Diffstat (limited to 'kernel/nsproxy.c')
| -rw-r--r-- | kernel/nsproxy.c | 72 |
1 files changed, 48 insertions, 24 deletions
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 9e83b589f754..10f0bbba382b 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c | |||
| @@ -21,6 +21,8 @@ | |||
| 21 | #include <linux/utsname.h> | 21 | #include <linux/utsname.h> |
| 22 | #include <linux/pid_namespace.h> | 22 | #include <linux/pid_namespace.h> |
| 23 | 23 | ||
| 24 | static struct kmem_cache *nsproxy_cachep; | ||
| 25 | |||
| 24 | struct nsproxy init_nsproxy = INIT_NSPROXY(init_nsproxy); | 26 | struct nsproxy init_nsproxy = INIT_NSPROXY(init_nsproxy); |
| 25 | 27 | ||
| 26 | static inline void get_nsproxy(struct nsproxy *ns) | 28 | static inline void get_nsproxy(struct nsproxy *ns) |
| @@ -43,9 +45,11 @@ static inline struct nsproxy *clone_nsproxy(struct nsproxy *orig) | |||
| 43 | { | 45 | { |
| 44 | struct nsproxy *ns; | 46 | struct nsproxy *ns; |
| 45 | 47 | ||
| 46 | ns = kmemdup(orig, sizeof(struct nsproxy), GFP_KERNEL); | 48 | ns = kmem_cache_alloc(nsproxy_cachep, GFP_KERNEL); |
| 47 | if (ns) | 49 | if (ns) { |
| 50 | memcpy(ns, orig, sizeof(struct nsproxy)); | ||
| 48 | atomic_set(&ns->count, 1); | 51 | atomic_set(&ns->count, 1); |
| 52 | } | ||
| 49 | return ns; | 53 | return ns; |
| 50 | } | 54 | } |
| 51 | 55 | ||
| @@ -54,33 +58,51 @@ static inline struct nsproxy *clone_nsproxy(struct nsproxy *orig) | |||
| 54 | * Return the newly created nsproxy. Do not attach this to the task, | 58 | * Return the newly created nsproxy. Do not attach this to the task, |
| 55 | * leave it to the caller to do proper locking and attach it to task. | 59 | * leave it to the caller to do proper locking and attach it to task. |
| 56 | */ | 60 | */ |
| 57 | static struct nsproxy *create_new_namespaces(int flags, struct task_struct *tsk, | 61 | static struct nsproxy *create_new_namespaces(unsigned long flags, |
| 58 | struct fs_struct *new_fs) | 62 | struct task_struct *tsk, struct fs_struct *new_fs) |
| 59 | { | 63 | { |
| 60 | struct nsproxy *new_nsp; | 64 | struct nsproxy *new_nsp; |
| 65 | int err; | ||
| 61 | 66 | ||
| 62 | new_nsp = clone_nsproxy(tsk->nsproxy); | 67 | new_nsp = clone_nsproxy(tsk->nsproxy); |
| 63 | if (!new_nsp) | 68 | if (!new_nsp) |
| 64 | return ERR_PTR(-ENOMEM); | 69 | return ERR_PTR(-ENOMEM); |
| 65 | 70 | ||
| 66 | new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, new_fs); | 71 | new_nsp->mnt_ns = copy_mnt_ns(flags, tsk->nsproxy->mnt_ns, new_fs); |
| 67 | if (IS_ERR(new_nsp->mnt_ns)) | 72 | if (IS_ERR(new_nsp->mnt_ns)) { |
| 73 | err = PTR_ERR(new_nsp->mnt_ns); | ||
| 68 | goto out_ns; | 74 | goto out_ns; |
| 75 | } | ||
| 69 | 76 | ||
| 70 | new_nsp->uts_ns = copy_utsname(flags, tsk->nsproxy->uts_ns); | 77 | new_nsp->uts_ns = copy_utsname(flags, tsk->nsproxy->uts_ns); |
| 71 | if (IS_ERR(new_nsp->uts_ns)) | 78 | if (IS_ERR(new_nsp->uts_ns)) { |
| 79 | err = PTR_ERR(new_nsp->uts_ns); | ||
| 72 | goto out_uts; | 80 | goto out_uts; |
| 81 | } | ||
| 73 | 82 | ||
| 74 | new_nsp->ipc_ns = copy_ipcs(flags, tsk->nsproxy->ipc_ns); | 83 | new_nsp->ipc_ns = copy_ipcs(flags, tsk->nsproxy->ipc_ns); |
| 75 | if (IS_ERR(new_nsp->ipc_ns)) | 84 | if (IS_ERR(new_nsp->ipc_ns)) { |
| 85 | err = PTR_ERR(new_nsp->ipc_ns); | ||
| 76 | goto out_ipc; | 86 | goto out_ipc; |
| 87 | } | ||
| 77 | 88 | ||
| 78 | new_nsp->pid_ns = copy_pid_ns(flags, tsk->nsproxy->pid_ns); | 89 | new_nsp->pid_ns = copy_pid_ns(flags, tsk->nsproxy->pid_ns); |
| 79 | if (IS_ERR(new_nsp->pid_ns)) | 90 | if (IS_ERR(new_nsp->pid_ns)) { |
| 91 | err = PTR_ERR(new_nsp->pid_ns); | ||
| 80 | goto out_pid; | 92 | goto out_pid; |
| 93 | } | ||
| 94 | |||
| 95 | new_nsp->user_ns = copy_user_ns(flags, tsk->nsproxy->user_ns); | ||
| 96 | if (IS_ERR(new_nsp->user_ns)) { | ||
| 97 | err = PTR_ERR(new_nsp->user_ns); | ||
| 98 | goto out_user; | ||
| 99 | } | ||
| 81 | 100 | ||
| 82 | return new_nsp; | 101 | return new_nsp; |
| 83 | 102 | ||
| 103 | out_user: | ||
| 104 | if (new_nsp->pid_ns) | ||
| 105 | put_pid_ns(new_nsp->pid_ns); | ||
| 84 | out_pid: | 106 | out_pid: |
| 85 | if (new_nsp->ipc_ns) | 107 | if (new_nsp->ipc_ns) |
| 86 | put_ipc_ns(new_nsp->ipc_ns); | 108 | put_ipc_ns(new_nsp->ipc_ns); |
| @@ -91,15 +113,15 @@ out_uts: | |||
| 91 | if (new_nsp->mnt_ns) | 113 | if (new_nsp->mnt_ns) |
| 92 | put_mnt_ns(new_nsp->mnt_ns); | 114 | put_mnt_ns(new_nsp->mnt_ns); |
| 93 | out_ns: | 115 | out_ns: |
| 94 | kfree(new_nsp); | 116 | kmem_cache_free(nsproxy_cachep, new_nsp); |
| 95 | return ERR_PTR(-ENOMEM); | 117 | return ERR_PTR(err); |
| 96 | } | 118 | } |
| 97 | 119 | ||
| 98 | /* | 120 | /* |
| 99 | * called from clone. This now handles copy for nsproxy and all | 121 | * called from clone. This now handles copy for nsproxy and all |
| 100 | * namespaces therein. | 122 | * namespaces therein. |
| 101 | */ | 123 | */ |
| 102 | int copy_namespaces(int flags, struct task_struct *tsk) | 124 | int copy_namespaces(unsigned long flags, struct task_struct *tsk) |
| 103 | { | 125 | { |
| 104 | struct nsproxy *old_ns = tsk->nsproxy; | 126 | struct nsproxy *old_ns = tsk->nsproxy; |
| 105 | struct nsproxy *new_ns; | 127 | struct nsproxy *new_ns; |
| @@ -110,7 +132,7 @@ int copy_namespaces(int flags, struct task_struct *tsk) | |||
| 110 | 132 | ||
| 111 | get_nsproxy(old_ns); | 133 | get_nsproxy(old_ns); |
| 112 | 134 | ||
| 113 | if (!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC))) | 135 | if (!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER))) |
| 114 | return 0; | 136 | return 0; |
| 115 | 137 | ||
| 116 | if (!capable(CAP_SYS_ADMIN)) { | 138 | if (!capable(CAP_SYS_ADMIN)) { |
| @@ -140,7 +162,9 @@ void free_nsproxy(struct nsproxy *ns) | |||
| 140 | put_ipc_ns(ns->ipc_ns); | 162 | put_ipc_ns(ns->ipc_ns); |
| 141 | if (ns->pid_ns) | 163 | if (ns->pid_ns) |
| 142 | put_pid_ns(ns->pid_ns); | 164 | put_pid_ns(ns->pid_ns); |
| 143 | kfree(ns); | 165 | if (ns->user_ns) |
| 166 | put_user_ns(ns->user_ns); | ||
| 167 | kmem_cache_free(nsproxy_cachep, ns); | ||
| 144 | } | 168 | } |
| 145 | 169 | ||
| 146 | /* | 170 | /* |
| @@ -152,19 +176,10 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, | |||
| 152 | { | 176 | { |
| 153 | int err = 0; | 177 | int err = 0; |
| 154 | 178 | ||
| 155 | if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC))) | 179 | if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | |
| 180 | CLONE_NEWUSER))) | ||
| 156 | return 0; | 181 | return 0; |
| 157 | 182 | ||
| 158 | #ifndef CONFIG_IPC_NS | ||
| 159 | if (unshare_flags & CLONE_NEWIPC) | ||
| 160 | return -EINVAL; | ||
| 161 | #endif | ||
| 162 | |||
| 163 | #ifndef CONFIG_UTS_NS | ||
| 164 | if (unshare_flags & CLONE_NEWUTS) | ||
| 165 | return -EINVAL; | ||
| 166 | #endif | ||
| 167 | |||
| 168 | if (!capable(CAP_SYS_ADMIN)) | 183 | if (!capable(CAP_SYS_ADMIN)) |
| 169 | return -EPERM; | 184 | return -EPERM; |
| 170 | 185 | ||
| @@ -174,3 +189,12 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, | |||
| 174 | err = PTR_ERR(*new_nsp); | 189 | err = PTR_ERR(*new_nsp); |
| 175 | return err; | 190 | return err; |
| 176 | } | 191 | } |
| 192 | |||
| 193 | static int __init nsproxy_cache_init(void) | ||
| 194 | { | ||
| 195 | nsproxy_cachep = kmem_cache_create("nsproxy", sizeof(struct nsproxy), | ||
| 196 | 0, SLAB_PANIC, NULL, NULL); | ||
| 197 | return 0; | ||
| 198 | } | ||
| 199 | |||
| 200 | module_init(nsproxy_cache_init); | ||
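Review bot: The header comment above create_new_namespaces (new lines 58-60) still only says "Return the newly created nsproxy", but the rewritten error path now returns the specific error from whichever copy_*() helper failed instead of a blanket -ENOMEM; the contract should say so, e.g. `* Returns an ERR_PTR() on failure, carrying the error of the first copy_*() helper that failed.`. In the unshare_nsproxy_namespaces hunk the `#ifndef CONFIG_IPC_NS` / `#ifndef CONFIG_UTS_NS` -EINVAL checks are dropped, so rejecting CLONE_NEWIPC or CLONE_NEWUTS on a kernel built without that namespace now depends on copy_ipcs()/copy_utsname() returning an ERR_PTR in that configuration; that is not visible here and is worth a one-line comment at the call sites, e.g. `/* copy_*() return ERR_PTR(-EINVAL) when the namespace type is not configured */`. The new CLONE_NEWUSER path is gated by the existing capable(CAP_SYS_ADMIN) checks in both copy_namespaces and unshare_nsproxy_namespaces, which is the right place for it; the bodies of both functions continue outside their hunks.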
