Lines Matching +full:no +full:- +full:map
1 // SPDX-License-Identifier: GPL-2.0-only
13 #include <linux/key-type.h>
14 #include <keys/user-type.h>
29 struct uid_gid_map *map);
47 cred->securebits = SECUREBITS_DEFAULT; in set_cred_user_ns()
48 cred->cap_inheritable = CAP_EMPTY_SET; in set_cred_user_ns()
49 cred->cap_permitted = CAP_FULL_SET; in set_cred_user_ns()
50 cred->cap_effective = CAP_FULL_SET; in set_cred_user_ns()
51 cred->cap_ambient = CAP_EMPTY_SET; in set_cred_user_ns()
52 cred->cap_bset = CAP_FULL_SET; in set_cred_user_ns()
54 key_put(cred->request_key_auth); in set_cred_user_ns()
55 cred->request_key_auth = NULL; in set_cred_user_ns()
58 cred->user_ns = user_ns; in set_cred_user_ns()
71 struct user_namespace *ns, *parent_ns = new->user_ns; in create_user_ns()
72 kuid_t owner = new->euid; in create_user_ns()
73 kgid_t group = new->egid; in create_user_ns()
77 ret = -ENOSPC; in create_user_ns()
78 if (parent_ns->level > 32) in create_user_ns()
91 ret = -EPERM; in create_user_ns()
99 ret = -EPERM; in create_user_ns()
104 ret = -ENOMEM; in create_user_ns()
109 ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP); in create_user_ns()
110 ret = ns_alloc_inum(&ns->ns); in create_user_ns()
113 ns->ns.ops = &userns_operations; in create_user_ns()
115 refcount_set(&ns->ns.count, 1); in create_user_ns()
116 /* Leave the new->user_ns reference with the new user namespace. */ in create_user_ns()
117 ns->parent = parent_ns; in create_user_ns()
118 ns->level = parent_ns->level + 1; in create_user_ns()
119 ns->owner = owner; in create_user_ns()
120 ns->group = group; in create_user_ns()
121 INIT_WORK(&ns->work, free_user_ns); in create_user_ns()
123 ns->ucount_max[i] = INT_MAX; in create_user_ns()
129 ns->ucounts = ucounts; in create_user_ns()
133 ns->flags = parent_ns->flags; in create_user_ns()
137 INIT_LIST_HEAD(&ns->keyring_name_list); in create_user_ns()
138 init_rwsem(&ns->keyring_sem); in create_user_ns()
140 ret = -ENOMEM; in create_user_ns()
148 key_put(ns->persistent_keyring_register); in create_user_ns()
150 ns_free_inum(&ns->ns); in create_user_ns()
162 int err = -ENOMEM; in unshare_userns()
185 struct ucounts *ucounts = ns->ucounts; in free_user_ns()
186 parent = ns->parent; in free_user_ns()
187 if (ns->gid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
188 kfree(ns->gid_map.forward); in free_user_ns()
189 kfree(ns->gid_map.reverse); in free_user_ns()
191 if (ns->uid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
192 kfree(ns->uid_map.forward); in free_user_ns()
193 kfree(ns->uid_map.reverse); in free_user_ns()
195 if (ns->projid_map.nr_extents > UID_GID_MAP_MAX_BASE_EXTENTS) { in free_user_ns()
196 kfree(ns->projid_map.forward); in free_user_ns()
197 kfree(ns->projid_map.reverse); in free_user_ns()
201 ns_free_inum(&ns->ns); in free_user_ns()
205 } while (refcount_dec_and_test(&parent->ns.count)); in free_user_ns()
210 schedule_work(&ns->work); in __put_user_ns()
219 bool map_up; /* true -> id from kid; false -> kid from id */
225 * cmp_map_id - Function to be passed to bsearch() to find the requested
234 id2 = key->id + key->count - 1; in cmp_map_id()
237 if (key->map_up) in cmp_map_id()
238 first = el->lower_first; in cmp_map_id()
240 first = el->first; in cmp_map_id()
242 last = first + el->count - 1; in cmp_map_id()
244 if (key->id >= first && key->id <= last && in cmp_map_id()
248 if (key->id < first || id2 < first) in cmp_map_id()
249 return -1; in cmp_map_id()
255 * map_id_range_down_max - Find idmap via binary search in ordered idmap array.
259 map_id_range_down_max(unsigned extents, struct uid_gid_map *map, u32 id, u32 count) in map_id_range_down_max() argument
267 return bsearch(&key, map->forward, extents, in map_id_range_down_max()
272 * map_id_range_down_base - Find idmap via binary search in static extent array.
277 map_id_range_down_base(unsigned extents, struct uid_gid_map *map, u32 id, u32 count) in map_id_range_down_base() argument
282 id2 = id + count - 1; in map_id_range_down_base()
286 first = map->extent[idx].first; in map_id_range_down_base()
287 last = first + map->extent[idx].count - 1; in map_id_range_down_base()
290 return &map->extent[idx]; in map_id_range_down_base()
295 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count) in map_id_range_down() argument
298 unsigned extents = map->nr_extents; in map_id_range_down()
302 extent = map_id_range_down_base(extents, map, id, count); in map_id_range_down()
304 extent = map_id_range_down_max(extents, map, id, count); in map_id_range_down()
306 /* Map the id or note failure */ in map_id_range_down()
308 id = (id - extent->first) + extent->lower_first; in map_id_range_down()
310 id = (u32) -1; in map_id_range_down()
315 static u32 map_id_down(struct uid_gid_map *map, u32 id) in map_id_down() argument
317 return map_id_range_down(map, id, 1); in map_id_down()
321 * map_id_up_base - Find idmap via binary search in static extent array.
326 map_id_up_base(unsigned extents, struct uid_gid_map *map, u32 id) in map_id_up_base() argument
333 first = map->extent[idx].lower_first; in map_id_up_base()
334 last = first + map->extent[idx].count - 1; in map_id_up_base()
336 return &map->extent[idx]; in map_id_up_base()
342 * map_id_up_max - Find idmap via binary search in ordered idmap array.
346 map_id_up_max(unsigned extents, struct uid_gid_map *map, u32 id) in map_id_up_max() argument
354 return bsearch(&key, map->reverse, extents, in map_id_up_max()
358 static u32 map_id_up(struct uid_gid_map *map, u32 id) in map_id_up() argument
361 unsigned extents = map->nr_extents; in map_id_up()
365 extent = map_id_up_base(extents, map, id); in map_id_up()
367 extent = map_id_up_max(extents, map, id); in map_id_up()
369 /* Map the id or note failure */ in map_id_up()
371 id = (id - extent->lower_first) + extent->first; in map_id_up()
373 id = (u32) -1; in map_id_up()
379 * make_kuid - Map a user-namespace uid pair into a kuid.
383 * Maps a user-namespace uid pair into a kernel internal kuid,
386 * When there is no mapping defined for the user-namespace uid
393 /* Map the uid to a global kernel uid */ in make_kuid()
394 return KUIDT_INIT(map_id_down(&ns->uid_map, uid)); in make_kuid()
399 * from_kuid - Create a uid from a kuid user-namespace pair.
403 * Map @kuid into the user-namespace specified by @targ and
408 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
412 /* Map the uid from a global kernel uid */ in from_kuid()
413 return map_id_up(&targ->uid_map, __kuid_val(kuid)); in from_kuid()
418 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
422 * Map @kuid into the user-namespace specified by @targ and
433 * If @kuid has no mapping in @targ overflowuid is returned.
440 if (uid == (uid_t) -1) in from_kuid_munged()
447 * make_kgid - Map a user-namespace gid pair into a kgid.
451 * Maps a user-namespace gid pair into a kernel internal kgid,
454 * When there is no mapping defined for the user-namespace gid
461 /* Map the gid to a global kernel gid */ in make_kgid()
462 return KGIDT_INIT(map_id_down(&ns->gid_map, gid)); in make_kgid()
467 * from_kgid - Create a gid from a kgid user-namespace pair.
471 * Map @kgid into the user-namespace specified by @targ and
476 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
480 /* Map the gid from a global kernel gid */ in from_kgid()
481 return map_id_up(&targ->gid_map, __kgid_val(kgid)); in from_kgid()
486 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
490 * Map @kgid into the user-namespace specified by @targ and
500 * If @kgid has no mapping in @targ overflowgid is returned.
507 if (gid == (gid_t) -1) in from_kgid_munged()
514 * make_kprojid - Map a user-namespace projid pair into a kprojid.
518 * Maps a user-namespace uid pair into a kernel internal kuid,
521 * When there is no mapping defined for the user-namespace projid
528 /* Map the uid to a global kernel uid */ in make_kprojid()
529 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid)); in make_kprojid()
534 * from_kprojid - Create a projid from a kprojid user-namespace pair.
538 * Map @kprojid into the user-namespace specified by @targ and
543 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
547 /* Map the uid from a global kernel uid */ in from_kprojid()
548 return map_id_up(&targ->projid_map, __kprojid_val(kprojid)); in from_kprojid()
553 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
557 * Map @kprojid into the user-namespace specified by @targ and
568 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
575 if (projid == (projid_t) -1) in from_kprojid_munged()
584 struct user_namespace *ns = seq->private; in uid_m_show()
590 if ((lower_ns == ns) && lower_ns->parent) in uid_m_show()
591 lower_ns = lower_ns->parent; in uid_m_show()
593 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first)); in uid_m_show()
596 extent->first, in uid_m_show()
598 extent->count); in uid_m_show()
605 struct user_namespace *ns = seq->private; in gid_m_show()
611 if ((lower_ns == ns) && lower_ns->parent) in gid_m_show()
612 lower_ns = lower_ns->parent; in gid_m_show()
614 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first)); in gid_m_show()
617 extent->first, in gid_m_show()
619 extent->count); in gid_m_show()
626 struct user_namespace *ns = seq->private; in projid_m_show()
632 if ((lower_ns == ns) && lower_ns->parent) in projid_m_show()
633 lower_ns = lower_ns->parent; in projid_m_show()
635 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first)); in projid_m_show()
638 extent->first, in projid_m_show()
640 extent->count); in projid_m_show()
646 struct uid_gid_map *map) in m_start() argument
649 unsigned extents = map->nr_extents; in m_start()
656 return &map->extent[pos]; in m_start()
658 return &map->forward[pos]; in m_start()
663 struct user_namespace *ns = seq->private; in uid_m_start()
665 return m_start(seq, ppos, &ns->uid_map); in uid_m_start()
670 struct user_namespace *ns = seq->private; in gid_m_start()
672 return m_start(seq, ppos, &ns->gid_map); in gid_m_start()
677 struct user_namespace *ns = seq->private; in projid_m_start()
679 return m_start(seq, ppos, &ns->projid_map); in projid_m_start()
685 return seq->op->start(seq, pos); in m_next()
720 upper_first = extent->first; in mappings_overlap()
721 lower_first = extent->lower_first; in mappings_overlap()
722 upper_last = upper_first + extent->count - 1; in mappings_overlap()
723 lower_last = lower_first + extent->count - 1; in mappings_overlap()
725 for (idx = 0; idx < new_map->nr_extents; idx++) { in mappings_overlap()
730 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in mappings_overlap()
731 prev = &new_map->extent[idx]; in mappings_overlap()
733 prev = &new_map->forward[idx]; in mappings_overlap()
735 prev_upper_first = prev->first; in mappings_overlap()
736 prev_lower_first = prev->lower_first; in mappings_overlap()
737 prev_upper_last = prev_upper_first + prev->count - 1; in mappings_overlap()
738 prev_lower_last = prev_lower_first + prev->count - 1; in mappings_overlap()
754 * insert_extent - Safely insert a new idmap extent into struct uid_gid_map.
758 static int insert_extent(struct uid_gid_map *map, struct uid_gid_extent *extent) in insert_extent() argument
762 if (map->nr_extents == UID_GID_MAP_MAX_BASE_EXTENTS) { in insert_extent()
770 return -ENOMEM; in insert_extent()
775 memcpy(forward, map->extent, in insert_extent()
776 map->nr_extents * sizeof(map->extent[0])); in insert_extent()
778 map->forward = forward; in insert_extent()
779 map->reverse = NULL; in insert_extent()
782 if (map->nr_extents < UID_GID_MAP_MAX_BASE_EXTENTS) in insert_extent()
783 dest = &map->extent[map->nr_extents]; in insert_extent()
785 dest = &map->forward[map->nr_extents]; in insert_extent()
788 map->nr_extents++; in insert_extent()
798 if (e1->first < e2->first) in cmp_extents_forward()
799 return -1; in cmp_extents_forward()
801 if (e1->first > e2->first) in cmp_extents_forward()
813 if (e1->lower_first < e2->lower_first) in cmp_extents_reverse()
814 return -1; in cmp_extents_reverse()
816 if (e1->lower_first > e2->lower_first) in cmp_extents_reverse()
823 * sort_idmaps - Sorts an array of idmap entries.
826 static int sort_idmaps(struct uid_gid_map *map) in sort_idmaps() argument
828 if (map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in sort_idmaps()
832 sort(map->forward, map->nr_extents, sizeof(struct uid_gid_extent), in sort_idmaps()
836 map->reverse = kmemdup(map->forward, in sort_idmaps()
837 map->nr_extents * sizeof(struct uid_gid_extent), in sort_idmaps()
839 if (!map->reverse) in sort_idmaps()
840 return -ENOMEM; in sort_idmaps()
843 sort(map->reverse, map->nr_extents, sizeof(struct uid_gid_extent), in sort_idmaps()
850 * verify_root_map() - check the uid 0 mapping
856 * process writing the map had the CAP_SETFCAP capability as the target process
866 const struct user_namespace *file_ns = file->f_cred->user_ns; in verify_root_map()
869 for (idx = 0; idx < new_map->nr_extents; idx++) { in verify_root_map()
870 if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) in verify_root_map()
871 extent0 = &new_map->extent[idx]; in verify_root_map()
873 extent0 = &new_map->forward[idx]; in verify_root_map()
874 if (extent0->lower_first == 0) in verify_root_map()
889 if (!file_ns->parent_could_setfcap) in verify_root_map()
893 * user namespace to p1's. Verify that the opener of the map in verify_root_map()
894 * file has CAP_SETFCAP against the parent of the new map in verify_root_map()
896 if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP)) in verify_root_map()
906 struct uid_gid_map *map, in map_write() argument
909 struct seq_file *seq = file->private_data; in map_write()
910 struct user_namespace *map_ns = seq->private; in map_write()
919 return -EINVAL; in map_write()
927 * The userns_state_mutex serializes all writes to any given map. in map_write()
929 * Any map is only ever written once. in map_write()
931 * An id map fits within 1 cache line on most architectures. in map_write()
949 ret = -EPERM; in map_write()
950 /* Only allow one successful write to the map */ in map_write()
951 if (map->nr_extents != 0) in map_write()
961 ret = -EINVAL; in map_write()
995 if ((extent.first == (u32) -1) || in map_write()
996 (extent.lower_first == (u32) -1)) in map_write()
1019 ret = -EINVAL; in map_write()
1021 /* Be very certain the new map actually exists */ in map_write()
1025 ret = -EPERM; in map_write()
1030 ret = -EPERM; in map_write()
1031 /* Map the lower ids from the parent user namespace to the in map_write()
1044 e->lower_first, in map_write()
1045 e->count); in map_write()
1047 /* Fail if we can not map the specified extent to in map_write()
1050 if (lower_first == (u32) -1) in map_write()
1053 e->lower_first = lower_first; in map_write()
1064 /* Install the map */ in map_write()
1066 memcpy(map->extent, new_map.extent, in map_write()
1069 map->forward = new_map.forward; in map_write()
1070 map->reverse = new_map.reverse; in map_write()
1073 map->nr_extents = new_map.nr_extents; in map_write()
1081 map->forward = NULL; in map_write()
1082 map->reverse = NULL; in map_write()
1083 map->nr_extents = 0; in map_write()
1094 struct seq_file *seq = file->private_data; in proc_uid_map_write()
1095 struct user_namespace *ns = seq->private; in proc_uid_map_write()
1098 if (!ns->parent) in proc_uid_map_write()
1099 return -EPERM; in proc_uid_map_write()
1101 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_uid_map_write()
1102 return -EPERM; in proc_uid_map_write()
1105 &ns->uid_map, &ns->parent->uid_map); in proc_uid_map_write()
1111 struct seq_file *seq = file->private_data; in proc_gid_map_write()
1112 struct user_namespace *ns = seq->private; in proc_gid_map_write()
1115 if (!ns->parent) in proc_gid_map_write()
1116 return -EPERM; in proc_gid_map_write()
1118 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_gid_map_write()
1119 return -EPERM; in proc_gid_map_write()
1122 &ns->gid_map, &ns->parent->gid_map); in proc_gid_map_write()
1128 struct seq_file *seq = file->private_data; in proc_projid_map_write()
1129 struct user_namespace *ns = seq->private; in proc_projid_map_write()
1132 if (!ns->parent) in proc_projid_map_write()
1133 return -EPERM; in proc_projid_map_write()
1135 if ((seq_ns != ns) && (seq_ns != ns->parent)) in proc_projid_map_write()
1136 return -EPERM; in proc_projid_map_write()
1138 /* Anyone can set any valid project id no capability needed */ in proc_projid_map_write()
1139 return map_write(file, buf, size, ppos, -1, in proc_projid_map_write()
1140 &ns->projid_map, &ns->parent->projid_map); in proc_projid_map_write()
1147 const struct cred *cred = file->f_cred; in new_idmap_permitted()
1155 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && in new_idmap_permitted()
1156 uid_eq(ns->owner, cred->euid)) { in new_idmap_permitted()
1157 u32 id = new_map->extent[0].lower_first; in new_idmap_permitted()
1159 kuid_t uid = make_kuid(ns->parent, id); in new_idmap_permitted()
1160 if (uid_eq(uid, cred->euid)) in new_idmap_permitted()
1163 kgid_t gid = make_kgid(ns->parent, id); in new_idmap_permitted()
1164 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) && in new_idmap_permitted()
1165 gid_eq(gid, cred->egid)) in new_idmap_permitted()
1178 if (ns_capable(ns->parent, cap_setid) && in new_idmap_permitted()
1179 file_ns_capable(file, ns->parent, cap_setid)) in new_idmap_permitted()
1187 struct user_namespace *ns = seq->private; in proc_setgroups_show()
1188 unsigned long userns_flags = READ_ONCE(ns->flags); in proc_setgroups_show()
1199 struct seq_file *seq = file->private_data; in proc_setgroups_write()
1200 struct user_namespace *ns = seq->private; in proc_setgroups_write()
1206 ret = -EINVAL; in proc_setgroups_write()
1211 ret = -EFAULT; in proc_setgroups_write()
1218 ret = -EINVAL; in proc_setgroups_write()
1235 ret = -EPERM; in proc_setgroups_write()
1241 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED)) in proc_setgroups_write()
1247 if (ns->gid_map.nr_extents != 0) in proc_setgroups_write()
1249 ns->flags &= ~USERNS_SETGROUPS_ALLOWED; in proc_setgroups_write()
1271 allowed = ns->gid_map.nr_extents != 0; in userns_may_setgroups()
1273 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED); in userns_may_setgroups()
1287 for (ns = child; ns->level > ancestor->level; ns = ns->parent) in in_userns()
1308 user_ns = get_user_ns(__task_cred(task)->user_ns); in userns_get()
1311 return user_ns ? &user_ns->ns : NULL; in userns_get()
1328 return -EINVAL; in userns_install()
1332 return -EINVAL; in userns_install()
1334 if (current->fs->users != 1) in userns_install()
1335 return -EINVAL; in userns_install()
1338 return -EPERM; in userns_install()
1342 return -EINVAL; in userns_install()
1344 put_user_ns(cred->user_ns); in userns_install()
1348 return -EINVAL; in userns_install()
1359 owner = p = ns->ops->owner(ns); in ns_get_owner()
1362 return ERR_PTR(-EPERM); in ns_get_owner()
1365 p = p->parent; in ns_get_owner()
1368 return &get_user_ns(owner)->ns; in ns_get_owner()
1373 return to_user_ns(ns)->parent; in userns_owner()