anolis: userns: add a sysctl to control the max depth

ANBZ: #1474 Add "sysctl.kernel.userns_max_level" to control the maximum nested level of user namespace. The valid configuration values are 0-33. When configured to zero, user namespace is effectively disabled. Originally the check is "if (parent_ns->level > 32)" and init_user_ns.level is zero, so the actually maximum level is 33 instead of 32. Signed-off-by: Jiang Liu <gerry@linux.alibaba.com> Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
2022-04-24 09:54:17 +08:00 · 2022-04-24 09:54:17 +08:00 · a380e9e60f
parent a702079920
commit a380e9e60f
4 changed files with 27 additions and 1 deletions
--- a/Documentation/admin-guide/sysctl/kernel.rst
+++ b/Documentation/admin-guide/sysctl/kernel.rst
@ -1480,6 +1480,14 @@ are not affected and are always capable of unsharing a new user
 namespace.


+userns_max_level
+================
+
+This value indicates the maximum nested level of user namespace. The
+valid configuration values are 0-33. When configured to zero, user
+namespace is effectively disabled.
+
+
 watchdog
 ========

--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@ -142,6 +142,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
 struct ns_common *ns_get_owner(struct ns_common *ns);

 extern int unprivileged_userns_clone;
+extern int userns_max_level;
+extern int userns_max_level_max;
 #else

 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@ -2074,6 +2074,15 @@ static struct ctl_table kern_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
+	{
+		.procname	= "userns_max_level",
+		.data		= &userns_max_level,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= &userns_max_level_max,
+	},
 #endif
 #ifdef CONFIG_PROC_SYSCTL
 	{
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@ -27,6 +27,13 @@
 */
 int unprivileged_userns_clone = 1;

+/*
+ * sysctl determining the maximum of nested level.
+ * Default to 33 to keep compatible with upstream.
+ */
+int userns_max_level = 33;
+int userns_max_level_max = 33;
+
 static struct kmem_cache *user_ns_cachep __read_mostly;
 static DEFINE_MUTEX(userns_state_mutex);

@ -81,7 +88,7 @@ int create_user_ns(struct cred *new)
 	int ret, i;

 	ret = -ENOSPC;
-	if (parent_ns->level > 32)
+	if (parent_ns->level >= userns_max_level)
 		goto fail;

 	ucounts = inc_user_namespaces(parent_ns, owner);