From patchwork Mon Dec 19 14:38:35 2016
X-Patchwork-Submitter: "Michael Kerrisk (man-pages)"
X-Patchwork-Id: 9480345
Subject: [PATCH 2/2] nsfs: Add an ioctl() to return creator UID of a userns
To: "Eric W. Biederman", "Serge E. Hallyn"
From: "Michael Kerrisk (man-pages)"
Cc: mtk.manpages@gmail.com, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Andrey Vagin, James Bottomley, "W. Trevor King", Alexander Viro, Jonathan Corbet
Message-ID: <46b85444-dc97-17a3-4445-439923936450@gmail.com>
Date: Mon, 19 Dec 2016 15:38:35 +0100
X-Mailing-List: linux-fsdevel@vger.kernel.org

# Some open questions about this patch below.
#

One of the rules regarding capabilities is: A process that resides in
the parent of the user namespace and whose effective user ID matches
the owner of the namespace has all capabilities in the namespace.

Therefore, in order to write code that discovers whether process X has
capabilities in namespace Y, we need a way to find out who the creator
of a user namespace is.

This patch adds an NS_GET_CREATOR_UID ioctl() that returns the (munged)
UID of the creator of the user namespace referred to by the specified
file descriptor. If the supplied file descriptor does not refer to a
user namespace, the operation fails with the error EINVAL.

Signed-off-by: Michael Kerrisk
---
 fs/nsfs.c                 | 6 ++++++
 include/uapi/linux/nsfs.h | 8 +++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

Open questions:

* Would it be preferable to separate the logic for NS_GET_CREATOR_UID
  into a small helper function?

* Is this a correct use of container_of()? I did not immediately see
  another way to get to the user_namespace struct, but I may well have
  missed something.

diff --git a/fs/nsfs.c b/fs/nsfs.c index 5d53476..26f6d94 100644 --- a/fs/nsfs.c +++ b/fs/nsfs.c
@@ -163,6 +163,7 @@ int open_related_ns(struct ns_common *ns, static long ns_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg) { + struct user_namespace *user_ns; struct ns_common *ns = get_proc_ns(file_inode(filp)); switch (ioctl) { @@ -174,6 +175,11 @@ static long ns_ioctl(struct file *filp, unsigned int ioctl, return open_related_ns(ns, ns->ops->get_parent); case NS_GET_NSTYPE: return ns->ops->type; + case NS_GET_CREATOR_UID: + if (ns->ops->type != CLONE_NEWUSER) + return -EINVAL; + user_ns = container_of(ns, struct user_namespace, ns); + return from_kuid_munged(current_user_ns(), user_ns->owner); default: return -ENOTTY; } diff --git a/include/uapi/linux/nsfs.h b/include/uapi/linux/nsfs.h index 2b48df1..b3c6c78 100644 --- a/include/uapi/linux/nsfs.h +++ b/include/uapi/linux/nsfs.h @@ -6,11 +6,13 @@ #define NSIO 0xb7 /* Returns a file descriptor that refers to an owning user namespace */ -#define NS_GET_USERNS _IO(NSIO, 0x1) +#define NS_GET_USERNS _IO(NSIO, 0x1) /* Returns a file descriptor that refers to a parent namespace */ -#define NS_GET_PARENT _IO(NSIO, 0x2) +#define NS_GET_PARENT _IO(NSIO, 0x2) /* Returns the type of namespace (CLONE_NEW* value) referred to by file descriptor */ -#define NS_GET_NSTYPE _IO(NSIO, 0x3) +#define NS_GET_NSTYPE _IO(NSIO, 0x3) +/* Get creator UID for a user namespace */ +#define NS_GET_CREATOR_UID _IO(NSIO, 0x4) #endif /* __LINUX_NSFS_H */
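Review bot: In the NS_GET_CREATOR_UID case of ns_ioctl(), `return from_kuid_munged(current_user_ns(), user_ns->owner);` hands a uid_t back as the ioctl's long return value, where it cannot be told apart from -errno: on a 32-bit kernel a UID in the top 4095 values of the range reaches user space as an error, and on any kernel the int-returning ioctl(2) wrapper turns a UID at or above 2^31 into a negative number with errno untouched. The `arg` parameter is unused by this command, so return the UID through it instead, e.g. `uid_t uid = from_kuid_munged(current_user_ns(), user_ns->owner); return put_user(uid, (uid_t __user *)arg);`, and let the header's define say so with _IOR(). The `container_of(ns, struct user_namespace, ns)` itself is correct: the preceding `ns->ops->type != CLONE_NEWUSER` check guarantees that ns is the ns_common embedded in a struct user_namespace, which answers that open question without a helper.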
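Review bot: In the include/uapi/linux/nsfs.h hunk, the three `-#define`/`+#define` pairs for NS_GET_USERNS, NS_GET_PARENT and NS_GET_NSTYPE differ only in whitespace (re-aligning the values to the longer new name), unrelated churn that accounts for six of the hunk's eight changed lines and is not mentioned in the commit message; either drop the realignment or note it in the commit message. The comment on the new define, `/* Get creator UID for a user namespace */`, should carry what the commit message states and a uapi user needs: the UID is the munged value in the caller's user namespace, and the ioctl fails with EINVAL for a descriptor that is not a user namespace. Since the value read is user_ns->owner and the capability rule quoted in the commit message speaks of the namespace's owner, NS_GET_OWNER_UID would name the operation after what it returns.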
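The use case the commit message gives, deciding whether process X has a capability in user namespace Y, in working user-space code, as an added example that is not part of the patch or of the kernel tree: it walks from Y towards the root with the existing NS_GET_PARENT, reads each level's creator with the proposed NS_GET_CREATOR_UID (ioctl number 0x4 taken from the patch; no released kernel implements it, so a real kernel answers ENOTTY), identifies namespaces by the st_dev/st_ino of their ns descriptors, and applies the rule quoted above together with the ordinary CapEff check in a pure function so the decision can be exercised with constructed data. The struct and function names and the sample chain are this example's own; X's effective UID and CapEff (from /proc/X/status) and the overflow UID (/proc/sys/kernel/overflowuid) are assumed to be read by the caller separately.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define NSIO 0xb7
#define NS_GET_PARENT      _IO(NSIO, 0x2)
#define NS_GET_CREATOR_UID _IO(NSIO, 0x4)  /* as proposed in the patch; in no released header */
#define MAX_USERNS_DEPTH   32              /* the kernel's user namespace nesting limit */

/* One user namespace on the path from the target up towards the root. */
struct userns_link {
	dev_t dev;          /* st_dev/st_ino of the ns fd identify the namespace */
	ino_t ino;
	uid_t creator_uid;  /* NS_GET_CREATOR_UID result, mapped into the caller's ns */
};

/*
 * Decide from a collected chain (chain[0] = target Y, chain[n-1] = highest
 * ancestor reached) whether X has a capability in Y. (x_dev, x_ino) is X's own
 * user namespace (fstat of /proc/X/ns/user), x_euid its effective UID as shown
 * to the caller, x_has_cap whether the capability is in X's CapEff, overflow_uid
 * the kernel's overflow UID. Same walk as the kernel: X's own namespace decides
 * by CapEff; X in the parent of a level and owning it has every capability there.
 */
int has_cap_in_userns(const struct userns_link *chain, size_t n,
		      dev_t x_dev, ino_t x_ino, uid_t x_euid,
		      int x_has_cap, uid_t overflow_uid)
{
	for (size_t i = 0; i < n; i++) {
		if (chain[i].dev == x_dev && chain[i].ino == x_ino)
			return x_has_cap;
		/* An overflow UID means "not mapped here", never a genuine match. */
		if (i + 1 < n &&
		    chain[i + 1].dev == x_dev && chain[i + 1].ino == x_ino &&
		    x_euid != overflow_uid && chain[i].creator_uid == x_euid)
			return 1;
	}
	return 0;  /* walked off the top without meeting X's namespace */
}

/* Walk from userns_fd upwards; NS_GET_PARENT fails with EPERM at the root and
 * when the parent is outside the caller's view, and the chain ends there.
 * Returns the link count, or -1 with errno set. userns_fd is left open. */
ssize_t collect_userns_chain(int userns_fd, struct userns_link *chain, size_t max)
{
	int fd = dup(userns_fd), saved;
	size_t n = 0;

	if (fd < 0)
		return -1;
	while (n < max) {
		struct stat st;
		int ret;

		if (fstat(fd, &st) < 0)
			goto fail;
		/* The UID rides in the return value, so a UID >= 2^31 arrives negative
		 * with errno untouched; only a set errno (EINVAL, ENOTTY) is an error. */
		errno = 0;
		ret = ioctl(fd, NS_GET_CREATOR_UID);
		if (ret < 0 && errno != 0)
			goto fail;
		chain[n].dev = st.st_dev;
		chain[n].ino = st.st_ino;
		chain[n++].creator_uid = (uid_t)ret;
		ret = ioctl(fd, NS_GET_PARENT);
		if (ret < 0 && errno == EPERM)
			break;  /* root, or a parent the caller may not see */
		if (ret < 0)
			goto fail;
		close(fd);
		fd = ret;
	}
	close(fd);
	return (ssize_t)n;
fail:
	saved = errno;
	close(fd);
	errno = saved;
	return -1;
}

/* Constructed sample, not kernel data: Y (ino 100) was created by UID 1000
 * from ino 200, which UID 0 created from the root, ino 300. */
const struct userns_link sample_chain[3] = {
	{ 1, 100, 1000 }, { 1, 200, 0 }, { 1, 300, 0 },
};

int main(int argc, char *argv[])
{
	struct userns_link chain[MAX_USERNS_DEPTH];
	int fd = open(argc > 1 ? argv[1] : "/proc/self/ns/user", O_RDONLY);
	ssize_t n = fd < 0 ? -1 : collect_userns_chain(fd, chain, MAX_USERNS_DEPTH);
	if (n < 0) {
		perror("userns chain");
		return 1;
	}
	for (ssize_t i = 0; i < n; i++)
		printf("level %zd: ino %llu creator uid %u\n", i, (unsigned long long)chain[i].ino, (unsigned)chain[i].creator_uid);
	return 0;
}
```

The collector treats a negative ioctl() return with errno still zero as a UID at or above 2^31 rather than an error, because the ioctl as proposed carries the UID in the return value; the decision function refuses to match on the overflow UID, since two distinct kuids that are both unmapped in the caller's namespace show up as that same value. Run against a kernel with the patch applied, `./a.out /proc/<pid>/ns/user` prints the chain of creator UIDs as seen from the caller's namespace.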