kernel/user_namespace.c

    1. 不能reenter 同一个user namespace,避免通过这种方式获得权限
    2. 不能修改一个线程的user namespace,一个进程内所有线程必须使用同一个namespace
    3. 调用者和其他进程共享root directory (current->fs->users != 1)
    4. target user namespace必须拥有CAP_SYS_ADMIN
    1. static int userns_install(struct nsset *nsset, struct ns_common *ns)
    2. {
    3.     struct user_namespace *user_ns = to_user_ns(ns);
    4.     struct cred *cred;
    6.     /* Don't allow gaining capabilities by reentering
    7.      * the same user namespace.
    8.      */
    9.     if (user_ns == current_user_ns())
    10.         return -EINVAL;
    12.     /* Tasks that share a thread group must share a user namespace */
    13.     if (!thread_group_empty(current))
    14.         return -EINVAL;
    16.     if (current->fs->users != 1)
    17.         return -EINVAL;
    19.     if (!ns_capable(user_ns, CAP_SYS_ADMIN))
    20.         return -EPERM;
    22.     cred = nsset_cred(nsset);
    23.     if (!cred)
    24.         return -EINVAL;
    26.     put_user_ns(cred->user_ns);
    27.     set_cred_user_ns(cred, get_user_ns(user_ns));
    29.     return 0;
    30. }