2 * This program is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU General Public License as
4 * published by the Free Software Foundation, version 2 of the
8 #include <linux/export.h>
9 #include <linux/nsproxy.h>
10 #include <linux/slab.h>
11 #include <linux/user_namespace.h>
12 #include <linux/proc_ns.h>
13 #include <linux/highuid.h>
14 #include <linux/cred.h>
15 #include <linux/securebits.h>
16 #include <linux/keyctl.h>
17 #include <linux/key-type.h>
18 #include <keys/user-type.h>
19 #include <linux/seq_file.h>
21 #include <linux/uaccess.h>
22 #include <linux/ctype.h>
23 #include <linux/projid.h>
24 #include <linux/fs_struct.h>
26 static struct kmem_cache *user_ns_cachep __read_mostly;
27 static DEFINE_MUTEX(userns_state_mutex);
29 static bool new_idmap_permitted(const struct file *file,
30 struct user_namespace *ns, int cap_setid,
31 struct uid_gid_map *map);
33 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
35 /* Start with the same capabilities as init but useless for doing
36 * anything as the capabilities are bound to the new user namespace.
38 cred->securebits = SECUREBITS_DEFAULT;
39 cred->cap_inheritable = CAP_EMPTY_SET;
40 cred->cap_permitted = CAP_FULL_SET;
41 cred->cap_effective = CAP_FULL_SET;
42 cred->cap_bset = CAP_FULL_SET;
44 key_put(cred->request_key_auth);
45 cred->request_key_auth = NULL;
47 /* tgcred will be cleared in our caller bc CLONE_THREAD won't be set */
48 cred->user_ns = user_ns;
52 * Create a new user namespace, deriving the creator from the user in the
53 * passed credentials, and replacing that user with the new root user for the
56 * This is called by copy_creds(), which will finish setting the target task's
59 int create_user_ns(struct cred *new)
61 struct user_namespace *ns, *parent_ns = new->user_ns;
62 kuid_t owner = new->euid;
63 kgid_t group = new->egid;
66 if (parent_ns->level > 32)
70 * Verify that we can not violate the policy of which files
71 * may be accessed that is specified by the root directory,
72 * by verifing that the root directory is at the root of the
73 * mount namespace which allows all files to be accessed.
75 if (current_chrooted())
78 /* The creator needs a mapping in the parent user namespace
79 * or else we won't be able to reasonably tell userspace who
80 * created a user_namespace.
82 if (!kuid_has_mapping(parent_ns, owner) ||
83 !kgid_has_mapping(parent_ns, group))
86 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
90 ret = proc_alloc_inum(&ns->proc_inum);
92 kmem_cache_free(user_ns_cachep, ns);
96 atomic_set(&ns->count, 1);
97 /* Leave the new->user_ns reference with the new user namespace. */
98 ns->parent = parent_ns;
99 ns->level = parent_ns->level + 1;
103 /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
104 mutex_lock(&userns_state_mutex);
105 ns->flags = parent_ns->flags;
106 mutex_unlock(&userns_state_mutex);
108 set_cred_user_ns(new, ns);
110 update_mnt_policy(ns);
115 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
120 if (!(unshare_flags & CLONE_NEWUSER))
123 cred = prepare_creds();
125 err = create_user_ns(cred);
135 void free_user_ns(struct user_namespace *ns)
137 struct user_namespace *parent;
141 proc_free_inum(ns->proc_inum);
142 kmem_cache_free(user_ns_cachep, ns);
144 } while (atomic_dec_and_test(&parent->count));
146 EXPORT_SYMBOL(free_user_ns);
148 static u32 map_id_range_down(struct uid_gid_map *map, u32 id, u32 count)
150 unsigned idx, extents;
151 u32 first, last, id2;
153 id2 = id + count - 1;
155 /* Find the matching extent */
156 extents = map->nr_extents;
158 for (idx = 0; idx < extents; idx++) {
159 first = map->extent[idx].first;
160 last = first + map->extent[idx].count - 1;
161 if (id >= first && id <= last &&
162 (id2 >= first && id2 <= last))
165 /* Map the id or note failure */
167 id = (id - first) + map->extent[idx].lower_first;
174 static u32 map_id_down(struct uid_gid_map *map, u32 id)
176 unsigned idx, extents;
179 /* Find the matching extent */
180 extents = map->nr_extents;
182 for (idx = 0; idx < extents; idx++) {
183 first = map->extent[idx].first;
184 last = first + map->extent[idx].count - 1;
185 if (id >= first && id <= last)
188 /* Map the id or note failure */
190 id = (id - first) + map->extent[idx].lower_first;
197 static u32 map_id_up(struct uid_gid_map *map, u32 id)
199 unsigned idx, extents;
202 /* Find the matching extent */
203 extents = map->nr_extents;
205 for (idx = 0; idx < extents; idx++) {
206 first = map->extent[idx].lower_first;
207 last = first + map->extent[idx].count - 1;
208 if (id >= first && id <= last)
211 /* Map the id or note failure */
213 id = (id - first) + map->extent[idx].first;
221 * make_kuid - Map a user-namespace uid pair into a kuid.
222 * @ns: User namespace that the uid is in
223 * @uid: User identifier
225 * Maps a user-namespace uid pair into a kernel internal kuid,
226 * and returns that kuid.
228 * When there is no mapping defined for the user-namespace uid
229 * pair INVALID_UID is returned. Callers are expected to test
230 * for and handle handle INVALID_UID being returned. INVALID_UID
231 * may be tested for using uid_valid().
233 kuid_t make_kuid(struct user_namespace *ns, uid_t uid)
235 /* Map the uid to a global kernel uid */
236 return KUIDT_INIT(map_id_down(&ns->uid_map, uid));
238 EXPORT_SYMBOL(make_kuid);
241 * from_kuid - Create a uid from a kuid user-namespace pair.
242 * @targ: The user namespace we want a uid in.
243 * @kuid: The kernel internal uid to start with.
245 * Map @kuid into the user-namespace specified by @targ and
246 * return the resulting uid.
248 * There is always a mapping into the initial user_namespace.
250 * If @kuid has no mapping in @targ (uid_t)-1 is returned.
252 uid_t from_kuid(struct user_namespace *targ, kuid_t kuid)
254 /* Map the uid from a global kernel uid */
255 return map_id_up(&targ->uid_map, __kuid_val(kuid));
257 EXPORT_SYMBOL(from_kuid);
260 * from_kuid_munged - Create a uid from a kuid user-namespace pair.
261 * @targ: The user namespace we want a uid in.
262 * @kuid: The kernel internal uid to start with.
264 * Map @kuid into the user-namespace specified by @targ and
265 * return the resulting uid.
267 * There is always a mapping into the initial user_namespace.
269 * Unlike from_kuid from_kuid_munged never fails and always
270 * returns a valid uid. This makes from_kuid_munged appropriate
271 * for use in syscalls like stat and getuid where failing the
272 * system call and failing to provide a valid uid are not an
275 * If @kuid has no mapping in @targ overflowuid is returned.
277 uid_t from_kuid_munged(struct user_namespace *targ, kuid_t kuid)
280 uid = from_kuid(targ, kuid);
282 if (uid == (uid_t) -1)
286 EXPORT_SYMBOL(from_kuid_munged);
289 * make_kgid - Map a user-namespace gid pair into a kgid.
290 * @ns: User namespace that the gid is in
291 * @uid: group identifier
293 * Maps a user-namespace gid pair into a kernel internal kgid,
294 * and returns that kgid.
296 * When there is no mapping defined for the user-namespace gid
297 * pair INVALID_GID is returned. Callers are expected to test
298 * for and handle INVALID_GID being returned. INVALID_GID may be
299 * tested for using gid_valid().
301 kgid_t make_kgid(struct user_namespace *ns, gid_t gid)
303 /* Map the gid to a global kernel gid */
304 return KGIDT_INIT(map_id_down(&ns->gid_map, gid));
306 EXPORT_SYMBOL(make_kgid);
309 * from_kgid - Create a gid from a kgid user-namespace pair.
310 * @targ: The user namespace we want a gid in.
311 * @kgid: The kernel internal gid to start with.
313 * Map @kgid into the user-namespace specified by @targ and
314 * return the resulting gid.
316 * There is always a mapping into the initial user_namespace.
318 * If @kgid has no mapping in @targ (gid_t)-1 is returned.
320 gid_t from_kgid(struct user_namespace *targ, kgid_t kgid)
322 /* Map the gid from a global kernel gid */
323 return map_id_up(&targ->gid_map, __kgid_val(kgid));
325 EXPORT_SYMBOL(from_kgid);
328 * from_kgid_munged - Create a gid from a kgid user-namespace pair.
329 * @targ: The user namespace we want a gid in.
330 * @kgid: The kernel internal gid to start with.
332 * Map @kgid into the user-namespace specified by @targ and
333 * return the resulting gid.
335 * There is always a mapping into the initial user_namespace.
337 * Unlike from_kgid from_kgid_munged never fails and always
338 * returns a valid gid. This makes from_kgid_munged appropriate
339 * for use in syscalls like stat and getgid where failing the
340 * system call and failing to provide a valid gid are not options.
342 * If @kgid has no mapping in @targ overflowgid is returned.
344 gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
347 gid = from_kgid(targ, kgid);
349 if (gid == (gid_t) -1)
353 EXPORT_SYMBOL(from_kgid_munged);
356 * make_kprojid - Map a user-namespace projid pair into a kprojid.
357 * @ns: User namespace that the projid is in
358 * @projid: Project identifier
360 * Maps a user-namespace uid pair into a kernel internal kuid,
361 * and returns that kuid.
363 * When there is no mapping defined for the user-namespace projid
364 * pair INVALID_PROJID is returned. Callers are expected to test
365 * for and handle handle INVALID_PROJID being returned. INVALID_PROJID
366 * may be tested for using projid_valid().
368 kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
370 /* Map the uid to a global kernel uid */
371 return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
373 EXPORT_SYMBOL(make_kprojid);
376 * from_kprojid - Create a projid from a kprojid user-namespace pair.
377 * @targ: The user namespace we want a projid in.
378 * @kprojid: The kernel internal project identifier to start with.
380 * Map @kprojid into the user-namespace specified by @targ and
381 * return the resulting projid.
383 * There is always a mapping into the initial user_namespace.
385 * If @kprojid has no mapping in @targ (projid_t)-1 is returned.
387 projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
389 /* Map the uid from a global kernel uid */
390 return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
392 EXPORT_SYMBOL(from_kprojid);
395 * from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
396 * @targ: The user namespace we want a projid in.
397 * @kprojid: The kernel internal projid to start with.
399 * Map @kprojid into the user-namespace specified by @targ and
400 * return the resulting projid.
402 * There is always a mapping into the initial user_namespace.
404 * Unlike from_kprojid from_kprojid_munged never fails and always
405 * returns a valid projid. This makes from_kprojid_munged
406 * appropriate for use in syscalls like stat and where
407 * failing the system call and failing to provide a valid projid are
410 * If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
412 projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
415 projid = from_kprojid(targ, kprojid);
417 if (projid == (projid_t) -1)
418 projid = OVERFLOW_PROJID;
421 EXPORT_SYMBOL(from_kprojid_munged);
424 static int uid_m_show(struct seq_file *seq, void *v)
426 struct user_namespace *ns = seq->private;
427 struct uid_gid_extent *extent = v;
428 struct user_namespace *lower_ns;
431 lower_ns = seq_user_ns(seq);
432 if ((lower_ns == ns) && lower_ns->parent)
433 lower_ns = lower_ns->parent;
435 lower = from_kuid(lower_ns, KUIDT_INIT(extent->lower_first));
437 seq_printf(seq, "%10u %10u %10u\n",
445 static int gid_m_show(struct seq_file *seq, void *v)
447 struct user_namespace *ns = seq->private;
448 struct uid_gid_extent *extent = v;
449 struct user_namespace *lower_ns;
452 lower_ns = seq_user_ns(seq);
453 if ((lower_ns == ns) && lower_ns->parent)
454 lower_ns = lower_ns->parent;
456 lower = from_kgid(lower_ns, KGIDT_INIT(extent->lower_first));
458 seq_printf(seq, "%10u %10u %10u\n",
466 static int projid_m_show(struct seq_file *seq, void *v)
468 struct user_namespace *ns = seq->private;
469 struct uid_gid_extent *extent = v;
470 struct user_namespace *lower_ns;
473 lower_ns = seq_user_ns(seq);
474 if ((lower_ns == ns) && lower_ns->parent)
475 lower_ns = lower_ns->parent;
477 lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
479 seq_printf(seq, "%10u %10u %10u\n",
487 static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
489 struct uid_gid_extent *extent = NULL;
492 if (pos < map->nr_extents)
493 extent = &map->extent[pos];
498 static void *uid_m_start(struct seq_file *seq, loff_t *ppos)
500 struct user_namespace *ns = seq->private;
502 return m_start(seq, ppos, &ns->uid_map);
505 static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
507 struct user_namespace *ns = seq->private;
509 return m_start(seq, ppos, &ns->gid_map);
512 static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
514 struct user_namespace *ns = seq->private;
516 return m_start(seq, ppos, &ns->projid_map);
519 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
522 return seq->op->start(seq, pos);
525 static void m_stop(struct seq_file *seq, void *v)
530 struct seq_operations proc_uid_seq_operations = {
531 .start = uid_m_start,
537 struct seq_operations proc_gid_seq_operations = {
538 .start = gid_m_start,
544 struct seq_operations proc_projid_seq_operations = {
545 .start = projid_m_start,
548 .show = projid_m_show,
551 static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent *extent)
553 u32 upper_first, lower_first, upper_last, lower_last;
556 upper_first = extent->first;
557 lower_first = extent->lower_first;
558 upper_last = upper_first + extent->count - 1;
559 lower_last = lower_first + extent->count - 1;
561 for (idx = 0; idx < new_map->nr_extents; idx++) {
562 u32 prev_upper_first, prev_lower_first;
563 u32 prev_upper_last, prev_lower_last;
564 struct uid_gid_extent *prev;
566 prev = &new_map->extent[idx];
568 prev_upper_first = prev->first;
569 prev_lower_first = prev->lower_first;
570 prev_upper_last = prev_upper_first + prev->count - 1;
571 prev_lower_last = prev_lower_first + prev->count - 1;
573 /* Does the upper range intersect a previous extent? */
574 if ((prev_upper_first <= upper_last) &&
575 (prev_upper_last >= upper_first))
578 /* Does the lower range intersect a previous extent? */
579 if ((prev_lower_first <= lower_last) &&
580 (prev_lower_last >= lower_first))
586 static ssize_t map_write(struct file *file, const char __user *buf,
587 size_t count, loff_t *ppos,
589 struct uid_gid_map *map,
590 struct uid_gid_map *parent_map)
592 struct seq_file *seq = file->private_data;
593 struct user_namespace *ns = seq->private;
594 struct uid_gid_map new_map;
596 struct uid_gid_extent *extent = NULL;
597 unsigned long page = 0;
598 char *kbuf, *pos, *next_line;
599 ssize_t ret = -EINVAL;
602 * The userns_state_mutex serializes all writes to any given map.
604 * Any map is only ever written once.
606 * An id map fits within 1 cache line on most architectures.
608 * On read nothing needs to be done unless you are on an
609 * architecture with a crazy cache coherency model like alpha.
611 * There is a one time data dependency between reading the
612 * count of the extents and the values of the extents. The
613 * desired behavior is to see the values of the extents that
614 * were written before the count of the extents.
616 * To achieve this smp_wmb() is used on guarantee the write
617 * order and smp_rmb() is guaranteed that we don't have crazy
618 * architectures returning stale data.
620 mutex_lock(&userns_state_mutex);
623 /* Only allow one successful write to the map */
624 if (map->nr_extents != 0)
628 * Adjusting namespace settings requires capabilities on the target.
630 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
635 page = __get_free_page(GFP_TEMPORARY);
636 kbuf = (char *) page;
640 /* Only allow <= page size writes at the beginning of the file */
642 if ((*ppos != 0) || (count >= PAGE_SIZE))
645 /* Slurp in the user data */
647 if (copy_from_user(kbuf, buf, count))
651 /* Parse the user data */
654 new_map.nr_extents = 0;
655 for (;pos; pos = next_line) {
656 extent = &new_map.extent[new_map.nr_extents];
658 /* Find the end of line and ensure I don't look past it */
659 next_line = strchr(pos, '\n');
663 if (*next_line == '\0')
667 pos = skip_spaces(pos);
668 extent->first = simple_strtoul(pos, &pos, 10);
672 pos = skip_spaces(pos);
673 extent->lower_first = simple_strtoul(pos, &pos, 10);
677 pos = skip_spaces(pos);
678 extent->count = simple_strtoul(pos, &pos, 10);
679 if (*pos && !isspace(*pos))
682 /* Verify there is not trailing junk on the line */
683 pos = skip_spaces(pos);
687 /* Verify we have been given valid starting values */
688 if ((extent->first == (u32) -1) ||
689 (extent->lower_first == (u32) -1 ))
692 /* Verify count is not zero and does not cause the extent to wrap */
693 if ((extent->first + extent->count) <= extent->first)
695 if ((extent->lower_first + extent->count) <= extent->lower_first)
698 /* Do the ranges in extent overlap any previous extents? */
699 if (mappings_overlap(&new_map, extent))
702 new_map.nr_extents++;
704 /* Fail if the file contains too many extents */
705 if ((new_map.nr_extents == UID_GID_MAP_MAX_EXTENTS) &&
709 /* Be very certaint the new map actually exists */
710 if (new_map.nr_extents == 0)
714 /* Validate the user is allowed to use user id's mapped to. */
715 if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
718 /* Map the lower ids from the parent user namespace to the
719 * kernel global id space.
721 for (idx = 0; idx < new_map.nr_extents; idx++) {
723 extent = &new_map.extent[idx];
725 lower_first = map_id_range_down(parent_map,
729 /* Fail if we can not map the specified extent to
730 * the kernel global id space.
732 if (lower_first == (u32) -1)
735 extent->lower_first = lower_first;
738 /* Install the map */
739 memcpy(map->extent, new_map.extent,
740 new_map.nr_extents*sizeof(new_map.extent[0]));
742 map->nr_extents = new_map.nr_extents;
747 mutex_unlock(&userns_state_mutex);
753 ssize_t proc_uid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
755 struct seq_file *seq = file->private_data;
756 struct user_namespace *ns = seq->private;
757 struct user_namespace *seq_ns = seq_user_ns(seq);
762 if ((seq_ns != ns) && (seq_ns != ns->parent))
765 return map_write(file, buf, size, ppos, CAP_SETUID,
766 &ns->uid_map, &ns->parent->uid_map);
769 ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
771 struct seq_file *seq = file->private_data;
772 struct user_namespace *ns = seq->private;
773 struct user_namespace *seq_ns = seq_user_ns(seq);
778 if ((seq_ns != ns) && (seq_ns != ns->parent))
781 return map_write(file, buf, size, ppos, CAP_SETGID,
782 &ns->gid_map, &ns->parent->gid_map);
785 ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
787 struct seq_file *seq = file->private_data;
788 struct user_namespace *ns = seq->private;
789 struct user_namespace *seq_ns = seq_user_ns(seq);
794 if ((seq_ns != ns) && (seq_ns != ns->parent))
797 /* Anyone can set any valid project id no capability needed */
798 return map_write(file, buf, size, ppos, -1,
799 &ns->projid_map, &ns->parent->projid_map);
802 static bool new_idmap_permitted(const struct file *file,
803 struct user_namespace *ns, int cap_setid,
804 struct uid_gid_map *new_map)
806 const struct cred *cred = file->f_cred;
807 /* Don't allow mappings that would allow anything that wouldn't
808 * be allowed without the establishment of unprivileged mappings.
810 if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
811 uid_eq(ns->owner, cred->euid)) {
812 u32 id = new_map->extent[0].lower_first;
813 if (cap_setid == CAP_SETUID) {
814 kuid_t uid = make_kuid(ns->parent, id);
815 if (uid_eq(uid, cred->euid))
817 } else if (cap_setid == CAP_SETGID) {
818 kgid_t gid = make_kgid(ns->parent, id);
819 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
820 gid_eq(gid, cred->egid))
825 /* Allow anyone to set a mapping that doesn't require privilege */
826 if (!cap_valid(cap_setid))
829 /* Allow the specified ids if we have the appropriate capability
830 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
831 * And the opener of the id file also had the approprpiate capability.
833 if (ns_capable(ns->parent, cap_setid) &&
834 file_ns_capable(file, ns->parent, cap_setid))
840 int proc_setgroups_show(struct seq_file *seq, void *v)
842 struct user_namespace *ns = seq->private;
843 unsigned long userns_flags = ACCESS_ONCE(ns->flags);
845 seq_printf(seq, "%s\n",
846 (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
851 ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
852 size_t count, loff_t *ppos)
854 struct seq_file *seq = file->private_data;
855 struct user_namespace *ns = seq->private;
857 bool setgroups_allowed;
860 /* Only allow a very narrow range of strings to be written */
862 if ((*ppos != 0) || (count >= sizeof(kbuf)))
865 /* What was written? */
867 if (copy_from_user(kbuf, buf, count))
872 /* What is being requested? */
874 if (strncmp(pos, "allow", 5) == 0) {
876 setgroups_allowed = true;
878 else if (strncmp(pos, "deny", 4) == 0) {
880 setgroups_allowed = false;
885 /* Verify there is not trailing junk on the line */
886 pos = skip_spaces(pos);
891 mutex_lock(&userns_state_mutex);
892 if (setgroups_allowed) {
893 /* Enabling setgroups after setgroups has been disabled
896 if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
899 /* Permanently disabling setgroups after setgroups has
900 * been enabled by writing the gid_map is not allowed.
902 if (ns->gid_map.nr_extents != 0)
904 ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
906 mutex_unlock(&userns_state_mutex);
908 /* Report a successful write */
914 mutex_unlock(&userns_state_mutex);
918 bool userns_may_setgroups(const struct user_namespace *ns)
922 mutex_lock(&userns_state_mutex);
923 /* It is not safe to use setgroups until a gid mapping in
924 * the user namespace has been established.
926 allowed = ns->gid_map.nr_extents != 0;
927 /* Is setgroups allowed? */
928 allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
929 mutex_unlock(&userns_state_mutex);
934 static void *userns_get(struct task_struct *task)
936 struct user_namespace *user_ns;
939 user_ns = get_user_ns(__task_cred(task)->user_ns);
945 static void userns_put(void *ns)
950 static int userns_install(struct nsproxy *nsproxy, void *ns)
952 struct user_namespace *user_ns = ns;
955 /* Don't allow gaining capabilities by reentering
956 * the same user namespace.
958 if (user_ns == current_user_ns())
961 /* Threaded processes may not enter a different user namespace */
962 if (atomic_read(¤t->mm->mm_users) > 1)
965 if (current->fs->users != 1)
968 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
971 cred = prepare_creds();
975 put_user_ns(cred->user_ns);
976 set_cred_user_ns(cred, get_user_ns(user_ns));
978 return commit_creds(cred);
981 static unsigned int userns_inum(void *ns)
983 struct user_namespace *user_ns = ns;
984 return user_ns->proc_inum;
987 const struct proc_ns_operations userns_operations = {
989 .type = CLONE_NEWUSER,
992 .install = userns_install,
996 static __init int user_namespaces_init(void)
998 user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
1001 module_init(user_namespaces_init);