3 files changed, 49 insertions, 4 deletions
diff --git a/kernel/fork.c b/kernel/fork.c
index 13cf0978780a..7c5c5888e00a 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1606,7 +1606,7 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
        err = -EINVAL;
        if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
                                CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
-                                CLONE_NEWUTS|CLONE_NEWIPC))
+                                CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER))
                goto bad_unshare_out;
        if ((err = unshare_thread(unshare_flags)))
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 895e3a3f2044..5aa28e219487 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -117,7 +117,7 @@ int copy_namespaces(int flags, struct task_struct *tsk)
        get_nsproxy(old_ns);
-        if (!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC)))
+        if (!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER)))
                return 0;
        if (!capable(CAP_SYS_ADMIN)) {
@@ -161,7 +161,8 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
 {
        int err = 0;
-        if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC)))
+        if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
+                               CLONE_NEWUSER)))
                return 0;
        if (!capable(CAP_SYS_ADMIN))
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 3d7964209774..89a27e8b17fb 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -21,6 +21,45 @@ EXPORT_SYMBOL_GPL(init_user_ns);
 #ifdef CONFIG_USER_NS
+/*
+ * Clone a new ns copying an original user ns, setting refcount to 1
+ * @old_ns: namespace to clone
+ * Return NULL on error (failure to kmalloc), new ns otherwise
+ */
+static struct user_namespace *clone_user_ns(struct user_namespace *old_ns)
+{
+        struct user_namespace *ns;
+        struct user_struct *new_user;
+        int n;
+        ns = kmalloc(sizeof(struct user_namespace), GFP_KERNEL);
+        if (!ns)
+                return NULL;
+        kref_init(&ns->kref);
+        for (n = 0; n < UIDHASH_SZ; ++n)
+                INIT_LIST_HEAD(ns->uidhash_table + n);
+        /* Insert new root user.  */
+        ns->root_user = alloc_uid(ns, 0);
+        if (!ns->root_user) {
+                kfree(ns);
+                return NULL;
+        }
+        /* Reset current->user with a new one */
+        new_user = alloc_uid(ns, current->uid);
+        if (!new_user) {
+                free_uid(ns->root_user);
+                kfree(ns);
+                return NULL;
+        }
+        switch_uid(new_user);
+        return ns;
+}
 struct user_namespace * copy_user_ns(int flags, struct user_namespace *old_ns)
 {
        struct user_namespace *new_ns;
@@ -28,7 +67,12 @@ struct user_namespace * copy_user_ns(int flags, struct user_namespace *old_ns)
        BUG_ON(!old_ns);
        get_user_ns(old_ns);
-        new_ns = old_ns;
+        if (!(flags & CLONE_NEWUSER))
+                return old_ns;
+        new_ns = clone_user_ns(old_ns);
+        put_user_ns(old_ns);
        return new_ns;
 }

diff --git a/kernel/fork.c b/kernel/fork.c index 13cf0978780a..7c5c5888e00a 100644 --- a/kernel/fork.c +++ b/kernel/fork.c
@@ -1606,7 +1606,7 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
1606	err = -EINVAL;	1606	err = -EINVAL;
1607	if (unshare_flags & ~(CLONE_THREAD\|CLONE_FS\|CLONE_NEWNS\|CLONE_SIGHAND\|	1607	if (unshare_flags & ~(CLONE_THREAD\|CLONE_FS\|CLONE_NEWNS\|CLONE_SIGHAND\|
1608	CLONE_VM\|CLONE_FILES\|CLONE_SYSVSEM\|	1608	CLONE_VM\|CLONE_FILES\|CLONE_SYSVSEM\|
1609	CLONE_NEWUTS\|CLONE_NEWIPC))	1609	CLONE_NEWUTS\|CLONE_NEWIPC\|CLONE_NEWUSER))
1610	goto bad_unshare_out;	1610	goto bad_unshare_out;
1611		1611
1612	if ((err = unshare_thread(unshare_flags)))	1612	if ((err = unshare_thread(unshare_flags)))


diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 895e3a3f2044..5aa28e219487 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c
@@ -117,7 +117,7 @@ int copy_namespaces(int flags, struct task_struct *tsk)
117		117
118	get_nsproxy(old_ns);	118	get_nsproxy(old_ns);
119		119
120	if (!(flags & (CLONE_NEWNS \| CLONE_NEWUTS \| CLONE_NEWIPC)))	120	if (!(flags & (CLONE_NEWNS \| CLONE_NEWUTS \| CLONE_NEWIPC \| CLONE_NEWUSER)))
121	return 0;	121	return 0;
122		122
123	if (!capable(CAP_SYS_ADMIN)) {	123	if (!capable(CAP_SYS_ADMIN)) {
@@ -161,7 +161,8 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
161	{	161	{
162	int err = 0;	162	int err = 0;
163		163
164	if (!(unshare_flags & (CLONE_NEWNS \| CLONE_NEWUTS \| CLONE_NEWIPC)))	164	if (!(unshare_flags & (CLONE_NEWNS \| CLONE_NEWUTS \| CLONE_NEWIPC \|
		165	CLONE_NEWUSER)))
165	return 0;	166	return 0;
166		167
167	if (!capable(CAP_SYS_ADMIN))	168	if (!capable(CAP_SYS_ADMIN))


diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 3d7964209774..89a27e8b17fb 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c
@@ -21,6 +21,45 @@ EXPORT_SYMBOL_GPL(init_user_ns);
21		21
22	#ifdef CONFIG_USER_NS	22	#ifdef CONFIG_USER_NS
23		23
		24	/*
		25	* Clone a new ns copying an original user ns, setting refcount to 1
		26	* @old_ns: namespace to clone
		27	* Return NULL on error (failure to kmalloc), new ns otherwise
		28	*/
		29	static struct user_namespace clone_user_ns(struct user_namespace old_ns)
		30	{
		31	struct user_namespace *ns;
		32	struct user_struct *new_user;
		33	int n;
		34
		35	ns = kmalloc(sizeof(struct user_namespace), GFP_KERNEL);
		36	if (!ns)
		37	return NULL;
		38
		39	kref_init(&ns->kref);
		40
		41	for (n = 0; n < UIDHASH_SZ; ++n)
		42	INIT_LIST_HEAD(ns->uidhash_table + n);
		43
		44	/* Insert new root user. */
		45	ns->root_user = alloc_uid(ns, 0);
		46	if (!ns->root_user) {
		47	kfree(ns);
		48	return NULL;
		49	}
		50
		51	/* Reset current->user with a new one */
		52	new_user = alloc_uid(ns, current->uid);
		53	if (!new_user) {
		54	free_uid(ns->root_user);
		55	kfree(ns);
		56	return NULL;
		57	}
		58
		59	switch_uid(new_user);
		60	return ns;
		61	}
		62
24	struct user_namespace * copy_user_ns(int flags, struct user_namespace *old_ns)	63	struct user_namespace * copy_user_ns(int flags, struct user_namespace *old_ns)
25	{	64	{
26	struct user_namespace *new_ns;	65	struct user_namespace *new_ns;
@@ -28,7 +67,12 @@ struct user_namespace * copy_user_ns(int flags, struct user_namespace *old_ns)
28	BUG_ON(!old_ns);	67	BUG_ON(!old_ns);
29	get_user_ns(old_ns);	68	get_user_ns(old_ns);
30		69
31	new_ns = old_ns;	70	if (!(flags & CLONE_NEWUSER))
		71	return old_ns;
		72
		73	new_ns = clone_user_ns(old_ns);
		74
		75	put_user_ns(old_ns);
32	return new_ns;	76	return new_ns;
33	}	77	}
34		78