user_namespace.c source code [linux/kernel/user_namespace.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2
3	#include <linux/export.h>
4	#include <linux/nsproxy.h>
5	#include <linux/slab.h>
6	#include <linux/sched/signal.h>
7	#include <linux/user_namespace.h>
8	#include <linux/proc_ns.h>
9	#include <linux/highuid.h>
10	#include <linux/cred.h>
11	#include <linux/securebits.h>
12	#include <linux/security.h>
13	#include <linux/keyctl.h>
14	#include <linux/key-type.h>
15	#include <keys/user-type.h>
16	#include <linux/seq_file.h>
17	#include <linux/fs.h>
18	#include <linux/uaccess.h>
19	#include <linux/ctype.h>
20	#include <linux/projid.h>
21	#include <linux/fs_struct.h>
22	#include <linux/bsearch.h>
23	#include <linux/sort.h>
24
25	static struct kmem_cache *user_ns_cachep __ro_after_init;
26	static DEFINE_MUTEX(userns_state_mutex);
27
28	static bool new_idmap_permitted(const struct file *file,
29	struct user_namespace ns, int* cap_setid,
30	struct uid_gid_map *map);
31	static void free_user_ns(struct work_struct *work);
32
33	static struct ucounts inc_user_namespaces(struct* user_namespace *ns, kuid_t uid)
34	{
35	return inc_ucount(ns, uid, type: UCOUNT_USER_NAMESPACES);
36	}
37
38	static void dec_user_namespaces(struct ucounts *ucounts)
39	{
40	return dec_ucount(ucounts, type: UCOUNT_USER_NAMESPACES);
41	}
42
43	static void set_cred_user_ns(struct cred cred, struct* user_namespace *user_ns)
44	{
45	/ Start with the same capabilities as init but useless for doing*
46	* anything as the capabilities are bound to the new user namespace.
47	*/
48	cred->securebits = SECUREBITS_DEFAULT;
49	cred->cap_inheritable = CAP_EMPTY_SET;
50	cred->cap_permitted = CAP_FULL_SET;
51	cred->cap_effective = CAP_FULL_SET;
52	cred->cap_ambient = CAP_EMPTY_SET;
53	cred->cap_bset = CAP_FULL_SET;
54	#ifdef CONFIG_KEYS
55	key_put(cred->request_key_auth);
56	cred->request_key_auth = NULL;
57	#endif
58	/ tgcred will be cleared in our caller bc CLONE_THREAD won't be set /
59	cred->user_ns = user_ns;
60	}
61
62	static unsigned long enforced_nproc_rlimit(void)
63	{
64	unsigned long limit = RLIM_INFINITY;
65
66	/ Is RLIMIT_NPROC currently enforced? /
67	if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) \|\|
68	(current_user_ns() != &init_user_ns))
69	limit = rlimit(RLIMIT_NPROC);
70
71	return limit;
72	}
73
74	/*
75	* Create a new user namespace, deriving the creator from the user in the
76	* passed credentials, and replacing that user with the new root user for the
77	* new namespace.
78	*
79	* This is called by copy_creds(), which will finish setting the target task's
80	* credentials.
81	*/
82	int create_user_ns(struct cred *new)
83	{
84	struct user_namespace ns, parent_ns = new->user_ns;
85	kuid_t owner = new->euid;
86	kgid_t group = new->egid;
87	struct ucounts *ucounts;
88	int ret, i;
89
90	ret = -ENOSPC;
91	if (parent_ns->level > `32`)
92	goto fail;
93
94	ucounts = inc_user_namespaces(ns: parent_ns, uid: owner);
95	if (!ucounts)
96	goto fail;
97
98	/*
99	* Verify that we can not violate the policy of which files
100	* may be accessed that is specified by the root directory,
101	* by verifying that the root directory is at the root of the
102	* mount namespace which allows all files to be accessed.
103	*/
104	ret = -EPERM;
105	if (current_chrooted())
106	goto fail_dec;
107
108	/ The creator needs a mapping in the parent user namespace*
109	* or else we won't be able to reasonably tell userspace who
110	* created a user_namespace.
111	*/
112	ret = -EPERM;
113	if (!kuid_has_mapping(ns: parent_ns, uid: owner) \|\|
114	!kgid_has_mapping(ns: parent_ns, gid: group))
115	goto fail_dec;
116
117	ret = security_create_user_ns(cred: new);
118	if (ret < `0`)
119	goto fail_dec;
120
121	ret = -ENOMEM;
122	ns = kmem_cache_zalloc(k: user_ns_cachep, GFP_KERNEL);
123	if (!ns)
124	goto fail_dec;
125
126	ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP);
127	ret = ns_alloc_inum(ns: &ns->ns);
128	if (ret)
129	goto fail_free;
130	ns->ns.ops = &userns_operations;
131
132	refcount_set(r: &ns->ns.count, n: `1`);
133	/ Leave the new->user_ns reference with the new user namespace. /
134	ns->parent = parent_ns;
135	ns->level = parent_ns->level + `1`;
136	ns->owner = owner;
137	ns->group = group;
138	INIT_WORK(&ns->work, free_user_ns);
139	for (i = `0`; i < UCOUNT_COUNTS; i++) {
140	ns->ucount_max[i] = INT_MAX;
141	}
142	set_userns_rlimit_max(ns, type: UCOUNT_RLIMIT_NPROC, max: enforced_nproc_rlimit());
143	set_userns_rlimit_max(ns, type: UCOUNT_RLIMIT_MSGQUEUE, max: rlimit(RLIMIT_MSGQUEUE));
144	set_userns_rlimit_max(ns, type: UCOUNT_RLIMIT_SIGPENDING, max: rlimit(RLIMIT_SIGPENDING));
145	set_userns_rlimit_max(ns, type: UCOUNT_RLIMIT_MEMLOCK, max: rlimit(RLIMIT_MEMLOCK));
146	ns->ucounts = ucounts;
147
148	/ Inherit USERNS_SETGROUPS_ALLOWED from our parent /
149	mutex_lock(&userns_state_mutex);
150	ns->flags = parent_ns->flags;
151	mutex_unlock(lock: &userns_state_mutex);
152
153	#ifdef CONFIG_KEYS
154	INIT_LIST_HEAD(list: &ns->keyring_name_list);
155	init_rwsem(&ns->keyring_sem);
156	#endif
157	ret = -ENOMEM;
158	if (!setup_userns_sysctls(ns))
159	goto fail_keyring;
160
161	set_cred_user_ns(cred: new, user_ns: ns);
162	return `0`;
163	fail_keyring:
164	#ifdef CONFIG_PERSISTENT_KEYRINGS
165	key_put(key: ns->persistent_keyring_register);
166	#endif
167	ns_free_inum(&ns->ns);
168	fail_free:
169	kmem_cache_free(s: user_ns_cachep, objp: ns);
170	fail_dec:
171	dec_user_namespaces(ucounts);
172	fail:
173	return ret;
174	}
175
176	int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
177	{
178	struct cred *cred;
179	int err = -ENOMEM;
180
181	if (!(unshare_flags & CLONE_NEWUSER))
182	return `0`;
183
184	cred = prepare_creds();
185	if (cred) {
186	err = create_user_ns(new: cred);
187	if (err)
188	put_cred(cred);
189	else
190	*new_cred = cred;
191	}
192
193	return err;
194	}
195
196	static void free_user_ns(struct work_struct *work)
197	{
198	struct user_namespace parent, ns =
199	container_of(work, struct user_namespace, work);
200
201	do {
202	struct ucounts *ucounts = ns->ucounts;
203	parent = ns->parent;
204	if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
205	kfree(objp: ns->gid_map.forward);
206	kfree(objp: ns->gid_map.reverse);
207	}
208	if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
209	kfree(objp: ns->uid_map.forward);
210	kfree(objp: ns->uid_map.reverse);
211	}
212	if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
213	kfree(objp: ns->projid_map.forward);
214	kfree(objp: ns->projid_map.reverse);
215	}
216	#if IS_ENABLED(CONFIG_BINFMT_MISC)
217	kfree(objp: ns->binfmt_misc);
218	#endif
219	retire_userns_sysctls(ns);
220	key_free_user_ns(ns);
221	ns_free_inum(&ns->ns);
222	kmem_cache_free(s: user_ns_cachep, objp: ns);
223	dec_user_namespaces(ucounts);
224	ns = parent;
225	} while (refcount_dec_and_test(r: &parent->ns.count));
226	}
227
228	void __put_user_ns(struct user_namespace *ns)
229	{
230	schedule_work(work: &ns->work);
231	}
232	EXPORT_SYMBOL(__put_user_ns);
233
234	/*
235	* struct idmap_key - holds the information necessary to find an idmapping in a
236	* sorted idmap array. It is passed to cmp_map_id() as first argument.
237	*/
238	struct idmap_key {
239	bool map_up; / true -> id from kid; false -> kid from id /
240	u32 id; / id to find /
241	u32 count; / == 0 unless used with map_id_range_down() /
242	};
243
244	/*
245	* cmp_map_id - Function to be passed to bsearch() to find the requested
246	* idmapping. Expects struct idmap_key to be passed via @k.
247	*/
248	static int cmp_map_id(const void k, const* void *e)
249	{
250	u32 first, last, id2;
251	const struct idmap_key *key = k;
252	const struct uid_gid_extent *el = e;
253
254	id2 = key->id + key->count - `1`;
255
256	/ handle map_id_{down,up}() /
257	if (key->map_up)
258	first = el->lower_first;
259	else
260	first = el->first;
261
262	last = first + el->count - `1`;
263
264	if (key->id >= first && key->id <= last &&
265	(id2 >= first && id2 <= last))
266	return `0`;
267
268	if (key->id < first \|\| id2 < first)
269	return -`1`;
270
271	return `1`;
272	}
273
274	/*
275	* map_id_range_down_max - Find idmap via binary search in ordered idmap array.
276	* Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
277	*/
278	static struct uid_gid_extent *
279	map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
280	{
281	struct idmap_key key;
282
283	key.map_up = false;
284	key.count = count;
285	key.id = id;
286
287	return bsearch(key: &key, base: map->forward, num: extents,
288	size: sizeof(struct uid_gid_extent), cmp: cmp_map_id);
289	}
290
291	/*
292	* map_id_range_down_base - Find idmap via binary search in static extent array.
293	* Can only be called if number of mappings is equal or less than
294	* UID_GID_MAP_MAX_BASE_EXTENTS.
295	*/
296	static struct uid_gid_extent *
297	map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count)
298	{
299	unsigned idx;
300	u32 first, last, id2;
301
302	id2 = id + count - `1`;
303
304	/ Find the matching extent /
305	for (idx = `0`; idx < extents; idx++) {
306	first = map->extent[idx].first;
307	last = first + map->extent[idx].count - `1`;
308	if (id >= first && id <= last &&
309	(id2 >= first && id2 <= last))
310	return &map->extent[idx];
311	}
312	return NULL;
313	}
314
315	static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
316	{
317	struct uid_gid_extent *extent;
318	unsigned extents = map->nr_extents;
319	smp_rmb();
320
321	if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
322	extent = map_id_range_down_base(extents, map, id, count);
323	else
324	extent = map_id_range_down_max(extents, map, id, count);
325
326	/ Map the id or note failure /
327	if (extent)
328	id = (id - extent->first) + extent->lower_first;
329	else
330	id = (u32) -`1`;
331
332	return id;
333	}
334
335	u32 map_id_down(struct uid_gid_map *map, u32 id)
336	{
337	return map_id_range_down(map, id, count: `1`);
338	}
339
340	/*
341	* map_id_up_base - Find idmap via binary search in static extent array.
342	* Can only be called if number of mappings is equal or less than
343	* UID_GID_MAP_MAX_BASE_EXTENTS.
344	*/
345	static struct uid_gid_extent *
346	map_id_up_base(unsigned extents, struct uid_gid_map *map, u32 id)
347	{
348	unsigned idx;
349	u32 first, last;
350
351	/ Find the matching extent /
352	for (idx = `0`; idx < extents; idx++) {
353	first = map->extent[idx].lower_first;
354	last = first + map->extent[idx].count - `1`;
355	if (id >= first && id <= last)
356	return &map->extent[idx];
357	}
358	return NULL;
359	}
360
361	/*
362	* map_id_up_max - Find idmap via binary search in ordered idmap array.
363	* Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
364	*/
365	static struct uid_gid_extent *
366	map_id_up_max(unsigned extents, struct uid_gid_map *map, u32 id)
367	{
368	struct idmap_key key;
369
370	key.map_up = true;
371	key.count = `1`;
372	key.id = id;
373
374	return bsearch(key: &key, base: map->reverse, num: extents,
375	size: sizeof(struct uid_gid_extent), cmp: cmp_map_id);
376	}
377
378	u32 map_id_up(struct uid_gid_map *map, u32 id)
379	{
380	struct uid_gid_extent *extent;
381	unsigned extents = map->nr_extents;
382	smp_rmb();
383
384	if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
385	extent = map_id_up_base(extents, map, id);
386	else
387	extent = map_id_up_max(extents, map, id);
388
389	/ Map the id or note failure /
390	if (extent)
391	id = (id - extent->lower_first) + extent->first;
392	else
393	id = (u32) -`1`;
394
395	return id;
396	}
397
398	/**
399	* make_kuid - Map a user-namespace uid pair into a kuid.
400	* @ns: User namespace that the uid is in
401	* @uid: User identifier
402	*
403	* Maps a user-namespace uid pair into a kernel internal kuid,
404	* and returns that kuid.
405	*
406	* When there is no mapping defined for the user-namespace uid
407	* pair INVALID_UID is returned. Callers are expected to test
408	* for and handle INVALID_UID being returned. INVALID_UID
409	* may be tested for using uid_valid().
410	*/
411	kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
412	{
413	/ Map the uid to a global kernel uid /
414	return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
415	}
416	EXPORT_SYMBOL(make_kuid);
417
418	/**
419	* from_kuid - Create a uid from a kuid user-namespace pair.
420	* @targ: The user namespace we want a uid in.
421	* @kuid: The kernel internal uid to start with.
422	*
423	* Map @kuid into the user-namespace specified by @targ and
424	* return the resulting uid.
425	*
426	* There is always a mapping into the initial user_namespace.
427	*
428	* If @kuid has no mapping in @targ (uid_t)-1 is returned.
429	*/
430	uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
431	{
432	/ Map the uid from a global kernel uid /
433	return map_id_up(map: &targ->uid_map, id: __kuid_val(uid: kuid));
434	}
435	EXPORT_SYMBOL(from_kuid);
436
437	/**
438	* from_kuid_munged - Create a uid from a kuid user-namespace pair.
439	* @targ: The user namespace we want a uid in.
440	* @kuid: The kernel internal uid to start with.
441	*
442	* Map @kuid into the user-namespace specified by @targ and
443	* return the resulting uid.
444	*
445	* There is always a mapping into the initial user_namespace.
446	*
447	* Unlike from_kuid from_kuid_munged never fails and always
448	* returns a valid uid. This makes from_kuid_munged appropriate
449	* for use in syscalls like stat and getuid where failing the
450	* system call and failing to provide a valid uid are not an
451	* options.
452	*
453	* If @kuid has no mapping in @targ overflowuid is returned.
454	*/
455	uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
456	{
457	uid_t uid;
458	uid = from_kuid(targ, kuid);
459
460	if (uid == (uid_t) -`1`)
461	uid = overflowuid;
462	return uid;
463	}
464	EXPORT_SYMBOL(from_kuid_munged);
465
466	/**
467	* make_kgid - Map a user-namespace gid pair into a kgid.
468	* @ns: User namespace that the gid is in
469	* @gid: group identifier
470	*
471	* Maps a user-namespace gid pair into a kernel internal kgid,
472	* and returns that kgid.
473	*
474	* When there is no mapping defined for the user-namespace gid
475	* pair INVALID_GID is returned. Callers are expected to test
476	* for and handle INVALID_GID being returned. INVALID_GID may be
477	* tested for using gid_valid().
478	*/
479	kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
480	{
481	/ Map the gid to a global kernel gid /
482	return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
483	}
484	EXPORT_SYMBOL(make_kgid);
485
486	/**
487	* from_kgid - Create a gid from a kgid user-namespace pair.
488	* @targ: The user namespace we want a gid in.
489	* @kgid: The kernel internal gid to start with.
490	*
491	* Map @kgid into the user-namespace specified by @targ and
492	* return the resulting gid.
493	*
494	* There is always a mapping into the initial user_namespace.
495	*
496	* If @kgid has no mapping in @targ (gid_t)-1 is returned.
497	*/
498	gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
499	{
500	/ Map the gid from a global kernel gid /
501	return map_id_up(map: &targ->gid_map, id: __kgid_val(gid: kgid));
502	}
503	EXPORT_SYMBOL(from_kgid);
504
505	/**
506	* from_kgid_munged - Create a gid from a kgid user-namespace pair.
507	* @targ: The user namespace we want a gid in.
508	* @kgid: The kernel internal gid to start with.
509	*
510	* Map @kgid into the user-namespace specified by @targ and
511	* return the resulting gid.
512	*
513	* There is always a mapping into the initial user_namespace.
514	*
515	* Unlike from_kgid from_kgid_munged never fails and always
516	* returns a valid gid. This makes from_kgid_munged appropriate
517	* for use in syscalls like stat and getgid where failing the
518	* system call and failing to provide a valid gid are not options.
519	*
520	* If @kgid has no mapping in @targ overflowgid is returned.
521	*/
522	gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
523	{
524	gid_t gid;
525	gid = from_kgid(targ, kgid);
526
527	if (gid == (gid_t) -`1`)
528	gid = overflowgid;
529	return gid;
530	}
531	EXPORT_SYMBOL(from_kgid_munged);
532
533	/**
534	* make_kprojid - Map a user-namespace projid pair into a kprojid.
535	* @ns: User namespace that the projid is in
536	* @projid: Project identifier
537	*
538	* Maps a user-namespace uid pair into a kernel internal kuid,
539	* and returns that kuid.
540	*
541	* When there is no mapping defined for the user-namespace projid
542	* pair INVALID_PROJID is returned. Callers are expected to test
543	* for and handle INVALID_PROJID being returned. INVALID_PROJID
544	* may be tested for using projid_valid().
545	*/
546	kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
547	{
548	/ Map the uid to a global kernel uid /
549	return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
550	}
551	EXPORT_SYMBOL(make_kprojid);
552
553	/**
554	* from_kprojid - Create a projid from a kprojid user-namespace pair.
555	* @targ: The user namespace we want a projid in.
556	* @kprojid: The kernel internal project identifier to start with.
557	*
558	* Map @kprojid into the user-namespace specified by @targ and
559	* return the resulting projid.
560	*
561	* There is always a mapping into the initial user_namespace.
562	*
563	* If @kprojid has no mapping in @targ (projid_t)-1 is returned.
564	*/
565	projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
566	{
567	/ Map the uid from a global kernel uid /
568	return map_id_up(map: &targ->projid_map, id: __kprojid_val(projid: kprojid));
569	}
570	EXPORT_SYMBOL(from_kprojid);
571
572	/**
573	* from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
574	* @targ: The user namespace we want a projid in.
575	* @kprojid: The kernel internal projid to start with.
576	*
577	* Map @kprojid into the user-namespace specified by @targ and
578	* return the resulting projid.
579	*
580	* There is always a mapping into the initial user_namespace.
581	*
582	* Unlike from_kprojid from_kprojid_munged never fails and always
583	* returns a valid projid. This makes from_kprojid_munged
584	* appropriate for use in syscalls like stat and where
585	* failing the system call and failing to provide a valid projid are
586	* not an options.
587	*
588	* If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
589	*/
590	projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
591	{
592	projid_t projid;
593	projid = from_kprojid(targ, kprojid);
594
595	if (projid == (projid_t) -`1`)
596	projid = OVERFLOW_PROJID;
597	return projid;
598	}
599	EXPORT_SYMBOL(from_kprojid_munged);
600
601
602	static int uid_m_show(struct seq_file seq, void* *v)
603	{
604	struct user_namespace *ns = seq->private;
605	struct uid_gid_extent *extent = v;
606	struct user_namespace *lower_ns;
607	uid_t lower;
608
609	lower_ns = seq_user_ns(seq);
610	if ((lower_ns == ns) && lower_ns->parent)
611	lower_ns = lower_ns->parent;
612
613	lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
614
615	seq_printf(m: seq, fmt: "%10u %10u %10u\n",
616	extent->first,
617	lower,
618	extent->count);
619
620	return `0`;
621	}
622
623	static int gid_m_show(struct seq_file seq, void* *v)
624	{
625	struct user_namespace *ns = seq->private;
626	struct uid_gid_extent *extent = v;
627	struct user_namespace *lower_ns;
628	gid_t lower;
629
630	lower_ns = seq_user_ns(seq);
631	if ((lower_ns == ns) && lower_ns->parent)
632	lower_ns = lower_ns->parent;
633
634	lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
635
636	seq_printf(m: seq, fmt: "%10u %10u %10u\n",
637	extent->first,
638	lower,
639	extent->count);
640
641	return `0`;
642	}
643
644	static int projid_m_show(struct seq_file seq, void* *v)
645	{
646	struct user_namespace *ns = seq->private;
647	struct uid_gid_extent *extent = v;
648	struct user_namespace *lower_ns;
649	projid_t lower;
650
651	lower_ns = seq_user_ns(seq);
652	if ((lower_ns == ns) && lower_ns->parent)
653	lower_ns = lower_ns->parent;
654
655	lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
656
657	seq_printf(m: seq, fmt: "%10u %10u %10u\n",
658	extent->first,
659	lower,
660	extent->count);
661
662	return `0`;
663	}
664
665	static void m_start(struct* seq_file seq, loff_t ppos,
666	struct uid_gid_map *map)
667	{
668	loff_t pos = *ppos;
669	unsigned extents = map->nr_extents;
670	smp_rmb();
671
672	if (pos >= extents)
673	return NULL;
674
675	if (extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
676	return &map->extent[pos];
677
678	return &map->forward[pos];
679	}
680
681	static void uid_m_start(struct* seq_file seq, loff_t ppos)
682	{
683	struct user_namespace *ns = seq->private;
684
685	return m_start(seq, ppos, map: &ns->uid_map);
686	}
687
688	static void gid_m_start(struct* seq_file seq, loff_t ppos)
689	{
690	struct user_namespace *ns = seq->private;
691
692	return m_start(seq, ppos, map: &ns->gid_map);
693	}
694
695	static void projid_m_start(struct* seq_file seq, loff_t ppos)
696	{
697	struct user_namespace *ns = seq->private;
698
699	return m_start(seq, ppos, map: &ns->projid_map);
700	}
701
702	static void m_next(struct* seq_file seq, void* v, loff_t pos)
703	{
704	(*pos)++;
705	return seq->op->start(seq, pos);
706	}
707
708	static void m_stop(struct seq_file seq, void* *v)
709	{
710	return;
711	}
712
713	const struct seq_operations proc_uid_seq_operations = {
714	.start = uid_m_start,
715	.stop = m_stop,
716	.next = m_next,
717	.show = uid_m_show,
718	};
719
720	const struct seq_operations proc_gid_seq_operations = {
721	.start = gid_m_start,
722	.stop = m_stop,
723	.next = m_next,
724	.show = gid_m_show,
725	};
726
727	const struct seq_operations proc_projid_seq_operations = {
728	.start = projid_m_start,
729	.stop = m_stop,
730	.next = m_next,
731	.show = projid_m_show,
732	};
733
734	static bool mappings_overlap(struct uid_gid_map *new_map,
735	struct uid_gid_extent *extent)
736	{
737	u32 upper_first, lower_first, upper_last, lower_last;
738	unsigned idx;
739
740	upper_first = extent->first;
741	lower_first = extent->lower_first;
742	upper_last = upper_first + extent->count - `1`;
743	lower_last = lower_first + extent->count - `1`;
744
745	for (idx = `0`; idx < new_map->nr_extents; idx++) {
746	u32 prev_upper_first, prev_lower_first;
747	u32 prev_upper_last, prev_lower_last;
748	struct uid_gid_extent *prev;
749
750	if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
751	prev = &new_map->extent[idx];
752	else
753	prev = &new_map->forward[idx];
754
755	prev_upper_first = prev->first;
756	prev_lower_first = prev->lower_first;
757	prev_upper_last = prev_upper_first + prev->count - `1`;
758	prev_lower_last = prev_lower_first + prev->count - `1`;
759
760	/ Does the upper range intersect a previous extent? /
761	if ((prev_upper_first <= upper_last) &&
762	(prev_upper_last >= upper_first))
763	return true;
764
765	/ Does the lower range intersect a previous extent? /
766	if ((prev_lower_first <= lower_last) &&
767	(prev_lower_last >= lower_first))
768	return true;
769	}
770	return false;
771	}
772
773	/*
774	* insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
775	* Takes care to allocate a 4K block of memory if the number of mappings exceeds
776	* UID_GID_MAP_MAX_BASE_EXTENTS.
777	*/
778	static int insert_extent(struct uid_gid_map map, struct* uid_gid_extent *extent)
779	{
780	struct uid_gid_extent *dest;
781
782	if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) {
783	struct uid_gid_extent *forward;
784
785	/ Allocate memory for 340 mappings. /
786	forward = kmalloc_array(UID_GID_MAP_MAX_EXTENTS,
787	size: sizeof(struct uid_gid_extent),
788	GFP_KERNEL);
789	if (!forward)
790	return -ENOMEM;
791
792	/ Copy over memory. Only set up memory for the forward pointer.*
793	* Defer the memory setup for the reverse pointer.
794	*/
795	memcpy(forward, map->extent,
796	map->nr_extents * sizeof(map->extent[`0`]));
797
798	map->forward = forward;
799	map->reverse = NULL;
800	}
801
802	if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS)
803	dest = &map->extent[map->nr_extents];
804	else
805	dest = &map->forward[map->nr_extents];
806
807	dest = extent;
808	map->nr_extents++;
809	return `0`;
810	}
811
812	/ cmp function to sort() forward mappings /
813	static int cmp_extents_forward(const void a, const* void *b)
814	{
815	const struct uid_gid_extent *e1 = a;
816	const struct uid_gid_extent *e2 = b;
817
818	if (e1->first < e2->first)
819	return -`1`;
820
821	if (e1->first > e2->first)
822	return `1`;
823
824	return `0`;
825	}
826
827	/ cmp function to sort() reverse mappings /
828	static int cmp_extents_reverse(const void a, const* void *b)
829	{
830	const struct uid_gid_extent *e1 = a;
831	const struct uid_gid_extent *e2 = b;
832
833	if (e1->lower_first < e2->lower_first)
834	return -`1`;
835
836	if (e1->lower_first > e2->lower_first)
837	return `1`;
838
839	return `0`;
840	}
841
842	/*
843	* sort_idmaps - Sorts an array of idmap entries.
844	* Can only be called if number of mappings exceeds UID_GID_MAP_MAX_BASE_EXTENTS.
845	*/
846	static int sort_idmaps(struct uid_gid_map *map)
847	{
848	if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
849	return `0`;
850
851	/ Sort forward array. /
852	sort(base: map->forward, num: map->nr_extents, size: sizeof(struct uid_gid_extent),
853	cmp_func: cmp_extents_forward, NULL);
854
855	/ Only copy the memory from forward we actually need. /
856	map->reverse = kmemdup(p: map->forward,
857	size: map->nr_extents * sizeof(struct uid_gid_extent),
858	GFP_KERNEL);
859	if (!map->reverse)
860	return -ENOMEM;
861
862	/ Sort reverse array. /
863	sort(base: map->reverse, num: map->nr_extents, size: sizeof(struct uid_gid_extent),
864	cmp_func: cmp_extents_reverse, NULL);
865
866	return `0`;
867	}
868
869	/**
870	* verify_root_map() - check the uid 0 mapping
871	* @file: idmapping file
872	* @map_ns: user namespace of the target process
873	* @new_map: requested idmap
874	*
875	* If a process requests mapping parent uid 0 into the new ns, verify that the
876	* process writing the map had the CAP_SETFCAP capability as the target process
877	* will be able to write fscaps that are valid in ancestor user namespaces.
878	*
879	* Return: true if the mapping is allowed, false if not.
880	*/
881	static bool verify_root_map(const struct file *file,
882	struct user_namespace *map_ns,
883	struct uid_gid_map *new_map)
884	{
885	int idx;
886	const struct user_namespace *file_ns = file->f_cred->user_ns;
887	struct uid_gid_extent *extent0 = NULL;
888
889	for (idx = `0`; idx < new_map->nr_extents; idx++) {
890	if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
891	extent0 = &new_map->extent[idx];
892	else
893	extent0 = &new_map->forward[idx];
894	if (extent0->lower_first == `0`)
895	break;
896
897	extent0 = NULL;
898	}
899
900	if (!extent0)
901	return true;
902
903	if (map_ns == file_ns) {
904	/ The process unshared its ns and is writing to its own*
905	* /proc/self/uid_map. User already has full capabilites in
906	* the new namespace. Verify that the parent had CAP_SETFCAP
907	* when it unshared.
908	* */
909	if (!file_ns->parent_could_setfcap)
910	return false;
911	} else {
912	/ Process p1 is writing to uid_map of p2, who is in a child*
913	* user namespace to p1's. Verify that the opener of the map
914	* file has CAP_SETFCAP against the parent of the new map
915	* namespace */
916	if (!file_ns_capable(file, ns: map_ns->parent, CAP_SETFCAP))
917	return false;
918	}
919
920	return true;
921	}
922
923	static ssize_t map_write(struct file file, const* char __user *buf,
924	size_t count, loff_t *ppos,
925	int cap_setid,
926	struct uid_gid_map *map,
927	struct uid_gid_map *parent_map)
928	{
929	struct seq_file *seq = file->private_data;
930	struct user_namespace *map_ns = seq->private;
931	struct uid_gid_map new_map;
932	unsigned idx;
933	struct uid_gid_extent extent;
934	char kbuf, pos, *next_line;
935	ssize_t ret;
936
937	/ Only allow < page size writes at the beginning of the file /
938	if ((*ppos != `0`) \|\| (count >= PAGE_SIZE))
939	return -EINVAL;
940
941	/ Slurp in the user data /
942	kbuf = memdup_user_nul(buf, count);
943	if (IS_ERR(ptr: kbuf))
944	return PTR_ERR(ptr: kbuf);
945
946	/*
947	* The userns_state_mutex serializes all writes to any given map.
948	*
949	* Any map is only ever written once.
950	*
951	* An id map fits within 1 cache line on most architectures.
952	*
953	* On read nothing needs to be done unless you are on an
954	* architecture with a crazy cache coherency model like alpha.
955	*
956	* There is a one time data dependency between reading the
957	* count of the extents and the values of the extents. The
958	* desired behavior is to see the values of the extents that
959	* were written before the count of the extents.
960	*
961	* To achieve this smp_wmb() is used on guarantee the write
962	* order and smp_rmb() is guaranteed that we don't have crazy
963	* architectures returning stale data.
964	*/
965	mutex_lock(&userns_state_mutex);
966
967	memset(&new_map, `0`, sizeof(struct uid_gid_map));
968
969	ret = -EPERM;
970	/ Only allow one successful write to the map /
971	if (map->nr_extents != `0`)
972	goto out;
973
974	/*
975	* Adjusting namespace settings requires capabilities on the target.
976	*/
977	if (cap_valid(cap_setid) && !file_ns_capable(file, ns: map_ns, CAP_SYS_ADMIN))
978	goto out;
979
980	/ Parse the user data /
981	ret = -EINVAL;
982	pos = kbuf;
983	for (; pos; pos = next_line) {
984
985	/ Find the end of line and ensure I don't look past it /
986	next_line = strchr(pos, `'\n'`);
987	if (next_line) {
988	*next_line = `'\0'`;
989	next_line++;
990	if (*next_line == `'\0'`)
991	next_line = NULL;
992	}
993
994	pos = skip_spaces(pos);
995	extent.first = simple_strtoul(pos, &pos, `10`);
996	if (!isspace(*pos))
997	goto out;
998
999	pos = skip_spaces(pos);
1000	extent.lower_first = simple_strtoul(pos, &pos, `10`);
1001	if (!isspace(*pos))
1002	goto out;
1003
1004	pos = skip_spaces(pos);
1005	extent.count = simple_strtoul(pos, &pos, `10`);
1006	if (pos && !isspace(pos))
1007	goto out;
1008
1009	/ Verify there is not trailing junk on the line /
1010	pos = skip_spaces(pos);
1011	if (*pos != `'\0'`)
1012	goto out;
1013
1014	/ Verify we have been given valid starting values /
1015	if ((extent.first == (u32) -`1`) \|\|
1016	(extent.lower_first == (u32) -`1`))
1017	goto out;
1018
1019	/ Verify count is not zero and does not cause the*
1020	* extent to wrap
1021	*/
1022	if ((extent.first + extent.count) <= extent.first)
1023	goto out;
1024	if ((extent.lower_first + extent.count) <=
1025	extent.lower_first)
1026	goto out;
1027
1028	/ Do the ranges in extent overlap any previous extents? /
1029	if (mappings_overlap(new_map: &new_map, extent: &extent))
1030	goto out;
1031
1032	if ((new_map.nr_extents + `1`) == UID_GID_MAP_MAX_EXTENTS &&
1033	(next_line != NULL))
1034	goto out;
1035
1036	ret = insert_extent(map: &new_map, extent: &extent);
1037	if (ret < `0`)
1038	goto out;
1039	ret = -EINVAL;
1040	}
1041	/ Be very certain the new map actually exists /
1042	if (new_map.nr_extents == `0`)
1043	goto out;
1044
1045	ret = -EPERM;
1046	/ Validate the user is allowed to use user id's mapped to. /
1047	if (!new_idmap_permitted(file, ns: map_ns, cap_setid, map: &new_map))
1048	goto out;
1049
1050	ret = -EPERM;
1051	/ Map the lower ids from the parent user namespace to the*
1052	* kernel global id space.
1053	*/
1054	for (idx = `0`; idx < new_map.nr_extents; idx++) {
1055	struct uid_gid_extent *e;
1056	u32 lower_first;
1057
1058	if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
1059	e = &new_map.extent[idx];
1060	else
1061	e = &new_map.forward[idx];
1062
1063	lower_first = map_id_range_down(map: parent_map,
1064	id: e->lower_first,
1065	count: e->count);
1066
1067	/ Fail if we can not map the specified extent to*
1068	* the kernel global id space.
1069	*/
1070	if (lower_first == (u32) -`1`)
1071	goto out;
1072
1073	e->lower_first = lower_first;
1074	}
1075
1076	/*
1077	* If we want to use binary search for lookup, this clones the extent
1078	* array and sorts both copies.
1079	*/
1080	ret = sort_idmaps(map: &new_map);
1081	if (ret < `0`)
1082	goto out;
1083
1084	/ Install the map /
1085	if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
1086	memcpy(map->extent, new_map.extent,
1087	new_map.nr_extents * sizeof(new_map.extent[`0`]));
1088	} else {
1089	map->forward = new_map.forward;
1090	map->reverse = new_map.reverse;
1091	}
1092	smp_wmb();
1093	map->nr_extents = new_map.nr_extents;
1094
1095	*ppos = count;
1096	ret = count;
1097	out:
1098	if (ret < `0` && new_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) {
1099	kfree(objp: new_map.forward);
1100	kfree(objp: new_map.reverse);
1101	map->forward = NULL;
1102	map->reverse = NULL;
1103	map->nr_extents = `0`;
1104	}
1105
1106	mutex_unlock(lock: &userns_state_mutex);
1107	kfree(objp: kbuf);
1108	return ret;
1109	}
1110
1111	ssize_t proc_uid_map_write(struct file file, const* char __user *buf,
1112	size_t size, loff_t *ppos)
1113	{
1114	struct seq_file *seq = file->private_data;
1115	struct user_namespace *ns = seq->private;
1116	struct user_namespace *seq_ns = seq_user_ns(seq);
1117
1118	if (!ns->parent)
1119	return -EPERM;
1120
1121	if ((seq_ns != ns) && (seq_ns != ns->parent))
1122	return -EPERM;
1123
1124	return map_write(file, buf, count: size, ppos, CAP_SETUID,
1125	map: &ns->uid_map, parent_map: &ns->parent->uid_map);
1126	}
1127
1128	ssize_t proc_gid_map_write(struct file file, const* char __user *buf,
1129	size_t size, loff_t *ppos)
1130	{
1131	struct seq_file *seq = file->private_data;
1132	struct user_namespace *ns = seq->private;
1133	struct user_namespace *seq_ns = seq_user_ns(seq);
1134
1135	if (!ns->parent)
1136	return -EPERM;
1137
1138	if ((seq_ns != ns) && (seq_ns != ns->parent))
1139	return -EPERM;
1140
1141	return map_write(file, buf, count: size, ppos, CAP_SETGID,
1142	map: &ns->gid_map, parent_map: &ns->parent->gid_map);
1143	}
1144
1145	ssize_t proc_projid_map_write(struct file file, const* char __user *buf,
1146	size_t size, loff_t *ppos)
1147	{
1148	struct seq_file *seq = file->private_data;
1149	struct user_namespace *ns = seq->private;
1150	struct user_namespace *seq_ns = seq_user_ns(seq);
1151
1152	if (!ns->parent)
1153	return -EPERM;
1154
1155	if ((seq_ns != ns) && (seq_ns != ns->parent))
1156	return -EPERM;
1157
1158	/ Anyone can set any valid project id no capability needed /
1159	return map_write(file, buf, count: size, ppos, cap_setid: -`1`,
1160	map: &ns->projid_map, parent_map: &ns->parent->projid_map);
1161	}
1162
1163	static bool new_idmap_permitted(const struct file *file,
1164	struct user_namespace ns, int* cap_setid,
1165	struct uid_gid_map *new_map)
1166	{
1167	const struct cred *cred = file->f_cred;
1168
1169	if (cap_setid == CAP_SETUID && !verify_root_map(file, map_ns: ns, new_map))
1170	return false;
1171
1172	/ Don't allow mappings that would allow anything that wouldn't*
1173	* be allowed without the establishment of unprivileged mappings.
1174	*/
1175	if ((new_map->nr_extents == `1`) && (new_map->extent[`0`].count == `1`) &&
1176	uid_eq(left: ns->owner, right: cred->euid)) {
1177	u32 id = new_map->extent[`0`].lower_first;
1178	if (cap_setid == CAP_SETUID) {
1179	kuid_t uid = make_kuid(ns->parent, id);
1180	if (uid_eq(left: uid, right: cred->euid))
1181	return true;
1182	} else if (cap_setid == CAP_SETGID) {
1183	kgid_t gid = make_kgid(ns->parent, id);
1184	if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
1185	gid_eq(left: gid, right: cred->egid))
1186	return true;
1187	}
1188	}
1189
1190	/ Allow anyone to set a mapping that doesn't require privilege /
1191	if (!cap_valid(cap_setid))
1192	return true;
1193
1194	/ Allow the specified ids if we have the appropriate capability*
1195	* (CAP_SETUID or CAP_SETGID) over the parent user namespace.
1196	* And the opener of the id file also has the appropriate capability.
1197	*/
1198	if (ns_capable(ns: ns->parent, cap: cap_setid) &&
1199	file_ns_capable(file, ns: ns->parent, cap: cap_setid))
1200	return true;
1201
1202	return false;
1203	}
1204
1205	int proc_setgroups_show(struct seq_file seq, void* *v)
1206	{
1207	struct user_namespace *ns = seq->private;
1208	unsigned long userns_flags = READ_ONCE(ns->flags);
1209
1210	seq_printf(m: seq, fmt: "%s\n",
1211	(userns_flags & USERNS_SETGROUPS_ALLOWED) ?
1212	"allow" : "deny");
1213	return `0`;
1214	}
1215
1216	ssize_t proc_setgroups_write(struct file file, const* char __user *buf,
1217	size_t count, loff_t *ppos)
1218	{
1219	struct seq_file *seq = file->private_data;
1220	struct user_namespace *ns = seq->private;
1221	char kbuf[`8`], *pos;
1222	bool setgroups_allowed;
1223	ssize_t ret;
1224
1225	/ Only allow a very narrow range of strings to be written /
1226	ret = -EINVAL;
1227	if ((ppos != `0`) \|\| (count >= sizeof*(kbuf)))
1228	goto out;
1229
1230	/ What was written? /
1231	ret = -EFAULT;
1232	if (copy_from_user(to: kbuf, from: buf, n: count))
1233	goto out;
1234	kbuf[count] = `'\0'`;
1235	pos = kbuf;
1236
1237	/ What is being requested? /
1238	ret = -EINVAL;
1239	if (strncmp(pos, "allow", `5`) == `0`) {
1240	pos += `5`;
1241	setgroups_allowed = true;
1242	}
1243	else if (strncmp(pos, "deny", `4`) == `0`) {
1244	pos += `4`;
1245	setgroups_allowed = false;
1246	}
1247	else
1248	goto out;
1249
1250	/ Verify there is not trailing junk on the line /
1251	pos = skip_spaces(pos);
1252	if (*pos != `'\0'`)
1253	goto out;
1254
1255	ret = -EPERM;
1256	mutex_lock(&userns_state_mutex);
1257	if (setgroups_allowed) {
1258	/ Enabling setgroups after setgroups has been disabled*
1259	* is not allowed.
1260	*/
1261	if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
1262	goto out_unlock;
1263	} else {
1264	/ Permanently disabling setgroups after setgroups has*
1265	* been enabled by writing the gid_map is not allowed.
1266	*/
1267	if (ns->gid_map.nr_extents != `0`)
1268	goto out_unlock;
1269	ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
1270	}
1271	mutex_unlock(lock: &userns_state_mutex);
1272
1273	/ Report a successful write /
1274	*ppos = count;
1275	ret = count;
1276	out:
1277	return ret;
1278	out_unlock:
1279	mutex_unlock(lock: &userns_state_mutex);
1280	goto out;
1281	}
1282
1283	bool userns_may_setgroups(const struct user_namespace *ns)
1284	{
1285	bool allowed;
1286
1287	mutex_lock(&userns_state_mutex);
1288	/ It is not safe to use setgroups until a gid mapping in*
1289	* the user namespace has been established.
1290	*/
1291	allowed = ns->gid_map.nr_extents != `0`;
1292	/ Is setgroups allowed? /
1293	allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
1294	mutex_unlock(lock: &userns_state_mutex);
1295
1296	return allowed;
1297	}
1298
1299	/*
1300	* Returns true if @child is the same namespace or a descendant of
1301	* @ancestor.
1302	*/
1303	bool in_userns(const struct user_namespace *ancestor,
1304	const struct user_namespace *child)
1305	{
1306	const struct user_namespace *ns;
1307	for (ns = child; ns->level > ancestor->level; ns = ns->parent)
1308	;
1309	return (ns == ancestor);
1310	}
1311
1312	bool current_in_userns(const struct user_namespace *target_ns)
1313	{
1314	return in_userns(ancestor: target_ns, current_user_ns());
1315	}
1316	EXPORT_SYMBOL(current_in_userns);
1317
1318	static inline struct user_namespace to_user_ns(struct* ns_common *ns)
1319	{
1320	return container_of(ns, struct user_namespace, ns);
1321	}
1322
1323	static struct ns_common userns_get(struct* task_struct *task)
1324	{
1325	struct user_namespace *user_ns;
1326
1327	rcu_read_lock();
1328	user_ns = get_user_ns(__task_cred(task)->user_ns);
1329	rcu_read_unlock();
1330
1331	return user_ns ? &user_ns->ns : NULL;
1332	}
1333
1334	static void userns_put(struct ns_common *ns)
1335	{
1336	put_user_ns(ns: to_user_ns(ns));
1337	}
1338
1339	static int userns_install(struct nsset nsset, struct* ns_common *ns)
1340	{
1341	struct user_namespace *user_ns = to_user_ns(ns);
1342	struct cred *cred;
1343
1344	/ Don't allow gaining capabilities by reentering*
1345	* the same user namespace.
1346	*/
1347	if (user_ns == current_user_ns())
1348	return -EINVAL;
1349
1350	/ Tasks that share a thread group must share a user namespace /
1351	if (!thread_group_empty(current))
1352	return -EINVAL;
1353
1354	if (current->fs->users != `1`)
1355	return -EINVAL;
1356
1357	if (!ns_capable(ns: user_ns, CAP_SYS_ADMIN))
1358	return -EPERM;
1359
1360	cred = nsset_cred(set: nsset);
1361	if (!cred)
1362	return -EINVAL;
1363
1364	put_user_ns(ns: cred->user_ns);
1365	set_cred_user_ns(cred, user_ns: get_user_ns(ns: user_ns));
1366
1367	if (set_cred_ucounts(cred) < `0`)
1368	return -EINVAL;
1369
1370	return `0`;
1371	}
1372
1373	struct ns_common ns_get_owner(struct* ns_common *ns)
1374	{
1375	struct user_namespace *my_user_ns = current_user_ns();
1376	struct user_namespace owner, p;
1377
1378	/ See if the owner is in the current user namespace /
1379	owner = p = ns->ops->owner(ns);
1380	for (;;) {
1381	if (!p)
1382	return ERR_PTR(error: -EPERM);
1383	if (p == my_user_ns)
1384	break;
1385	p = p->parent;
1386	}
1387
1388	return &get_user_ns(ns: owner)->ns;
1389	}
1390
1391	static struct user_namespace userns_owner(struct* ns_common *ns)
1392	{
1393	return to_user_ns(ns)->parent;
1394	}
1395
1396	const struct proc_ns_operations userns_operations = {
1397	.name = "user",
1398	.type = CLONE_NEWUSER,
1399	.get = userns_get,
1400	.put = userns_put,
1401	.install = userns_install,
1402	.owner = userns_owner,
1403	.get_parent = ns_get_owner,
1404	};
1405
1406	static __init int user_namespaces_init(void)
1407	{
1408	user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC \| SLAB_ACCOUNT);
1409	return `0`;
1410	}
1411	subsys_initcall(user_namespaces_init);
1412

source code of linux/kernel/user_namespace.c