77ec739d8d
This patch enables the unshare of user namespaces. It adds a new clone flag CLONE_NEWUSER and implements copy_user_ns() which resets the current user_struct and adds a new root user (uid == 0) For now, unsharing the user namespace allows a process to reset its user_struct accounting and uid 0 in the new user namespace should be contained using appropriate means, for instance selinux The plan, when the full support is complete (all uid checks covered), is to keep the original user's rights in the original namespace, and let a process become uid 0 in the new namespace, with full capabilities to the new namespace. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Cedric Le Goater <clg@fr.ibm.com> Acked-by: Pavel Emelianov <xemul@openvz.org> Cc: Herbert Poetzl <herbert@13thfloor.at> Cc: Kirill Korotaev <dev@sw.ru> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Cc: Andrew Morgan <agm@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
61 lines
1.2 KiB
C
61 lines
1.2 KiB
C
#ifndef _LINUX_USER_NAMESPACE_H
|
|
#define _LINUX_USER_NAMESPACE_H
|
|
|
|
#include <linux/kref.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/err.h>
|
|
|
|
#define UIDHASH_BITS (CONFIG_BASE_SMALL ? 3 : 8)
|
|
#define UIDHASH_SZ (1 << UIDHASH_BITS)
|
|
|
|
struct user_namespace {
|
|
struct kref kref;
|
|
struct list_head uidhash_table[UIDHASH_SZ];
|
|
struct user_struct *root_user;
|
|
};
|
|
|
|
extern struct user_namespace init_user_ns;
|
|
|
|
#ifdef CONFIG_USER_NS
|
|
|
|
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
|
|
{
|
|
if (ns)
|
|
kref_get(&ns->kref);
|
|
return ns;
|
|
}
|
|
|
|
extern struct user_namespace *copy_user_ns(int flags,
|
|
struct user_namespace *old_ns);
|
|
extern void free_user_ns(struct kref *kref);
|
|
|
|
static inline void put_user_ns(struct user_namespace *ns)
|
|
{
|
|
if (ns)
|
|
kref_put(&ns->kref, free_user_ns);
|
|
}
|
|
|
|
#else
|
|
|
|
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
|
|
{
|
|
return &init_user_ns;
|
|
}
|
|
|
|
static inline struct user_namespace *copy_user_ns(int flags,
|
|
struct user_namespace *old_ns)
|
|
{
|
|
if (flags & CLONE_NEWUSER)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static inline void put_user_ns(struct user_namespace *ns)
|
|
{
|
|
}
|
|
|
|
#endif
|
|
|
|
#endif /* _LINUX_USER_H */
|