lower_first + extent->count) <= 704 extent->lower_first) 705 goto out; 706 707 /* Do the ranges in extent overlap any previous extents? */ 708 if (mappings_overlap(&new_map, extent)) 709 goto out; 710 711 new_map.nr_extents++; 712 713 /* Fail if the file contains too many extents */ 714 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) && 715 (next_line != NULL)) 716 goto out; 717 } 718 /* Be very certaint the new map actually exists */ 719 if (new_map.nr_extents == 0) 720 goto out; 721 722 ret = -EPERM; 723 /* Validate the user is allowed to use user id's mapped to. */ 724 if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) 725 goto out; 726 727 /* Map the lower ids from the parent user namespace to the 728 * kernel global id space. 729 */ 730 for (idx = 0; idx < new_map.nr_extents; idx++) { 731 u32 lower_first; 732 extent = &new_map.extent[idx]; 733 734 lower_first = map_id_range_down(parent_map, 735 extent->lower_first, 736 extent->count); 737 738 /* Fail if we can not map the specified extent to 739 * the kernel global id space. 740 */ 741 if (lower_first == (u32) -1) 742 goto out; 743 744 extent->lower_first = lower_first; 745 } 746 747 /* Install the map */ 748 memcpy(map->extent, new_map.extent, 749 new_map.nr_extents*sizeof(new_map.extent[0])); 750 smp_wmb(); 751 map->nr_extents = new_map.nr_extents; 752 753 *ppos = count; 754 ret = count; 755 out: 756 mutex_unlock(&userns_state_mutex); 757 if (page) 758 free_page(page); 759 return ret; 760 } 761 762 ssize_t proc_uid_map_write(struct file *file, const char __user *buf, 763 size_t size, loff_t *ppos) 764 { 765 struct seq_file *seq = file->private_data; 766 struct user_namespace *ns = seq->private; 767 struct user_namespace *seq_ns = seq_user_ns(seq); 768 769 if (!ns->parent) 770 return -EPERM; 771 772 if ((seq_ns != ns) && (seq_ns != ns->parent)) 773 return -EPERM; 774 775 return map_write(file, buf, size, ppos, CAP_SETUID, 776 &ns->uid_map, &ns->parent->uid_map); 777 } 778 779 ssize_t proc_gid_map_write(struct file *file, const char __user *buf, 780 size_t size, loff_t *ppos) 781 { 782 struct seq_file *seq = file->private_data; 783 struct user_namespace *ns = seq->private; 784 struct user_namespace *seq_ns = seq_user_ns(seq); 785 786 if (!ns->parent) 787 return -EPERM; 788 789 if ((seq_ns != ns) && (seq_ns != ns->parent)) 790 return -EPERM; 791 792 return map_write(file, buf, size, ppos, CAP_SETGID, 793 &ns->gid_map, &ns->parent->gid_map); 794 } 795 796 ssize_t proc_projid_map_write(struct file *file, const char __user *buf, 797 size_t size, loff_t *ppos) 798 { 799 struct seq_file *seq = file->private_data; 800 struct user_namespace *ns = seq->private; 801 struct user_namespace *seq_ns = seq_user_ns(seq); 802 803 if (!ns->parent) 804 return -EPERM; 805 806 if ((seq_ns != ns) && (seq_ns != ns->parent)) 807 return -EPERM; 808 809 /* Anyone can set any valid project id no capability needed */ 810 return map_write(file, buf, size, ppos, -1, 811 &ns->projid_map, &ns->parent->projid_map); 812 } 813 814 static bool new_idmap_permitted(const struct file *file, 815 struct user_namespace *ns, int cap_setid, 816 struct uid_gid_map *new_map) 817 { 818 const struct cred *cred = file->f_cred; 819 /* Don't allow mappings that would allow anything that wouldn't 820 * be allowed without the establishment of unprivileged mappings. 821 */ 822 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && 823 uid_eq(ns->owner, cred->euid)) { 824 u32 id = new_map->extent[0].lower_first; 825 if (cap_setid == CAP_SETUID) { 826 kuid_t uid = make_kuid(ns->parent, id); 827 if (uid_eq(uid, cred->euid)) 828 return true; 829 } else if (cap_setid == CAP_SETGID) { 830 kgid_t gid = make_kgid(ns->parent, id); 831 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) && 832 gid_eq(gid, cred->egid)) 833 return true; 834 } 835 } 836 837 /* Allow anyone to set a mapping that doesn't require privilege */ 838 if (!cap_valid(cap_setid)) 839 return true; 840 841 /* Allow the specified ids if we have the appropriate capability 842 * (CAP_SETUID or CAP_SETGID) over the parent user namespace. 843 * And the opener of the id file also had the approprpiate capability. 844 */ 845 if (ns_capable(ns->parent, cap_setid) && 846 file_ns_capable(file, ns->parent, cap_setid)) 847 return true; 848 849 return false; 850 } 851 852 int proc_setgroups_show(struct seq_file *seq, void *v) 853 { 854 struct user_namespace *ns = seq->private; 855 unsigned long userns_flags = ACCESS_ONCE(ns->flags); 856 857 seq_printf(seq, "%s\n", 858 (userns_flags & USERNS_SETGROUPS_ALLOWED) ? 859 "allow" : "deny"); 860 return 0; 861 } 862 863 ssize_t proc_setgroups_write(struct file *file, const char __user *buf, 864 size_t count, loff_t *ppos) 865 { 866 struct seq_file *seq = file->private_data; 867 struct user_namespace *ns = seq->private; 868 char kbuf[8], *pos; 869 bool setgroups_allowed; 870 ssize_t ret; 871 872 /* Only allow a very narrow range of strings to be written */ 873 ret = -EINVAL; 874 if ((*ppos != 0) || (count >= sizeof(kbuf))) 875 goto out; 876 877 /* What was written? */ 878 ret = -EFAULT; 879 if (copy_from_user(kbuf, buf, count)) 880 goto out; 881 kbuf[count] = '\0'; 882 pos = kbuf; 883 884 /* What is being requested? */ 885 ret = -EINVAL; 886 if (strncmp(pos, "allow", 5) == 0) { 887 pos += 5; 888 setgroups_allowed = true; 889 } 890 else if (strncmp(pos, "deny", 4) == 0) { 891 pos += 4; 892 setgroups_allowed = false; 893 } 894 else 895 goto out; 896 897 /* Verify there is not trailing junk on the line */ 898 pos = skip_spaces(pos); 899 if (*pos != '\0') 900 goto out; 901 902 ret = -EPERM; 903 mutex_lock(&userns_state_mutex); 904 if (setgroups_allowed) { 905 /* Enabling setgroups after setgroups has been disabled 906 * is not allowed. 907 */ 908 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED)) 909 goto out_unlock; 910 } else { 911 /* Permanently disabling setgroups after setgroups has 912 * been enabled by writing the gid_map is not allowed. 913 */ 914 if (ns->gid_map.nr_extents != 0) 915 goto out_unlock; 916 ns->flags &= ~USERNS_SETGROUPS_ALLOWED; 917 } 918 mutex_unlock(&userns_state_mutex); 919 920 /* Report a successful write */ 921 *ppos = count; 922 ret = count; 923 out: 924 return ret; 925 out_unlock: 926 mutex_unlock(&userns_state_mutex); 927 goto out; 928 } 929 930 bool userns_may_setgroups(const struct user_namespace *ns) 931 { 932 bool allowed; 933 934 mutex_lock(&userns_state_mutex); 935 /* It is not safe to use setgroups until a gid mapping in 936 * the user namespace has been established. 937 */ 938 allowed = ns->gid_map.nr_extents != 0; 939 /* Is setgroups allowed? */ 940 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED); 941 mutex_unlock(&userns_state_mutex); 942 943 return allowed; 944 } 945 946 static void *userns_get(struct task_struct *task) 947 { 948 struct user_namespace *user_ns; 949 950 rcu_read_lock(); 951 user_ns = get_user_ns(__task_cred(task)->user_ns); 952 rcu_read_unlock(); 953 954 return user_ns; 955 } 956 957 static void userns_put(void *ns) 958 { 959 put_user_ns(ns); 960 } 961 962 static int userns_install(struct nsproxy *nsproxy, void *ns) 963 { 964 struct user_namespace *user_ns = ns; 965 struct cred *cred; 966 967 /* Don't allow gaining capabilities by reentering 968 * the same user namespace. 969 */ 970 if (user_ns == current_user_ns()) 971 return -EINVAL; 972 973 /* Threaded processes may not enter a different user namespace */ 974 if (atomic_read(¤t->mm->mm_users) > 1) 975 return -EINVAL; 976 977 if (current->fs->users != 1) 978 return -EINVAL; 979 980 if (!ns_capable(user_ns, CAP_SYS_ADMIN)) 981 return -EPERM; 982 983 cred = prepare_creds(); 984 if (!cred) 985 return -ENOMEM; 986 987 put_user_ns(cred->user_ns); 988 set_cred_user_ns(cred, get_user_ns(user_ns)); 989 990 return commit_creds(cred); 991 } 992 993 static unsigned int userns_inum(void *ns) 994 { 995 struct user_namespace *user_ns = ns; 996 return user_ns->proc_inum; 997 } 998 999 const struct proc_ns_operations userns_operations = { 1000 .name = "user", 1001 .type = CLONE_NEWUSER, 1002 .get = userns_get, 1003 .put = userns_put, 1004 .install = userns_install, 1005 .inum = userns_inum, 1006 }; 1007 1008 static __init int user_namespaces_init(void) 1009 { 1010 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC); 1011 return 0; 1012 } 1013 subsys_initcall(user_namespaces_init); 1014