LCOV - code coverage report
Current view: top level - include/linux - user_namespace.h (source / functions) Hit Total Coverage
Test: coverage.info Lines: 3 6 50.0 %
Date: 2023-08-24 13:40:31 Functions: 0 1 0.0 %

          Line data    Source code
       1             : /* SPDX-License-Identifier: GPL-2.0 */
       2             : #ifndef _LINUX_USER_NAMESPACE_H
       3             : #define _LINUX_USER_NAMESPACE_H
       4             : 
       5             : #include <linux/kref.h>
       6             : #include <linux/nsproxy.h>
       7             : #include <linux/ns_common.h>
       8             : #include <linux/sched.h>
       9             : #include <linux/workqueue.h>
      10             : #include <linux/rwsem.h>
      11             : #include <linux/sysctl.h>
      12             : #include <linux/err.h>
      13             : 
      14             : #define UID_GID_MAP_MAX_BASE_EXTENTS 5
      15             : #define UID_GID_MAP_MAX_EXTENTS 340
      16             : 
      17             : struct uid_gid_extent {
      18             :         u32 first;
      19             :         u32 lower_first;
      20             :         u32 count;
      21             : };
      22             : 
      23             : struct uid_gid_map { /* 64 bytes -- 1 cache line */
      24             :         u32 nr_extents;
      25             :         union {
      26             :                 struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
      27             :                 struct {
      28             :                         struct uid_gid_extent *forward;
      29             :                         struct uid_gid_extent *reverse;
      30             :                 };
      31             :         };
      32             : };
      33             : 
      34             : #define USERNS_SETGROUPS_ALLOWED 1UL
      35             : 
      36             : #define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
      37             : 
      38             : struct ucounts;
      39             : 
      40             : enum ucount_type {
      41             :         UCOUNT_USER_NAMESPACES,
      42             :         UCOUNT_PID_NAMESPACES,
      43             :         UCOUNT_UTS_NAMESPACES,
      44             :         UCOUNT_IPC_NAMESPACES,
      45             :         UCOUNT_NET_NAMESPACES,
      46             :         UCOUNT_MNT_NAMESPACES,
      47             :         UCOUNT_CGROUP_NAMESPACES,
      48             :         UCOUNT_TIME_NAMESPACES,
      49             : #ifdef CONFIG_INOTIFY_USER
      50             :         UCOUNT_INOTIFY_INSTANCES,
      51             :         UCOUNT_INOTIFY_WATCHES,
      52             : #endif
      53             : #ifdef CONFIG_FANOTIFY
      54             :         UCOUNT_FANOTIFY_GROUPS,
      55             :         UCOUNT_FANOTIFY_MARKS,
      56             : #endif
      57             :         UCOUNT_COUNTS,
      58             : };
      59             : 
      60             : enum rlimit_type {
      61             :         UCOUNT_RLIMIT_NPROC,
      62             :         UCOUNT_RLIMIT_MSGQUEUE,
      63             :         UCOUNT_RLIMIT_SIGPENDING,
      64             :         UCOUNT_RLIMIT_MEMLOCK,
      65             :         UCOUNT_RLIMIT_COUNTS,
      66             : };
      67             : 
      68             : struct user_namespace {
      69             :         struct uid_gid_map      uid_map;
      70             :         struct uid_gid_map      gid_map;
      71             :         struct uid_gid_map      projid_map;
      72             :         struct user_namespace   *parent;
      73             :         int                     level;
      74             :         kuid_t                  owner;
      75             :         kgid_t                  group;
      76             :         struct ns_common        ns;
      77             :         unsigned long           flags;
      78             :         /* parent_could_setfcap: true if the creator if this ns had CAP_SETFCAP
      79             :          * in its effective capability set at the child ns creation time. */
      80             :         bool                    parent_could_setfcap;
      81             : 
      82             : #ifdef CONFIG_KEYS
      83             :         /* List of joinable keyrings in this namespace.  Modification access of
      84             :          * these pointers is controlled by keyring_sem.  Once
      85             :          * user_keyring_register is set, it won't be changed, so it can be
      86             :          * accessed directly with READ_ONCE().
      87             :          */
      88             :         struct list_head        keyring_name_list;
      89             :         struct key              *user_keyring_register;
      90             :         struct rw_semaphore     keyring_sem;
      91             : #endif
      92             : 
      93             :         /* Register of per-UID persistent keyrings for this namespace */
      94             : #ifdef CONFIG_PERSISTENT_KEYRINGS
      95             :         struct key              *persistent_keyring_register;
      96             : #endif
      97             :         struct work_struct      work;
      98             : #ifdef CONFIG_SYSCTL
      99             :         struct ctl_table_set    set;
     100             :         struct ctl_table_header *sysctls;
     101             : #endif
     102             :         struct ucounts          *ucounts;
     103             :         long ucount_max[UCOUNT_COUNTS];
     104             :         long rlimit_max[UCOUNT_RLIMIT_COUNTS];
     105             : } __randomize_layout;
     106             : 
     107             : struct ucounts {
     108             :         struct hlist_node node;
     109             :         struct user_namespace *ns;
     110             :         kuid_t uid;
     111             :         atomic_t count;
     112             :         atomic_long_t ucount[UCOUNT_COUNTS];
     113             :         atomic_long_t rlimit[UCOUNT_RLIMIT_COUNTS];
     114             : };
     115             : 
     116             : extern struct user_namespace init_user_ns;
     117             : extern struct ucounts init_ucounts;
     118             : 
     119             : bool setup_userns_sysctls(struct user_namespace *ns);
     120             : void retire_userns_sysctls(struct user_namespace *ns);
     121             : struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
     122             : void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
     123             : struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
     124             : struct ucounts * __must_check get_ucounts(struct ucounts *ucounts);
     125             : void put_ucounts(struct ucounts *ucounts);
     126             : 
     127             : static inline long get_rlimit_value(struct ucounts *ucounts, enum rlimit_type type)
     128             : {
     129         350 :         return atomic_long_read(&ucounts->rlimit[type]);
     130             : }
     131             : 
     132             : long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
     133             : bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
     134             : long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type);
     135             : void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type);
     136             : bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max);
     137             : 
     138             : static inline long get_userns_rlimit_max(struct user_namespace *ns, enum rlimit_type type)
     139             : {
     140         351 :         return READ_ONCE(ns->rlimit_max[type]);
     141             : }
     142             : 
     143             : static inline void set_userns_rlimit_max(struct user_namespace *ns,
     144             :                 enum rlimit_type type, unsigned long max)
     145             : {
     146           4 :         ns->rlimit_max[type] = max <= LONG_MAX ? max : LONG_MAX;
     147             : }
     148             : 
     149             : #ifdef CONFIG_USER_NS
     150             : 
     151             : static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
     152             : {
     153             :         if (ns)
     154             :                 refcount_inc(&ns->ns.count);
     155             :         return ns;
     156             : }
     157             : 
     158             : extern int create_user_ns(struct cred *new);
     159             : extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
     160             : extern void __put_user_ns(struct user_namespace *ns);
     161             : 
     162             : static inline void put_user_ns(struct user_namespace *ns)
     163             : {
     164             :         if (ns && refcount_dec_and_test(&ns->ns.count))
     165             :                 __put_user_ns(ns);
     166             : }
     167             : 
     168             : struct seq_operations;
     169             : extern const struct seq_operations proc_uid_seq_operations;
     170             : extern const struct seq_operations proc_gid_seq_operations;
     171             : extern const struct seq_operations proc_projid_seq_operations;
     172             : extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
     173             : extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
     174             : extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
     175             : extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
     176             : extern int proc_setgroups_show(struct seq_file *m, void *v);
     177             : extern bool userns_may_setgroups(const struct user_namespace *ns);
     178             : extern bool in_userns(const struct user_namespace *ancestor,
     179             :                        const struct user_namespace *child);
     180             : extern bool current_in_userns(const struct user_namespace *target_ns);
     181             : struct ns_common *ns_get_owner(struct ns_common *ns);
     182             : #else
     183             : 
     184             : static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
     185             : {
     186             :         return &init_user_ns;
     187             : }
     188             : 
     189             : static inline int create_user_ns(struct cred *new)
     190             : {
     191             :         return -EINVAL;
     192             : }
     193             : 
     194             : static inline int unshare_userns(unsigned long unshare_flags,
     195             :                                  struct cred **new_cred)
     196             : {
     197           0 :         if (unshare_flags & CLONE_NEWUSER)
     198             :                 return -EINVAL;
     199             :         return 0;
     200             : }
     201             : 
     202             : static inline void put_user_ns(struct user_namespace *ns)
     203             : {
     204             : }
     205             : 
     206             : static inline bool userns_may_setgroups(const struct user_namespace *ns)
     207             : {
     208             :         return true;
     209             : }
     210             : 
     211             : static inline bool in_userns(const struct user_namespace *ancestor,
     212             :                              const struct user_namespace *child)
     213             : {
     214             :         return true;
     215             : }
     216             : 
     217             : static inline bool current_in_userns(const struct user_namespace *target_ns)
     218             : {
     219             :         return true;
     220             : }
     221             : 
     222           0 : static inline struct ns_common *ns_get_owner(struct ns_common *ns)
     223             : {
     224           0 :         return ERR_PTR(-EPERM);
     225             : }
     226             : #endif
     227             : 
     228             : #endif /* _LINUX_USER_H */

Generated by: LCOV version 1.14