Re: [PATCH v2 03/10] userns: Add a limit on the number of user namespaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Export the export the maximum number of user namespaces as

^ note if you resend, duplicate "export the"

> /proc/sys/userns/max_user_namespaces.
> 
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Acked-by: Serge Hallyn <serge@xxxxxxxxxx>

> ---
>  include/linux/user_namespace.h |  2 ++
>  kernel/fork.c                  |  2 ++
>  kernel/user_namespace.c        | 69 +++++++++++++++++++++++++++++++++++++-----
>  3 files changed, 65 insertions(+), 8 deletions(-)
> 
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 7d59af1f08f1..ba6a995178f9 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -43,6 +43,8 @@ struct user_namespace {
>  	struct ctl_table_set	set;
>  	struct ctl_table_header *sysctls;
>  #endif
> +	int max_user_namespaces;
> +	atomic_t user_namespaces;
>  };
>  
>  extern struct user_namespace init_user_ns;
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 5c2c355aa97f..95d5498c463f 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -323,6 +323,8 @@ void __init fork_init(void)
>  	init_task.signal->rlim[RLIMIT_NPROC].rlim_max = max_threads/2;
>  	init_task.signal->rlim[RLIMIT_SIGPENDING] =
>  		init_task.signal->rlim[RLIMIT_NPROC];
> +
> +	init_user_ns.max_user_namespaces = max_threads;
>  }
>  
>  int __weak arch_dup_task_struct(struct task_struct *dst,
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 10afbb55dfc2..0061550e3282 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -29,6 +29,7 @@ static DEFINE_MUTEX(userns_state_mutex);
>  static bool new_idmap_permitted(const struct file *file,
>  				struct user_namespace *ns, int cap_setid,
>  				struct uid_gid_map *map);
> +#define COUNT_MAX (INT_MAX - 1)
>  
>  #ifdef CONFIG_SYSCTL
>  static struct ctl_table_set *
> @@ -63,7 +64,18 @@ static struct ctl_table_root set_root = {
>  	.permissions = set_permissions,
>  };
>  
> +static int zero = 0;
> +static int count_max = COUNT_MAX;
>  static struct ctl_table userns_table[] = {
> +	{
> +		.procname	= "max_user_namespaces",
> +		.data		= &init_user_ns.max_user_namespaces,
> +		.maxlen		= sizeof(init_user_ns.max_user_namespaces),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dointvec_minmax,
> +		.extra1		= &zero,
> +		.extra2		= &count_max,
> +	},
>  	{ }
>  };
>  #endif /* CONFIG_SYSCTL */
> @@ -75,6 +87,8 @@ static bool setup_userns_sysctls(struct user_namespace *ns)
>  	setup_sysctl_set(&ns->set, &set_root, set_is_seen);
>  	tbl = kmemdup(userns_table, sizeof(userns_table), GFP_KERNEL);
>  	if (tbl) {
> +		tbl[0].data = &ns->max_user_namespaces;
> +
>  		ns->sysctls = __register_sysctl_table(&ns->set, "userns", tbl);
>  	}
>  	if (!ns->sysctls) {
> @@ -113,6 +127,34 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
>  	cred->user_ns = user_ns;
>  }
>  
> +static bool inc_user_namespaces(struct user_namespace *ns)
> +{
> +	struct user_namespace *pos, *bad;
> +	for (pos = ns; pos; pos = pos->parent) {
> +		int max = READ_ONCE(pos->max_user_namespaces);
> +		int sum = atomic_inc_return(&pos->user_namespaces);
> +		if (sum > max)
> +			goto fail;
> +	}
> +	return true;
> +fail:
> +	bad = pos;
> +	atomic_dec(&pos->user_namespaces);
> +	for (pos = ns; pos != bad; pos = pos->parent)
> +		atomic_dec(&pos->user_namespaces);
> +
> +	return false;
> +}
> +
> +static void dec_user_namespaces(struct user_namespace *ns)
> +{
> +	struct user_namespace *pos;
> +	for (pos = ns; pos; pos = pos->parent) {
> +		int dec = atomic_dec_if_positive(&pos->user_namespaces);
> +		WARN_ON_ONCE(dec < 0);
> +	}
> +}
> +
>  /*
>   * Create a new user namespace, deriving the creator from the user in the
>   * passed credentials, and replacing that user with the new root user for the
> @@ -128,8 +170,12 @@ int create_user_ns(struct cred *new)
>  	kgid_t group = new->egid;
>  	int ret;
>  
> +	ret = -EUSERS;
>  	if (parent_ns->level > 32)
> -		return -EUSERS;
> +		goto fail;
> +
> +	if (!inc_user_namespaces(parent_ns))
> +		goto fail;
>  
>  	/*
>  	 * Verify that we can not violate the policy of which files
> @@ -137,26 +183,27 @@ int create_user_ns(struct cred *new)
>  	 * by verifing that the root directory is at the root of the
>  	 * mount namespace which allows all files to be accessed.
>  	 */
> +	ret = -EPERM;
>  	if (current_chrooted())
> -		return -EPERM;
> +		goto fail_dec;
>  
>  	/* The creator needs a mapping in the parent user namespace
>  	 * or else we won't be able to reasonably tell userspace who
>  	 * created a user_namespace.
>  	 */
> +	ret = -EPERM;
>  	if (!kuid_has_mapping(parent_ns, owner) ||
>  	    !kgid_has_mapping(parent_ns, group))
> -		return -EPERM;
> +		goto fail_dec;
>  
> +	ret = -ENOMEM;
>  	ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
>  	if (!ns)
> -		return -ENOMEM;
> +		goto fail_dec;
>  
>  	ret = ns_alloc_inum(&ns->ns);
> -	if (ret) {
> -		kmem_cache_free(user_ns_cachep, ns);
> -		return ret;
> -	}
> +	if (ret)
> +		goto fail_free;
>  	ns->ns.ops = &userns_operations;
>  
>  	atomic_set(&ns->count, 1);
> @@ -165,6 +212,7 @@ int create_user_ns(struct cred *new)
>  	ns->level = parent_ns->level + 1;
>  	ns->owner = owner;
>  	ns->group = group;
> +	ns->max_user_namespaces = COUNT_MAX;
>  
>  	/* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
>  	mutex_lock(&userns_state_mutex);
> @@ -185,7 +233,11 @@ fail_keyring:
>  	key_put(ns->persistent_keyring_register);
>  #endif
>  	ns_free_inum(&ns->ns);
> +fail_free:
>  	kmem_cache_free(user_ns_cachep, ns);
> +fail_dec:
> +	dec_user_namespaces(parent_ns);
> +fail:
>  	return ret;
>  }
>  
> @@ -221,6 +273,7 @@ void free_user_ns(struct user_namespace *ns)
>  #endif
>  		ns_free_inum(&ns->ns);
>  		kmem_cache_free(user_ns_cachep, ns);
> +		dec_user_namespaces(parent);
>  		ns = parent;
>  	} while (atomic_dec_and_test(&parent->count));
>  }
> -- 
> 2.8.3
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux