diff options
| author | Iulia Manda <iulia.manda21@gmail.com> | 2015-04-15 19:16:41 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-04-15 19:35:22 -0400 |
| commit | 2813893f8b197a14f1e1ddb04d99bce46817c84a (patch) | |
| tree | 650651e638f867a6bda23e08c70bdd9857d121ca /kernel/sys_ni.c | |
| parent | c79574abe2baddf569532e7e430e4977771dd25c (diff) | |
kernel: conditionally support non-root users, groups and capabilities
There are a lot of embedded systems that run most or all of their
functionality in init, running as root:root. For these systems,
supporting multiple users is not necessary.
This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for
non-root users, non-root groups, and capabilities optional. It is enabled
under CONFIG_EXPERT menu.
When this symbol is not defined, UID and GID are zero in any possible case
and processes always have all capabilities.
The following syscalls are compiled out: setuid, setregid, setgid,
setreuid, setresuid, getresuid, setresgid, getresgid, setgroups,
getgroups, setfsuid, setfsgid, capget, capset.
Also, groups.c is compiled out completely.
In kernel/capability.c, capable function was moved in order to avoid
adding two ifdef blocks.
This change saves about 25 KB on a defconfig build. The most minimal
kernels have total text sizes in the high hundreds of kB rather than
low MB. (The 25k goes down a bit with allnoconfig, but not that much.
The kernel was booted in Qemu. All the common functionalities work.
Adding users/groups is not possible, failing with -ENOSYS.
Bloat-o-meter output:
add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Iulia Manda <iulia.manda21@gmail.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel/sys_ni.c')
| -rw-r--r-- | kernel/sys_ni.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 5adcb0ae3a58..7995ef5868d8 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c | |||
| @@ -159,6 +159,20 @@ cond_syscall(sys_uselib); | |||
| 159 | cond_syscall(sys_fadvise64); | 159 | cond_syscall(sys_fadvise64); |
| 160 | cond_syscall(sys_fadvise64_64); | 160 | cond_syscall(sys_fadvise64_64); |
| 161 | cond_syscall(sys_madvise); | 161 | cond_syscall(sys_madvise); |
| 162 | cond_syscall(sys_setuid); | ||
| 163 | cond_syscall(sys_setregid); | ||
| 164 | cond_syscall(sys_setgid); | ||
| 165 | cond_syscall(sys_setreuid); | ||
| 166 | cond_syscall(sys_setresuid); | ||
| 167 | cond_syscall(sys_getresuid); | ||
| 168 | cond_syscall(sys_setresgid); | ||
| 169 | cond_syscall(sys_getresgid); | ||
| 170 | cond_syscall(sys_setgroups); | ||
| 171 | cond_syscall(sys_getgroups); | ||
| 172 | cond_syscall(sys_setfsuid); | ||
| 173 | cond_syscall(sys_setfsgid); | ||
| 174 | cond_syscall(sys_capget); | ||
| 175 | cond_syscall(sys_capset); | ||
| 162 | 176 | ||
| 163 | /* arch-specific weak syscall entries */ | 177 | /* arch-specific weak syscall entries */ |
| 164 | cond_syscall(sys_pciconfig_read); | 178 | cond_syscall(sys_pciconfig_read); |