Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=77ec739d8d0979477fc91f530403805afa2581a4
Commit:     77ec739d8d0979477fc91f530403805afa2581a4
Parent:     acce292c82d4d82d35553b928df2b0597c3a9c78
Author:     Serge E. Hallyn <[EMAIL PROTECTED]>
AuthorDate: Sun Jul 15 23:41:01 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Mon Jul 16 09:05:47 2007 -0700

    user namespace: add unshare
    
    This patch enables the unshare of user namespaces.
    
    It adds a new clone flag CLONE_NEWUSER and implements copy_user_ns() which
    resets the current user_struct and adds a new root user (uid == 0)
    
    For now, unsharing the user namespace allows a process to reset its
    user_struct accounting and uid 0 in the new user namespace should be 
contained
    using appropriate means, for instance selinux
    
    The plan, when the full support is complete (all uid checks covered), is to
    keep the original user's rights in the original namespace, and let a process
    become uid 0 in the new namespace, with full capabilities to the new
    namespace.
    
    Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>
    Signed-off-by: Cedric Le Goater <[EMAIL PROTECTED]>
    Acked-by: Pavel Emelianov <[EMAIL PROTECTED]>
    Cc: Herbert Poetzl <[EMAIL PROTECTED]>
    Cc: Kirill Korotaev <[EMAIL PROTECTED]>
    Cc: Eric W. Biederman <[EMAIL PROTECTED]>
    Cc: Chris Wright <[EMAIL PROTECTED]>
    Cc: Stephen Smalley <[EMAIL PROTECTED]>
    Cc: James Morris <[EMAIL PROTECTED]>
    Cc: Andrew Morgan <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
---
 include/linux/sched.h          |    1 +
 include/linux/user_namespace.h |    4 +++
 kernel/fork.c                  |    2 +-
 kernel/nsproxy.c               |    5 ++-
 kernel/user_namespace.c        |   46 +++++++++++++++++++++++++++++++++++++++-
 5 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/include/linux/sched.h b/include/linux/sched.h
index c667255..731edac 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -26,6 +26,7 @@
 #define CLONE_STOPPED          0x02000000      /* Start in stopped state */
 #define CLONE_NEWUTS           0x04000000      /* New utsname group? */
 #define CLONE_NEWIPC           0x08000000      /* New ipcs */
+#define CLONE_NEWUSER          0x10000000      /* New user namespace */
 
 /*
  * Scheduling policies
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 92a4586..bb32057 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -4,6 +4,7 @@
 #include <linux/kref.h>
 #include <linux/nsproxy.h>
 #include <linux/sched.h>
+#include <linux/err.h>
 
 #define UIDHASH_BITS   (CONFIG_BASE_SMALL ? 3 : 8)
 #define UIDHASH_SZ     (1 << UIDHASH_BITS)
@@ -45,6 +46,9 @@ static inline struct user_namespace *get_user_ns(struct 
user_namespace *ns)
 static inline struct user_namespace *copy_user_ns(int flags,
                                                  struct user_namespace *old_ns)
 {
+       if (flags & CLONE_NEWUSER)
+               return ERR_PTR(-EINVAL);
+
        return NULL;
 }
 
diff --git a/kernel/fork.c b/kernel/fork.c
index 13cf097..7c5c588 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1606,7 +1606,7 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
        err = -EINVAL;
        if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
                                CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
-                               CLONE_NEWUTS|CLONE_NEWIPC))
+                               CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER))
                goto bad_unshare_out;
 
        if ((err = unshare_thread(unshare_flags)))
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 895e3a3..5aa28e2 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -117,7 +117,7 @@ int copy_namespaces(int flags, struct task_struct *tsk)
 
        get_nsproxy(old_ns);
 
-       if (!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC)))
+       if (!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | 
CLONE_NEWUSER)))
                return 0;
 
        if (!capable(CAP_SYS_ADMIN)) {
@@ -161,7 +161,8 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
 {
        int err = 0;
 
-       if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC)))
+       if (!(unshare_flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
+                              CLONE_NEWUSER)))
                return 0;
 
        if (!capable(CAP_SYS_ADMIN))
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 3d79642..89a27e8 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -21,6 +21,45 @@ EXPORT_SYMBOL_GPL(init_user_ns);
 
 #ifdef CONFIG_USER_NS
 
+/*
+ * Clone a new ns copying an original user ns, setting refcount to 1
+ * @old_ns: namespace to clone
+ * Return NULL on error (failure to kmalloc), new ns otherwise
+ */
+static struct user_namespace *clone_user_ns(struct user_namespace *old_ns)
+{
+       struct user_namespace *ns;
+       struct user_struct *new_user;
+       int n;
+
+       ns = kmalloc(sizeof(struct user_namespace), GFP_KERNEL);
+       if (!ns)
+               return NULL;
+
+       kref_init(&ns->kref);
+
+       for (n = 0; n < UIDHASH_SZ; ++n)
+               INIT_LIST_HEAD(ns->uidhash_table + n);
+
+       /* Insert new root user.  */
+       ns->root_user = alloc_uid(ns, 0);
+       if (!ns->root_user) {
+               kfree(ns);
+               return NULL;
+       }
+
+       /* Reset current->user with a new one */
+       new_user = alloc_uid(ns, current->uid);
+       if (!new_user) {
+               free_uid(ns->root_user);
+               kfree(ns);
+               return NULL;
+       }
+
+       switch_uid(new_user);
+       return ns;
+}
+
 struct user_namespace * copy_user_ns(int flags, struct user_namespace *old_ns)
 {
        struct user_namespace *new_ns;
@@ -28,7 +67,12 @@ struct user_namespace * copy_user_ns(int flags, struct 
user_namespace *old_ns)
        BUG_ON(!old_ns);
        get_user_ns(old_ns);
 
-       new_ns = old_ns;
+       if (!(flags & CLONE_NEWUSER))
+               return old_ns;
+
+       new_ns = clone_user_ns(old_ns);
+
+       put_user_ns(old_ns);
        return new_ns;
 }
 
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to