sentry/kernel: unshare atomically and without holding Task.mu unnecessarily

nixprime · gvisor-bot · commit 234848462044 · 2025-10-16T16:00:23.000-07:00
Both changes are consistent with Linux's kernel/fork.c:ksys_unshare().

PiperOrigin-RevId: 820375452
diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go
@@ -152,6 +152,28 @@ func (c *Credentials) Fork() *Credentials {
 	return nc
 }
 
+// ForkIntoUserNamespace returns a copy of c after its caller has entered user
+// namespace ns.
+func (c *Credentials) ForkIntoUserNamespace(ns *UserNamespace) *Credentials {
+	nc := c.Fork()
+	nc.UserNamespace = ns
+	// "The child process created by clone(2) with the CLONE_NEWUSER flag
+	// starts out with a complete set of capabilities in the new user
+	// namespace. Likewise, a process that creates a new user namespace using
+	// unshare(2) or joins an existing user namespace using setns(2) gains a
+	// full set of capabilities in that namespace."
+	nc.PermittedCaps = AllCapabilities
+	nc.InheritableCaps = 0
+	nc.EffectiveCaps = AllCapabilities
+	nc.BoundingCaps = AllCapabilities
+	// "A call to clone(2), unshare(2), or setns(2) using the CLONE_NEWUSER
+	// flag sets the "securebits" flags (see capabilities(7)) to their default
+	// values (all flags disabled) in the child (for clone(2)) or caller (for
+	// unshare(2), or setns(2)." - user_namespaces(7)
+	nc.KeepCaps = false
+	return nc
+}
+
 // InGroup returns true if c is in group kgid. Compare Linux's
 // kernel/groups.c:in_group_p().
 func (c *Credentials) InGroup(kgid KGID) bool {
@@ -242,34 +264,6 @@ func (c *Credentials) UseGID(gid GID) (KGID, error) {
 	return NoID, linuxerr.EPERM
 }
 
-// SetUID translates the provided uid to the root user namespace and updates c's
-// uids to it. This performs no permissions or capabilities checks, the caller
-// is responsible for ensuring the calling context is permitted to modify c.
-func (c *Credentials) SetUID(uid UID) error {
-	kuid := c.UserNamespace.MapToKUID(uid)
-	if !kuid.Ok() {
-		return linuxerr.EINVAL
-	}
-	c.RealKUID = kuid
-	c.EffectiveKUID = kuid
-	c.SavedKUID = kuid
-	return nil
-}
-
-// SetGID translates the provided gid to the root user namespace and updates c's
-// gids to it. This performs no permissions or capabilities checks, the caller
-// is responsible for ensuring the calling context is permitted to modify c.
-func (c *Credentials) SetGID(gid GID) error {
-	kgid := c.UserNamespace.MapToKGID(gid)
-	if !kgid.Ok() {
-		return linuxerr.EINVAL
-	}
-	c.RealKGID = kgid
-	c.EffectiveKGID = kgid
-	c.SavedKGID = kgid
-	return nil
-}
-
 // LoadSeccheckData sets credential data based on mask.
 func (c *Credentials) LoadSeccheckData(mask seccheck.FieldMask, info *pb.ContextData) {
 	if mask.Contains(seccheck.FieldCtxtCredentials) {
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
@@ -298,11 +298,7 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 	}
 
 	if userns != creds.UserNamespace {
-		if err := nt.SetUserNamespace(userns); err != nil {
-			// This shouldn't be possible: userns was created from nt.creds, so
-			// nt should have CAP_SYS_ADMIN in userns.
-			panic("Task.Clone: SetUserNamespace failed: " + err.Error())
-		}
+		nt.creds.Store(creds.ForkIntoUserNamespace(userns))
 	}
 
 	// This has to happen last, because e.g. ptraceClone may send a SIGSTOP to
@@ -618,7 +614,6 @@ func (t *Task) Unshare(flags int32) error {
 	if flags&(linux.CLONE_VM|linux.CLONE_SIGHAND) != 0 {
 		return linuxerr.EINVAL
 	}
-	creds := t.Credentials()
 	if flags&linux.CLONE_THREAD != 0 {
 		t.tg.signalHandlers.mu.Lock()
 		if t.tg.tasksCount != 1 {
@@ -629,98 +624,137 @@ func (t *Task) Unshare(flags int32) error {
 		// This isn't racy because we're the only living task, and therefore
 		// the only task capable of creating new ones, in our thread group.
 	}
+
+	// Prepare new execution context.
+	creds := t.Credentials()
+	var (
+		newFSContext  *FSContext
+		newFDTable    *FDTable
+		newCreds      bool
+		newChildPIDNS *PIDNamespace
+		newNetNS      *inet.Namespace
+		newUTSNS      *UTSNamespace
+		newIPCNS      *IPCNamespace
+		newMountNS    *vfs.MountNamespace
+	)
+	defer func() {
+		if newFSContext != nil {
+			newFSContext.destroy(t)
+		}
+		if newFDTable != nil {
+			newFDTable.DecRef(t)
+		}
+		if newNetNS != nil {
+			newNetNS.DecRef(t)
+		}
+		if newUTSNS != nil {
+			newUTSNS.DecRef(t)
+		}
+		if newIPCNS != nil {
+			newIPCNS.DecRef(t)
+		}
+		if newMountNS != nil {
+			newMountNS.DecRef(t)
+		}
+	}()
+	if flags&linux.CLONE_FS != 0 || flags&linux.CLONE_NEWNS != 0 {
+		newFSContext = t.FSContext().Fork()
+	}
+	if flags&linux.CLONE_FILES != 0 {
+		newFDTable = t.fdTable.Fork(t, MaxFdLimit)
+	}
 	if flags&linux.CLONE_NEWUSER != 0 {
 		if t.IsChrooted() {
 			return linuxerr.EPERM
 		}
+		var err error
 		newUserNS, err := creds.NewChildUserNamespace()
 		if err != nil {
 			return err
 		}
-		err = t.SetUserNamespace(newUserNS)
-		if err != nil {
-			return err
-		}
-		// Need to reload creds, because t.SetUserNamespace() changed task credentials.
-		creds = t.Credentials()
+		creds = t.Credentials().ForkIntoUserNamespace(newUserNS)
+		newCreds = true
 	}
-	haveCapSysAdmin := t.HasCapability(linux.CAP_SYS_ADMIN)
+	haveCapSysAdmin := creds.HasCapability(linux.CAP_SYS_ADMIN)
 	if flags&linux.CLONE_NEWPID != 0 {
 		if !haveCapSysAdmin {
 			return linuxerr.EPERM
 		}
-		t.childPIDNamespace = t.tg.pidns.NewChild(t, t.k, t.UserNamespace())
+		newChildPIDNS = t.tg.pidns.NewChild(t, t.k, creds.UserNamespace)
 	}
 	if flags&linux.CLONE_NEWNET != 0 {
 		if !haveCapSysAdmin {
 			return linuxerr.EPERM
 		}
-		netns := t.NetworkNamespace()
-		netns = inet.NewNamespace(netns, t.UserNamespace())
-		netnsInode := nsfs.NewInode(t, t.k.nsfsMount, netns)
-		netns.SetInode(netnsInode)
-		t.mu.Lock()
-		oldNetns := t.netns
-		t.netns = netns
-		t.mu.Unlock()
-		oldNetns.DecRef(t)
+		newNetNS = inet.NewNamespace(t.netns, creds.UserNamespace)
+		newNetNS.SetInode(nsfs.NewInode(t, t.k.nsfsMount, newNetNS))
 	}
-
-	cu := cleanup.Cleanup{}
-	// All cu actions has to be executed after releasing t.mu.
-	defer cu.Clean()
-	t.mu.Lock()
-	defer t.mu.Unlock()
 	if flags&linux.CLONE_NEWUTS != 0 {
 		if !haveCapSysAdmin {
 			return linuxerr.EPERM
 		}
-		// Note that this must happen after NewUserNamespace, so the
-		// new user namespace is used if there is one.
-		oldUTSNS := t.utsns
-		t.utsns = t.utsns.Clone(creds.UserNamespace)
-		t.utsns.SetInode(nsfs.NewInode(t, t.k.nsfsMount, t.utsns))
-		cu.Add(func() { oldUTSNS.DecRef(t) })
+		newUTSNS = t.utsns.Clone(creds.UserNamespace)
+		newUTSNS.SetInode(nsfs.NewInode(t, t.k.nsfsMount, newUTSNS))
 	}
 	if flags&linux.CLONE_NEWIPC != 0 {
 		if !haveCapSysAdmin {
 			return linuxerr.EPERM
 		}
-		// Note that "If CLONE_NEWIPC is set, then create the process in a new IPC
-		// namespace"
-		oldIPCNS := t.ipcns
-		t.ipcns = NewIPCNamespace(creds.UserNamespace)
-		t.ipcns.InitPosixQueues(t, t.k.VFS(), creds)
-		t.ipcns.SetInode(nsfs.NewInode(t, t.k.nsfsMount, t.ipcns))
-		cu.Add(func() { oldIPCNS.DecRef(t) })
-	}
-	if flags&linux.CLONE_FILES != 0 {
-		oldFDTable := t.fdTable
-		t.fdTable = oldFDTable.Fork(t, MaxFdLimit)
-		cu.Add(func() { oldFDTable.DecRef(t) })
-	}
-	if flags&linux.CLONE_FS != 0 || flags&linux.CLONE_NEWNS != 0 {
-		oldFSContext := t.FSContext()
-		// unshareFromTask() lowers the old fs context's ref count, but its for us to
-		// destroy it if there are no other references.
-		if oldFSContext.unshareFromTask(t, oldFSContext.Fork()) {
-			// destroy() requires t.mu to not be held, hence the deferral.
-			cu.Add(func() { oldFSContext.destroy(t) })
-		}
+		newIPCNS = NewIPCNamespace(creds.UserNamespace)
+		newIPCNS.InitPosixQueues(t, t.k.VFS(), creds)
+		newIPCNS.SetInode(nsfs.NewInode(t, t.k.nsfsMount, newIPCNS))
 	}
 	if flags&linux.CLONE_NEWNS != 0 {
 		if !haveCapSysAdmin {
 			return linuxerr.EPERM
 		}
-		oldMountNS := t.mountNamespace
-		fsContext := t.FSContext()
-		mntns, err := t.k.vfs.CloneMountNamespace(t, creds.UserNamespace, oldMountNS, &fsContext.root, &fsContext.cwd, t.k)
+		fsContext := newFSContext
+		if fsContext == nil {
+			fsContext = t.FSContext()
+		}
+		var err error
+		newMountNS, err = t.k.vfs.CloneMountNamespace(t, creds.UserNamespace, t.mountNamespace, &fsContext.root, &fsContext.cwd, t.k)
 		if err != nil {
 			return err
 		}
-		t.mountNamespace = mntns
-		cu.Add(func() { oldMountNS.DecRef(t) })
 	}
+
+	// Switch to new execution context. Store replaced resources in new* so
+	// that they're cleaned up by the deferred function.
+	if newCreds {
+		t.creds.Store(creds)
+	}
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	if newFSContext != nil {
+		oldFSContext := t.FSContext()
+		// unshareFromTask() lowers the old fs context's ref count, but its for us to
+		// destroy it if there are no other references.
+		if oldFSContext.unshareFromTask(t, newFSContext) {
+			newFSContext = oldFSContext
+		} else {
+			newFSContext = nil
+		}
+	}
+	if newFDTable != nil {
+		t.fdTable, newFDTable = newFDTable, t.fdTable
+	}
+	if newChildPIDNS != nil {
+		t.childPIDNamespace = newChildPIDNS
+	}
+	if newNetNS != nil {
+		t.netns, newNetNS = newNetNS, t.netns
+	}
+	if newUTSNS != nil {
+		t.utsns, newUTSNS = newUTSNS, t.utsns
+	}
+	if newIPCNS != nil {
+		t.ipcns, newIPCNS = newIPCNS, t.ipcns
+	}
+	if newMountNS != nil {
+		t.mountNamespace, newMountNS = newMountNS, t.mountNamespace
+	}
+
 	return nil
 }
 
diff --git a/pkg/sentry/kernel/task_identity.go b/pkg/sentry/kernel/task_identity.go
@@ -419,41 +419,6 @@ func (t *Task) DropBoundingCapability(cp linux.Capability) error {
 	return nil
 }
 
-// SetUserNamespace attempts to move c into ns.
-//
-// Preconditions: The caller must be running on the task goroutine.
-func (t *Task) SetUserNamespace(ns *auth.UserNamespace) error {
-	creds := t.Credentials()
-	// "A process reassociating itself with a user namespace must have the
-	// CAP_SYS_ADMIN capability in the target user namespace." - setns(2)
-	//
-	// If t just created ns, then t.creds is guaranteed to have CAP_SYS_ADMIN
-	// in ns (by rule 3 in auth.Credentials.HasCapability).
-	if !creds.HasCapabilityIn(linux.CAP_SYS_ADMIN, ns) {
-		return linuxerr.EPERM
-	}
-
-	creds = creds.Fork() // The credentials object is immutable. See doc for creds.
-	creds.UserNamespace = ns
-	// "The child process created by clone(2) with the CLONE_NEWUSER flag
-	// starts out with a complete set of capabilities in the new user
-	// namespace. Likewise, a process that creates a new user namespace using
-	// unshare(2) or joins an existing user namespace using setns(2) gains a
-	// full set of capabilities in that namespace."
-	creds.PermittedCaps = auth.AllCapabilities
-	creds.InheritableCaps = 0
-	creds.EffectiveCaps = auth.AllCapabilities
-	creds.BoundingCaps = auth.AllCapabilities
-	// "A call to clone(2), unshare(2), or setns(2) using the CLONE_NEWUSER
-	// flag sets the "securebits" flags (see capabilities(7)) to their default
-	// values (all flags disabled) in the child (for clone(2)) or caller (for
-	// unshare(2), or setns(2)." - user_namespaces(7)
-	creds.KeepCaps = false
-	t.creds.Store(creds)
-
-	return nil
-}
-
 // SetKeepCaps will set the keep capabilities flag PR_SET_KEEPCAPS.
 //
 // Preconditions: The caller must be running on the task goroutine.
