1 files changed, 127 insertions, 26 deletions

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index aa312b0dc3ec..4109f8320684 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -24,6 +24,7 @@
 #include <linux/fs_struct.h>
 
 static struct kmem_cache *user_ns_cachep __read_mostly;
+static DEFINE_MUTEX(userns_state_mutex);
 
 static bool new_idmap_permitted(const struct file *file,
                                 struct user_namespace *ns, int cap_setid,
@@ -86,11 +87,12 @@ int create_user_ns(struct cred *new)
         if (!ns)
                 return -ENOMEM;
 
-        ret = proc_alloc_inum(&ns->proc_inum);
+        ret = ns_alloc_inum(&ns->ns);
         if (ret) {
                 kmem_cache_free(user_ns_cachep, ns);
                 return ret;
         }
+        ns->ns.ops = &userns_operations;
 
         atomic_set(&ns->count, 1);
         /* Leave the new->user_ns reference with the new user namespace. */
@@ -99,6 +101,11 @@ int create_user_ns(struct cred *new)
         ns->owner = owner;
         ns->group = group;
 
+        /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
+        mutex_lock(&userns_state_mutex);
+        ns->flags = parent_ns->flags;
+        mutex_unlock(&userns_state_mutex);
+
         set_cred_user_ns(new, ns);
 
 #ifdef CONFIG_PERSISTENT_KEYRINGS
@@ -136,7 +143,7 @@ void free_user_ns(struct user_namespace *ns)
 #ifdef CONFIG_PERSISTENT_KEYRINGS
                 key_put(ns->persistent_keyring_register);
 #endif
-                proc_free_inum(ns->proc_inum);
+                ns_free_inum(&ns->ns);
                 kmem_cache_free(user_ns_cachep, ns);
                 ns = parent;
         } while (atomic_dec_and_test(&parent->count));
@@ -583,9 +590,6 @@ static bool mappings_overlap(struct uid_gid_map *new_map,
         return false;
 }
 
-
-static DEFINE_MUTEX(id_map_mutex);
-
 static ssize_t map_write(struct file *file, const char __user *buf,
                          size_t count, loff_t *ppos,
                          int cap_setid,
@@ -602,7 +606,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
         ssize_t ret = -EINVAL;
 
         /*
-         * The id_map_mutex serializes all writes to any given map.
+         * The userns_state_mutex serializes all writes to any given map.
          *
          * Any map is only ever written once.
          *
@@ -620,7 +624,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
          * order and smp_rmb() is guaranteed that we don't have crazy
          * architectures returning stale data.
          */
-        mutex_lock(&id_map_mutex);
+        mutex_lock(&userns_state_mutex);
 
         ret = -EPERM;
         /* Only allow one successful write to the map */
@@ -640,7 +644,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
         if (!page)
                 goto out;
 
-        /* Only allow <= page size writes at the beginning of the file */
+        /* Only allow < page size writes at the beginning of the file */
         ret = -EINVAL;
         if ((*ppos != 0) || (count >= PAGE_SIZE))
                 goto out;
@@ -750,7 +754,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
         *ppos = count;
         ret = count;
 out:
-        mutex_unlock(&id_map_mutex);
+        mutex_unlock(&userns_state_mutex);
         if (page)
                 free_page(page);
         return ret;
@@ -812,16 +816,21 @@ static bool new_idmap_permitted(const struct file *file,
                                 struct user_namespace *ns, int cap_setid,
                                 struct uid_gid_map *new_map)
 {
-        /* Allow mapping to your own filesystem ids */
-        if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
+        const struct cred *cred = file->f_cred;
+        /* Don't allow mappings that would allow anything that wouldn't
+         * be allowed without the establishment of unprivileged mappings.
+         */
+        if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
+            uid_eq(ns->owner, cred->euid)) {
                 u32 id = new_map->extent[0].lower_first;
                 if (cap_setid == CAP_SETUID) {
                         kuid_t uid = make_kuid(ns->parent, id);
-                        if (uid_eq(uid, file->f_cred->fsuid))
+                        if (uid_eq(uid, cred->euid))
                                 return true;
                 } else if (cap_setid == CAP_SETGID) {
                         kgid_t gid = make_kgid(ns->parent, id);
-                        if (gid_eq(gid, file->f_cred->fsgid))
+                        if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
+                            gid_eq(gid, cred->egid))
                                 return true;
                 }
         }
@@ -841,7 +850,106 @@ static bool new_idmap_permitted(const struct file *file,
         return false;
 }
 
-static void *userns_get(struct task_struct *task)
+int proc_setgroups_show(struct seq_file *seq, void *v)
+{
+        struct user_namespace *ns = seq->private;
+        unsigned long userns_flags = ACCESS_ONCE(ns->flags);
+
+        seq_printf(seq, "%s\n",
+                   (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
+                   "allow" : "deny");
+        return 0;
+}
+
+ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
+                             size_t count, loff_t *ppos)
+{
+        struct seq_file *seq = file->private_data;
+        struct user_namespace *ns = seq->private;
+        char kbuf[8], *pos;
+        bool setgroups_allowed;
+        ssize_t ret;
+
+        /* Only allow a very narrow range of strings to be written */
+        ret = -EINVAL;
+        if ((*ppos != 0) || (count >= sizeof(kbuf)))
+                goto out;
+
+        /* What was written? */
+        ret = -EFAULT;
+        if (copy_from_user(kbuf, buf, count))
+                goto out;
+        kbuf[count] = '\0';
+        pos = kbuf;
+
+        /* What is being requested? */
+        ret = -EINVAL;
+        if (strncmp(pos, "allow", 5) == 0) {
+                pos += 5;
+                setgroups_allowed = true;
+        }
+        else if (strncmp(pos, "deny", 4) == 0) {
+                pos += 4;
+                setgroups_allowed = false;
+        }
+        else
+                goto out;
+
+        /* Verify there is not trailing junk on the line */
+        pos = skip_spaces(pos);
+        if (*pos != '\0')
+                goto out;
+
+        ret = -EPERM;
+        mutex_lock(&userns_state_mutex);
+        if (setgroups_allowed) {
+                /* Enabling setgroups after setgroups has been disabled
+                 * is not allowed.
+                 */
+                if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
+                        goto out_unlock;
+        } else {
+                /* Permanently disabling setgroups after setgroups has
+                 * been enabled by writing the gid_map is not allowed.
+                 */
+                if (ns->gid_map.nr_extents != 0)
+                        goto out_unlock;
+                ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
+        }
+        mutex_unlock(&userns_state_mutex);
+
+        /* Report a successful write */
+        *ppos = count;
+        ret = count;
+out:
+        return ret;
+out_unlock:
+        mutex_unlock(&userns_state_mutex);
+        goto out;
+}
+
+bool userns_may_setgroups(const struct user_namespace *ns)
+{
+        bool allowed;
+
+        mutex_lock(&userns_state_mutex);
+        /* It is not safe to use setgroups until a gid mapping in
+         * the user namespace has been established.
+         */
+        allowed = ns->gid_map.nr_extents != 0;
+        /* Is setgroups allowed? */
+        allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
+        mutex_unlock(&userns_state_mutex);
+
+        return allowed;
+}
+
+static inline struct user_namespace *to_user_ns(struct ns_common *ns)
+{
+        return container_of(ns, struct user_namespace, ns);
+}
+
+static struct ns_common *userns_get(struct task_struct *task)
 {
         struct user_namespace *user_ns;
 
@@ -849,17 +957,17 @@ static void *userns_get(struct task_struct *task)
         user_ns = get_user_ns(__task_cred(task)->user_ns);
         rcu_read_unlock();
 
-        return user_ns;
+        return user_ns ? &user_ns->ns : NULL;
 }
 
-static void userns_put(void *ns)
+static void userns_put(struct ns_common *ns)
 {
-        put_user_ns(ns);
+        put_user_ns(to_user_ns(ns));
 }
 
-static int userns_install(struct nsproxy *nsproxy, void *ns)
+static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
 {
-        struct user_namespace *user_ns = ns;
+        struct user_namespace *user_ns = to_user_ns(ns);
         struct cred *cred;
 
         /* Don't allow gaining capabilities by reentering
@@ -888,19 +996,12 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
         return commit_creds(cred);
 }
 
-static unsigned int userns_inum(void *ns)
-{
-        struct user_namespace *user_ns = ns;
-        return user_ns->proc_inum;
-}
-
 const struct proc_ns_operations userns_operations = {
         .name           = "user",
         .type           = CLONE_NEWUSER,
         .get            = userns_get,
         .put            = userns_put,
         .install        = userns_install,
-        .inum           = userns_inum,
 };
 
 static __init int user_namespaces_init(void)