1 // SPDX-License-Identifier: GPL-2.0-only
3 #include <linux/export.h>
4 #include <linux/nsproxy.h>
5 #include <linux/slab.h>
6 #include <linux/sched/signal.h>
7 #include <linux/user_namespace.h>
8 #include <linux/proc_ns.h>
9 #include <linux/highuid.h>
10 #include <linux/cred.h>
11 #include <linux/securebits.h>
12 #include <linux/security.h>
13 #include <linux/keyctl.h>
14 #include <linux/key-type.h>
15 #include <keys/user-type.h>
16 #include <linux/seq_file.h>
18 #include <linux/uaccess.h>
19 #include <linux/ctype.h>
20 #include <linux/projid.h>
21 #include <linux/fs_struct.h>
22 #include <linux/bsearch.h>
23 #include <linux/sort.h>
25 static struct kmem_cache *user_ns_cachep __ro_after_init;
26 static DEFINE_MUTEX(userns_state_mutex);
28 static bool new_idmap_permitted(const struct file *file,
29 struct user_namespace *ns, int cap_setid,
30 struct uid_gid_map *map);
31 static void free_user_ns(struct work_struct *work);
33 static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
35 return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
38 static void dec_user_namespaces(struct ucounts *ucounts)
40 return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
43 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
45 /* Start with the same capabilities as init but useless for doing
46 * anything as the capabilities are bound to the new user namespace.
48 cred->securebits = SECUREBITS_DEFAULT;
49 cred->cap_inheritable = CAP_EMPTY_SET;
50 cred->cap_permitted = CAP_FULL_SET;
51 cred->cap_effective = CAP_FULL_SET;
52 cred->cap_ambient = CAP_EMPTY_SET;
53 cred->cap_bset = CAP_FULL_SET;
55 key_put(cred->request_key_auth);
56 cred->request_key_auth = NULL;
58 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
59 cred->user_ns = user_ns;
62 static unsigned long enforced_nproc_rlimit(void)
64 unsigned long limit = RLIM_INFINITY;
66 /* Is RLIMIT_NPROC currently enforced? */
67 if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) ||
68 (current_user_ns() != &init_user_ns))
69 limit = rlimit(RLIMIT_NPROC);
75 * Create a new user namespace, deriving the creator from the user in the
76 * passed credentials, and replacing that user with the new root user for the
79 * This is called by copy_creds(), which will finish setting the target task's
82 int create_user_ns(struct cred *new)
84 struct user_namespace *ns, *parent_ns = new->user_ns;
85 kuid_t owner = new->euid;
86 kgid_t group = new->egid;
87 struct ucounts *ucounts;
91 if (parent_ns->level > 32)
94 ucounts = inc_user_namespaces(parent_ns, owner);
99 * Verify that we can not violate the policy of which files
100 * may be accessed that is specified by the root directory,
101 * by verifying that the root directory is at the root of the
102 * mount namespace which allows all files to be accessed.
105 if (current_chrooted())
108 /* The creator needs a mapping in the parent user namespace
109 * or else we won't be able to reasonably tell userspace who
110 * created a user_namespace.
113 if (!kuid_has_mapping(parent_ns, owner) ||
114 !kgid_has_mapping(parent_ns, group))
117 ret = security_create_user_ns(new);
122 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
126 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP);
127 ret = ns_alloc_inum(&ns->ns);
130 ns->ns.ops = &userns_operations;
132 refcount_set(&ns->ns.count, 1);
133 /* Leave the new->user_ns reference with the new user namespace. */
134 ns->parent = parent_ns;
135 ns->level = parent_ns->level + 1;
138 INIT_WORK(&ns->work, free_user_ns);
139 for (i = 0; i < UCOUNT_COUNTS; i++) {
140 ns->ucount_max[i] = INT_MAX;
142 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit());
143 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE));
144 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING));
145 set_userns_rlimit_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK));
146 ns->ucounts = ucounts;
148 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
149 mutex_lock(&userns_state_mutex);
150 ns->flags = parent_ns->flags;
151 mutex_unlock(&userns_state_mutex);
154 INIT_LIST_HEAD(&ns->keyring_name_list);
155 init_rwsem(&ns->keyring_sem);
158 if (!setup_userns_sysctls(ns))
161 set_cred_user_ns(new, ns);
164 #ifdef CONFIG_PERSISTENT_KEYRINGS
165 key_put(ns->persistent_keyring_register);
167 ns_free_inum(&ns->ns);
169 kmem_cache_free(user_ns_cachep, ns);
171 dec_user_namespaces(ucounts);
176 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
181 if (!(unshare_flags & CLONE_NEWUSER))
184 cred = prepare_creds();
186 err = create_user_ns(cred);
196 static void free_user_ns(struct work_struct *work)
198 struct user_namespace *parent, *ns =
199 container_of(work, struct user_namespace, work);
202 struct ucounts *ucounts = ns->ucounts;
204 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
205 kfree(ns->gid_map.forward);
206 kfree(ns->gid_map.reverse);
208 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
209 kfree(ns->uid_map.forward);
210 kfree(ns->uid_map.reverse);
212 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
213 kfree(ns->projid_map.forward);
214 kfree(ns->projid_map.reverse);
216 #if IS_ENABLED(CONFIG_BINFMT_MISC)
217 kfree(ns->binfmt_misc);
219 retire_userns_sysctls(ns);
220 key_free_user_ns(ns);
221 ns_free_inum(&ns->ns);
222 kmem_cache_free(user_ns_cachep, ns);
223 dec_user_namespaces(ucounts);
225 } while (refcount_dec_and_test(&parent->ns.count));
228 void __put_user_ns(struct user_namespace *ns)
230 schedule_work(&ns->work);
232 EXPORT_SYMBOL(__put_user_ns);
235 * struct idmap_key - holds the information necessary to find an idmapping in a
236 * sorted idmap array. It is passed to cmp_map_id() as first argument.
239 bool map_up; /* true -> id from kid; false -> kid from id */
240 u32 id; /* id to find */
245 * cmp_map_id - Function to be passed to bsearch() to find the requested
246 * idmapping. Expects struct idmap_key to be passed via @k.
248 static int cmp_map_id(const void *k, const void *e)
250 u32 first, last, id2;
251 const struct idmap_key *key = k;
252 const struct uid_gid_extent *el = e;
254 id2 = key->id + key->count - 1;
256 /* handle map_id_{down,up}() */
258 first = el->lower_first;
262 last = first + el->count - 1;
264 if (key->id >= first && key->id <= last &&
265 (id2 >= first && id2 <= last))
268 if (key->id < first || id2 < first)
275 * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
276 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
278 static struct uid_gid_extent *
279 map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
281 struct idmap_key key;
287 return bsearch(&key, map->forward, extents,
288 sizeof(struct uid_gid_extent), cmp_map_id);
292 * map_id_range_down_base - Find idmap via binary search in static extent array.
293 * Can only be called if number of mappings is equal or less than
294 * UID_GID_MAP_MAX_BASE_EXTENTS.
296 static struct uid_gid_extent *
297 map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
300 u32 first, last, id2;
302 id2 = id + count - 1;
304 /* Find the matching extent */
305 for (idx = 0; idx < extents; idx++) {
306 first = map->extent[idx].first;
307 last = first + map->extent[idx].count - 1;
308 if (id >= first && id <= last &&
309 (id2 >= first && id2 <= last))
310 return &map->extent[idx];
315 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
317 struct uid_gid_extent *extent;
318 unsigned extents = map->nr_extents;
321 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
322 extent = map_id_range_down_base(extents, map, id, count);
324 extent = map_id_range_down_max(extents, map, id, count);
326 /* Map the id or note failure */
328 id = (id - extent->first) + extent->lower_first;
335 u32 map_id_down(struct uid_gid_map *map, u32 id)
337 return map_id_range_down(map, id, 1);
341 * map_id_up_base - Find idmap via binary search in static extent array.
342 * Can only be called if number of mappings is equal or less than
343 * UID_GID_MAP_MAX_BASE_EXTENTS.
345 static struct uid_gid_extent *
346 map_id_range_up_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
349 u32 first, last, id2;
351 id2 = id + count - 1;
353 /* Find the matching extent */
354 for (idx = 0; idx < extents; idx++) {
355 first = map->extent[idx].lower_first;
356 last = first + map->extent[idx].count - 1;
357 if (id >= first && id <= last &&
358 (id2 >= first && id2 <= last))
359 return &map->extent[idx];
365 * map_id_up_max - Find idmap via binary search in ordered idmap array.
366 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
368 static struct uid_gid_extent *
369 map_id_range_up_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
371 struct idmap_key key;
377 return bsearch(&key, map->reverse, extents,
378 sizeof(struct uid_gid_extent), cmp_map_id);
381 u32 map_id_range_up(struct uid_gid_map *map, u32 id, u32 count)
383 struct uid_gid_extent *extent;
384 unsigned extents = map->nr_extents;
387 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
388 extent = map_id_range_up_base(extents, map, id, count);
390 extent = map_id_range_up_max(extents, map, id, count);
392 /* Map the id or note failure */
394 id = (id - extent->lower_first) + extent->first;
401 u32 map_id_up(struct uid_gid_map *map, u32 id)
403 return map_id_range_up(map, id, 1);
407 * make_kuid - Map a user-namespace uid pair into a kuid.
408 * @ns: User namespace that the uid is in
409 * @uid: User identifier
411 * Maps a user-namespace uid pair into a kernel internal kuid,
412 * and returns that kuid.
414 * When there is no mapping defined for the user-namespace uid
415 * pair INVALID_UID is returned. Callers are expected to test
416 * for and handle INVALID_UID being returned. INVALID_UID
417 * may be tested for using uid_valid().
419 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
421 /* Map the uid to a global kernel uid */
422 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
424 EXPORT_SYMBOL(make_kuid);
427 * from_kuid - Create a uid from a kuid user-namespace pair.
428 * @targ: The user namespace we want a uid in.
429 * @kuid: The kernel internal uid to start with.
431 * Map @kuid into the user-namespace specified by @targ and
432 * return the resulting uid.
434 * There is always a mapping into the initial user_namespace.
436 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
438 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
440 /* Map the uid from a global kernel uid */
441 return map_id_up(&targ->uid_map, __kuid_val(kuid));
443 EXPORT_SYMBOL(from_kuid);
446 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
447 * @targ: The user namespace we want a uid in.
448 * @kuid: The kernel internal uid to start with.
450 * Map @kuid into the user-namespace specified by @targ and
451 * return the resulting uid.
453 * There is always a mapping into the initial user_namespace.
455 * Unlike from_kuid from_kuid_munged never fails and always
456 * returns a valid uid. This makes from_kuid_munged appropriate
457 * for use in syscalls like stat and getuid where failing the
458 * system call and failing to provide a valid uid are not an
461 * If @kuid has no mapping in @targ overflowuid is returned.
463 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
466 uid = from_kuid(targ, kuid);
468 if (uid == (uid_t) -1)
472 EXPORT_SYMBOL(from_kuid_munged);
475 * make_kgid - Map a user-namespace gid pair into a kgid.
476 * @ns: User namespace that the gid is in
477 * @gid: group identifier
479 * Maps a user-namespace gid pair into a kernel internal kgid,
480 * and returns that kgid.
482 * When there is no mapping defined for the user-namespace gid
483 * pair INVALID_GID is returned. Callers are expected to test
484 * for and handle INVALID_GID being returned. INVALID_GID may be
485 * tested for using gid_valid().
487 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
489 /* Map the gid to a global kernel gid */
490 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
492 EXPORT_SYMBOL(make_kgid);
495 * from_kgid - Create a gid from a kgid user-namespace pair.
496 * @targ: The user namespace we want a gid in.
497 * @kgid: The kernel internal gid to start with.
499 * Map @kgid into the user-namespace specified by @targ and
500 * return the resulting gid.
502 * There is always a mapping into the initial user_namespace.
504 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
506 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
508 /* Map the gid from a global kernel gid */
509 return map_id_up(&targ->gid_map, __kgid_val(kgid));
511 EXPORT_SYMBOL(from_kgid);
514 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
515 * @targ: The user namespace we want a gid in.
516 * @kgid: The kernel internal gid to start with.
518 * Map @kgid into the user-namespace specified by @targ and
519 * return the resulting gid.
521 * There is always a mapping into the initial user_namespace.
523 * Unlike from_kgid from_kgid_munged never fails and always
524 * returns a valid gid. This makes from_kgid_munged appropriate
525 * for use in syscalls like stat and getgid where failing the
526 * system call and failing to provide a valid gid are not options.
528 * If @kgid has no mapping in @targ overflowgid is returned.
530 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
533 gid = from_kgid(targ, kgid);
535 if (gid == (gid_t) -1)
539 EXPORT_SYMBOL(from_kgid_munged);
542 * make_kprojid - Map a user-namespace projid pair into a kprojid.
543 * @ns: User namespace that the projid is in
544 * @projid: Project identifier
546 * Maps a user-namespace uid pair into a kernel internal kuid,
547 * and returns that kuid.
549 * When there is no mapping defined for the user-namespace projid
550 * pair INVALID_PROJID is returned. Callers are expected to test
551 * for and handle INVALID_PROJID being returned. INVALID_PROJID
552 * may be tested for using projid_valid().
554 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
556 /* Map the uid to a global kernel uid */
557 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
559 EXPORT_SYMBOL(make_kprojid);
562 * from_kprojid - Create a projid from a kprojid user-namespace pair.
563 * @targ: The user namespace we want a projid in.
564 * @kprojid: The kernel internal project identifier to start with.
566 * Map @kprojid into the user-namespace specified by @targ and
567 * return the resulting projid.
569 * There is always a mapping into the initial user_namespace.
571 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
573 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
575 /* Map the uid from a global kernel uid */
576 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
578 EXPORT_SYMBOL(from_kprojid);
581 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
582 * @targ: The user namespace we want a projid in.
583 * @kprojid: The kernel internal projid to start with.
585 * Map @kprojid into the user-namespace specified by @targ and
586 * return the resulting projid.
588 * There is always a mapping into the initial user_namespace.
590 * Unlike from_kprojid from_kprojid_munged never fails and always
591 * returns a valid projid. This makes from_kprojid_munged
592 * appropriate for use in syscalls like stat and where
593 * failing the system call and failing to provide a valid projid are
596 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
598 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
601 projid = from_kprojid(targ, kprojid);
603 if (projid == (projid_t) -1)
604 projid = OVERFLOW_PROJID;
607 EXPORT_SYMBOL(from_kprojid_munged);
610 static int uid_m_show(struct seq_file *seq, void *v)
612 struct user_namespace *ns = seq->private;
613 struct uid_gid_extent *extent = v;
614 struct user_namespace *lower_ns;
617 lower_ns = seq_user_ns(seq);
618 if ((lower_ns == ns) && lower_ns->parent)
619 lower_ns = lower_ns->parent;
621 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
623 seq_printf(seq, "%10u %10u %10u\n",
631 static int gid_m_show(struct seq_file *seq, void *v)
633 struct user_namespace *ns = seq->private;
634 struct uid_gid_extent *extent = v;
635 struct user_namespace *lower_ns;
638 lower_ns = seq_user_ns(seq);
639 if ((lower_ns == ns) && lower_ns->parent)
640 lower_ns = lower_ns->parent;
642 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
644 seq_printf(seq, "%10u %10u %10u\n",
652 static int projid_m_show(struct seq_file *seq, void *v)
654 struct user_namespace *ns = seq->private;
655 struct uid_gid_extent *extent = v;
656 struct user_namespace *lower_ns;
659 lower_ns = seq_user_ns(seq);
660 if ((lower_ns == ns) && lower_ns->parent)
661 lower_ns = lower_ns->parent;
663 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
665 seq_printf(seq, "%10u %10u %10u\n",
673 static void *m_start(struct seq_file *seq, loff_t *ppos,
674 struct uid_gid_map *map)
677 unsigned extents = map->nr_extents;
683 if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
684 return &map->extent[pos];
686 return &map->forward[pos];
689 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
691 struct user_namespace *ns = seq->private;
693 return m_start(seq, ppos, &ns->uid_map);
696 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
698 struct user_namespace *ns = seq->private;
700 return m_start(seq, ppos, &ns->gid_map);
703 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
705 struct user_namespace *ns = seq->private;
707 return m_start(seq, ppos, &ns->projid_map);
710 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
713 return seq->op->start(seq, pos);
716 static void m_stop(struct seq_file *seq, void *v)
721 const struct seq_operations proc_uid_seq_operations = {
722 .start = uid_m_start,
728 const struct seq_operations proc_gid_seq_operations = {
729 .start = gid_m_start,
735 const struct seq_operations proc_projid_seq_operations = {
736 .start = projid_m_start,
739 .show = projid_m_show,
742 static bool mappings_overlap(struct uid_gid_map *new_map,
743 struct uid_gid_extent *extent)
745 u32 upper_first, lower_first, upper_last, lower_last;
748 upper_first = extent->first;
749 lower_first = extent->lower_first;
750 upper_last = upper_first + extent->count - 1;
751 lower_last = lower_first + extent->count - 1;
753 for (idx = 0; idx < new_map->nr_extents; idx++) {
754 u32 prev_upper_first, prev_lower_first;
755 u32 prev_upper_last, prev_lower_last;
756 struct uid_gid_extent *prev;
758 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
759 prev = &new_map->extent[idx];
761 prev = &new_map->forward[idx];
763 prev_upper_first = prev->first;
764 prev_lower_first = prev->lower_first;
765 prev_upper_last = prev_upper_first + prev->count - 1;
766 prev_lower_last = prev_lower_first + prev->count - 1;
768 /* Does the upper range intersect a previous extent? */
769 if ((prev_upper_first <= upper_last) &&
770 (prev_upper_last >= upper_first))
773 /* Does the lower range intersect a previous extent? */
774 if ((prev_lower_first <= lower_last) &&
775 (prev_lower_last >= lower_first))
782 * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
783 * Takes care to allocate a 4K block of memory if the number of mappings exceeds
784 * UID_GID_MAP_MAX_BASE_EXTENTS.
786 static int insert_extent(struct uid_gid_map *map, struct uid_gid_extent *extent)
788 struct uid_gid_extent *dest;
790 if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) {
791 struct uid_gid_extent *forward;
793 /* Allocate memory for 340 mappings. */
794 forward = kmalloc_array(UID_GID_MAP_MAX_EXTENTS,
795 sizeof(struct uid_gid_extent),
800 /* Copy over memory. Only set up memory for the forward pointer.
801 * Defer the memory setup for the reverse pointer.
803 memcpy(forward, map->extent,
804 map->nr_extents * sizeof(map->extent[0]));
806 map->forward = forward;
810 if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS)
811 dest = &map->extent[map->nr_extents];
813 dest = &map->forward[map->nr_extents];
820 /* cmp function to sort() forward mappings */
821 static int cmp_extents_forward(const void *a, const void *b)
823 const struct uid_gid_extent *e1 = a;
824 const struct uid_gid_extent *e2 = b;
826 if (e1->first < e2->first)
829 if (e1->first > e2->first)
835 /* cmp function to sort() reverse mappings */
836 static int cmp_extents_reverse(const void *a, const void *b)
838 const struct uid_gid_extent *e1 = a;
839 const struct uid_gid_extent *e2 = b;
841 if (e1->lower_first < e2->lower_first)
844 if (e1->lower_first > e2->lower_first)
851 * sort_idmaps - Sorts an array of idmap entries.
852 * Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
854 static int sort_idmaps(struct uid_gid_map *map)
856 if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
859 /* Sort forward array. */
860 sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent),
861 cmp_extents_forward, NULL);
863 /* Only copy the memory from forward we actually need. */
864 map->reverse = kmemdup_array(map->forward, map->nr_extents,
865 sizeof(struct uid_gid_extent), GFP_KERNEL);
869 /* Sort reverse array. */
870 sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent),
871 cmp_extents_reverse, NULL);
877 * verify_root_map() - check the uid 0 mapping
878 * @file: idmapping file
879 * @map_ns: user namespace of the target process
880 * @new_map: requested idmap
882 * If a process requests mapping parent uid 0 into the new ns, verify that the
883 * process writing the map had the CAP_SETFCAP capability as the target process
884 * will be able to write fscaps that are valid in ancestor user namespaces.
886 * Return: true if the mapping is allowed, false if not.
888 static bool verify_root_map(const struct file *file,
889 struct user_namespace *map_ns,
890 struct uid_gid_map *new_map)
893 const struct user_namespace *file_ns = file->f_cred->user_ns;
894 struct uid_gid_extent *extent0 = NULL;
896 for (idx = 0; idx < new_map->nr_extents; idx++) {
897 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
898 extent0 = &new_map->extent[idx];
900 extent0 = &new_map->forward[idx];
901 if (extent0->lower_first == 0)
910 if (map_ns == file_ns) {
911 /* The process unshared its ns and is writing to its own
912 * /proc/self/uid_map. User already has full capabilites in
913 * the new namespace. Verify that the parent had CAP_SETFCAP
916 if (!file_ns->parent_could_setfcap)
919 /* Process p1 is writing to uid_map of p2, who is in a child
920 * user namespace to p1's. Verify that the opener of the map
921 * file has CAP_SETFCAP against the parent of the new map
923 if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP))
930 static ssize_t map_write(struct file *file, const char __user *buf,
931 size_t count, loff_t *ppos,
933 struct uid_gid_map *map,
934 struct uid_gid_map *parent_map)
936 struct seq_file *seq = file->private_data;
937 struct user_namespace *map_ns = seq->private;
938 struct uid_gid_map new_map;
940 struct uid_gid_extent extent;
941 char *kbuf, *pos, *next_line;
944 /* Only allow < page size writes at the beginning of the file */
945 if ((*ppos != 0) || (count >= PAGE_SIZE))
948 /* Slurp in the user data */
949 kbuf = memdup_user_nul(buf, count);
951 return PTR_ERR(kbuf);
954 * The userns_state_mutex serializes all writes to any given map.
956 * Any map is only ever written once.
958 * An id map fits within 1 cache line on most architectures.
960 * On read nothing needs to be done unless you are on an
961 * architecture with a crazy cache coherency model like alpha.
963 * There is a one time data dependency between reading the
964 * count of the extents and the values of the extents. The
965 * desired behavior is to see the values of the extents that
966 * were written before the count of the extents.
968 * To achieve this smp_wmb() is used on guarantee the write
969 * order and smp_rmb() is guaranteed that we don't have crazy
970 * architectures returning stale data.
972 mutex_lock(&userns_state_mutex);
974 memset(&new_map, 0, sizeof(struct uid_gid_map));
977 /* Only allow one successful write to the map */
978 if (map->nr_extents != 0)
982 * Adjusting namespace settings requires capabilities on the target.
984 if (cap_valid(cap_setid) && !file_ns_capable(file, map_ns, CAP_SYS_ADMIN))
987 /* Parse the user data */
990 for (; pos; pos = next_line) {
992 /* Find the end of line and ensure I don't look past it */
993 next_line = strchr(pos, '\n');
997 if (*next_line == '\0')
1001 pos = skip_spaces(pos);
1002 extent.first = simple_strtoul(pos, &pos, 10);
1006 pos = skip_spaces(pos);
1007 extent.lower_first = simple_strtoul(pos, &pos, 10);
1011 pos = skip_spaces(pos);
1012 extent.count = simple_strtoul(pos, &pos, 10);
1013 if (*pos && !isspace(*pos))
1016 /* Verify there is not trailing junk on the line */
1017 pos = skip_spaces(pos);
1021 /* Verify we have been given valid starting values */
1022 if ((extent.first == (u32) -1) ||
1023 (extent.lower_first == (u32) -1))
1026 /* Verify count is not zero and does not cause the
1029 if ((extent.first + extent.count) <= extent.first)
1031 if ((extent.lower_first + extent.count) <=
1035 /* Do the ranges in extent overlap any previous extents? */
1036 if (mappings_overlap(&new_map, &extent))
1039 if ((new_map.nr_extents + 1) == UID_GID_MAP_MAX_EXTENTS &&
1040 (next_line != NULL))
1043 ret = insert_extent(&new_map, &extent);
1048 /* Be very certain the new map actually exists */
1049 if (new_map.nr_extents == 0)
1053 /* Validate the user is allowed to use user id's mapped to. */
1054 if (!new_idmap_permitted(file, map_ns, cap_setid, &new_map))
1058 /* Map the lower ids from the parent user namespace to the
1059 * kernel global id space.
1061 for (idx = 0; idx < new_map.nr_extents; idx++) {
1062 struct uid_gid_extent *e;
1065 if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
1066 e = &new_map.extent[idx];
1068 e = &new_map.forward[idx];
1070 lower_first = map_id_range_down(parent_map,
1074 /* Fail if we can not map the specified extent to
1075 * the kernel global id space.
1077 if (lower_first == (u32) -1)
1080 e->lower_first = lower_first;
1084 * If we want to use binary search for lookup, this clones the extent
1085 * array and sorts both copies.
1087 ret = sort_idmaps(&new_map);
1091 /* Install the map */
1092 if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
1093 memcpy(map->extent, new_map.extent,
1094 new_map.nr_extents * sizeof(new_map.extent[0]));
1096 map->forward = new_map.forward;
1097 map->reverse = new_map.reverse;
1100 map->nr_extents = new_map.nr_extents;
1105 if (ret < 0 && new_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
1106 kfree(new_map.forward);
1107 kfree(new_map.reverse);
1108 map->forward = NULL;
1109 map->reverse = NULL;
1110 map->nr_extents = 0;
1113 mutex_unlock(&userns_state_mutex);
1118 ssize_t proc_uid_map_write(struct file *file, const char __user *buf,
1119 size_t size, loff_t *ppos)
1121 struct seq_file *seq = file->private_data;
1122 struct user_namespace *ns = seq->private;
1123 struct user_namespace *seq_ns = seq_user_ns(seq);
1128 if ((seq_ns != ns) && (seq_ns != ns->parent))
1131 return map_write(file, buf, size, ppos, CAP_SETUID,
1132 &ns->uid_map, &ns->parent->uid_map);
1135 ssize_t proc_gid_map_write(struct file *file, const char __user *buf,
1136 size_t size, loff_t *ppos)
1138 struct seq_file *seq = file->private_data;
1139 struct user_namespace *ns = seq->private;
1140 struct user_namespace *seq_ns = seq_user_ns(seq);
1145 if ((seq_ns != ns) && (seq_ns != ns->parent))
1148 return map_write(file, buf, size, ppos, CAP_SETGID,
1149 &ns->gid_map, &ns->parent->gid_map);
1152 ssize_t proc_projid_map_write(struct file *file, const char __user *buf,
1153 size_t size, loff_t *ppos)
1155 struct seq_file *seq = file->private_data;
1156 struct user_namespace *ns = seq->private;
1157 struct user_namespace *seq_ns = seq_user_ns(seq);
1162 if ((seq_ns != ns) && (seq_ns != ns->parent))
1165 /* Anyone can set any valid project id no capability needed */
1166 return map_write(file, buf, size, ppos, -1,
1167 &ns->projid_map, &ns->parent->projid_map);
1170 static bool new_idmap_permitted(const struct file *file,
1171 struct user_namespace *ns, int cap_setid,
1172 struct uid_gid_map *new_map)
1174 const struct cred *cred = file->f_cred;
1176 if (cap_setid == CAP_SETUID && !verify_root_map(file, ns, new_map))
1179 /* Don't allow mappings that would allow anything that wouldn't
1180 * be allowed without the establishment of unprivileged mappings.
1182 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
1183 uid_eq(ns->owner, cred->euid)) {
1184 u32 id = new_map->extent[0].lower_first;
1185 if (cap_setid == CAP_SETUID) {
1186 kuid_t uid = make_kuid(ns->parent, id);
1187 if (uid_eq(uid, cred->euid))
1189 } else if (cap_setid == CAP_SETGID) {
1190 kgid_t gid = make_kgid(ns->parent, id);
1191 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
1192 gid_eq(gid, cred->egid))
1197 /* Allow anyone to set a mapping that doesn't require privilege */
1198 if (!cap_valid(cap_setid))
1201 /* Allow the specified ids if we have the appropriate capability
1202 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
1203 * And the opener of the id file also has the appropriate capability.
1205 if (ns_capable(ns->parent, cap_setid) &&
1206 file_ns_capable(file, ns->parent, cap_setid))
1212 int proc_setgroups_show(struct seq_file *seq, void *v)
1214 struct user_namespace *ns = seq->private;
1215 unsigned long userns_flags = READ_ONCE(ns->flags);
1217 seq_printf(seq, "%s\n",
1218 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
1223 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
1224 size_t count, loff_t *ppos)
1226 struct seq_file *seq = file->private_data;
1227 struct user_namespace *ns = seq->private;
1229 bool setgroups_allowed;
1232 /* Only allow a very narrow range of strings to be written */
1234 if ((*ppos != 0) || (count >= sizeof(kbuf)))
1237 /* What was written? */
1239 if (copy_from_user(kbuf, buf, count))
1244 /* What is being requested? */
1246 if (strncmp(pos, "allow", 5) == 0) {
1248 setgroups_allowed = true;
1250 else if (strncmp(pos, "deny", 4) == 0) {
1252 setgroups_allowed = false;
1257 /* Verify there is not trailing junk on the line */
1258 pos = skip_spaces(pos);
1263 mutex_lock(&userns_state_mutex);
1264 if (setgroups_allowed) {
1265 /* Enabling setgroups after setgroups has been disabled
1268 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
1271 /* Permanently disabling setgroups after setgroups has
1272 * been enabled by writing the gid_map is not allowed.
1274 if (ns->gid_map.nr_extents != 0)
1276 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
1278 mutex_unlock(&userns_state_mutex);
1280 /* Report a successful write */
1286 mutex_unlock(&userns_state_mutex);
1290 bool userns_may_setgroups(const struct user_namespace *ns)
1294 mutex_lock(&userns_state_mutex);
1295 /* It is not safe to use setgroups until a gid mapping in
1296 * the user namespace has been established.
1298 allowed = ns->gid_map.nr_extents != 0;
1299 /* Is setgroups allowed? */
1300 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
1301 mutex_unlock(&userns_state_mutex);
1307 * Returns true if @child is the same namespace or a descendant of
1310 bool in_userns(const struct user_namespace *ancestor,
1311 const struct user_namespace *child)
1313 const struct user_namespace *ns;
1314 for (ns = child; ns->level > ancestor->level; ns = ns->parent)
1316 return (ns == ancestor);
1319 bool current_in_userns(const struct user_namespace *target_ns)
1321 return in_userns(target_ns, current_user_ns());
1323 EXPORT_SYMBOL(current_in_userns);
1325 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
1327 return container_of(ns, struct user_namespace, ns);
1330 static struct ns_common *userns_get(struct task_struct *task)
1332 struct user_namespace *user_ns;
1335 user_ns = get_user_ns(__task_cred(task)->user_ns);
1338 return user_ns ? &user_ns->ns : NULL;
1341 static void userns_put(struct ns_common *ns)
1343 put_user_ns(to_user_ns(ns));
1346 static int userns_install(struct nsset *nsset, struct ns_common *ns)
1348 struct user_namespace *user_ns = to_user_ns(ns);
1351 /* Don't allow gaining capabilities by reentering
1352 * the same user namespace.
1354 if (user_ns == current_user_ns())
1357 /* Tasks that share a thread group must share a user namespace */
1358 if (!thread_group_empty(current))
1361 if (current->fs->users != 1)
1364 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1367 cred = nsset_cred(nsset);
1371 put_user_ns(cred->user_ns);
1372 set_cred_user_ns(cred, get_user_ns(user_ns));
1374 if (set_cred_ucounts(cred) < 0)
1380 struct ns_common *ns_get_owner(struct ns_common *ns)
1382 struct user_namespace *my_user_ns = current_user_ns();
1383 struct user_namespace *owner, *p;
1385 /* See if the owner is in the current user namespace */
1386 owner = p = ns->ops->owner(ns);
1389 return ERR_PTR(-EPERM);
1390 if (p == my_user_ns)
1395 return &get_user_ns(owner)->ns;
1398 static struct user_namespace *userns_owner(struct ns_common *ns)
1400 return to_user_ns(ns)->parent;
1403 const struct proc_ns_operations userns_operations = {
1405 .type = CLONE_NEWUSER,
1408 .install = userns_install,
1409 .owner = userns_owner,
1410 .get_parent = ns_get_owner,
1413 static __init int user_namespaces_init(void)
1415 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC | SLAB_ACCOUNT);
1418 subsys_initcall(user_namespaces_init);
projects / linux-block.git / blob