| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Apr 2012 18:49:00 +0000
From: "Serge E. Hallyn" <serge@...lyn.com>
To: "Eric W. Beiderman" <ebiederm@...ssion.com>
Cc: linux-kernel@...r.kernel.org,
Linux Containers <containers@...ts.linux-foundation.org>,
Cyrill Gorcunov <gorcunov@...nvz.org>,
linux-security-module@...r.kernel.org,
Al Viro <viro@...IV.linux.org.uk>,
linux-fsdevel@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 17/43] userns: Rework the user_namespace adding uid/gid
mapping support
Quoting Eric W. Beiderman (ebiederm@...ssion.com):
> From: Eric W. Biederman <ebiederm@...ssion.com>
>
> - Convert the old uid mapping functions into compatibility wrappers
> - Add a uid/gid mapping layer from user space uid and gids to kernel
> internal uids and gids that is extent based for simplicty and speed.
> * Working with number space after mapping uids/gids into their kernel
> internal version adds only mapping complexity over what we have today,
> leaving the kernel code easy to understand and test.
> - Add proc files /proc/self/uid_map /proc/self/gid_map
> These files display the mapping and allow a mapping to be added
> if a mapping does not exist.
> - Allow entering the user namespace without a uid or gid mapping.
> Since we are starting with an existing user our uids and gids
> still have global mappings so are still valid and useful they just don't
> have local mappings. The requirement for things to work are global uid
> and gid so it is odd but perfectly fine not to have a local uid
> and gid mapping.
> Not requiring global uid and gid mappings greatly simplifies
> the logic of setting up the uid and gid mappings by allowing
> the mappings to be set after the namespace is created which makes the
> slight weirdness worth it.
> - Make the mappings in the initial user namespace to the global
> uid/gid space explicit. Today it is an identity mapping
> but in the future we may want to twist this for debugging, similar
> to what we do with jiffies.
> - Document the memory ordering requirements of setting the uid and
> gid mappings. We only allow the mappings to be set once
> and there are no pointers involved so the requirments are
> trivial but a little atypical.
>
> Performance:
>
> In this scheme for the permission checks the performance is expected to
> stay the same as the actuall machine instructions should remain the same.
>
> The worst case I could think of is ls -l on a large directory where
> all of the stat results need to be translated with from kuids and
> kgids to uids and gids. So I benchmarked that case on my laptop
> with a dual core hyperthread Intel i5-2520M cpu with 3M of cpu cache.
>
> My benchmark consisted of going to single user mode where nothing else
> was running. On an ext4 filesystem opening 1,000,000 files and looping
> through all of the files 1000 times and calling fstat on the
> individuals files. This was to ensure I was benchmarking stat times
> where the inodes were in the kernels cache, but the inode values were
> not in the processors cache. My results:
>
> v3.4-rc1: ~= 156ns (unmodified v3.4-rc1 with user namespace support disabled)
> v3.4-rc1-userns-: ~= 155ns (v3.4-rc1 with my user namespace patches and user namespace support disabled)
> v3.4-rc1-userns+: ~= 164ns (v3.4-rc1 with my user namespace patches and user namespace support enabled)
>
> All of the configurations ran in roughly 120ns when I performed tests
> that ran in the cpu cache.
>
> So in summary the performance impact is:
> 1ns improvement in the worst case with user namespace support compiled out.
> 8ns aka 5% slowdown in the worst case with user namespace support compiled in.
>
> Signed-off-by: Eric W. Biederman <ebiederm@...ssion.com>
Acked-by: Serge Hallyn <serge.hallyn@...onical.com>
> ---
> fs/proc/base.c | 77 ++++++
> include/linux/uidgid.h | 24 ++
> include/linux/user_namespace.h | 30 ++-
> kernel/user.c | 16 ++
> kernel/user_namespace.c | 545 +++++++++++++++++++++++++++++++++++++---
> 5 files changed, 644 insertions(+), 48 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 1c8b280..2ee514c 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -81,6 +81,7 @@
> #include <linux/oom.h>
> #include <linux/elf.h>
> #include <linux/pid_namespace.h>
> +#include <linux/user_namespace.h>
> #include <linux/fs_struct.h>
> #include <linux/slab.h>
> #include <linux/flex_array.h>
> @@ -2943,6 +2944,74 @@ static int proc_tgid_io_accounting(struct task_struct *task, char *buffer)
> }
> #endif /* CONFIG_TASK_IO_ACCOUNTING */
>
> +#ifdef CONFIG_USER_NS
> +static int proc_id_map_open(struct inode *inode, struct file *file,
> + struct seq_operations *seq_ops)
> +{
> + struct user_namespace *ns = NULL;
> + struct task_struct *task;
> + struct seq_file *seq;
> + int ret = -EINVAL;
> +
> + task = get_proc_task(inode);
> + if (task) {
> + rcu_read_lock();
> + ns = get_user_ns(task_cred_xxx(task, user_ns));
> + rcu_read_unlock();
> + put_task_struct(task);
> + }
> + if (!ns)
> + goto err;
> +
> + ret = seq_open(file, seq_ops);
> + if (ret)
> + goto err_put_ns;
> +
> + seq = file->private_data;
> + seq->private = ns;
> +
> + return 0;
> +err_put_ns:
> + put_user_ns(ns);
> +err:
> + return ret;
> +}
> +
> +static int proc_id_map_release(struct inode *inode, struct file *file)
> +{
> + struct seq_file *seq = file->private_data;
> + struct user_namespace *ns = seq->private;
> + put_user_ns(ns);
> + return seq_release(inode, file);
> +}
> +
> +static int proc_uid_map_open(struct inode *inode, struct file *file)
> +{
> + return proc_id_map_open(inode, file, &proc_uid_seq_operations);
> +}
> +
> +static int proc_gid_map_open(struct inode *inode, struct file *file)
> +{
> + return proc_id_map_open(inode, file, &proc_gid_seq_operations);
> +}
> +
> +static const struct file_operations proc_uid_map_operations = {
> + .open = proc_uid_map_open,
> + .write = proc_uid_map_write,
> + .read = seq_read,
> + .llseek = seq_lseek,
> + .release = proc_id_map_release,
> +};
> +
> +static const struct file_operations proc_gid_map_operations = {
> + .open = proc_gid_map_open,
> + .write = proc_gid_map_write,
> + .read = seq_read,
> + .llseek = seq_lseek,
> + .release = proc_id_map_release,
> +};
> +#endif /* CONFIG_USER_NS */
> +
> static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns,
> struct pid *pid, struct task_struct *task)
> {
> @@ -3045,6 +3114,10 @@ static const struct pid_entry tgid_base_stuff[] = {
> #ifdef CONFIG_HARDWALL
> INF("hardwall", S_IRUGO, proc_pid_hardwall),
> #endif
> +#ifdef CONFIG_USER_NS
> + REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
> + REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
> +#endif
> };
>
> static int proc_tgid_base_readdir(struct file * filp,
> @@ -3400,6 +3473,10 @@ static const struct pid_entry tid_base_stuff[] = {
> #ifdef CONFIG_HARDWALL
> INF("hardwall", S_IRUGO, proc_pid_hardwall),
> #endif
> +#ifdef CONFIG_USER_NS
> + REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
> + REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
> +#endif
> };
>
> static int proc_tid_base_readdir(struct file * filp,
> diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
> index 5398568..8e522cbc 100644
> --- a/include/linux/uidgid.h
> +++ b/include/linux/uidgid.h
> @@ -127,6 +127,28 @@ static inline bool gid_valid(kgid_t gid)
> return !gid_eq(gid, INVALID_GID);
> }
>
> +#ifdef CONFIG_USER_NS
> +
> +extern kuid_t make_kuid(struct user_namespace *from, uid_t uid);
> +extern kgid_t make_kgid(struct user_namespace *from, gid_t gid);
> +
> +extern uid_t from_kuid(struct user_namespace *to, kuid_t uid);
> +extern gid_t from_kgid(struct user_namespace *to, kgid_t gid);
> +extern uid_t from_kuid_munged(struct user_namespace *to, kuid_t uid);
> +extern gid_t from_kgid_munged(struct user_namespace *to, kgid_t gid);
> +
> +static inline bool kuid_has_mapping(struct user_namespace *ns, kuid_t uid)
> +{
> + return from_kuid(ns, uid) != (uid_t) -1;
> +}
> +
> +static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid)
> +{
> + return from_kgid(ns, gid) != (gid_t) -1;
> +}
> +
> +#else
> +
> static inline kuid_t make_kuid(struct user_namespace *from, uid_t uid)
> {
> return KUIDT_INIT(uid);
> @@ -173,4 +195,6 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid)
> return true;
> }
>
> +#endif /* CONFIG_USER_NS */
> +
> #endif /* _LINUX_UIDGID_H */
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 8a391bd..4c9846d 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -6,7 +6,20 @@
> #include <linux/sched.h>
> #include <linux/err.h>
>
> +#define UID_GID_MAP_MAX_EXTENTS 5
> +
> +struct uid_gid_map { /* 64 bytes -- 1 cache line */
> + u32 nr_extents;
> + struct uid_gid_extent {
> + u32 first;
> + u32 lower_first;
> + u32 count;
> + } extent[UID_GID_MAP_MAX_EXTENTS];
> +};
> +
> struct user_namespace {
> + struct uid_gid_map uid_map;
> + struct uid_gid_map gid_map;
> struct kref kref;
> struct user_namespace *parent;
> kuid_t owner;
> @@ -33,9 +46,11 @@ static inline void put_user_ns(struct user_namespace *ns)
> kref_put(&ns->kref, free_user_ns);
> }
>
> -uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t uid);
> -gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t gid);
> -
> +struct seq_operations;
> +extern struct seq_operations proc_uid_seq_operations;
> +extern struct seq_operations proc_gid_seq_operations;
> +extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
> +extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
> #else
>
> static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
> @@ -52,17 +67,18 @@ static inline void put_user_ns(struct user_namespace *ns)
> {
> }
>
> +#endif
> +
> static inline uid_t user_ns_map_uid(struct user_namespace *to,
> const struct cred *cred, uid_t uid)
> {
> - return uid;
> + return from_kuid_munged(to, make_kuid(cred->user_ns, uid));
> }
> +
> static inline gid_t user_ns_map_gid(struct user_namespace *to,
> const struct cred *cred, gid_t gid)
> {
> - return gid;
> + return from_kgid_munged(to, make_kgid(cred->user_ns, gid));
> }
>
> -#endif
> -
> #endif /* _LINUX_USER_H */
> diff --git a/kernel/user.c b/kernel/user.c
> index cff3856..f9e420e 100644
> --- a/kernel/user.c
> +++ b/kernel/user.c
> @@ -22,6 +22,22 @@
> * and 1 for... ?
> */
> struct user_namespace init_user_ns = {
> + .uid_map = {
> + .nr_extents = 1,
> + .extent[0] = {
> + .first = 0,
> + .lower_first = 0,
> + .count = 4294967295,
> + },
> + },
> + .gid_map = {
> + .nr_extents = 1,
> + .extent[0] = {
> + .first = 0,
> + .lower_first = 0,
> + .count = 4294967295,
> + },
> + },
> .kref = {
> .refcount = ATOMIC_INIT(3),
> },
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index f69741a..9991bac 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -12,9 +12,19 @@
> #include <linux/highuid.h>
> #include <linux/cred.h>
> #include <linux/securebits.h>
> +#include <linux/keyctl.h>
> +#include <linux/key-type.h>
> +#include <keys/user-type.h>
> +#include <linux/seq_file.h>
> +#include <linux/fs.h>
> +#include <linux/uaccess.h>
> +#include <linux/ctype.h>
>
> static struct kmem_cache *user_ns_cachep __read_mostly;
>
> +static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
> + struct uid_gid_map *map);
> +
> /*
> * Create a new user namespace, deriving the creator from the user in the
> * passed credentials, and replacing that user with the new root user for the
> @@ -26,7 +36,6 @@ static struct kmem_cache *user_ns_cachep __read_mostly;
> int create_user_ns(struct cred *new)
> {
> struct user_namespace *ns, *parent_ns = new->user_ns;
> - struct user_struct *root_user;
> kuid_t owner = make_kuid(new->user_ns, new->euid);
> kgid_t group = make_kgid(new->user_ns, new->egid);
>
> @@ -38,29 +47,15 @@ int create_user_ns(struct cred *new)
> !kgid_has_mapping(parent_ns, group))
> return -EPERM;
>
> - ns = kmem_cache_alloc(user_ns_cachep, GFP_KERNEL);
> + ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
> if (!ns)
> return -ENOMEM;
>
> kref_init(&ns->kref);
> -
> - /* Alloc new root user. */
> - root_user = alloc_uid(make_kuid(ns, 0));
> - if (!root_user) {
> - kmem_cache_free(user_ns_cachep, ns);
> - return -ENOMEM;
> - }
> -
> - /* set the new root user in the credentials under preparation */
> ns->parent = parent_ns;
> ns->owner = owner;
> ns->group = group;
> - free_uid(new->user);
> - new->user = root_user;
> - new->uid = new->euid = new->suid = new->fsuid = 0;
> - new->gid = new->egid = new->sgid = new->fsgid = 0;
> - put_group_info(new->group_info);
> - new->group_info = get_group_info(&init_groups);
> +
> /* Start with the same capabilities as init but useless for doing
> * anything as the capabilities are bound to the new user namespace.
> */
> @@ -92,44 +87,512 @@ void free_user_ns(struct kref *kref)
> }
> EXPORT_SYMBOL(free_user_ns);
>
> -uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t uid)
> +static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
> {
> - struct user_namespace *tmp;
> + unsigned idx, extents;
> + u32 first, last, id2;
>
> - if (likely(to == cred->user_ns))
> - return uid;
> + id2 = id + count - 1;
>
> - /* Is cred->user the creator of the target user_ns
> - * or the creator of one of it's parents?
> - */
> - for ( tmp = to; tmp != &init_user_ns; tmp = tmp->parent ) {
> - if (uid_eq(cred->user->uid, tmp->owner)) {
> - return (uid_t)0;
> - }
> + /* Find the matching extent */
> + extents = map->nr_extents;
> + smp_read_barrier_depends();
> + for (idx = 0; idx < extents; idx++) {
> + first = map->extent[idx].first;
> + last = first + map->extent[idx].count - 1;
> + if (id >= first && id <= last &&
> + (id2 >= first && id2 <= last))
> + break;
> + }
> + /* Map the id or note failure */
> + if (idx < extents)
> + id = (id - first) + map->extent[idx].lower_first;
> + else
> + id = (u32) -1;
> +
> + return id;
> +}
> +
> +static u32 map_id_down(struct uid_gid_map *map, u32 id)
> +{
> + unsigned idx, extents;
> + u32 first, last;
> +
> + /* Find the matching extent */
> + extents = map->nr_extents;
> + smp_read_barrier_depends();
> + for (idx = 0; idx < extents; idx++) {
> + first = map->extent[idx].first;
> + last = first + map->extent[idx].count - 1;
> + if (id >= first && id <= last)
> + break;
> + }
> + /* Map the id or note failure */
> + if (idx < extents)
> + id = (id - first) + map->extent[idx].lower_first;
> + else
> + id = (u32) -1;
> +
> + return id;
> +}
> +
> +static u32 map_id_up(struct uid_gid_map *map, u32 id)
> +{
> + unsigned idx, extents;
> + u32 first, last;
> +
> + /* Find the matching extent */
> + extents = map->nr_extents;
> + smp_read_barrier_depends();
> + for (idx = 0; idx < extents; idx++) {
> + first = map->extent[idx].lower_first;
> + last = first + map->extent[idx].count - 1;
> + if (id >= first && id <= last)
> + break;
> }
> + /* Map the id or note failure */
> + if (idx < extents)
> + id = (id - first) + map->extent[idx].first;
> + else
> + id = (u32) -1;
> +
> + return id;
> +}
> +
> +/**
> + * make_kuid - Map a user-namespace uid pair into a kuid.
> + * @ns: User namespace that the uid is in
> + * @uid: User identifier
> + *
> + * Maps a user-namespace uid pair into a kernel internal kuid,
> + * and returns that kuid.
> + *
> + * When there is no mapping defined for the user-namespace uid
> + * pair INVALID_UID is returned. Callers are expected to test
> + * for and handle handle INVALID_UID being returned. INVALID_UID
> + * may be tested for using uid_valid().
> + */
> +kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
> +{
> + /* Map the uid to a global kernel uid */
> + return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
> +}
> +EXPORT_SYMBOL(make_kuid);
> +
> +/**
> + * from_kuid - Create a uid from a kuid user-namespace pair.
> + * @targ: The user namespace we want a uid in.
> + * @kuid: The kernel internal uid to start with.
> + *
> + * Map @kuid into the user-namespace specified by @targ and
> + * return the resulting uid.
> + *
> + * There is always a mapping into the initial user_namespace.
> + *
> + * If @kuid has no mapping in @targ (uid_t)-1 is returned.
> + */
> +uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
> +{
> + /* Map the uid from a global kernel uid */
> + return map_id_up(&targ->uid_map, __kuid_val(kuid));
> +}
> +EXPORT_SYMBOL(from_kuid);
> +
> +/**
> + * from_kuid_munged - Create a uid from a kuid user-namespace pair.
> + * @targ: The user namespace we want a uid in.
> + * @kuid: The kernel internal uid to start with.
> + *
> + * Map @kuid into the user-namespace specified by @targ and
> + * return the resulting uid.
> + *
> + * There is always a mapping into the initial user_namespace.
> + *
> + * Unlike from_kuid from_kuid_munged never fails and always
> + * returns a valid uid. This makes from_kuid_munged appropriate
> + * for use in syscalls like stat and getuid where failing the
> + * system call and failing to provide a valid uid are not an
> + * options.
> + *
> + * If @kuid has no mapping in @targ overflowuid is returned.
> + */
> +uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
> +{
> + uid_t uid;
> + uid = from_kuid(targ, kuid);
> +
> + if (uid == (uid_t) -1)
> + uid = overflowuid;
> + return uid;
> +}
> +EXPORT_SYMBOL(from_kuid_munged);
> +
> +/**
> + * make_kgid - Map a user-namespace gid pair into a kgid.
> + * @ns: User namespace that the gid is in
> + * @uid: group identifier
> + *
> + * Maps a user-namespace gid pair into a kernel internal kgid,
> + * and returns that kgid.
> + *
> + * When there is no mapping defined for the user-namespace gid
> + * pair INVALID_GID is returned. Callers are expected to test
> + * for and handle INVALID_GID being returned. INVALID_GID may be
> + * tested for using gid_valid().
> + */
> +kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
> +{
> + /* Map the gid to a global kernel gid */
> + return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
> +}
> +EXPORT_SYMBOL(make_kgid);
> +
> +/**
> + * from_kgid - Create a gid from a kgid user-namespace pair.
> + * @targ: The user namespace we want a gid in.
> + * @kgid: The kernel internal gid to start with.
> + *
> + * Map @kgid into the user-namespace specified by @targ and
> + * return the resulting gid.
> + *
> + * There is always a mapping into the initial user_namespace.
> + *
> + * If @kgid has no mapping in @targ (gid_t)-1 is returned.
> + */
> +gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
> +{
> + /* Map the gid from a global kernel gid */
> + return map_id_up(&targ->gid_map, __kgid_val(kgid));
> +}
> +EXPORT_SYMBOL(from_kgid);
> +
> +/**
> + * from_kgid_munged - Create a gid from a kgid user-namespace pair.
> + * @targ: The user namespace we want a gid in.
> + * @kgid: The kernel internal gid to start with.
> + *
> + * Map @kgid into the user-namespace specified by @targ and
> + * return the resulting gid.
> + *
> + * There is always a mapping into the initial user_namespace.
> + *
> + * Unlike from_kgid from_kgid_munged never fails and always
> + * returns a valid gid. This makes from_kgid_munged appropriate
> + * for use in syscalls like stat and getgid where failing the
> + * system call and failing to provide a valid gid are not options.
> + *
> + * If @kgid has no mapping in @targ overflowgid is returned.
> + */
> +gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
> +{
> + gid_t gid;
> + gid = from_kgid(targ, kgid);
> +
> + if (gid == (gid_t) -1)
> + gid = overflowgid;
> + return gid;
> +}
> +EXPORT_SYMBOL(from_kgid_munged);
> +
> +static int uid_m_show(struct seq_file *seq, void *v)
> +{
> + struct user_namespace *ns = seq->private;
> + struct uid_gid_extent *extent = v;
> + struct user_namespace *lower_ns;
> + uid_t lower;
>
> - /* No useful relationship so no mapping */
> - return overflowuid;
> + lower_ns = current_user_ns();
> + if ((lower_ns == ns) && lower_ns->parent)
> + lower_ns = lower_ns->parent;
> +
> + lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
> +
> + seq_printf(seq, "%10u %10u %10u\n",
> + extent->first,
> + lower,
> + extent->count);
> +
> + return 0;
> }
>
> -gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t gid)
> +static int gid_m_show(struct seq_file *seq, void *v)
> {
> - struct user_namespace *tmp;
> + struct user_namespace *ns = seq->private;
> + struct uid_gid_extent *extent = v;
> + struct user_namespace *lower_ns;
> + gid_t lower;
>
> - if (likely(to == cred->user_ns))
> - return gid;
> + lower_ns = current_user_ns();
> + if ((lower_ns == ns) && lower_ns->parent)
> + lower_ns = lower_ns->parent;
>
> - /* Is cred->user the creator of the target user_ns
> - * or the creator of one of it's parents?
> + lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
> +
> + seq_printf(seq, "%10u %10u %10u\n",
> + extent->first,
> + lower,
> + extent->count);
> +
> + return 0;
> +}
> +
> +static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
> +{
> + struct uid_gid_extent *extent = NULL;
> + loff_t pos = *ppos;
> +
> + if (pos < map->nr_extents)
> + extent = &map->extent[pos];
> +
> + return extent;
> +}
> +
> +static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
> +{
> + struct user_namespace *ns = seq->private;
> +
> + return m_start(seq, ppos, &ns->uid_map);
> +}
> +
> +static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
> +{
> + struct user_namespace *ns = seq->private;
> +
> + return m_start(seq, ppos, &ns->gid_map);
> +}
> +
> +static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
> +{
> + (*pos)++;
> + return seq->op->start(seq, pos);
> +}
> +
> +static void m_stop(struct seq_file *seq, void *v)
> +{
> + return;
> +}
> +
> +struct seq_operations proc_uid_seq_operations = {
> + .start = uid_m_start,
> + .stop = m_stop,
> + .next = m_next,
> + .show = uid_m_show,
> +};
> +
> +struct seq_operations proc_gid_seq_operations = {
> + .start = gid_m_start,
> + .stop = m_stop,
> + .next = m_next,
> + .show = gid_m_show,
> +};
> +
> +static DEFINE_MUTEX(id_map_mutex);
> +
> +static ssize_t map_write(struct file *file, const char __user *buf,
> + size_t count, loff_t *ppos,
> + int cap_setid,
> + struct uid_gid_map *map,
> + struct uid_gid_map *parent_map)
> +{
> + struct seq_file *seq = file->private_data;
> + struct user_namespace *ns = seq->private;
> + struct uid_gid_map new_map;
> + unsigned idx;
> + struct uid_gid_extent *extent, *last = NULL;
> + unsigned long page = 0;
> + char *kbuf, *pos, *next_line;
> + ssize_t ret = -EINVAL;
> +
> + /*
> + * The id_map_mutex serializes all writes to any given map.
> + *
> + * Any map is only ever written once.
> + *
> + * An id map fits within 1 cache line on most architectures.
> + *
> + * On read nothing needs to be done unless you are on an
> + * architecture with a crazy cache coherency model like alpha.
> + *
> + * There is a one time data dependency between reading the
> + * count of the extents and the values of the extents. The
> + * desired behavior is to see the values of the extents that
> + * were written before the count of the extents.
> + *
> + * To achieve this smp_wmb() is used on guarantee the write
> + * order and smp_read_barrier_depends() is guaranteed that we
> + * don't have crazy architectures returning stale data.
> + *
> + */
> + mutex_lock(&id_map_mutex);
> +
> + ret = -EPERM;
> + /* Only allow one successful write to the map */
> + if (map->nr_extents != 0)
> + goto out;
> +
> + /* Require the appropriate privilege CAP_SETUID or CAP_SETGID
> + * over the user namespace in order to set the id mapping.
> */
> - for ( tmp = to; tmp != &init_user_ns; tmp = tmp->parent ) {
> - if (uid_eq(cred->user->uid, tmp->owner)) {
> - return (gid_t)0;
> + if (!ns_capable(ns, cap_setid))
> + goto out;
> +
> + /* Get a buffer */
> + ret = -ENOMEM;
> + page = __get_free_page(GFP_TEMPORARY);
> + kbuf = (char *) page;
> + if (!page)
> + goto out;
> +
> + /* Only allow <= page size writes at the beginning of the file */
> + ret = -EINVAL;
> + if ((*ppos != 0) || (count >= PAGE_SIZE))
> + goto out;
> +
> + /* Slurp in the user data */
> + ret = -EFAULT;
> + if (copy_from_user(kbuf, buf, count))
> + goto out;
> + kbuf[count] = '\0';
> +
> + /* Parse the user data */
> + ret = -EINVAL;
> + pos = kbuf;
> + new_map.nr_extents = 0;
> + for (;pos; pos = next_line) {
> + extent = &new_map.extent[new_map.nr_extents];
> +
> + /* Find the end of line and ensure I don't look past it */
> + next_line = strchr(pos, '\n');
> + if (next_line) {
> + *next_line = '\0';
> + next_line++;
> + if (*next_line == '\0')
> + next_line = NULL;
> }
> +
> + pos = skip_spaces(pos);
> + extent->first = simple_strtoul(pos, &pos, 10);
> + if (!isspace(*pos))
> + goto out;
> +
> + pos = skip_spaces(pos);
> + extent->lower_first = simple_strtoul(pos, &pos, 10);
> + if (!isspace(*pos))
> + goto out;
> +
> + pos = skip_spaces(pos);
> + extent->count = simple_strtoul(pos, &pos, 10);
> + if (*pos && !isspace(*pos))
> + goto out;
> +
> + /* Verify there is not trailing junk on the line */
> + pos = skip_spaces(pos);
> + if (*pos != '\0')
> + goto out;
> +
> + /* Verify we have been given valid starting values */
> + if ((extent->first == (u32) -1) ||
> + (extent->lower_first == (u32) -1 ))
> + goto out;
> +
> + /* Verify count is not zero and does not cause the extent to wrap */
> + if ((extent->first + extent->count) <= extent->first)
> + goto out;
> + if ((extent->lower_first + extent->count) <= extent->lower_first)
> + goto out;
> +
> + /* For now only accept extents that are strictly in order */
> + if (last &&
> + (((last->first + last->count) > extent->first) ||
> + ((last->lower_first + last->count) > extent->lower_first)))
> + goto out;
> +
> + new_map.nr_extents++;
> + last = extent;
> +
> + /* Fail if the file contains too many extents */
> + if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
> + (next_line != NULL))
> + goto out;
> }
> + /* Be very certaint the new map actually exists */
> + if (new_map.nr_extents == 0)
> + goto out;
> +
> + ret = -EPERM;
> + /* Validate the user is allowed to use user id's mapped to. */
> + if (!new_idmap_permitted(ns, cap_setid, &new_map))
> + goto out;
> +
> + /* Map the lower ids from the parent user namespace to the
> + * kernel global id space.
> + */
> + for (idx = 0; idx < new_map.nr_extents; idx++) {
> + u32 lower_first;
> + extent = &new_map.extent[idx];
> +
> + lower_first = map_id_range_down(parent_map,
> + extent->lower_first,
> + extent->count);
> +
> + /* Fail if we can not map the specified extent to
> + * the kernel global id space.
> + */
> + if (lower_first == (u32) -1)
> + goto out;
> +
> + extent->lower_first = lower_first;
> + }
> +
> + /* Install the map */
> + memcpy(map->extent, new_map.extent,
> + new_map.nr_extents*sizeof(new_map.extent[0]));
> + smp_wmb();
> + map->nr_extents = new_map.nr_extents;
> +
> + *ppos = count;
> + ret = count;
> +out:
> + mutex_unlock(&id_map_mutex);
> + if (page)
> + free_page(page);
> + return ret;
> +}
> +
> +ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
> +{
> + struct seq_file *seq = file->private_data;
> + struct user_namespace *ns = seq->private;
> +
> + if (!ns->parent)
> + return -EPERM;
> +
> + return map_write(file, buf, size, ppos, CAP_SETUID,
> + &ns->uid_map, &ns->parent->uid_map);
> +}
> +
> +ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
> +{
> + struct seq_file *seq = file->private_data;
> + struct user_namespace *ns = seq->private;
> +
> + if (!ns->parent)
> + return -EPERM;
> +
> + return map_write(file, buf, size, ppos, CAP_SETGID,
> + &ns->gid_map, &ns->parent->gid_map);
> +}
> +
> +static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
> + struct uid_gid_map *new_map)
> +{
> + /* Allow the specified ids if we have the appropriate capability
> + * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
> + */
> + if (ns_capable(ns->parent, cap_setid))
> + return true;
>
> - /* No useful relationship so no mapping */
> - return overflowgid;
> + return false;
> }
>
> static __init int user_namespaces_init(void)
> --
> 1.7.2.5
>
> _______________________________________________
> Containers mailing list
> Containers@...ts.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists