summaryrefslogtreecommitdiff
path: root/kernel/user_namespace.c
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2016-08-08 14:41:52 -0500
committerEric W. Biederman <ebiederm@xmission.com>2016-08-08 14:41:52 -0500
commit25f9c0817c535a728c1088542230fa327c577c9e (patch)
tree50e60f8d962702d92b94392d536a1c71d77c851c /kernel/user_namespace.c
parentf6b2db1a3e8d141dd144df58900fb0444d5d7c53 (diff)
downloadlwn-25f9c0817c535a728c1088542230fa327c577c9e.tar.gz
lwn-25f9c0817c535a728c1088542230fa327c577c9e.zip
userns: Generalize the user namespace count into ucount
The same kind of recursive sane default limit and policy countrol that has been implemented for the user namespace is desirable for the other namespaces, so generalize the user namespace refernce count into a ucount. Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel/user_namespace.c')
-rw-r--r--kernel/user_namespace.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 58c67e5f851c..0edafe305861 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -31,6 +31,16 @@ static bool new_idmap_permitted(const struct file *file,
struct uid_gid_map *map);
static void free_user_ns(struct work_struct *work);
+static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid)
+{
+ return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES);
+}
+
+static void dec_user_namespaces(struct ucounts *ucounts)
+{
+ return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES);
+}
+
static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
{
/* Start with the same capabilities as init but useless for doing
@@ -64,7 +74,7 @@ int create_user_ns(struct cred *new)
kuid_t owner = new->euid;
kgid_t group = new->egid;
struct ucounts *ucounts;
- int ret;
+ int ret, i;
ret = -EUSERS;
if (parent_ns->level > 32)
@@ -110,7 +120,9 @@ int create_user_ns(struct cred *new)
ns->owner = owner;
ns->group = group;
INIT_WORK(&ns->work, free_user_ns);
- ns->max_user_namespaces = INT_MAX;
+ for (i = 0; i < UCOUNT_COUNTS; i++) {
+ ns->ucount_max[i] = INT_MAX;
+ }
ns->ucounts = ucounts;
/* Inherit USERNS_SETGROUPS_ALLOWED from our parent */