diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-12-17 18:44:47 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-12-17 18:44:47 -0500 |
| commit | 6a2b60b17b3e48a418695a94bd2420f6ab32e519 (patch) | |
| tree | 54b7792fa68b8890f710fa6398b6ba8626a039a8 /ipc | |
| parent | 9228ff90387e276ad67b10c0eb525c9d6a57d5e9 (diff) | |
| parent | 98f842e675f96ffac96e6c50315790912b2812be (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull user namespace changes from Eric Biederman:
"While small this set of changes is very significant with respect to
containers in general and user namespaces in particular. The user
space interface is now complete.
This set of changes adds support for unprivileged users to create user
namespaces and as a user namespace root to create other namespaces.
The tyranny of supporting suid root preventing unprivileged users from
using cool new kernel features is broken.
This set of changes completes the work on setns, adding support for
the pid, user, mount namespaces.
This set of changes includes a bunch of basic pid namespace
cleanups/simplifications. Of particular significance is the rework of
the pid namespace cleanup so it no longer requires sending out
tendrils into all kinds of unexpected cleanup paths for operation. At
least one case of broken error handling is fixed by this cleanup.
The files under /proc/<pid>/ns/ have been converted from regular files
to magic symlinks which prevents incorrect caching by the VFS,
ensuring the files always refer to the namespace the process is
currently using and ensuring that the ptrace_mayaccess permission
checks are always applied.
The files under /proc/<pid>/ns/ have been given stable inode numbers
so it is now possible to see if different processes share the same
namespaces.
Through the David Miller's net tree are changes to relax many of the
permission checks in the networking stack to allowing the user
namespace root to usefully use the networking stack. Similar changes
for the mount namespace and the pid namespace are coming through my
tree.
Two small changes to add user namespace support were commited here adn
in David Miller's -net tree so that I could complete the work on the
/proc/<pid>/ns/ files in this tree.
Work remains to make it safe to build user namespaces and 9p, afs,
ceph, cifs, coda, gfs2, ncpfs, nfs, nfsd, ocfs2, and xfs so the
Kconfig guard remains in place preventing that user namespaces from
being built when any of those filesystems are enabled.
Future design work remains to allow root users outside of the initial
user namespace to mount more than just /proc and /sys."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (38 commits)
proc: Usable inode numbers for the namespace file descriptors.
proc: Fix the namespace inode permission checks.
proc: Generalize proc inode allocation
userns: Allow unprivilged mounts of proc and sysfs
userns: For /proc/self/{uid,gid}_map derive the lower userns from the struct file
procfs: Print task uids and gids in the userns that opened the proc file
userns: Implement unshare of the user namespace
userns: Implent proc namespace operations
userns: Kill task_user_ns
userns: Make create_new_namespaces take a user_ns parameter
userns: Allow unprivileged use of setns.
userns: Allow unprivileged users to create new namespaces
userns: Allow setting a userns mapping to your current uid.
userns: Allow chown and setgid preservation
userns: Allow unprivileged users to create user namespaces.
userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped
userns: fix return value on mntns_install() failure
vfs: Allow unprivileged manipulation of the mount namespace.
vfs: Only support slave subtrees across different user namespaces
vfs: Add a user namespace reference from struct mnt_namespace
...
Diffstat (limited to 'ipc')
| -rw-r--r-- | ipc/msgutil.c | 2 | ||||
| -rw-r--r-- | ipc/namespace.c | 32 |
2 files changed, 27 insertions, 7 deletions
diff --git a/ipc/msgutil.c b/ipc/msgutil.c index 26143d377c95..6471f1bdae96 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c | |||
| @@ -16,6 +16,7 @@ | |||
| 16 | #include <linux/msg.h> | 16 | #include <linux/msg.h> |
| 17 | #include <linux/ipc_namespace.h> | 17 | #include <linux/ipc_namespace.h> |
| 18 | #include <linux/utsname.h> | 18 | #include <linux/utsname.h> |
| 19 | #include <linux/proc_fs.h> | ||
| 19 | #include <asm/uaccess.h> | 20 | #include <asm/uaccess.h> |
| 20 | 21 | ||
| 21 | #include "util.h" | 22 | #include "util.h" |
| @@ -30,6 +31,7 @@ DEFINE_SPINLOCK(mq_lock); | |||
| 30 | struct ipc_namespace init_ipc_ns = { | 31 | struct ipc_namespace init_ipc_ns = { |
| 31 | .count = ATOMIC_INIT(1), | 32 | .count = ATOMIC_INIT(1), |
| 32 | .user_ns = &init_user_ns, | 33 | .user_ns = &init_user_ns, |
| 34 | .proc_inum = PROC_IPC_INIT_INO, | ||
| 33 | }; | 35 | }; |
| 34 | 36 | ||
| 35 | atomic_t nr_ipc_ns = ATOMIC_INIT(1); | 37 | atomic_t nr_ipc_ns = ATOMIC_INIT(1); |
diff --git a/ipc/namespace.c b/ipc/namespace.c index f362298c5ce4..cf3386a51de2 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c | |||
| @@ -16,7 +16,7 @@ | |||
| 16 | 16 | ||
| 17 | #include "util.h" | 17 | #include "util.h" |
| 18 | 18 | ||
| 19 | static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk, | 19 | static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns, |
| 20 | struct ipc_namespace *old_ns) | 20 | struct ipc_namespace *old_ns) |
| 21 | { | 21 | { |
| 22 | struct ipc_namespace *ns; | 22 | struct ipc_namespace *ns; |
| @@ -26,9 +26,16 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk, | |||
| 26 | if (ns == NULL) | 26 | if (ns == NULL) |
| 27 | return ERR_PTR(-ENOMEM); | 27 | return ERR_PTR(-ENOMEM); |
| 28 | 28 | ||
| 29 | err = proc_alloc_inum(&ns->proc_inum); | ||
| 30 | if (err) { | ||
| 31 | kfree(ns); | ||
| 32 | return ERR_PTR(err); | ||
| 33 | } | ||
| 34 | |||
| 29 | atomic_set(&ns->count, 1); | 35 | atomic_set(&ns->count, 1); |
| 30 | err = mq_init_ns(ns); | 36 | err = mq_init_ns(ns); |
| 31 | if (err) { | 37 | if (err) { |
| 38 | proc_free_inum(ns->proc_inum); | ||
| 32 | kfree(ns); | 39 | kfree(ns); |
| 33 | return ERR_PTR(err); | 40 | return ERR_PTR(err); |
| 34 | } | 41 | } |
| @@ -46,19 +53,17 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk, | |||
| 46 | ipcns_notify(IPCNS_CREATED); | 53 | ipcns_notify(IPCNS_CREATED); |
| 47 | register_ipcns_notifier(ns); | 54 | register_ipcns_notifier(ns); |
| 48 | 55 | ||
| 49 | ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns)); | 56 | ns->user_ns = get_user_ns(user_ns); |
| 50 | 57 | ||
| 51 | return ns; | 58 | return ns; |
| 52 | } | 59 | } |
| 53 | 60 | ||
| 54 | struct ipc_namespace *copy_ipcs(unsigned long flags, | 61 | struct ipc_namespace *copy_ipcs(unsigned long flags, |
| 55 | struct task_struct *tsk) | 62 | struct user_namespace *user_ns, struct ipc_namespace *ns) |
| 56 | { | 63 | { |
| 57 | struct ipc_namespace *ns = tsk->nsproxy->ipc_ns; | ||
| 58 | |||
| 59 | if (!(flags & CLONE_NEWIPC)) | 64 | if (!(flags & CLONE_NEWIPC)) |
| 60 | return get_ipc_ns(ns); | 65 | return get_ipc_ns(ns); |
| 61 | return create_ipc_ns(tsk, ns); | 66 | return create_ipc_ns(user_ns, ns); |
| 62 | } | 67 | } |
| 63 | 68 | ||
| 64 | /* | 69 | /* |
| @@ -113,6 +118,7 @@ static void free_ipc_ns(struct ipc_namespace *ns) | |||
| 113 | */ | 118 | */ |
| 114 | ipcns_notify(IPCNS_REMOVED); | 119 | ipcns_notify(IPCNS_REMOVED); |
| 115 | put_user_ns(ns->user_ns); | 120 | put_user_ns(ns->user_ns); |
| 121 | proc_free_inum(ns->proc_inum); | ||
| 116 | kfree(ns); | 122 | kfree(ns); |
| 117 | } | 123 | } |
| 118 | 124 | ||
| @@ -161,8 +167,12 @@ static void ipcns_put(void *ns) | |||
| 161 | return put_ipc_ns(ns); | 167 | return put_ipc_ns(ns); |
| 162 | } | 168 | } |
| 163 | 169 | ||
| 164 | static int ipcns_install(struct nsproxy *nsproxy, void *ns) | 170 | static int ipcns_install(struct nsproxy *nsproxy, void *new) |
| 165 | { | 171 | { |
| 172 | struct ipc_namespace *ns = new; | ||
| 173 | if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) | ||
| 174 | return -EPERM; | ||
| 175 | |||
| 166 | /* Ditch state from the old ipc namespace */ | 176 | /* Ditch state from the old ipc namespace */ |
| 167 | exit_sem(current); | 177 | exit_sem(current); |
| 168 | put_ipc_ns(nsproxy->ipc_ns); | 178 | put_ipc_ns(nsproxy->ipc_ns); |
| @@ -170,10 +180,18 @@ static int ipcns_install(struct nsproxy *nsproxy, void *ns) | |||
| 170 | return 0; | 180 | return 0; |
| 171 | } | 181 | } |
| 172 | 182 | ||
| 183 | static unsigned int ipcns_inum(void *vp) | ||
| 184 | { | ||
| 185 | struct ipc_namespace *ns = vp; | ||
| 186 | |||
| 187 | return ns->proc_inum; | ||
| 188 | } | ||
| 189 | |||
| 173 | const struct proc_ns_operations ipcns_operations = { | 190 | const struct proc_ns_operations ipcns_operations = { |
| 174 | .name = "ipc", | 191 | .name = "ipc", |
| 175 | .type = CLONE_NEWIPC, | 192 | .type = CLONE_NEWIPC, |
| 176 | .get = ipcns_get, | 193 | .get = ipcns_get, |
| 177 | .put = ipcns_put, | 194 | .put = ipcns_put, |
| 178 | .install = ipcns_install, | 195 | .install = ipcns_install, |
| 196 | .inum = ipcns_inum, | ||
| 179 | }; | 197 | }; |