2017-11-01 15:07:57 +01:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
2007-07-15 23:40:59 -07:00
|
|
|
#ifndef _LINUX_USER_NAMESPACE_H
|
|
|
|
|
#define _LINUX_USER_NAMESPACE_H
|
|
|
|
|
|
|
|
|
|
#include <linux/kref.h>
|
|
|
|
|
#include <linux/nsproxy.h>
|
2014-10-31 22:56:04 -04:00
|
|
|
#include <linux/ns_common.h>
|
2007-07-15 23:40:59 -07:00
|
|
|
#include <linux/sched.h>
|
2017-02-06 09:56:40 +01:00
|
|
|
#include <linux/workqueue.h>
|
2017-02-08 18:51:58 +01:00
|
|
|
#include <linux/rwsem.h>
|
2017-02-03 10:06:45 +01:00
|
|
|
#include <linux/sysctl.h>
|
2007-07-15 23:41:01 -07:00
|
|
|
#include <linux/err.h>
|
2007-07-15 23:40:59 -07:00
|
|
|
|
2017-10-25 00:04:41 +02:00
|
|
|
#define UID_GID_MAP_MAX_BASE_EXTENTS 5
|
|
|
|
|
#define UID_GID_MAP_MAX_EXTENTS 340
|
2011-11-17 00:11:58 -08:00
|
|
|
|
2017-10-25 00:04:40 +02:00
|
|
|
struct uid_gid_extent {
|
|
|
|
|
u32 first;
|
|
|
|
|
u32 lower_first;
|
|
|
|
|
u32 count;
|
|
|
|
|
};
|
|
|
|
|
|
2017-10-25 00:04:41 +02:00
|
|
|
struct uid_gid_map { /* 64 bytes -- 1 cache line */
|
2011-11-17 00:11:58 -08:00
|
|
|
u32 nr_extents;
|
2017-10-25 00:04:40 +02:00
|
|
|
union {
|
2017-10-25 00:04:41 +02:00
|
|
|
struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
|
2017-10-25 00:04:40 +02:00
|
|
|
struct {
|
|
|
|
|
struct uid_gid_extent *forward;
|
|
|
|
|
struct uid_gid_extent *reverse;
|
|
|
|
|
};
|
|
|
|
|
};
|
2011-11-17 00:11:58 -08:00
|
|
|
};
|
|
|
|
|
|
2014-12-02 12:27:26 -06:00
|
|
|
#define USERNS_SETGROUPS_ALLOWED 1UL
|
|
|
|
|
|
|
|
|
|
#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
|
|
|
|
|
|
2016-08-08 13:54:50 -05:00
|
|
|
struct ucounts;
|
2016-08-08 14:41:52 -05:00
|
|
|
|
|
|
|
|
enum ucount_type {
|
|
|
|
|
UCOUNT_USER_NAMESPACES,
|
2016-08-08 14:08:36 -05:00
|
|
|
UCOUNT_PID_NAMESPACES,
|
2016-08-08 14:11:25 -05:00
|
|
|
UCOUNT_UTS_NAMESPACES,
|
2016-08-08 14:20:23 -05:00
|
|
|
UCOUNT_IPC_NAMESPACES,
|
2016-08-08 14:33:23 -05:00
|
|
|
UCOUNT_NET_NAMESPACES,
|
2016-08-08 14:37:37 -05:00
|
|
|
UCOUNT_MNT_NAMESPACES,
|
2016-08-08 14:25:30 -05:00
|
|
|
UCOUNT_CGROUP_NAMESPACES,
|
2019-11-12 01:26:52 +00:00
|
|
|
UCOUNT_TIME_NAMESPACES,
|
2016-12-14 15:56:33 +02:00
|
|
|
#ifdef CONFIG_INOTIFY_USER
|
|
|
|
|
UCOUNT_INOTIFY_INSTANCES,
|
|
|
|
|
UCOUNT_INOTIFY_WATCHES,
|
2021-03-04 13:29:20 +02:00
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_FANOTIFY
|
|
|
|
|
UCOUNT_FANOTIFY_GROUPS,
|
|
|
|
|
UCOUNT_FANOTIFY_MARKS,
|
2016-12-14 15:56:33 +02:00
|
|
|
#endif
|
2021-04-22 14:27:11 +02:00
|
|
|
UCOUNT_RLIMIT_NPROC,
|
2021-04-22 14:27:12 +02:00
|
|
|
UCOUNT_RLIMIT_MSGQUEUE,
|
2021-04-22 14:27:13 +02:00
|
|
|
UCOUNT_RLIMIT_SIGPENDING,
|
2021-04-22 14:27:14 +02:00
|
|
|
UCOUNT_RLIMIT_MEMLOCK,
|
2016-08-08 14:41:52 -05:00
|
|
|
UCOUNT_COUNTS,
|
|
|
|
|
};
|
|
|
|
|
|
2021-04-22 14:27:11 +02:00
|
|
|
#define MAX_PER_NAMESPACE_UCOUNTS UCOUNT_RLIMIT_NPROC
|
|
|
|
|
|
2007-07-15 23:40:59 -07:00
|
|
|
struct user_namespace {
|
2011-11-17 00:11:58 -08:00
|
|
|
struct uid_gid_map uid_map;
|
|
|
|
|
struct uid_gid_map gid_map;
|
2012-08-30 01:24:05 -07:00
|
|
|
struct uid_gid_map projid_map;
|
2011-11-16 21:59:43 -08:00
|
|
|
struct user_namespace *parent;
|
2013-08-08 18:55:32 +02:00
|
|
|
int level;
|
2011-11-17 01:32:59 -08:00
|
|
|
kuid_t owner;
|
|
|
|
|
kgid_t group;
|
2014-10-31 22:56:04 -04:00
|
|
|
struct ns_common ns;
|
2014-12-02 12:27:26 -06:00
|
|
|
unsigned long flags;
|
2021-04-20 08:43:34 -05:00
|
|
|
/* parent_could_setfcap: true if the creator if this ns had CAP_SETFCAP
|
|
|
|
|
* in its effective capability set at the child ns creation time. */
|
|
|
|
|
bool parent_could_setfcap;
|
2013-09-24 10:35:19 +01:00
|
|
|
|
2019-06-26 21:02:32 +01:00
|
|
|
#ifdef CONFIG_KEYS
|
2019-06-26 21:02:32 +01:00
|
|
|
/* List of joinable keyrings in this namespace. Modification access of
|
|
|
|
|
* these pointers is controlled by keyring_sem. Once
|
|
|
|
|
* user_keyring_register is set, it won't be changed, so it can be
|
|
|
|
|
* accessed directly with READ_ONCE().
|
|
|
|
|
*/
|
2019-06-26 21:02:32 +01:00
|
|
|
struct list_head keyring_name_list;
|
2019-06-26 21:02:32 +01:00
|
|
|
struct key *user_keyring_register;
|
|
|
|
|
struct rw_semaphore keyring_sem;
|
2019-06-26 21:02:32 +01:00
|
|
|
#endif
|
|
|
|
|
|
2013-09-24 10:35:19 +01:00
|
|
|
/* Register of per-UID persistent keyrings for this namespace */
|
|
|
|
|
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
|
|
|
|
struct key *persistent_keyring_register;
|
|
|
|
|
#endif
|
2016-07-30 13:53:37 -05:00
|
|
|
struct work_struct work;
|
2016-07-30 13:58:49 -05:00
|
|
|
#ifdef CONFIG_SYSCTL
|
|
|
|
|
struct ctl_table_set set;
|
|
|
|
|
struct ctl_table_header *sysctls;
|
|
|
|
|
#endif
|
2016-08-08 13:54:50 -05:00
|
|
|
struct ucounts *ucounts;
|
2021-04-22 14:27:08 +02:00
|
|
|
long ucount_max[UCOUNT_COUNTS];
|
2016-10-28 01:22:25 -07:00
|
|
|
} __randomize_layout;
|
2016-08-08 13:54:50 -05:00
|
|
|
|
|
|
|
|
struct ucounts {
|
|
|
|
|
struct hlist_node node;
|
|
|
|
|
struct user_namespace *ns;
|
|
|
|
|
kuid_t uid;
|
2021-04-22 14:27:10 +02:00
|
|
|
atomic_t count;
|
2021-04-22 14:27:08 +02:00
|
|
|
atomic_long_t ucount[UCOUNT_COUNTS];
|
2007-07-15 23:40:59 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
extern struct user_namespace init_user_ns;
|
2021-04-22 14:27:09 +02:00
|
|
|
extern struct ucounts init_ucounts;
|
2016-08-08 13:54:50 -05:00
|
|
|
|
|
|
|
|
bool setup_userns_sysctls(struct user_namespace *ns);
|
|
|
|
|
void retire_userns_sysctls(struct user_namespace *ns);
|
2016-08-08 14:41:52 -05:00
|
|
|
struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
|
|
|
|
|
void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
|
2021-04-22 14:27:09 +02:00
|
|
|
struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
|
2021-04-22 14:27:10 +02:00
|
|
|
struct ucounts * __must_check get_ucounts(struct ucounts *ucounts);
|
2021-04-22 14:27:09 +02:00
|
|
|
void put_ucounts(struct ucounts *ucounts);
|
2007-07-15 23:40:59 -07:00
|
|
|
|
2021-04-22 14:27:11 +02:00
|
|
|
static inline long get_ucounts_value(struct ucounts *ucounts, enum ucount_type type)
|
|
|
|
|
{
|
|
|
|
|
return atomic_long_read(&ucounts->ucount[type]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v);
|
|
|
|
|
bool dec_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v);
|
2021-10-16 15:59:49 -05:00
|
|
|
long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum ucount_type type);
|
|
|
|
|
void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum ucount_type type);
|
2021-04-22 14:27:11 +02:00
|
|
|
bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long max);
|
|
|
|
|
|
2021-04-22 14:27:16 +02:00
|
|
|
static inline void set_rlimit_ucount_max(struct user_namespace *ns,
|
|
|
|
|
enum ucount_type type, unsigned long max)
|
|
|
|
|
{
|
|
|
|
|
ns->ucount_max[type] = max <= LONG_MAX ? max : LONG_MAX;
|
|
|
|
|
}
|
2007-07-15 23:40:59 -07:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_USER_NS
|
|
|
|
|
|
|
|
|
|
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
|
|
|
|
|
{
|
|
|
|
|
if (ns)
|
2020-08-03 13:16:37 +03:00
|
|
|
refcount_inc(&ns->ns.count);
|
2007-07-15 23:40:59 -07:00
|
|
|
return ns;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-15 16:38:45 -05:00
|
|
|
extern int create_user_ns(struct cred *new);
|
2012-07-26 05:15:35 -07:00
|
|
|
extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
|
2016-07-30 13:53:37 -05:00
|
|
|
extern void __put_user_ns(struct user_namespace *ns);
|
2007-07-15 23:40:59 -07:00
|
|
|
|
|
|
|
|
static inline void put_user_ns(struct user_namespace *ns)
|
|
|
|
|
{
|
2020-08-03 13:16:37 +03:00
|
|
|
if (ns && refcount_dec_and_test(&ns->ns.count))
|
2016-07-30 13:53:37 -05:00
|
|
|
__put_user_ns(ns);
|
2007-07-15 23:40:59 -07:00
|
|
|
}
|
|
|
|
|
|
2011-11-17 00:11:58 -08:00
|
|
|
struct seq_operations;
|
2014-08-08 14:21:22 -07:00
|
|
|
extern const struct seq_operations proc_uid_seq_operations;
|
|
|
|
|
extern const struct seq_operations proc_gid_seq_operations;
|
|
|
|
|
extern const struct seq_operations proc_projid_seq_operations;
|
2011-11-17 00:11:58 -08:00
|
|
|
extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
|
|
|
|
|
extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
|
2012-08-30 01:24:05 -07:00
|
|
|
extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
|
2014-12-02 12:27:26 -06:00
|
|
|
extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
|
|
|
|
|
extern int proc_setgroups_show(struct seq_file *m, void *v);
|
2014-12-05 18:01:11 -06:00
|
|
|
extern bool userns_may_setgroups(const struct user_namespace *ns);
|
2017-04-29 14:12:15 -05:00
|
|
|
extern bool in_userns(const struct user_namespace *ancestor,
|
|
|
|
|
const struct user_namespace *child);
|
2015-09-23 15:16:04 -05:00
|
|
|
extern bool current_in_userns(const struct user_namespace *target_ns);
|
2016-09-06 00:47:13 -07:00
|
|
|
struct ns_common *ns_get_owner(struct ns_common *ns);
|
2007-07-15 23:40:59 -07:00
|
|
|
#else
|
|
|
|
|
|
|
|
|
|
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
|
|
|
|
|
{
|
|
|
|
|
return &init_user_ns;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-15 16:38:45 -05:00
|
|
|
static inline int create_user_ns(struct cred *new)
|
2007-07-15 23:40:59 -07:00
|
|
|
{
|
2008-10-15 16:38:45 -05:00
|
|
|
return -EINVAL;
|
2007-07-15 23:40:59 -07:00
|
|
|
}
|
|
|
|
|
|
2012-07-26 05:15:35 -07:00
|
|
|
static inline int unshare_userns(unsigned long unshare_flags,
|
|
|
|
|
struct cred **new_cred)
|
|
|
|
|
{
|
|
|
|
|
if (unshare_flags & CLONE_NEWUSER)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-15 23:40:59 -07:00
|
|
|
static inline void put_user_ns(struct user_namespace *ns)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-05 18:01:11 -06:00
|
|
|
static inline bool userns_may_setgroups(const struct user_namespace *ns)
|
|
|
|
|
{
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2015-09-23 15:16:04 -05:00
|
|
|
|
2017-04-29 14:12:15 -05:00
|
|
|
static inline bool in_userns(const struct user_namespace *ancestor,
|
|
|
|
|
const struct user_namespace *child)
|
|
|
|
|
{
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-23 15:16:04 -05:00
|
|
|
static inline bool current_in_userns(const struct user_namespace *target_ns)
|
|
|
|
|
{
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2016-09-06 00:47:13 -07:00
|
|
|
|
|
|
|
|
static inline struct ns_common *ns_get_owner(struct ns_common *ns)
|
|
|
|
|
{
|
|
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
}
|
2011-11-17 00:11:58 -08:00
|
|
|
#endif
|
|
|
|
|
|
2007-07-15 23:40:59 -07:00
|
|
|
#endif /* _LINUX_USER_H */
|
