forked from Minki/linux
userns: Implement unshare of the user namespace
- Add CLONE_THREAD to the unshare flags if CLONE_NEWUSER is selected As changing user namespaces is only valid if all there is only a single thread. - Restore the code to add CLONE_VM if CLONE_THREAD is selected and the code to addCLONE_SIGHAND if CLONE_VM is selected. Making the constraints in the code clear. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
parent
cde1975bc2
commit
b2e0d98705
|
@ -67,7 +67,7 @@ void exit_task_namespaces(struct task_struct *tsk);
|
||||||
void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
|
void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
|
||||||
void free_nsproxy(struct nsproxy *ns);
|
void free_nsproxy(struct nsproxy *ns);
|
||||||
int unshare_nsproxy_namespaces(unsigned long, struct nsproxy **,
|
int unshare_nsproxy_namespaces(unsigned long, struct nsproxy **,
|
||||||
struct fs_struct *);
|
struct cred *, struct fs_struct *);
|
||||||
int __init nsproxy_cache_init(void);
|
int __init nsproxy_cache_init(void);
|
||||||
|
|
||||||
static inline void put_nsproxy(struct nsproxy *ns)
|
static inline void put_nsproxy(struct nsproxy *ns)
|
||||||
|
|
|
@ -39,6 +39,7 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
|
||||||
}
|
}
|
||||||
|
|
||||||
extern int create_user_ns(struct cred *new);
|
extern int create_user_ns(struct cred *new);
|
||||||
|
extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
|
||||||
extern void free_user_ns(struct kref *kref);
|
extern void free_user_ns(struct kref *kref);
|
||||||
|
|
||||||
static inline void put_user_ns(struct user_namespace *ns)
|
static inline void put_user_ns(struct user_namespace *ns)
|
||||||
|
@ -66,6 +67,14 @@ static inline int create_user_ns(struct cred *new)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int unshare_userns(unsigned long unshare_flags,
|
||||||
|
struct cred **new_cred)
|
||||||
|
{
|
||||||
|
if (unshare_flags & CLONE_NEWUSER)
|
||||||
|
return -EINVAL;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static inline void put_user_ns(struct user_namespace *ns)
|
static inline void put_user_ns(struct user_namespace *ns)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
|
@ -1687,7 +1687,7 @@ static int check_unshare_flags(unsigned long unshare_flags)
|
||||||
if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
|
if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
|
||||||
CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
|
CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
|
||||||
CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
|
CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
|
||||||
CLONE_NEWPID))
|
CLONE_NEWUSER|CLONE_NEWPID))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
/*
|
/*
|
||||||
* Not implemented, but pretend it works if there is nothing to
|
* Not implemented, but pretend it works if there is nothing to
|
||||||
|
@ -1754,10 +1754,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
|
||||||
{
|
{
|
||||||
struct fs_struct *fs, *new_fs = NULL;
|
struct fs_struct *fs, *new_fs = NULL;
|
||||||
struct files_struct *fd, *new_fd = NULL;
|
struct files_struct *fd, *new_fd = NULL;
|
||||||
|
struct cred *new_cred = NULL;
|
||||||
struct nsproxy *new_nsproxy = NULL;
|
struct nsproxy *new_nsproxy = NULL;
|
||||||
int do_sysvsem = 0;
|
int do_sysvsem = 0;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If unsharing a user namespace must also unshare the thread.
|
||||||
|
*/
|
||||||
|
if (unshare_flags & CLONE_NEWUSER)
|
||||||
|
unshare_flags |= CLONE_THREAD;
|
||||||
/*
|
/*
|
||||||
* If unsharing a pid namespace must also unshare the thread.
|
* If unsharing a pid namespace must also unshare the thread.
|
||||||
*/
|
*/
|
||||||
|
@ -1795,11 +1801,15 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
|
||||||
err = unshare_fd(unshare_flags, &new_fd);
|
err = unshare_fd(unshare_flags, &new_fd);
|
||||||
if (err)
|
if (err)
|
||||||
goto bad_unshare_cleanup_fs;
|
goto bad_unshare_cleanup_fs;
|
||||||
err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy, new_fs);
|
err = unshare_userns(unshare_flags, &new_cred);
|
||||||
if (err)
|
if (err)
|
||||||
goto bad_unshare_cleanup_fd;
|
goto bad_unshare_cleanup_fd;
|
||||||
|
err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,
|
||||||
|
new_cred, new_fs);
|
||||||
|
if (err)
|
||||||
|
goto bad_unshare_cleanup_cred;
|
||||||
|
|
||||||
if (new_fs || new_fd || do_sysvsem || new_nsproxy) {
|
if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
|
||||||
if (do_sysvsem) {
|
if (do_sysvsem) {
|
||||||
/*
|
/*
|
||||||
* CLONE_SYSVSEM is equivalent to sys_exit().
|
* CLONE_SYSVSEM is equivalent to sys_exit().
|
||||||
|
@ -1832,11 +1842,20 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
|
||||||
}
|
}
|
||||||
|
|
||||||
task_unlock(current);
|
task_unlock(current);
|
||||||
|
|
||||||
|
if (new_cred) {
|
||||||
|
/* Install the new user namespace */
|
||||||
|
commit_creds(new_cred);
|
||||||
|
new_cred = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (new_nsproxy)
|
if (new_nsproxy)
|
||||||
put_nsproxy(new_nsproxy);
|
put_nsproxy(new_nsproxy);
|
||||||
|
|
||||||
|
bad_unshare_cleanup_cred:
|
||||||
|
if (new_cred)
|
||||||
|
put_cred(new_cred);
|
||||||
bad_unshare_cleanup_fd:
|
bad_unshare_cleanup_fd:
|
||||||
if (new_fd)
|
if (new_fd)
|
||||||
put_files_struct(new_fd);
|
put_files_struct(new_fd);
|
||||||
|
|
|
@ -186,7 +186,7 @@ void free_nsproxy(struct nsproxy *ns)
|
||||||
* On success, returns the new nsproxy.
|
* On success, returns the new nsproxy.
|
||||||
*/
|
*/
|
||||||
int unshare_nsproxy_namespaces(unsigned long unshare_flags,
|
int unshare_nsproxy_namespaces(unsigned long unshare_flags,
|
||||||
struct nsproxy **new_nsp, struct fs_struct *new_fs)
|
struct nsproxy **new_nsp, struct cred *new_cred, struct fs_struct *new_fs)
|
||||||
{
|
{
|
||||||
struct user_namespace *user_ns;
|
struct user_namespace *user_ns;
|
||||||
int err = 0;
|
int err = 0;
|
||||||
|
@ -195,12 +195,12 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
|
||||||
CLONE_NEWNET | CLONE_NEWPID)))
|
CLONE_NEWNET | CLONE_NEWPID)))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!nsown_capable(CAP_SYS_ADMIN))
|
user_ns = new_cred ? new_cred->user_ns : current_user_ns();
|
||||||
|
if (!ns_capable(user_ns, CAP_SYS_ADMIN))
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
user_ns = current_user_ns();
|
|
||||||
*new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
|
*new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
|
||||||
new_fs ? new_fs : current->fs);
|
new_fs ? new_fs : current->fs);
|
||||||
if (IS_ERR(*new_nsp)) {
|
if (IS_ERR(*new_nsp)) {
|
||||||
err = PTR_ERR(*new_nsp);
|
err = PTR_ERR(*new_nsp);
|
||||||
goto out;
|
goto out;
|
||||||
|
|
|
@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
|
||||||
|
{
|
||||||
|
struct cred *cred;
|
||||||
|
|
||||||
|
if (!(unshare_flags & CLONE_NEWUSER))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
cred = prepare_creds();
|
||||||
|
if (!cred)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
*new_cred = cred;
|
||||||
|
return create_user_ns(cred);
|
||||||
|
}
|
||||||
|
|
||||||
void free_user_ns(struct kref *kref)
|
void free_user_ns(struct kref *kref)
|
||||||
{
|
{
|
||||||
struct user_namespace *parent, *ns =
|
struct user_namespace *parent, *ns =
|
||||||
|
|
Loading…
Reference in New Issue
Block a user