include/linux/user_namespace.h at v6.16 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / include / linux / user_namespace.h
at v6.16 6.7 kB view raw
  1/* SPDX-License-Identifier: GPL-2.0 */
  2#ifndef _LINUX_USER_NAMESPACE_H
  3#define _LINUX_USER_NAMESPACE_H
  4
  5#include <linux/kref.h>
  6#include <linux/nsproxy.h>
  7#include <linux/ns_common.h>
  8#include <linux/rculist_nulls.h>
  9#include <linux/sched.h>
 10#include <linux/workqueue.h>
 11#include <linux/rcuref.h>
 12#include <linux/rwsem.h>
 13#include <linux/sysctl.h>
 14#include <linux/err.h>
 15
 16#define UID_GID_MAP_MAX_BASE_EXTENTS 5
 17#define UID_GID_MAP_MAX_EXTENTS 340
 18
 19struct uid_gid_extent {
 20	u32 first;
 21	u32 lower_first;
 22	u32 count;
 23};
 24
 25struct uid_gid_map { /* 64 bytes -- 1 cache line */
 26	union {
 27		struct {
 28			struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
 29			u32 nr_extents;
 30		};
 31		struct {
 32			struct uid_gid_extent *forward;
 33			struct uid_gid_extent *reverse;
 34		};
 35	};
 36};
 37
 38#define USERNS_SETGROUPS_ALLOWED 1UL
 39
 40#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
 41
 42struct ucounts;
 43
 44enum ucount_type {
 45	UCOUNT_USER_NAMESPACES,
 46	UCOUNT_PID_NAMESPACES,
 47	UCOUNT_UTS_NAMESPACES,
 48	UCOUNT_IPC_NAMESPACES,
 49	UCOUNT_NET_NAMESPACES,
 50	UCOUNT_MNT_NAMESPACES,
 51	UCOUNT_CGROUP_NAMESPACES,
 52	UCOUNT_TIME_NAMESPACES,
 53#ifdef CONFIG_INOTIFY_USER
 54	UCOUNT_INOTIFY_INSTANCES,
 55	UCOUNT_INOTIFY_WATCHES,
 56#endif
 57#ifdef CONFIG_FANOTIFY
 58	UCOUNT_FANOTIFY_GROUPS,
 59	UCOUNT_FANOTIFY_MARKS,
 60#endif
 61	UCOUNT_COUNTS,
 62};
 63
 64enum rlimit_type {
 65	UCOUNT_RLIMIT_NPROC,
 66	UCOUNT_RLIMIT_MSGQUEUE,
 67	UCOUNT_RLIMIT_SIGPENDING,
 68	UCOUNT_RLIMIT_MEMLOCK,
 69	UCOUNT_RLIMIT_COUNTS,
 70};
 71
 72#if IS_ENABLED(CONFIG_BINFMT_MISC)
 73struct binfmt_misc;
 74#endif
 75
 76struct user_namespace {
 77	struct uid_gid_map	uid_map;
 78	struct uid_gid_map	gid_map;
 79	struct uid_gid_map	projid_map;
 80	struct user_namespace	*parent;
 81	int			level;
 82	kuid_t			owner;
 83	kgid_t			group;
 84	struct ns_common	ns;
 85	unsigned long		flags;
 86	/* parent_could_setfcap: true if the creator if this ns had CAP_SETFCAP
 87	 * in its effective capability set at the child ns creation time. */
 88	bool			parent_could_setfcap;
 89
 90#ifdef CONFIG_KEYS
 91	/* List of joinable keyrings in this namespace.  Modification access of
 92	 * these pointers is controlled by keyring_sem.  Once
 93	 * user_keyring_register is set, it won't be changed, so it can be
 94	 * accessed directly with READ_ONCE().
 95	 */
 96	struct list_head	keyring_name_list;
 97	struct key		*user_keyring_register;
 98	struct rw_semaphore	keyring_sem;
 99#endif
100
101	/* Register of per-UID persistent keyrings for this namespace */
102#ifdef CONFIG_PERSISTENT_KEYRINGS
103	struct key		*persistent_keyring_register;
104#endif
105	struct work_struct	work;
106#ifdef CONFIG_SYSCTL
107	struct ctl_table_set	set;
108	struct ctl_table_header *sysctls;
109#endif
110	struct ucounts		*ucounts;
111	long ucount_max[UCOUNT_COUNTS];
112	long rlimit_max[UCOUNT_RLIMIT_COUNTS];
113
114#if IS_ENABLED(CONFIG_BINFMT_MISC)
115	struct binfmt_misc *binfmt_misc;
116#endif
117} __randomize_layout;
118
119struct ucounts {
120	struct hlist_nulls_node node;
121	struct user_namespace *ns;
122	kuid_t uid;
123	struct rcu_head rcu;
124	rcuref_t count;
125	atomic_long_t ucount[UCOUNT_COUNTS];
126	atomic_long_t rlimit[UCOUNT_RLIMIT_COUNTS];
127};
128
129extern struct user_namespace init_user_ns;
130extern struct ucounts init_ucounts;
131
132bool setup_userns_sysctls(struct user_namespace *ns);
133void retire_userns_sysctls(struct user_namespace *ns);
134struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
135void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
136struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
137void put_ucounts(struct ucounts *ucounts);
138
139static inline struct ucounts * __must_check get_ucounts(struct ucounts *ucounts)
140{
141	if (rcuref_get(&ucounts->count))
142		return ucounts;
143	return NULL;
144}
145
146static inline long get_rlimit_value(struct ucounts *ucounts, enum rlimit_type type)
147{
148	return atomic_long_read(&ucounts->rlimit[type]);
149}
150
151long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
152bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
153long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type,
154			    bool override_rlimit);
155void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type);
156bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max);
157
158static inline long get_userns_rlimit_max(struct user_namespace *ns, enum rlimit_type type)
159{
160	return READ_ONCE(ns->rlimit_max[type]);
161}
162
163static inline void set_userns_rlimit_max(struct user_namespace *ns,
164		enum rlimit_type type, unsigned long max)
165{
166	ns->rlimit_max[type] = max <= LONG_MAX ? max : LONG_MAX;
167}
168
169#ifdef CONFIG_USER_NS
170
171static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
172{
173	if (ns)
174		refcount_inc(&ns->ns.count);
175	return ns;
176}
177
178extern int create_user_ns(struct cred *new);
179extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
180extern void __put_user_ns(struct user_namespace *ns);
181
182static inline void put_user_ns(struct user_namespace *ns)
183{
184	if (ns && refcount_dec_and_test(&ns->ns.count))
185		__put_user_ns(ns);
186}
187
188struct seq_operations;
189extern const struct seq_operations proc_uid_seq_operations;
190extern const struct seq_operations proc_gid_seq_operations;
191extern const struct seq_operations proc_projid_seq_operations;
192extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
193extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
194extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
195extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
196extern int proc_setgroups_show(struct seq_file *m, void *v);
197extern bool userns_may_setgroups(const struct user_namespace *ns);
198extern bool in_userns(const struct user_namespace *ancestor,
199		       const struct user_namespace *child);
200extern bool current_in_userns(const struct user_namespace *target_ns);
201struct ns_common *ns_get_owner(struct ns_common *ns);
202#else
203
204static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
205{
206	return &init_user_ns;
207}
208
209static inline int create_user_ns(struct cred *new)
210{
211	return -EINVAL;
212}
213
214static inline int unshare_userns(unsigned long unshare_flags,
215				 struct cred **new_cred)
216{
217	if (unshare_flags & CLONE_NEWUSER)
218		return -EINVAL;
219	return 0;
220}
221
222static inline void put_user_ns(struct user_namespace *ns)
223{
224}
225
226static inline bool userns_may_setgroups(const struct user_namespace *ns)
227{
228	return true;
229}
230
231static inline bool in_userns(const struct user_namespace *ancestor,
232			     const struct user_namespace *child)
233{
234	return true;
235}
236
237static inline bool current_in_userns(const struct user_namespace *target_ns)
238{
239	return true;
240}
241
242static inline struct ns_common *ns_get_owner(struct ns_common *ns)
243{
244	return ERR_PTR(-EPERM);
245}
246#endif
247
248#endif /* _LINUX_USER_H */