namespace.c 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157
  1. // SPDX-License-Identifier: GPL-2.0
  2. #include "cgroup-internal.h"
  3. #include <linux/sched/task.h>
  4. #include <linux/slab.h>
  5. #include <linux/nsproxy.h>
  6. #include <linux/proc_ns.h>
  7. /* cgroup namespaces */
  8. static struct ucounts *inc_cgroup_namespaces(struct user_namespace *ns)
  9. {
  10. return inc_ucount(ns, current_euid(), UCOUNT_CGROUP_NAMESPACES);
  11. }
  12. static void dec_cgroup_namespaces(struct ucounts *ucounts)
  13. {
  14. dec_ucount(ucounts, UCOUNT_CGROUP_NAMESPACES);
  15. }
  16. static struct cgroup_namespace *alloc_cgroup_ns(void)
  17. {
  18. struct cgroup_namespace *new_ns;
  19. int ret;
  20. new_ns = kzalloc(sizeof(struct cgroup_namespace), GFP_KERNEL);
  21. if (!new_ns)
  22. return ERR_PTR(-ENOMEM);
  23. ret = ns_alloc_inum(&new_ns->ns);
  24. if (ret) {
  25. kfree(new_ns);
  26. return ERR_PTR(ret);
  27. }
  28. refcount_set(&new_ns->count, 1);
  29. new_ns->ns.ops = &cgroupns_operations;
  30. return new_ns;
  31. }
  32. void free_cgroup_ns(struct cgroup_namespace *ns)
  33. {
  34. put_css_set(ns->root_cset);
  35. dec_cgroup_namespaces(ns->ucounts);
  36. put_user_ns(ns->user_ns);
  37. ns_free_inum(&ns->ns);
  38. kfree(ns);
  39. }
  40. EXPORT_SYMBOL(free_cgroup_ns);
  41. struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
  42. struct user_namespace *user_ns,
  43. struct cgroup_namespace *old_ns)
  44. {
  45. struct cgroup_namespace *new_ns;
  46. struct ucounts *ucounts;
  47. struct css_set *cset;
  48. BUG_ON(!old_ns);
  49. if (!(flags & CLONE_NEWCGROUP)) {
  50. get_cgroup_ns(old_ns);
  51. return old_ns;
  52. }
  53. /* Allow only sysadmin to create cgroup namespace. */
  54. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  55. return ERR_PTR(-EPERM);
  56. ucounts = inc_cgroup_namespaces(user_ns);
  57. if (!ucounts)
  58. return ERR_PTR(-ENOSPC);
  59. /* It is not safe to take cgroup_mutex here */
  60. spin_lock_irq(&css_set_lock);
  61. cset = task_css_set(current);
  62. get_css_set(cset);
  63. spin_unlock_irq(&css_set_lock);
  64. new_ns = alloc_cgroup_ns();
  65. if (IS_ERR(new_ns)) {
  66. put_css_set(cset);
  67. dec_cgroup_namespaces(ucounts);
  68. return new_ns;
  69. }
  70. new_ns->user_ns = get_user_ns(user_ns);
  71. new_ns->ucounts = ucounts;
  72. new_ns->root_cset = cset;
  73. return new_ns;
  74. }
  75. static inline struct cgroup_namespace *to_cg_ns(struct ns_common *ns)
  76. {
  77. return container_of(ns, struct cgroup_namespace, ns);
  78. }
  79. static int cgroupns_install(struct nsproxy *nsproxy, struct ns_common *ns)
  80. {
  81. struct cgroup_namespace *cgroup_ns = to_cg_ns(ns);
  82. if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN) ||
  83. !ns_capable(cgroup_ns->user_ns, CAP_SYS_ADMIN))
  84. return -EPERM;
  85. /* Don't need to do anything if we are attaching to our own cgroupns. */
  86. if (cgroup_ns == nsproxy->cgroup_ns)
  87. return 0;
  88. get_cgroup_ns(cgroup_ns);
  89. put_cgroup_ns(nsproxy->cgroup_ns);
  90. nsproxy->cgroup_ns = cgroup_ns;
  91. return 0;
  92. }
  93. static struct ns_common *cgroupns_get(struct task_struct *task)
  94. {
  95. struct cgroup_namespace *ns = NULL;
  96. struct nsproxy *nsproxy;
  97. task_lock(task);
  98. nsproxy = task->nsproxy;
  99. if (nsproxy) {
  100. ns = nsproxy->cgroup_ns;
  101. get_cgroup_ns(ns);
  102. }
  103. task_unlock(task);
  104. return ns ? &ns->ns : NULL;
  105. }
  106. static void cgroupns_put(struct ns_common *ns)
  107. {
  108. put_cgroup_ns(to_cg_ns(ns));
  109. }
  110. static struct user_namespace *cgroupns_owner(struct ns_common *ns)
  111. {
  112. return to_cg_ns(ns)->user_ns;
  113. }
  114. const struct proc_ns_operations cgroupns_operations = {
  115. .name = "cgroup",
  116. .type = CLONE_NEWCGROUP,
  117. .get = cgroupns_get,
  118. .put = cgroupns_put,
  119. .install = cgroupns_install,
  120. .owner = cgroupns_owner,
  121. };
  122. static __init int cgroup_namespaces_init(void)
  123. {
  124. return 0;
  125. }
  126. subsys_initcall(cgroup_namespaces_init);