diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2016-08-08 14:41:52 -0500 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2016-08-08 14:41:52 -0500 |
commit | 25f9c0817c535a728c1088542230fa327c577c9e (patch) | |
tree | 50e60f8d962702d92b94392d536a1c71d77c851c /kernel/user_namespace.c | |
parent | f6b2db1a3e8d141dd144df58900fb0444d5d7c53 (diff) | |
download | lwn-25f9c0817c535a728c1088542230fa327c577c9e.tar.gz lwn-25f9c0817c535a728c1088542230fa327c577c9e.zip |
userns: Generalize the user namespace count into ucount
The same kind of recursive sane default limit and policy
countrol that has been implemented for the user namespace
is desirable for the other namespaces, so generalize
the user namespace refernce count into a ucount.
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel/user_namespace.c')
-rw-r--r-- | kernel/user_namespace.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 58c67e5f851c..0edafe305861 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -31,6 +31,16 @@ static bool new_idmap_permitted(const struct file *file, struct uid_gid_map *map); static void free_user_ns(struct work_struct *work); +static struct ucounts *inc_user_namespaces(struct user_namespace *ns, kuid_t uid) +{ + return inc_ucount(ns, uid, UCOUNT_USER_NAMESPACES); +} + +static void dec_user_namespaces(struct ucounts *ucounts) +{ + return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES); +} + static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) { /* Start with the same capabilities as init but useless for doing @@ -64,7 +74,7 @@ int create_user_ns(struct cred *new) kuid_t owner = new->euid; kgid_t group = new->egid; struct ucounts *ucounts; - int ret; + int ret, i; ret = -EUSERS; if (parent_ns->level > 32) @@ -110,7 +120,9 @@ int create_user_ns(struct cred *new) ns->owner = owner; ns->group = group; INIT_WORK(&ns->work, free_user_ns); - ns->max_user_namespaces = INT_MAX; + for (i = 0; i < UCOUNT_COUNTS; i++) { + ns->ucount_max[i] = INT_MAX; + } ns->ucounts = ucounts; /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */ |