Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 */
2 : #ifndef _LINUX_USER_NAMESPACE_H
3 : #define _LINUX_USER_NAMESPACE_H
4 :
5 : #include <linux/kref.h>
6 : #include <linux/nsproxy.h>
7 : #include <linux/ns_common.h>
8 : #include <linux/sched.h>
9 : #include <linux/workqueue.h>
10 : #include <linux/rwsem.h>
11 : #include <linux/sysctl.h>
12 : #include <linux/err.h>
13 :
14 : #define UID_GID_MAP_MAX_BASE_EXTENTS 5
15 : #define UID_GID_MAP_MAX_EXTENTS 340
16 :
17 : struct uid_gid_extent {
18 : u32 first;
19 : u32 lower_first;
20 : u32 count;
21 : };
22 :
23 : struct uid_gid_map { /* 64 bytes -- 1 cache line */
24 : u32 nr_extents;
25 : union {
26 : struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
27 : struct {
28 : struct uid_gid_extent *forward;
29 : struct uid_gid_extent *reverse;
30 : };
31 : };
32 : };
33 :
34 : #define USERNS_SETGROUPS_ALLOWED 1UL
35 :
36 : #define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
37 :
38 : struct ucounts;
39 :
40 : enum ucount_type {
41 : UCOUNT_USER_NAMESPACES,
42 : UCOUNT_PID_NAMESPACES,
43 : UCOUNT_UTS_NAMESPACES,
44 : UCOUNT_IPC_NAMESPACES,
45 : UCOUNT_NET_NAMESPACES,
46 : UCOUNT_MNT_NAMESPACES,
47 : UCOUNT_CGROUP_NAMESPACES,
48 : UCOUNT_TIME_NAMESPACES,
49 : #ifdef CONFIG_INOTIFY_USER
50 : UCOUNT_INOTIFY_INSTANCES,
51 : UCOUNT_INOTIFY_WATCHES,
52 : #endif
53 : #ifdef CONFIG_FANOTIFY
54 : UCOUNT_FANOTIFY_GROUPS,
55 : UCOUNT_FANOTIFY_MARKS,
56 : #endif
57 : UCOUNT_RLIMIT_NPROC,
58 : UCOUNT_RLIMIT_MSGQUEUE,
59 : UCOUNT_RLIMIT_SIGPENDING,
60 : UCOUNT_RLIMIT_MEMLOCK,
61 : UCOUNT_COUNTS,
62 : };
63 :
64 : #define MAX_PER_NAMESPACE_UCOUNTS UCOUNT_RLIMIT_NPROC
65 :
66 : struct user_namespace {
67 : struct uid_gid_map uid_map;
68 : struct uid_gid_map gid_map;
69 : struct uid_gid_map projid_map;
70 : struct user_namespace *parent;
71 : int level;
72 : kuid_t owner;
73 : kgid_t group;
74 : struct ns_common ns;
75 : unsigned long flags;
76 : /* parent_could_setfcap: true if the creator if this ns had CAP_SETFCAP
77 : * in its effective capability set at the child ns creation time. */
78 : bool parent_could_setfcap;
79 :
80 : #ifdef CONFIG_KEYS
81 : /* List of joinable keyrings in this namespace. Modification access of
82 : * these pointers is controlled by keyring_sem. Once
83 : * user_keyring_register is set, it won't be changed, so it can be
84 : * accessed directly with READ_ONCE().
85 : */
86 : struct list_head keyring_name_list;
87 : struct key *user_keyring_register;
88 : struct rw_semaphore keyring_sem;
89 : #endif
90 :
91 : /* Register of per-UID persistent keyrings for this namespace */
92 : #ifdef CONFIG_PERSISTENT_KEYRINGS
93 : struct key *persistent_keyring_register;
94 : #endif
95 : struct work_struct work;
96 : #ifdef CONFIG_SYSCTL
97 : struct ctl_table_set set;
98 : struct ctl_table_header *sysctls;
99 : #endif
100 : struct ucounts *ucounts;
101 : long ucount_max[UCOUNT_COUNTS];
102 : } __randomize_layout;
103 :
104 : struct ucounts {
105 : struct hlist_node node;
106 : struct user_namespace *ns;
107 : kuid_t uid;
108 : atomic_t count;
109 : atomic_long_t ucount[UCOUNT_COUNTS];
110 : };
111 :
112 : extern struct user_namespace init_user_ns;
113 : extern struct ucounts init_ucounts;
114 :
115 : bool setup_userns_sysctls(struct user_namespace *ns);
116 : void retire_userns_sysctls(struct user_namespace *ns);
117 : struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
118 : void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
119 : struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
120 : struct ucounts * __must_check get_ucounts(struct ucounts *ucounts);
121 : void put_ucounts(struct ucounts *ucounts);
122 :
123 : static inline long get_ucounts_value(struct ucounts *ucounts, enum ucount_type type)
124 : {
125 214 : return atomic_long_read(&ucounts->ucount[type]);
126 : }
127 :
128 : long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v);
129 : bool dec_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v);
130 : long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum ucount_type type);
131 : void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum ucount_type type);
132 : bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long max);
133 :
134 : static inline void set_rlimit_ucount_max(struct user_namespace *ns,
135 : enum ucount_type type, unsigned long max)
136 : {
137 4 : ns->ucount_max[type] = max <= LONG_MAX ? max : LONG_MAX;
138 : }
139 :
140 : #ifdef CONFIG_USER_NS
141 :
142 : static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
143 : {
144 : if (ns)
145 : refcount_inc(&ns->ns.count);
146 : return ns;
147 : }
148 :
149 : extern int create_user_ns(struct cred *new);
150 : extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
151 : extern void __put_user_ns(struct user_namespace *ns);
152 :
153 : static inline void put_user_ns(struct user_namespace *ns)
154 : {
155 : if (ns && refcount_dec_and_test(&ns->ns.count))
156 : __put_user_ns(ns);
157 : }
158 :
159 : struct seq_operations;
160 : extern const struct seq_operations proc_uid_seq_operations;
161 : extern const struct seq_operations proc_gid_seq_operations;
162 : extern const struct seq_operations proc_projid_seq_operations;
163 : extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
164 : extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
165 : extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
166 : extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
167 : extern int proc_setgroups_show(struct seq_file *m, void *v);
168 : extern bool userns_may_setgroups(const struct user_namespace *ns);
169 : extern bool in_userns(const struct user_namespace *ancestor,
170 : const struct user_namespace *child);
171 : extern bool current_in_userns(const struct user_namespace *target_ns);
172 : struct ns_common *ns_get_owner(struct ns_common *ns);
173 : #else
174 :
175 : static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
176 : {
177 : return &init_user_ns;
178 : }
179 :
180 : static inline int create_user_ns(struct cred *new)
181 : {
182 : return -EINVAL;
183 : }
184 :
185 : static inline int unshare_userns(unsigned long unshare_flags,
186 : struct cred **new_cred)
187 : {
188 0 : if (unshare_flags & CLONE_NEWUSER)
189 : return -EINVAL;
190 : return 0;
191 : }
192 :
193 : static inline void put_user_ns(struct user_namespace *ns)
194 : {
195 : }
196 :
197 : static inline bool userns_may_setgroups(const struct user_namespace *ns)
198 : {
199 : return true;
200 : }
201 :
202 : static inline bool in_userns(const struct user_namespace *ancestor,
203 : const struct user_namespace *child)
204 : {
205 : return true;
206 : }
207 :
208 : static inline bool current_in_userns(const struct user_namespace *target_ns)
209 : {
210 : return true;
211 : }
212 :
213 0 : static inline struct ns_common *ns_get_owner(struct ns_common *ns)
214 : {
215 0 : return ERR_PTR(-EPERM);
216 : }
217 : #endif
218 :
219 : #endif /* _LINUX_USER_H */
|
