userns: Implement unshare of the user namespace
authorEric W. Biederman <ebiederm@xmission.com>
Thu, 26 Jul 2012 12:15:35 +0000 (05:15 -0700)
committerEric W. Biederman <ebiederm@xmission.com>
Tue, 20 Nov 2012 12:18:14 +0000 (04:18 -0800)
- Add CLONE_THREAD to the unshare flags if CLONE_NEWUSER is selected
  As changing user namespaces is only valid if all there is only
  a single thread.
- Restore the code to add CLONE_VM if CLONE_THREAD is selected and
  the code to addCLONE_SIGHAND if CLONE_VM is selected.
  Making the constraints in the code clear.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
include/linux/nsproxy.h
include/linux/user_namespace.h
kernel/fork.c
kernel/nsproxy.c
kernel/user_namespace.c

index cc37a55ad004391597661e13071f3c6e1c708c19..10e5947491c7b9b54f423ab567f9948be021eb6f 100644 (file)
@@ -67,7 +67,7 @@ void exit_task_namespaces(struct task_struct *tsk);
 void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
 void free_nsproxy(struct nsproxy *ns);
 int unshare_nsproxy_namespaces(unsigned long, struct nsproxy **,
-       struct fs_struct *);
+       struct cred *, struct fs_struct *);
 int __init nsproxy_cache_init(void);
 
 static inline void put_nsproxy(struct nsproxy *ns)
index 95142cae446a7205e9887029a7433eff1b147d81..17651f08d67feed00b0f4f13a78b374b0918d426 100644 (file)
@@ -39,6 +39,7 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 }
 
 extern int create_user_ns(struct cred *new);
+extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
 extern void free_user_ns(struct kref *kref);
 
 static inline void put_user_ns(struct user_namespace *ns)
@@ -66,6 +67,14 @@ static inline int create_user_ns(struct cred *new)
        return -EINVAL;
 }
 
+static inline int unshare_userns(unsigned long unshare_flags,
+                                struct cred **new_cred)
+{
+       if (unshare_flags & CLONE_NEWUSER)
+               return -EINVAL;
+       return 0;
+}
+
 static inline void put_user_ns(struct user_namespace *ns)
 {
 }
index 8c29abb19014df2c1f330b04d3253eb63fc1aee4..38e53b87402c865e06e9a55e5319c297715b893c 100644 (file)
@@ -1687,7 +1687,7 @@ static int check_unshare_flags(unsigned long unshare_flags)
        if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
                                CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
                                CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
-                               CLONE_NEWPID))
+                               CLONE_NEWUSER|CLONE_NEWPID))
                return -EINVAL;
        /*
         * Not implemented, but pretend it works if there is nothing to
@@ -1754,10 +1754,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 {
        struct fs_struct *fs, *new_fs = NULL;
        struct files_struct *fd, *new_fd = NULL;
+       struct cred *new_cred = NULL;
        struct nsproxy *new_nsproxy = NULL;
        int do_sysvsem = 0;
        int err;
 
+       /*
+        * If unsharing a user namespace must also unshare the thread.
+        */
+       if (unshare_flags & CLONE_NEWUSER)
+               unshare_flags |= CLONE_THREAD;
        /*
         * If unsharing a pid namespace must also unshare the thread.
         */
@@ -1795,11 +1801,15 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
        err = unshare_fd(unshare_flags, &new_fd);
        if (err)
                goto bad_unshare_cleanup_fs;
-       err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy, new_fs);
+       err = unshare_userns(unshare_flags, &new_cred);
        if (err)
                goto bad_unshare_cleanup_fd;
+       err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,
+                                        new_cred, new_fs);
+       if (err)
+               goto bad_unshare_cleanup_cred;
 
-       if (new_fs || new_fd || do_sysvsem || new_nsproxy) {
+       if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
                if (do_sysvsem) {
                        /*
                         * CLONE_SYSVSEM is equivalent to sys_exit().
@@ -1832,11 +1842,20 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
                }
 
                task_unlock(current);
+
+               if (new_cred) {
+                       /* Install the new user namespace */
+                       commit_creds(new_cred);
+                       new_cred = NULL;
+               }
        }
 
        if (new_nsproxy)
                put_nsproxy(new_nsproxy);
 
+bad_unshare_cleanup_cred:
+       if (new_cred)
+               put_cred(new_cred);
 bad_unshare_cleanup_fd:
        if (new_fd)
                put_files_struct(new_fd);
index 2ddd81657a2a6fb07dd43f9090ac701ef0868958..78e2ecb201655575dceef87cd9f8c771547bcfb7 100644 (file)
@@ -186,7 +186,7 @@ void free_nsproxy(struct nsproxy *ns)
  * On success, returns the new nsproxy.
  */
 int unshare_nsproxy_namespaces(unsigned long unshare_flags,
-               struct nsproxy **new_nsp, struct fs_struct *new_fs)
+       struct nsproxy **new_nsp, struct cred *new_cred, struct fs_struct *new_fs)
 {
        struct user_namespace *user_ns;
        int err = 0;
@@ -195,12 +195,12 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
                               CLONE_NEWNET | CLONE_NEWPID)))
                return 0;
 
-       if (!nsown_capable(CAP_SYS_ADMIN))
+       user_ns = new_cred ? new_cred->user_ns : current_user_ns();
+       if (!ns_capable(user_ns, CAP_SYS_ADMIN))
                return -EPERM;
 
-       user_ns = current_user_ns();
        *new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
-                               new_fs ? new_fs : current->fs);
+                                        new_fs ? new_fs : current->fs);
        if (IS_ERR(*new_nsp)) {
                err = PTR_ERR(*new_nsp);
                goto out;
index a9460774e77dd6535b04e2b5944fc7533791374a..ce92f7e6290a9016fad84d014a81e6907eaa5ec5 100644 (file)
@@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
        return 0;
 }
 
+int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
+{
+       struct cred *cred;
+
+       if (!(unshare_flags & CLONE_NEWUSER))
+               return 0;
+
+       cred = prepare_creds();
+       if (!cred)
+               return -ENOMEM;
+
+       *new_cred = cred;
+       return create_user_ns(cred);
+}
+
 void free_user_ns(struct kref *kref)
 {
        struct user_namespace *parent, *ns =