Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 */
2 : #ifndef _LINUX_USER_NAMESPACE_H
3 : #define _LINUX_USER_NAMESPACE_H
4 :
5 : #include <linux/kref.h>
6 : #include <linux/nsproxy.h>
7 : #include <linux/ns_common.h>
8 : #include <linux/sched.h>
9 : #include <linux/workqueue.h>
10 : #include <linux/rwsem.h>
11 : #include <linux/sysctl.h>
12 : #include <linux/err.h>
13 :
14 : #define UID_GID_MAP_MAX_BASE_EXTENTS 5
15 : #define UID_GID_MAP_MAX_EXTENTS 340
16 :
17 : struct uid_gid_extent {
18 : u32 first;
19 : u32 lower_first;
20 : u32 count;
21 : };
22 :
23 : struct uid_gid_map { /* 64 bytes -- 1 cache line */
24 : u32 nr_extents;
25 : union {
26 : struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
27 : struct {
28 : struct uid_gid_extent *forward;
29 : struct uid_gid_extent *reverse;
30 : };
31 : };
32 : };
33 :
34 : #define USERNS_SETGROUPS_ALLOWED 1UL
35 :
36 : #define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
37 :
38 : struct ucounts;
39 :
40 : enum ucount_type {
41 : UCOUNT_USER_NAMESPACES,
42 : UCOUNT_PID_NAMESPACES,
43 : UCOUNT_UTS_NAMESPACES,
44 : UCOUNT_IPC_NAMESPACES,
45 : UCOUNT_NET_NAMESPACES,
46 : UCOUNT_MNT_NAMESPACES,
47 : UCOUNT_CGROUP_NAMESPACES,
48 : UCOUNT_TIME_NAMESPACES,
49 : #ifdef CONFIG_INOTIFY_USER
50 : UCOUNT_INOTIFY_INSTANCES,
51 : UCOUNT_INOTIFY_WATCHES,
52 : #endif
53 : #ifdef CONFIG_FANOTIFY
54 : UCOUNT_FANOTIFY_GROUPS,
55 : UCOUNT_FANOTIFY_MARKS,
56 : #endif
57 : UCOUNT_COUNTS,
58 : };
59 :
60 : enum rlimit_type {
61 : UCOUNT_RLIMIT_NPROC,
62 : UCOUNT_RLIMIT_MSGQUEUE,
63 : UCOUNT_RLIMIT_SIGPENDING,
64 : UCOUNT_RLIMIT_MEMLOCK,
65 : UCOUNT_RLIMIT_COUNTS,
66 : };
67 :
68 : struct user_namespace {
69 : struct uid_gid_map uid_map;
70 : struct uid_gid_map gid_map;
71 : struct uid_gid_map projid_map;
72 : struct user_namespace *parent;
73 : int level;
74 : kuid_t owner;
75 : kgid_t group;
76 : struct ns_common ns;
77 : unsigned long flags;
78 : /* parent_could_setfcap: true if the creator if this ns had CAP_SETFCAP
79 : * in its effective capability set at the child ns creation time. */
80 : bool parent_could_setfcap;
81 :
82 : #ifdef CONFIG_KEYS
83 : /* List of joinable keyrings in this namespace. Modification access of
84 : * these pointers is controlled by keyring_sem. Once
85 : * user_keyring_register is set, it won't be changed, so it can be
86 : * accessed directly with READ_ONCE().
87 : */
88 : struct list_head keyring_name_list;
89 : struct key *user_keyring_register;
90 : struct rw_semaphore keyring_sem;
91 : #endif
92 :
93 : /* Register of per-UID persistent keyrings for this namespace */
94 : #ifdef CONFIG_PERSISTENT_KEYRINGS
95 : struct key *persistent_keyring_register;
96 : #endif
97 : struct work_struct work;
98 : #ifdef CONFIG_SYSCTL
99 : struct ctl_table_set set;
100 : struct ctl_table_header *sysctls;
101 : #endif
102 : struct ucounts *ucounts;
103 : long ucount_max[UCOUNT_COUNTS];
104 : long rlimit_max[UCOUNT_RLIMIT_COUNTS];
105 : } __randomize_layout;
106 :
107 : struct ucounts {
108 : struct hlist_node node;
109 : struct user_namespace *ns;
110 : kuid_t uid;
111 : atomic_t count;
112 : atomic_long_t ucount[UCOUNT_COUNTS];
113 : atomic_long_t rlimit[UCOUNT_RLIMIT_COUNTS];
114 : };
115 :
116 : extern struct user_namespace init_user_ns;
117 : extern struct ucounts init_ucounts;
118 :
119 : bool setup_userns_sysctls(struct user_namespace *ns);
120 : void retire_userns_sysctls(struct user_namespace *ns);
121 : struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
122 : void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
123 : struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
124 : struct ucounts * __must_check get_ucounts(struct ucounts *ucounts);
125 : void put_ucounts(struct ucounts *ucounts);
126 :
127 : static inline long get_rlimit_value(struct ucounts *ucounts, enum rlimit_type type)
128 : {
129 350 : return atomic_long_read(&ucounts->rlimit[type]);
130 : }
131 :
132 : long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
133 : bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
134 : long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type);
135 : void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type);
136 : bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max);
137 :
138 : static inline long get_userns_rlimit_max(struct user_namespace *ns, enum rlimit_type type)
139 : {
140 351 : return READ_ONCE(ns->rlimit_max[type]);
141 : }
142 :
143 : static inline void set_userns_rlimit_max(struct user_namespace *ns,
144 : enum rlimit_type type, unsigned long max)
145 : {
146 4 : ns->rlimit_max[type] = max <= LONG_MAX ? max : LONG_MAX;
147 : }
148 :
149 : #ifdef CONFIG_USER_NS
150 :
151 : static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
152 : {
153 : if (ns)
154 : refcount_inc(&ns->ns.count);
155 : return ns;
156 : }
157 :
158 : extern int create_user_ns(struct cred *new);
159 : extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
160 : extern void __put_user_ns(struct user_namespace *ns);
161 :
162 : static inline void put_user_ns(struct user_namespace *ns)
163 : {
164 : if (ns && refcount_dec_and_test(&ns->ns.count))
165 : __put_user_ns(ns);
166 : }
167 :
168 : struct seq_operations;
169 : extern const struct seq_operations proc_uid_seq_operations;
170 : extern const struct seq_operations proc_gid_seq_operations;
171 : extern const struct seq_operations proc_projid_seq_operations;
172 : extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
173 : extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
174 : extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
175 : extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
176 : extern int proc_setgroups_show(struct seq_file *m, void *v);
177 : extern bool userns_may_setgroups(const struct user_namespace *ns);
178 : extern bool in_userns(const struct user_namespace *ancestor,
179 : const struct user_namespace *child);
180 : extern bool current_in_userns(const struct user_namespace *target_ns);
181 : struct ns_common *ns_get_owner(struct ns_common *ns);
182 : #else
183 :
184 : static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
185 : {
186 : return &init_user_ns;
187 : }
188 :
189 : static inline int create_user_ns(struct cred *new)
190 : {
191 : return -EINVAL;
192 : }
193 :
194 : static inline int unshare_userns(unsigned long unshare_flags,
195 : struct cred **new_cred)
196 : {
197 0 : if (unshare_flags & CLONE_NEWUSER)
198 : return -EINVAL;
199 : return 0;
200 : }
201 :
202 : static inline void put_user_ns(struct user_namespace *ns)
203 : {
204 : }
205 :
206 : static inline bool userns_may_setgroups(const struct user_namespace *ns)
207 : {
208 : return true;
209 : }
210 :
211 : static inline bool in_userns(const struct user_namespace *ancestor,
212 : const struct user_namespace *child)
213 : {
214 : return true;
215 : }
216 :
217 : static inline bool current_in_userns(const struct user_namespace *target_ns)
218 : {
219 : return true;
220 : }
221 :
222 0 : static inline struct ns_common *ns_get_owner(struct ns_common *ns)
223 : {
224 0 : return ERR_PTR(-EPERM);
225 : }
226 : #endif
227 :
228 : #endif /* _LINUX_USER_H */
|