mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-04 04:06:26 +00:00
userns: Use cred->user_ns instead of cred->user->user_ns
Optimize performance and prepare for the removal of the user_ns reference from user_struct. Remove the slow long walk through cred->user->user_ns and instead go straight to cred->user_ns. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
parent
7e6bd8fadd
commit
c4a4d60379
@ -303,7 +303,7 @@ int ecryptfs_process_response(struct ecryptfs_message *msg, uid_t euid,
|
|||||||
mutex_unlock(&ecryptfs_daemon_hash_mux);
|
mutex_unlock(&ecryptfs_daemon_hash_mux);
|
||||||
goto wake_up;
|
goto wake_up;
|
||||||
}
|
}
|
||||||
tsk_user_ns = __task_cred(msg_ctx->task)->user->user_ns;
|
tsk_user_ns = __task_cred(msg_ctx->task)->user_ns;
|
||||||
ctx_euid = task_euid(msg_ctx->task);
|
ctx_euid = task_euid(msg_ctx->task);
|
||||||
rc = ecryptfs_find_daemon_by_euid(&daemon, ctx_euid, tsk_user_ns);
|
rc = ecryptfs_find_daemon_by_euid(&daemon, ctx_euid, tsk_user_ns);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
@ -46,7 +46,7 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk,
|
|||||||
ipcns_notify(IPCNS_CREATED);
|
ipcns_notify(IPCNS_CREATED);
|
||||||
register_ipcns_notifier(ns);
|
register_ipcns_notifier(ns);
|
||||||
|
|
||||||
ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
|
ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
|
||||||
|
|
||||||
return ns;
|
return ns;
|
||||||
}
|
}
|
||||||
|
@ -198,7 +198,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
|||||||
return 0;
|
return 0;
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
tcred = __task_cred(task);
|
tcred = __task_cred(task);
|
||||||
if (cred->user->user_ns == tcred->user->user_ns &&
|
if (cred->user_ns == tcred->user_ns &&
|
||||||
(cred->uid == tcred->euid &&
|
(cred->uid == tcred->euid &&
|
||||||
cred->uid == tcred->suid &&
|
cred->uid == tcred->suid &&
|
||||||
cred->uid == tcred->uid &&
|
cred->uid == tcred->uid &&
|
||||||
@ -206,7 +206,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
|||||||
cred->gid == tcred->sgid &&
|
cred->gid == tcred->sgid &&
|
||||||
cred->gid == tcred->gid))
|
cred->gid == tcred->gid))
|
||||||
goto ok;
|
goto ok;
|
||||||
if (ptrace_has_cap(tcred->user->user_ns, mode))
|
if (ptrace_has_cap(tcred->user_ns, mode))
|
||||||
goto ok;
|
goto ok;
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
@ -4042,7 +4042,7 @@ static bool check_same_owner(struct task_struct *p)
|
|||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
pcred = __task_cred(p);
|
pcred = __task_cred(p);
|
||||||
if (cred->user->user_ns == pcred->user->user_ns)
|
if (cred->user_ns == pcred->user_ns)
|
||||||
match = (cred->euid == pcred->euid ||
|
match = (cred->euid == pcred->euid ||
|
||||||
cred->euid == pcred->uid);
|
cred->euid == pcred->uid);
|
||||||
else
|
else
|
||||||
|
@ -767,14 +767,14 @@ static int kill_ok_by_cred(struct task_struct *t)
|
|||||||
const struct cred *cred = current_cred();
|
const struct cred *cred = current_cred();
|
||||||
const struct cred *tcred = __task_cred(t);
|
const struct cred *tcred = __task_cred(t);
|
||||||
|
|
||||||
if (cred->user->user_ns == tcred->user->user_ns &&
|
if (cred->user_ns == tcred->user_ns &&
|
||||||
(cred->euid == tcred->suid ||
|
(cred->euid == tcred->suid ||
|
||||||
cred->euid == tcred->uid ||
|
cred->euid == tcred->uid ||
|
||||||
cred->uid == tcred->suid ||
|
cred->uid == tcred->suid ||
|
||||||
cred->uid == tcred->uid))
|
cred->uid == tcred->uid))
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
if (ns_capable(tcred->user->user_ns, CAP_KILL))
|
if (ns_capable(tcred->user_ns, CAP_KILL))
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -133,11 +133,11 @@ static bool set_one_prio_perm(struct task_struct *p)
|
|||||||
{
|
{
|
||||||
const struct cred *cred = current_cred(), *pcred = __task_cred(p);
|
const struct cred *cred = current_cred(), *pcred = __task_cred(p);
|
||||||
|
|
||||||
if (pcred->user->user_ns == cred->user->user_ns &&
|
if (pcred->user_ns == cred->user_ns &&
|
||||||
(pcred->uid == cred->euid ||
|
(pcred->uid == cred->euid ||
|
||||||
pcred->euid == cred->euid))
|
pcred->euid == cred->euid))
|
||||||
return true;
|
return true;
|
||||||
if (ns_capable(pcred->user->user_ns, CAP_SYS_NICE))
|
if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
|
||||||
return true;
|
return true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -1498,7 +1498,7 @@ static int check_prlimit_permission(struct task_struct *task)
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
tcred = __task_cred(task);
|
tcred = __task_cred(task);
|
||||||
if (cred->user->user_ns == tcred->user->user_ns &&
|
if (cred->user_ns == tcred->user_ns &&
|
||||||
(cred->uid == tcred->euid &&
|
(cred->uid == tcred->euid &&
|
||||||
cred->uid == tcred->suid &&
|
cred->uid == tcred->suid &&
|
||||||
cred->uid == tcred->uid &&
|
cred->uid == tcred->uid &&
|
||||||
@ -1506,7 +1506,7 @@ static int check_prlimit_permission(struct task_struct *task)
|
|||||||
cred->gid == tcred->sgid &&
|
cred->gid == tcred->sgid &&
|
||||||
cred->gid == tcred->gid))
|
cred->gid == tcred->gid))
|
||||||
return 0;
|
return 0;
|
||||||
if (ns_capable(tcred->user->user_ns, CAP_SYS_RESOURCE))
|
if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
@ -90,7 +90,7 @@ uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t
|
|||||||
{
|
{
|
||||||
struct user_namespace *tmp;
|
struct user_namespace *tmp;
|
||||||
|
|
||||||
if (likely(to == cred->user->user_ns))
|
if (likely(to == cred->user_ns))
|
||||||
return uid;
|
return uid;
|
||||||
|
|
||||||
|
|
||||||
@ -112,7 +112,7 @@ gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t
|
|||||||
{
|
{
|
||||||
struct user_namespace *tmp;
|
struct user_namespace *tmp;
|
||||||
|
|
||||||
if (likely(to == cred->user->user_ns))
|
if (likely(to == cred->user_ns))
|
||||||
return gid;
|
return gid;
|
||||||
|
|
||||||
/* Is cred->user the creator of the target user_ns
|
/* Is cred->user the creator of the target user_ns
|
||||||
|
@ -43,7 +43,7 @@ static struct uts_namespace *clone_uts_ns(struct task_struct *tsk,
|
|||||||
|
|
||||||
down_read(&uts_sem);
|
down_read(&uts_sem);
|
||||||
memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
|
memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
|
||||||
ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
|
ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
|
||||||
up_read(&uts_sem);
|
up_read(&uts_sem);
|
||||||
return ns;
|
return ns;
|
||||||
}
|
}
|
||||||
|
@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Do we have the necessary capabilities? */
|
/* Do we have the necessary capabilities? */
|
||||||
if (targ_ns == cred->user->user_ns)
|
if (targ_ns == cred->user_ns)
|
||||||
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
||||||
|
|
||||||
/* Have we tried all of the parent namespaces? */
|
/* Have we tried all of the parent namespaces? */
|
||||||
@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
|
|||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
cred = current_cred();
|
cred = current_cred();
|
||||||
child_cred = __task_cred(child);
|
child_cred = __task_cred(child);
|
||||||
if (cred->user->user_ns == child_cred->user->user_ns &&
|
if (cred->user_ns == child_cred->user_ns &&
|
||||||
cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
|
cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
|
||||||
goto out;
|
goto out;
|
||||||
if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
|
if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
|
||||||
goto out;
|
goto out;
|
||||||
ret = -EPERM;
|
ret = -EPERM;
|
||||||
out:
|
out:
|
||||||
@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
|
|||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
cred = __task_cred(parent);
|
cred = __task_cred(parent);
|
||||||
child_cred = current_cred();
|
child_cred = current_cred();
|
||||||
if (cred->user->user_ns == child_cred->user->user_ns &&
|
if (cred->user_ns == child_cred->user_ns &&
|
||||||
cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
|
cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
|
||||||
goto out;
|
goto out;
|
||||||
if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
|
if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
|
||||||
goto out;
|
goto out;
|
||||||
ret = -EPERM;
|
ret = -EPERM;
|
||||||
out:
|
out:
|
||||||
@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
|
|||||||
/* they are so limited unless the current task has the CAP_SETPCAP
|
/* they are so limited unless the current task has the CAP_SETPCAP
|
||||||
* capability
|
* capability
|
||||||
*/
|
*/
|
||||||
if (cap_capable(current_cred(), current_cred()->user->user_ns,
|
if (cap_capable(current_cred(), current_cred()->user_ns,
|
||||||
CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
|
CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
|
||||||
return 0;
|
return 0;
|
||||||
return 1;
|
return 1;
|
||||||
@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
|||||||
|| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
|
|| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
|
||||||
|| (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
|
|| (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
|
||||||
|| (cap_capable(current_cred(),
|
|| (cap_capable(current_cred(),
|
||||||
current_cred()->user->user_ns, CAP_SETPCAP,
|
current_cred()->user_ns, CAP_SETPCAP,
|
||||||
SECURITY_CAP_AUDIT) != 0) /*[4]*/
|
SECURITY_CAP_AUDIT) != 0) /*[4]*/
|
||||||
/*
|
/*
|
||||||
* [1] no changing of bits that are locked
|
* [1] no changing of bits that are locked
|
||||||
|
@ -253,7 +253,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
|
|||||||
quotalen = desclen + type->def_datalen;
|
quotalen = desclen + type->def_datalen;
|
||||||
|
|
||||||
/* get hold of the key tracking for this user */
|
/* get hold of the key tracking for this user */
|
||||||
user = key_user_lookup(uid, cred->user->user_ns);
|
user = key_user_lookup(uid, cred->user_ns);
|
||||||
if (!user)
|
if (!user)
|
||||||
goto no_memory_1;
|
goto no_memory_1;
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
|
|||||||
|
|
||||||
key = key_ref_to_ptr(key_ref);
|
key = key_ref_to_ptr(key_ref);
|
||||||
|
|
||||||
if (key->user->user_ns != cred->user->user_ns)
|
if (key->user->user_ns != cred->user_ns)
|
||||||
goto use_other_perms;
|
goto use_other_perms;
|
||||||
|
|
||||||
/* use the second 8-bits of permissions for keys the caller owns */
|
/* use the second 8-bits of permissions for keys the caller owns */
|
||||||
|
@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
|
|||||||
new-> sgid = old-> sgid;
|
new-> sgid = old-> sgid;
|
||||||
new->fsgid = old->fsgid;
|
new->fsgid = old->fsgid;
|
||||||
new->user = get_uid(old->user);
|
new->user = get_uid(old->user);
|
||||||
new->user_ns = new->user->user_ns;
|
new->user_ns = new->user_ns;
|
||||||
new->group_info = get_group_info(old->group_info);
|
new->group_info = get_group_info(old->group_info);
|
||||||
|
|
||||||
new->securebits = old->securebits;
|
new->securebits = old->securebits;
|
||||||
|
Loading…
Reference in New Issue
Block a user