diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2012-07-26 07:02:49 -0400 |
|---|---|---|
| committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-20 07:17:43 -0500 |
| commit | bcf58e725ddc45d31addbc6627d4f0edccc824c1 (patch) | |
| tree | e6dff2fbed40f26d8c45f78e23a7476527573bf1 | |
| parent | 142e1d1d5f088e7a38659daca6e84a730967774a (diff) | |
userns: Make create_new_namespaces take a user_ns parameter
Modify create_new_namespaces to explicitly take a user namespace
parameter, instead of implicitly through the task_struct.
This allows an implementation of unshare(CLONE_NEWUSER) where
the new user namespace is not stored onto the current task_struct
until after all of the namespaces are created.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
| -rw-r--r-- | include/linux/ipc_namespace.h | 7 | ||||
| -rw-r--r-- | include/linux/utsname.h | 6 | ||||
| -rw-r--r-- | ipc/namespace.c | 10 | ||||
| -rw-r--r-- | kernel/nsproxy.c | 22 | ||||
| -rw-r--r-- | kernel/utsname.c | 9 |
5 files changed, 28 insertions, 26 deletions
diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h index 5499c92a9153..f03af702a39d 100644 --- a/include/linux/ipc_namespace.h +++ b/include/linux/ipc_namespace.h | |||
| @@ -133,7 +133,8 @@ static inline int mq_init_ns(struct ipc_namespace *ns) { return 0; } | |||
| 133 | 133 | ||
| 134 | #if defined(CONFIG_IPC_NS) | 134 | #if defined(CONFIG_IPC_NS) |
| 135 | extern struct ipc_namespace *copy_ipcs(unsigned long flags, | 135 | extern struct ipc_namespace *copy_ipcs(unsigned long flags, |
| 136 | struct task_struct *tsk); | 136 | struct user_namespace *user_ns, struct ipc_namespace *ns); |
| 137 | |||
| 137 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) | 138 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) |
| 138 | { | 139 | { |
| 139 | if (ns) | 140 | if (ns) |
| @@ -144,12 +145,12 @@ static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) | |||
| 144 | extern void put_ipc_ns(struct ipc_namespace *ns); | 145 | extern void put_ipc_ns(struct ipc_namespace *ns); |
| 145 | #else | 146 | #else |
| 146 | static inline struct ipc_namespace *copy_ipcs(unsigned long flags, | 147 | static inline struct ipc_namespace *copy_ipcs(unsigned long flags, |
| 147 | struct task_struct *tsk) | 148 | struct user_namespace *user_ns, struct ipc_namespace *ns) |
| 148 | { | 149 | { |
| 149 | if (flags & CLONE_NEWIPC) | 150 | if (flags & CLONE_NEWIPC) |
| 150 | return ERR_PTR(-EINVAL); | 151 | return ERR_PTR(-EINVAL); |
| 151 | 152 | ||
| 152 | return tsk->nsproxy->ipc_ns; | 153 | return ns; |
| 153 | } | 154 | } |
| 154 | 155 | ||
| 155 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) | 156 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) |
diff --git a/include/linux/utsname.h b/include/linux/utsname.h index 2b345206722a..221f4a0a7502 100644 --- a/include/linux/utsname.h +++ b/include/linux/utsname.h | |||
| @@ -33,7 +33,7 @@ static inline void get_uts_ns(struct uts_namespace *ns) | |||
| 33 | } | 33 | } |
| 34 | 34 | ||
| 35 | extern struct uts_namespace *copy_utsname(unsigned long flags, | 35 | extern struct uts_namespace *copy_utsname(unsigned long flags, |
| 36 | struct task_struct *tsk); | 36 | struct user_namespace *user_ns, struct uts_namespace *old_ns); |
| 37 | extern void free_uts_ns(struct kref *kref); | 37 | extern void free_uts_ns(struct kref *kref); |
| 38 | 38 | ||
| 39 | static inline void put_uts_ns(struct uts_namespace *ns) | 39 | static inline void put_uts_ns(struct uts_namespace *ns) |
| @@ -50,12 +50,12 @@ static inline void put_uts_ns(struct uts_namespace *ns) | |||
| 50 | } | 50 | } |
| 51 | 51 | ||
| 52 | static inline struct uts_namespace *copy_utsname(unsigned long flags, | 52 | static inline struct uts_namespace *copy_utsname(unsigned long flags, |
| 53 | struct task_struct *tsk) | 53 | struct user_namespace *user_ns, struct uts_namespace *old_ns) |
| 54 | { | 54 | { |
| 55 | if (flags & CLONE_NEWUTS) | 55 | if (flags & CLONE_NEWUTS) |
| 56 | return ERR_PTR(-EINVAL); | 56 | return ERR_PTR(-EINVAL); |
| 57 | 57 | ||
| 58 | return tsk->nsproxy->uts_ns; | 58 | return old_ns; |
| 59 | } | 59 | } |
| 60 | #endif | 60 | #endif |
| 61 | 61 | ||
diff --git a/ipc/namespace.c b/ipc/namespace.c index 6ed33c05cb66..72c868277793 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c | |||
| @@ -16,7 +16,7 @@ | |||
| 16 | 16 | ||
| 17 | #include "util.h" | 17 | #include "util.h" |
| 18 | 18 | ||
| 19 | static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk, | 19 | static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns, |
| 20 | struct ipc_namespace *old_ns) | 20 | struct ipc_namespace *old_ns) |
| 21 | { | 21 | { |
| 22 | struct ipc_namespace *ns; | 22 | struct ipc_namespace *ns; |
| @@ -46,19 +46,17 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk, | |||
| 46 | ipcns_notify(IPCNS_CREATED); | 46 | ipcns_notify(IPCNS_CREATED); |
| 47 | register_ipcns_notifier(ns); | 47 | register_ipcns_notifier(ns); |
| 48 | 48 | ||
| 49 | ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns)); | 49 | ns->user_ns = get_user_ns(user_ns); |
| 50 | 50 | ||
| 51 | return ns; | 51 | return ns; |
| 52 | } | 52 | } |
| 53 | 53 | ||
| 54 | struct ipc_namespace *copy_ipcs(unsigned long flags, | 54 | struct ipc_namespace *copy_ipcs(unsigned long flags, |
| 55 | struct task_struct *tsk) | 55 | struct user_namespace *user_ns, struct ipc_namespace *ns) |
| 56 | { | 56 | { |
| 57 | struct ipc_namespace *ns = tsk->nsproxy->ipc_ns; | ||
| 58 | |||
| 59 | if (!(flags & CLONE_NEWIPC)) | 57 | if (!(flags & CLONE_NEWIPC)) |
| 60 | return get_ipc_ns(ns); | 58 | return get_ipc_ns(ns); |
| 61 | return create_ipc_ns(tsk, ns); | 59 | return create_ipc_ns(user_ns, ns); |
| 62 | } | 60 | } |
| 63 | 61 | ||
| 64 | /* | 62 | /* |
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 4357a0a7d17d..2ddd81657a2a 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c | |||
| @@ -57,7 +57,8 @@ static inline struct nsproxy *create_nsproxy(void) | |||
| 57 | * leave it to the caller to do proper locking and attach it to task. | 57 | * leave it to the caller to do proper locking and attach it to task. |
| 58 | */ | 58 | */ |
| 59 | static struct nsproxy *create_new_namespaces(unsigned long flags, | 59 | static struct nsproxy *create_new_namespaces(unsigned long flags, |
| 60 | struct task_struct *tsk, struct fs_struct *new_fs) | 60 | struct task_struct *tsk, struct user_namespace *user_ns, |
| 61 | struct fs_struct *new_fs) | ||
| 61 | { | 62 | { |
| 62 | struct nsproxy *new_nsp; | 63 | struct nsproxy *new_nsp; |
| 63 | int err; | 64 | int err; |
| @@ -66,31 +67,31 @@ static struct nsproxy *create_new_namespaces(unsigned long flags, | |||
| 66 | if (!new_nsp) | 67 | if (!new_nsp) |
| 67 | return ERR_PTR(-ENOMEM); | 68 | return ERR_PTR(-ENOMEM); |
| 68 | 69 | ||
| 69 | new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, task_cred_xxx(tsk, user_ns), new_fs); | 70 | new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, user_ns, new_fs); |
| 70 | if (IS_ERR(new_nsp->mnt_ns)) { | 71 | if (IS_ERR(new_nsp->mnt_ns)) { |
| 71 | err = PTR_ERR(new_nsp->mnt_ns); | 72 | err = PTR_ERR(new_nsp->mnt_ns); |
| 72 | goto out_ns; | 73 | goto out_ns; |
| 73 | } | 74 | } |
| 74 | 75 | ||
| 75 | new_nsp->uts_ns = copy_utsname(flags, tsk); | 76 | new_nsp->uts_ns = copy_utsname(flags, user_ns, tsk->nsproxy->uts_ns); |
| 76 | if (IS_ERR(new_nsp->uts_ns)) { | 77 | if (IS_ERR(new_nsp->uts_ns)) { |
| 77 | err = PTR_ERR(new_nsp->uts_ns); | 78 | err = PTR_ERR(new_nsp->uts_ns); |
| 78 | goto out_uts; | 79 | goto out_uts; |
| 79 | } | 80 | } |
| 80 | 81 | ||
| 81 | new_nsp->ipc_ns = copy_ipcs(flags, tsk); | 82 | new_nsp->ipc_ns = copy_ipcs(flags, user_ns, tsk->nsproxy->ipc_ns); |
| 82 | if (IS_ERR(new_nsp->ipc_ns)) { | 83 | if (IS_ERR(new_nsp->ipc_ns)) { |
| 83 | err = PTR_ERR(new_nsp->ipc_ns); | 84 | err = PTR_ERR(new_nsp->ipc_ns); |
| 84 | goto out_ipc; | 85 | goto out_ipc; |
| 85 | } | 86 | } |
| 86 | 87 | ||
| 87 | new_nsp->pid_ns = copy_pid_ns(flags, task_cred_xxx(tsk, user_ns), tsk->nsproxy->pid_ns); | 88 | new_nsp->pid_ns = copy_pid_ns(flags, user_ns, tsk->nsproxy->pid_ns); |
| 88 | if (IS_ERR(new_nsp->pid_ns)) { | 89 | if (IS_ERR(new_nsp->pid_ns)) { |
| 89 | err = PTR_ERR(new_nsp->pid_ns); | 90 | err = PTR_ERR(new_nsp->pid_ns); |
| 90 | goto out_pid; | 91 | goto out_pid; |
| 91 | } | 92 | } |
| 92 | 93 | ||
| 93 | new_nsp->net_ns = copy_net_ns(flags, task_cred_xxx(tsk, user_ns), tsk->nsproxy->net_ns); | 94 | new_nsp->net_ns = copy_net_ns(flags, user_ns, tsk->nsproxy->net_ns); |
| 94 | if (IS_ERR(new_nsp->net_ns)) { | 95 | if (IS_ERR(new_nsp->net_ns)) { |
| 95 | err = PTR_ERR(new_nsp->net_ns); | 96 | err = PTR_ERR(new_nsp->net_ns); |
| 96 | goto out_net; | 97 | goto out_net; |
| @@ -152,7 +153,8 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk) | |||
| 152 | goto out; | 153 | goto out; |
| 153 | } | 154 | } |
| 154 | 155 | ||
| 155 | new_ns = create_new_namespaces(flags, tsk, tsk->fs); | 156 | new_ns = create_new_namespaces(flags, tsk, |
| 157 | task_cred_xxx(tsk, user_ns), tsk->fs); | ||
| 156 | if (IS_ERR(new_ns)) { | 158 | if (IS_ERR(new_ns)) { |
| 157 | err = PTR_ERR(new_ns); | 159 | err = PTR_ERR(new_ns); |
| 158 | goto out; | 160 | goto out; |
| @@ -186,6 +188,7 @@ void free_nsproxy(struct nsproxy *ns) | |||
| 186 | int unshare_nsproxy_namespaces(unsigned long unshare_flags, | 188 | int unshare_nsproxy_namespaces(unsigned long unshare_flags, |
| 187 | struct nsproxy **new_nsp, struct fs_struct *new_fs) | 189 | struct nsproxy **new_nsp, struct fs_struct *new_fs) |
| 188 | { | 190 | { |
| 191 | struct user_namespace *user_ns; | ||
| 189 | int err = 0; | 192 | int err = 0; |
| 190 | 193 | ||
| 191 | if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | | 194 | if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | |
| @@ -195,7 +198,8 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, | |||
| 195 | if (!nsown_capable(CAP_SYS_ADMIN)) | 198 | if (!nsown_capable(CAP_SYS_ADMIN)) |
| 196 | return -EPERM; | 199 | return -EPERM; |
| 197 | 200 | ||
| 198 | *new_nsp = create_new_namespaces(unshare_flags, current, | 201 | user_ns = current_user_ns(); |
| 202 | *new_nsp = create_new_namespaces(unshare_flags, current, user_ns, | ||
| 199 | new_fs ? new_fs : current->fs); | 203 | new_fs ? new_fs : current->fs); |
| 200 | if (IS_ERR(*new_nsp)) { | 204 | if (IS_ERR(*new_nsp)) { |
| 201 | err = PTR_ERR(*new_nsp); | 205 | err = PTR_ERR(*new_nsp); |
| @@ -252,7 +256,7 @@ SYSCALL_DEFINE2(setns, int, fd, int, nstype) | |||
| 252 | if (nstype && (ops->type != nstype)) | 256 | if (nstype && (ops->type != nstype)) |
| 253 | goto out; | 257 | goto out; |
| 254 | 258 | ||
| 255 | new_nsproxy = create_new_namespaces(0, tsk, tsk->fs); | 259 | new_nsproxy = create_new_namespaces(0, tsk, current_user_ns(), tsk->fs); |
| 256 | if (IS_ERR(new_nsproxy)) { | 260 | if (IS_ERR(new_nsproxy)) { |
| 257 | err = PTR_ERR(new_nsproxy); | 261 | err = PTR_ERR(new_nsproxy); |
| 258 | goto out; | 262 | goto out; |
diff --git a/kernel/utsname.c b/kernel/utsname.c index 4a9362f9325d..fdc619eb61ef 100644 --- a/kernel/utsname.c +++ b/kernel/utsname.c | |||
| @@ -32,7 +32,7 @@ static struct uts_namespace *create_uts_ns(void) | |||
| 32 | * @old_ns: namespace to clone | 32 | * @old_ns: namespace to clone |
| 33 | * Return NULL on error (failure to kmalloc), new ns otherwise | 33 | * Return NULL on error (failure to kmalloc), new ns otherwise |
| 34 | */ | 34 | */ |
| 35 | static struct uts_namespace *clone_uts_ns(struct task_struct *tsk, | 35 | static struct uts_namespace *clone_uts_ns(struct user_namespace *user_ns, |
| 36 | struct uts_namespace *old_ns) | 36 | struct uts_namespace *old_ns) |
| 37 | { | 37 | { |
| 38 | struct uts_namespace *ns; | 38 | struct uts_namespace *ns; |
| @@ -43,7 +43,7 @@ static struct uts_namespace *clone_uts_ns(struct task_struct *tsk, | |||
| 43 | 43 | ||
| 44 | down_read(&uts_sem); | 44 | down_read(&uts_sem); |
| 45 | memcpy(&ns->name, &old_ns->name, sizeof(ns->name)); | 45 | memcpy(&ns->name, &old_ns->name, sizeof(ns->name)); |
| 46 | ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns)); | 46 | ns->user_ns = get_user_ns(user_ns); |
| 47 | up_read(&uts_sem); | 47 | up_read(&uts_sem); |
| 48 | return ns; | 48 | return ns; |
| 49 | } | 49 | } |
| @@ -55,9 +55,8 @@ static struct uts_namespace *clone_uts_ns(struct task_struct *tsk, | |||
| 55 | * versa. | 55 | * versa. |
| 56 | */ | 56 | */ |
| 57 | struct uts_namespace *copy_utsname(unsigned long flags, | 57 | struct uts_namespace *copy_utsname(unsigned long flags, |
| 58 | struct task_struct *tsk) | 58 | struct user_namespace *user_ns, struct uts_namespace *old_ns) |
| 59 | { | 59 | { |
| 60 | struct uts_namespace *old_ns = tsk->nsproxy->uts_ns; | ||
| 61 | struct uts_namespace *new_ns; | 60 | struct uts_namespace *new_ns; |
| 62 | 61 | ||
| 63 | BUG_ON(!old_ns); | 62 | BUG_ON(!old_ns); |
| @@ -66,7 +65,7 @@ struct uts_namespace *copy_utsname(unsigned long flags, | |||
| 66 | if (!(flags & CLONE_NEWUTS)) | 65 | if (!(flags & CLONE_NEWUTS)) |
| 67 | return old_ns; | 66 | return old_ns; |
| 68 | 67 | ||
| 69 | new_ns = clone_uts_ns(tsk, old_ns); | 68 | new_ns = clone_uts_ns(user_ns, old_ns); |
| 70 | 69 | ||
| 71 | put_uts_ns(old_ns); | 70 | put_uts_ns(old_ns); |
| 72 | return new_ns; | 71 | return new_ns; |