linux/include/linux/user_namespace.h
   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _LINUX_USER_NAMESPACE_H
   3#define _LINUX_USER_NAMESPACE_H
   4
   5#include <linux/kref.h>
   6#include <linux/nsproxy.h>
   7#include <linux/ns_common.h>
   8#include <linux/sched.h>
   9#include <linux/workqueue.h>
  10#include <linux/rwsem.h>
  11#include <linux/sysctl.h>
  12#include <linux/err.h>
  13#include <linux/rh_kabi.h>
  14
/*
 * Number of uid_gid_extent entries that fit inline in struct uid_gid_map;
 * its union holds either that many extents or a forward/reverse pointer pair.
 */
#define UID_GID_MAP_MAX_BASE_EXTENTS 5
/* Hard upper bound on the extents of one map (presumably enforced by the
 * map-writing code — confirm there). */
#define UID_GID_MAP_MAX_EXTENTS 340
  17
/*
 * One contiguous range of an ID mapping: @count IDs starting at @first map
 * onto @count IDs starting at @lower_first.
 * NOTE(review): @first is taken to be the ID in this namespace and
 * @lower_first the ID in the parent — confirm against the map lookup code.
 */
struct uid_gid_extent {
	u32 first;
	u32 lower_first;
	u32 count;
};
  23
/*
 * A complete ID mapping (uid, gid or projid) for one user namespace.
 * Small maps keep their extents inline; the alternative union member holds
 * two out-of-line extent arrays instead.
 */
struct uid_gid_map { /* 64 bytes -- 1 cache line */
	/* Number of valid extents in whichever representation is in use. */
	u32 nr_extents;
	union {
		/* Inline storage for maps of at most UID_GID_MAP_MAX_BASE_EXTENTS extents. */
		struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
		/* Out-of-line storage; presumably sorted for forward and reverse lookup — confirm. */
		struct {
			struct uid_gid_extent *forward;
			struct uid_gid_extent *reverse;
		};
	};
};
  34
/* Bit in user_namespace::flags: setgroups() is still permitted in this namespace. */
#define USERNS_SETGROUPS_ALLOWED 1UL

/* Starting value of user_namespace::flags (presumably for a new namespace — confirm). */
#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
  38
  39struct ucounts;
  40
/*
 * Kinds of per-user resource counters.  The values index both
 * struct ucounts::ucount[] (current usage) and
 * struct user_namespace::ucount_max[] (per-type limits).
 */
enum ucount_type {
	UCOUNT_USER_NAMESPACES,
	UCOUNT_PID_NAMESPACES,
	UCOUNT_UTS_NAMESPACES,
	UCOUNT_IPC_NAMESPACES,
	UCOUNT_NET_NAMESPACES,
	UCOUNT_MNT_NAMESPACES,
	UCOUNT_CGROUP_NAMESPACES,
	/* Only present with CONFIG_INOTIFY_USER; later values shift accordingly. */
#ifdef CONFIG_INOTIFY_USER
	UCOUNT_INOTIFY_INSTANCES,
	UCOUNT_INOTIFY_WATCHES,
#endif
	UCOUNT_TIME_NAMESPACES,
	/* Reserved slots, presumably so new counters can be added without
	 * changing UCOUNT_COUNTS (kABI) — confirm. */
	UCOUNT_KABI_RESERVE_2,
	UCOUNT_KABI_RESERVE_3,
	UCOUNT_KABI_RESERVE_4,
	UCOUNT_KABI_RESERVE_5,
	UCOUNT_KABI_RESERVE_6,
	UCOUNT_KABI_RESERVE_7,
	UCOUNT_KABI_RESERVE_8,
	UCOUNT_KABI_RESERVE_9,
	UCOUNT_KABI_RESERVE_10,
	UCOUNT_KABI_RESERVE_11,
	UCOUNT_KABI_RESERVE_12,
	UCOUNT_KABI_RESERVE_13,
	UCOUNT_KABI_RESERVE_14,
	UCOUNT_KABI_RESERVE_15,
	/* Sentinel: number of counter types; used as the array size above. */
	UCOUNT_COUNTS,
};
  70
/*
 * A user namespace: its ID mappings, ownership, flags and resource
 * accounting.  Lifetime is governed by @count through get_user_ns() and
 * put_user_ns() below.
 */
struct user_namespace {
	/* ID translations for uids, gids and project ids (see struct uid_gid_map). */
	struct uid_gid_map	uid_map;
	struct uid_gid_map	gid_map;
	struct uid_gid_map	projid_map;
	/*
	 * Reference count, adjusted by get_user_ns()/put_user_ns().
	 * NOTE(review): this is a plain atomic_t rather than refcount_t, so the
	 * atomic_inc() in get_user_ns() is not overflow-checked.
	 */
	atomic_t		count;
	/* Enclosing namespace in the hierarchy (see in_userns()). */
	struct user_namespace	*parent;
	/* Nesting depth; presumably 0 for init_user_ns — confirm. */
	int			level;
	/* Kernel uid/gid of the namespace owner (assumed to be the creator — confirm). */
	kuid_t			owner;
	kgid_t			group;
	/* Generic namespace header embedded in every namespace type. */
	struct ns_common	ns;
	/* Bit flags; USERNS_SETGROUPS_ALLOWED is the one defined in this header. */
	unsigned long		flags;

	/* Register of per-UID persistent keyrings for this namespace */
#ifdef CONFIG_PERSISTENT_KEYRINGS
	struct key		*persistent_keyring_register;
	struct rw_semaphore	persistent_keyring_register_sem;
#endif
	/* Deferred work item; presumably used for tearing the namespace down — confirm. */
	struct work_struct	work;
#ifdef CONFIG_SYSCTL
	/* Per-namespace sysctl table, managed by setup/retire_userns_sysctls(). */
	struct ctl_table_set	set;
	struct ctl_table_header *sysctls;
#endif
	/* Resource accounting object this namespace is charged to. */
	struct ucounts		*ucounts;
	/* Per-type limits, indexed by enum ucount_type. */
	int ucount_max[UCOUNT_COUNTS];

	/* parent_could_setfcap: true if the creator of this ns had CAP_SETFCAP
	 * in its effective capability set at the child ns creation time. */
	RH_KABI_USE(1, bool parent_could_setfcap)

	/* Reserved padding so the struct can grow without breaking kABI. */
	RH_KABI_RESERVE(2)
	RH_KABI_RESERVE(3)
	RH_KABI_RESERVE(4)
} __randomize_layout; /* field order may be shuffled when struct layout randomization is enabled */
 104
/*
 * Per-(namespace, uid) resource usage, looked up via the hash list @node
 * and charged/released through inc_ucount()/dec_ucount().
 */
struct ucounts {
	struct hlist_node node;
	/* Namespace this accounting entry belongs to. */
	struct user_namespace *ns;
	/* User being accounted within @ns. */
	kuid_t uid;
	/* Reference count on this entry (presumably; confirm) — a plain int, not atomic. */
	int count;
	/* Current usage per enum ucount_type. */
	atomic_t ucount[UCOUNT_COUNTS];
};
 112
/* The initial user namespace; get_user_ns() returns it when CONFIG_USER_NS is off. */
extern struct user_namespace init_user_ns;

/* Register / unregister @ns's sysctl table (the set/sysctls members).
 * setup_userns_sysctls() presumably returns false on failure — confirm. */
bool setup_userns_sysctls(struct user_namespace *ns);
void retire_userns_sysctls(struct user_namespace *ns);
/* Charge one @type object to @uid in @ns and return the accounting entry to
 * hand back to dec_ucount().  Presumably returns NULL when the per-type
 * limit (ucount_max) is reached — confirm. */
struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
/* Release the charge taken by inc_ucount() for @type on @ucounts. */
void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
 119
 120#ifdef CONFIG_USER_NS
 121
/*
 * Take a reference on @ns and return it.  A NULL @ns is returned
 * unchanged, so the result can be chained without a NULL check.
 *
 * NOTE(review): @ns->count is a plain atomic_t, so this increment is not
 * overflow-checked the way refcount_inc() would be.
 */
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
{
	if (!ns)
		return NULL;

	atomic_inc(&ns->count);
	return ns;
}
 128
/* Create a new user namespace for credentials @new; 0 on success, else a
 * negative errno (the !CONFIG_USER_NS stub returns -EINVAL). */
extern int create_user_ns(struct cred *new);
/* Handle CLONE_NEWUSER in @unshare_flags for *@new_cred; 0 or negative errno. */
extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
/* Final teardown, called by put_user_ns() once @ns->count drops to zero. */
extern void __put_user_ns(struct user_namespace *ns);
 132
/*
 * Drop a reference taken with get_user_ns().  Tolerates a NULL @ns, and
 * hands the namespace to __put_user_ns() when the last reference goes away.
 */
static inline void put_user_ns(struct user_namespace *ns)
{
	if (!ns)
		return;

	if (atomic_dec_and_test(&ns->count))
		__put_user_ns(ns);
}
 138
struct seq_operations;
/* Readers for the per-process uid_map / gid_map / projid_map proc files. */
extern const struct seq_operations proc_uid_seq_operations;
extern const struct seq_operations proc_gid_seq_operations;
extern const struct seq_operations proc_projid_seq_operations;
/* Writers for those files.  The buffer is userspace memory (__user), so the
 * implementations are responsible for copying, parsing and permission
 * checks; nothing here validates the input. */
extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
extern int proc_setgroups_show(struct seq_file *m, void *v);
/* True if setgroups() is still allowed in @ns (see USERNS_SETGROUPS_ALLOWED). */
extern bool userns_may_setgroups(const struct user_namespace *ns);
/* True if @child is @ancestor or lies below it in the namespace hierarchy (presumably inclusive — confirm). */
extern bool in_userns(const struct user_namespace *ancestor,
		       const struct user_namespace *child);
/* True if the current task's user namespace is within @target_ns. */
extern bool current_in_userns(const struct user_namespace *target_ns);
/* Owning user namespace of @ns as a generic ns_common, or an ERR_PTR. */
struct ns_common *ns_get_owner(struct ns_common *ns);
 153#else
 154
/* !CONFIG_USER_NS: there is only one namespace, so ignore @ns and return it. */
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
{
	return &init_user_ns;
}
 159
/* !CONFIG_USER_NS: user namespaces cannot be created; always -EINVAL. */
static inline int create_user_ns(struct cred *new)
{
	return -EINVAL;
}
 164
/*
 * !CONFIG_USER_NS: a CLONE_NEWUSER request cannot be honoured, so reject it
 * with -EINVAL; any other flag combination is a no-op success.  @new_cred is
 * never touched.
 */
static inline int unshare_userns(unsigned long unshare_flags,
				 struct cred **new_cred)
{
	return (unshare_flags & CLONE_NEWUSER) ? -EINVAL : 0;
}
 172
/* !CONFIG_USER_NS: no references to drop; intentionally empty. */
static inline void put_user_ns(struct user_namespace *ns)
{
}
 176
/* !CONFIG_USER_NS: setgroups() is never restricted. */
static inline bool userns_may_setgroups(const struct user_namespace *ns)
{
	return true;
}
 181
/* !CONFIG_USER_NS: a single namespace is trivially its own ancestor. */
static inline bool in_userns(const struct user_namespace *ancestor,
			     const struct user_namespace *child)
{
	return true;
}
 187
/* !CONFIG_USER_NS: every task is in the one and only namespace. */
static inline bool current_in_userns(const struct user_namespace *target_ns)
{
	return true;
}
 192
/* !CONFIG_USER_NS: no owner namespace can be handed out; always -EPERM. */
static inline struct ns_common *ns_get_owner(struct ns_common *ns)
{
	return ERR_PTR(-EPERM);
}
 197#endif
 198
#endif /* _LINUX_USER_NAMESPACE_H */
 200