From: ebiederm@xmission.com (Eric W. Biederman)
To: David Miller <davem@davemloft.net>
Cc: Serge Hallyn <serue@us.ibm.com>,
Linux Containers <containers@lists.osdl.org>,
Daniel Lezcano <daniel.lezcano@free.fr>,
netdev@vger.kernel.org, Pavel Emelyanov <xemul@parallels.com>
Subject: [PATCH 2/8] user_ns: Introduce user_nsmap_uid and user_ns_map_gid.
Date: Sun, 13 Jun 2010 06:28:03 -0700
Message-ID: <m17hm3hxjw.fsf_-_@fess.ebiederm.org>
In-Reply-To: <m1d3vvhxlj.fsf@fess.ebiederm.org> (Eric W. Biederman's message of "Sun, 13 Jun 2010 06:27:04 -0700")
Define what happens when we view a uid from one user_namespace
in another user_namespace.
- If the user namespaces are the same no mapping is necessary.
- For most cases of difference use overflowuid and overflowgid,
the uid and gid currently used for 16bit apis when we have a 32bit uid
that does fit in 16bits. Effectively the situation is the same,
we want to return a uid or gid that is not assigned to any user.
- For the case when we happen to be mapping the uid or gid of the
creator of the target user namespace use uid 0 and gid as confusing
that user with root is not a problem.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
include/linux/user_namespace.h | 14 ++++++++++++
kernel/user_namespace.c | 44 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 0 deletions(-)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index cc4f453..8178156 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -36,6 +36,9 @@ static inline void put_user_ns(struct user_namespace *ns)
kref_put(&ns->kref, free_user_ns);
}
+uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t uid);
+gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t gid);
+
#else
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
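Review bot: the two new prototypes go in without any comment stating the mapping contract (identity when `to` is the cred's own namespace, 0 when cred->user created `to` or one of its ancestors, overflowuid/overflowgid otherwise); every caller of user_ns_map_uid()/user_ns_map_gid() will reason from this header, so that contract belongs above the declarations in include/linux/user_namespace.h rather than only in the commit message.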
@@ -52,6 +55,17 @@ static inline void put_user_ns(struct user_namespace *ns)
{
}
+static inline uid_t user_ns_map_uid(struct user_namespace *to,
+ const struct cred *cred, uid_t uid)
+{
+ return uid;
+}
+static inline gid_t user_ns_map_gid(struct user_namespace *to,
+ const struct cred *cred, gid_t gid)
+{
+ return gid;
+}
+
#endif
#endif /* _LINUX_USER_H */
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 076c7c8..825abfb 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -9,6 +9,7 @@
#include <linux/nsproxy.h>
#include <linux/slab.h>
#include <linux/user_namespace.h>
+#include <linux/highuid.h>
#include <linux/cred.h>
/*
@@ -82,3 +83,46 @@ void free_user_ns(struct kref *kref)
schedule_work(&ns->destroyer);
}
EXPORT_SYMBOL(free_user_ns);
+
+uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t uid)
+{
+ struct user_namespace *tmp;
+
+ if (likely(to == cred->user->user_ns))
+ return uid;
+
+
+ /* Is cred->user the creator of the target user_ns
+ * or the creator of one of it's parents?
+ */
+ for ( tmp = to; tmp != &init_user_ns;
+ tmp = tmp->creator->user_ns ) {
+ if (cred->user == tmp->creator) {
+ return (uid_t)0;
+ }
+ }
+
+ /* No useful relationship so no mapping */
+ return overflowuid;
+}
+
+gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t gid)
+{
+ struct user_namespace *tmp;
+
+ if (likely(to == cred->user->user_ns))
+ return gid;
+
+ /* Is cred->user the creator of the target user_ns
+ * or the creator of one of it's parents?
+ */
+ for ( tmp = to; tmp != &init_user_ns;
+ tmp = tmp->creator->user_ns ) {
+ if (cred->user == tmp->creator) {
+ return (gid_t)0;
+ }
+ }
+
+ /* No useful relationship so no mapping */
+ return overflowgid;
+}
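Review bot: once `to` differs from cred->user->user_ns the id argument is never consulted again: the creator test is `cred->user == tmp->creator`, so whatever uid is passed in for a cred whose user created `to` (or an ancestor) comes back as 0, and user_ns_map_gid() returns gid 0 on that same uid-based test without looking at `gid` at all, even though the description speaks of mapping "the uid or gid of the creator". Either document that these helpers are only meaningful for the ids that belong to cred->user, or compare the passed-in id against the creator's before returning 0. Two smaller points on the same hunk: overflowuid/overflowgid are the sysctl-settable fs.overflowuid/fs.overflowgid values, so the "not assigned to any user" property holds only while the administrator keeps the default and a comment should say so; and the ancestor walk is duplicated verbatim between the two functions (a small shared helper would keep them from drifting apart), there is a stray double blank line after the fast-path `return uid;`, and "it's" in both comments should be "its".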
--
1.6.5.2.143.g8cc62
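As an added illustration of the three mapping rules in the commit message (this is not part of the patch or of the kernel tree): a userspace C model that re-implements the mapping over a constructed two-level namespace chain. The struct layouts, the names init_user_ns/ns_a/ns_b, alice/bob/carol, alice_cred/bob_cred, and map_uid()/map_gid() are stand-ins invented here, and OVERFLOWUID/OVERFLOWGID hold the default values of fs.overflowuid/fs.overflowgid. Besides the three documented cases it exercises the one the description leaves implicit: when the cred's user is the creator, the id argument is not consulted, so a creator's euid and gid map to 0 as well.

```c
/* Userspace model of the user_ns mapping rules. Added example, not kernel
 * code: the types, namespace/user names and cred values are constructed
 * stand-ins; map_uid()/map_gid() mirror the logic of the patch. */
#include <stdio.h>
#include <sys/types.h>

/* Defaults of fs.overflowuid / fs.overflowgid (sysctl-tunable in the kernel) */
#define OVERFLOWUID ((uid_t)65534)
#define OVERFLOWGID ((gid_t)65534)

struct user_ns;

struct user_struct {
    uid_t uid;
    struct user_ns *user_ns;     /* namespace this uid is interpreted in */
};

struct user_ns {
    struct user_struct *creator; /* user in the parent ns that created it */
};

struct cred {
    uid_t uid, euid;
    gid_t gid;
    struct user_struct *user;    /* owner of the credentials (real uid) */
};

/* Constructed topology:
 *   init_user_ns --alice(1000)--> ns_a --carol(1000)--> ns_b
 * bob is an unrelated uid 1000 living inside ns_a. */
static struct user_ns init_user_ns, ns_a, ns_b;   /* tentative, defined below */

static struct user_struct root_user = { 0,    &init_user_ns };
static struct user_struct alice     = { 1000, &init_user_ns };
static struct user_struct bob       = { 1000, &ns_a };
static struct user_struct carol     = { 1000, &ns_a };

static struct user_ns init_user_ns = { &root_user };
static struct user_ns ns_a         = { &alice };
static struct user_ns ns_b         = { &carol };

/* alice is running a setuid binary: euid 1001 differs from her real uid */
static struct cred alice_cred = { 1000, 1001, 100, &alice };
static struct cred bob_cred   = { 1000, 1000, 100, &bob };

/* Same structure as the patch: pass through in the same namespace, 0 if the
 * cred's user created `to` or one of its ancestors, otherwise the overflow id. */
uid_t map_uid(struct user_ns *to, const struct cred *cred, uid_t uid)
{
    struct user_ns *tmp;

    if (to == cred->user->user_ns)
        return uid;
    for (tmp = to; tmp != &init_user_ns; tmp = tmp->creator->user_ns)
        if (cred->user == tmp->creator)
            return 0;           /* `uid` is not examined on this path */
    return OVERFLOWUID;
}

gid_t map_gid(struct user_ns *to, const struct cred *cred, gid_t gid)
{
    struct user_ns *tmp;

    if (to == cred->user->user_ns)
        return gid;
    for (tmp = to; tmp != &init_user_ns; tmp = tmp->creator->user_ns)
        if (cred->user == tmp->creator)
            return 0;           /* keyed on the uid-based user_struct, not on `gid` */
    return OVERFLOWGID;
}

int main(void)
{
    printf("alice(1000) seen from init_user_ns: %u\n", map_uid(&init_user_ns, &alice_cred, alice_cred.uid));
    printf("alice(1000) seen from ns_a:         %u\n", map_uid(&ns_a, &alice_cred, alice_cred.uid));
    printf("alice euid(1001) seen from ns_a:    %u\n", map_uid(&ns_a, &alice_cred, alice_cred.euid));
    printf("alice gid(100) seen from ns_a:      %u\n", map_gid(&ns_a, &alice_cred, alice_cred.gid));
    printf("alice seen from grandchild ns_b:    %u\n", map_uid(&ns_b, &alice_cred, alice_cred.uid));
    printf("bob(1000 in ns_a) seen from init:   %u\n", map_uid(&init_user_ns, &bob_cred, bob_cred.uid));
    printf("bob seen from ns_b:                 %u\n", map_uid(&ns_b, &bob_cred, bob_cred.uid));
    return 0;
}
```

The walk from ns_b reaches alice through carol's namespace, which is the "creator of one of its parents" case; bob, who created nothing, is reported as the overflow id everywhere outside ns_a.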
Thread overview:
2010-06-13 13:25 [PATCH 0/8] Support unix domain sockets across namespaces Eric W. Biederman
2010-06-13 13:27 ` [PATCH 1/8] scm: Reorder scm_cookie Eric W. Biederman
2010-06-13 13:28 ` Eric W. Biederman [this message]
2010-06-15 8:02 ` [PATCH 2/8] user_ns: Introduce user_nsmap_uid and user_ns_map_gid Pavel Emelyanov
2010-06-15 22:37 ` Eric W. Biederman
2010-06-15 20:58 ` Serge E. Hallyn
2010-06-15 8:00 ` [PATCH 1/8] scm: Reorder scm_cookie Pavel Emelyanov
2010-06-13 13:28 ` [PATCH 3/8] sock: Introduce cred_to_ucred Eric W. Biederman
2010-06-15 8:03 ` Pavel Emelyanov
2010-06-13 13:30 ` [PATCH 4/8] af_unix: Allow SO_PEERCRED to work across namespaces Eric W. Biederman
2010-06-14 13:37 ` Daniel Lezcano
2010-06-15 8:04 ` Pavel Emelyanov
2010-06-13 13:31 ` [PATCH 5/8] af_netlink: Add needed scm_destroy after scm_send Eric W. Biederman
2010-06-14 13:37 ` Daniel Lezcano
2010-06-15 8:06 ` Pavel Emelyanov
2010-06-13 13:32 ` [PATCH 6/8] scm: Capture the full credentials of the scm sender Eric W. Biederman
2010-06-15 8:08 ` Pavel Emelyanov
2010-06-15 9:53 ` Eric W. Biederman
2010-06-15 21:45 ` Serge E. Hallyn
2010-06-15 22:08 ` Eric W. Biederman
2010-06-16 4:47 ` Serge E. Hallyn
2010-06-13 13:34 ` [PATCH 7/8] af_unix: Allow credentials to work across user and pid namespaces Eric W. Biederman
2010-06-15 8:11 ` Pavel Emelyanov
2010-06-13 13:35 ` [PATCH 8/8] af_unix: Allow connecting to sockets in other network namespaces Eric W. Biederman
2010-06-14 13:37 ` Daniel Lezcano
2010-06-15 8:12 ` Pavel Emelyanov
2010-06-16 22:15 ` [PATCH 0/8] Support unix domain sockets across namespaces David Miller
2010-06-16 23:17 ` David Miller
2010-06-16 23:32 ` Eric W. Biederman