Commit b2e0d987 authored by Eric W. Biederman's avatar Eric W. Biederman

userns: Implement unshare of the user namespace

- Add CLONE_THREAD to the unshare flags if CLONE_NEWUSER is selected
  As changing user namespaces is only valid if all there is only
  a single thread.
- Restore the code to add CLONE_VM if CLONE_THREAD is selected and
  the code to addCLONE_SIGHAND if CLONE_VM is selected.
  Making the constraints in the code clear.
Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent cde1975b
...@@ -67,7 +67,7 @@ void exit_task_namespaces(struct task_struct *tsk); ...@@ -67,7 +67,7 @@ void exit_task_namespaces(struct task_struct *tsk);
void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new); void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
void free_nsproxy(struct nsproxy *ns); void free_nsproxy(struct nsproxy *ns);
int unshare_nsproxy_namespaces(unsigned long, struct nsproxy **, int unshare_nsproxy_namespaces(unsigned long, struct nsproxy **,
struct fs_struct *); struct cred *, struct fs_struct *);
int __init nsproxy_cache_init(void); int __init nsproxy_cache_init(void);
static inline void put_nsproxy(struct nsproxy *ns) static inline void put_nsproxy(struct nsproxy *ns)
......
...@@ -39,6 +39,7 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns) ...@@ -39,6 +39,7 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
} }
extern int create_user_ns(struct cred *new); extern int create_user_ns(struct cred *new);
extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
extern void free_user_ns(struct kref *kref); extern void free_user_ns(struct kref *kref);
static inline void put_user_ns(struct user_namespace *ns) static inline void put_user_ns(struct user_namespace *ns)
...@@ -66,6 +67,14 @@ static inline int create_user_ns(struct cred *new) ...@@ -66,6 +67,14 @@ static inline int create_user_ns(struct cred *new)
return -EINVAL; return -EINVAL;
} }
static inline int unshare_userns(unsigned long unshare_flags,
struct cred **new_cred)
{
if (unshare_flags & CLONE_NEWUSER)
return -EINVAL;
return 0;
}
static inline void put_user_ns(struct user_namespace *ns) static inline void put_user_ns(struct user_namespace *ns)
{ {
} }
......
...@@ -1687,7 +1687,7 @@ static int check_unshare_flags(unsigned long unshare_flags) ...@@ -1687,7 +1687,7 @@ static int check_unshare_flags(unsigned long unshare_flags)
if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND| if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
CLONE_VM|CLONE_FILES|CLONE_SYSVSEM| CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET| CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
CLONE_NEWPID)) CLONE_NEWUSER|CLONE_NEWPID))
return -EINVAL; return -EINVAL;
/* /*
* Not implemented, but pretend it works if there is nothing to * Not implemented, but pretend it works if there is nothing to
...@@ -1754,10 +1754,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) ...@@ -1754,10 +1754,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
{ {
struct fs_struct *fs, *new_fs = NULL; struct fs_struct *fs, *new_fs = NULL;
struct files_struct *fd, *new_fd = NULL; struct files_struct *fd, *new_fd = NULL;
struct cred *new_cred = NULL;
struct nsproxy *new_nsproxy = NULL; struct nsproxy *new_nsproxy = NULL;
int do_sysvsem = 0; int do_sysvsem = 0;
int err; int err;
/*
* If unsharing a user namespace must also unshare the thread.
*/
if (unshare_flags & CLONE_NEWUSER)
unshare_flags |= CLONE_THREAD;
/* /*
* If unsharing a pid namespace must also unshare the thread. * If unsharing a pid namespace must also unshare the thread.
*/ */
...@@ -1795,11 +1801,15 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) ...@@ -1795,11 +1801,15 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
err = unshare_fd(unshare_flags, &new_fd); err = unshare_fd(unshare_flags, &new_fd);
if (err) if (err)
goto bad_unshare_cleanup_fs; goto bad_unshare_cleanup_fs;
err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy, new_fs); err = unshare_userns(unshare_flags, &new_cred);
if (err) if (err)
goto bad_unshare_cleanup_fd; goto bad_unshare_cleanup_fd;
err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,
new_cred, new_fs);
if (err)
goto bad_unshare_cleanup_cred;
if (new_fs || new_fd || do_sysvsem || new_nsproxy) { if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
if (do_sysvsem) { if (do_sysvsem) {
/* /*
* CLONE_SYSVSEM is equivalent to sys_exit(). * CLONE_SYSVSEM is equivalent to sys_exit().
...@@ -1832,11 +1842,20 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) ...@@ -1832,11 +1842,20 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
} }
task_unlock(current); task_unlock(current);
if (new_cred) {
/* Install the new user namespace */
commit_creds(new_cred);
new_cred = NULL;
}
} }
if (new_nsproxy) if (new_nsproxy)
put_nsproxy(new_nsproxy); put_nsproxy(new_nsproxy);
bad_unshare_cleanup_cred:
if (new_cred)
put_cred(new_cred);
bad_unshare_cleanup_fd: bad_unshare_cleanup_fd:
if (new_fd) if (new_fd)
put_files_struct(new_fd); put_files_struct(new_fd);
......
...@@ -186,7 +186,7 @@ void free_nsproxy(struct nsproxy *ns) ...@@ -186,7 +186,7 @@ void free_nsproxy(struct nsproxy *ns)
* On success, returns the new nsproxy. * On success, returns the new nsproxy.
*/ */
int unshare_nsproxy_namespaces(unsigned long unshare_flags, int unshare_nsproxy_namespaces(unsigned long unshare_flags,
struct nsproxy **new_nsp, struct fs_struct *new_fs) struct nsproxy **new_nsp, struct cred *new_cred, struct fs_struct *new_fs)
{ {
struct user_namespace *user_ns; struct user_namespace *user_ns;
int err = 0; int err = 0;
...@@ -195,10 +195,10 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, ...@@ -195,10 +195,10 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
CLONE_NEWNET | CLONE_NEWPID))) CLONE_NEWNET | CLONE_NEWPID)))
return 0; return 0;
if (!nsown_capable(CAP_SYS_ADMIN)) user_ns = new_cred ? new_cred->user_ns : current_user_ns();
if (!ns_capable(user_ns, CAP_SYS_ADMIN))
return -EPERM; return -EPERM;
user_ns = current_user_ns();
*new_nsp = create_new_namespaces(unshare_flags, current, user_ns, *new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
new_fs ? new_fs : current->fs); new_fs ? new_fs : current->fs);
if (IS_ERR(*new_nsp)) { if (IS_ERR(*new_nsp)) {
......
...@@ -82,6 +82,21 @@ int create_user_ns(struct cred *new) ...@@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
return 0; return 0;
} }
int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
{
struct cred *cred;
if (!(unshare_flags & CLONE_NEWUSER))
return 0;
cred = prepare_creds();
if (!cred)
return -ENOMEM;
*new_cred = cred;
return create_user_ns(cred);
}
void free_user_ns(struct kref *kref) void free_user_ns(struct kref *kref)
{ {
struct user_namespace *parent, *ns = struct user_namespace *parent, *ns =
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment