authorEric W. Biederman <ebiederm@xmission.com>2011-11-17 02:15:31 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-04-07 19:55:51 -0400
commitc4a4d603796c727b9555867571f89483be9c565e (patch)
treeae3b47a7b8b35c866df53cb4b4a051d49a28904a
parent7e6bd8fadd1216f50468f965d0308f45e5109ced (diff)
userns: Use cred->user_ns instead of cred->user->user_ns
Optimize performance and prepare for the removal of the user_ns reference from user_struct. Remove the slow long walk through cred->user->user_ns and instead go straight to cred->user_ns. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
-rw-r--r--fs/ecryptfs/messaging.c2
-rw-r--r--ipc/namespace.c2
-rw-r--r--kernel/ptrace.c4
-rw-r--r--kernel/sched/core.c2
-rw-r--r--kernel/signal.c4
-rw-r--r--kernel/sys.c8
-rw-r--r--kernel/user_namespace.c4
-rw-r--r--kernel/utsname.c2
-rw-r--r--security/commoncap.c14
-rw-r--r--security/keys/key.c2
-rw-r--r--security/keys/permission.c2
-rw-r--r--security/keys/process_keys.c2
12 files changed, 24 insertions, 24 deletions
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
index ab2248090515..a750f957b145 100644
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -303,7 +303,7 @@ int ecryptfs_process_response(struct ecryptfs_message *msg, uid_t euid,
303 mutex_unlock(&ecryptfs_daemon_hash_mux); 303 mutex_unlock(&ecryptfs_daemon_hash_mux);
304 goto wake_up; 304 goto wake_up;
305 } 305 }
306 tsk_user_ns = __task_cred(msg_ctx->task)->user->user_ns; 306 tsk_user_ns = __task_cred(msg_ctx->task)->user_ns;
307 ctx_euid = task_euid(msg_ctx->task); 307 ctx_euid = task_euid(msg_ctx->task);
308 rc = ecryptfs_find_daemon_by_euid(&daemon, ctx_euid, tsk_user_ns); 308 rc = ecryptfs_find_daemon_by_euid(&daemon, ctx_euid, tsk_user_ns);
309 rcu_read_unlock(); 309 rcu_read_unlock();
diff --git a/ipc/namespace.c b/ipc/namespace.c
index ce0a647869b1..f362298c5ce4 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -46,7 +46,7 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk,
46 ipcns_notify(IPCNS_CREATED); 46 ipcns_notify(IPCNS_CREATED);
47 register_ipcns_notifier(ns); 47 register_ipcns_notifier(ns);
48 48
49 ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns); 49 ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
50 50
51 return ns; 51 return ns;
52} 52}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index ee8d49b9c309..24e0a5a94824 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -198,7 +198,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
198 return 0; 198 return 0;
199 rcu_read_lock(); 199 rcu_read_lock();
200 tcred = __task_cred(task); 200 tcred = __task_cred(task);
201 if (cred->user->user_ns == tcred->user->user_ns && 201 if (cred->user_ns == tcred->user_ns &&
202 (cred->uid == tcred->euid && 202 (cred->uid == tcred->euid &&
203 cred->uid == tcred->suid && 203 cred->uid == tcred->suid &&
204 cred->uid == tcred->uid && 204 cred->uid == tcred->uid &&
@@ -206,7 +206,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
206 cred->gid == tcred->sgid && 206 cred->gid == tcred->sgid &&
207 cred->gid == tcred->gid)) 207 cred->gid == tcred->gid))
208 goto ok; 208 goto ok;
209 if (ptrace_has_cap(tcred->user->user_ns, mode)) 209 if (ptrace_has_cap(tcred->user_ns, mode))
210 goto ok; 210 goto ok;
211 rcu_read_unlock(); 211 rcu_read_unlock();
212 return -EPERM; 212 return -EPERM;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 4603b9d8f30a..96bff855b866 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4042,7 +4042,7 @@ static bool check_same_owner(struct task_struct *p)
4042 4042
4043 rcu_read_lock(); 4043 rcu_read_lock();
4044 pcred = __task_cred(p); 4044 pcred = __task_cred(p);
4045 if (cred->user->user_ns == pcred->user->user_ns) 4045 if (cred->user_ns == pcred->user_ns)
4046 match = (cred->euid == pcred->euid || 4046 match = (cred->euid == pcred->euid ||
4047 cred->euid == pcred->uid); 4047 cred->euid == pcred->uid);
4048 else 4048 else
diff --git a/kernel/signal.c b/kernel/signal.c
index 17afcaf582d0..e2c5d84f2dac 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -767,14 +767,14 @@ static int kill_ok_by_cred(struct task_struct *t)
767 const struct cred *cred = current_cred(); 767 const struct cred *cred = current_cred();
768 const struct cred *tcred = __task_cred(t); 768 const struct cred *tcred = __task_cred(t);
769 769
770 if (cred->user->user_ns == tcred->user->user_ns && 770 if (cred->user_ns == tcred->user_ns &&
771 (cred->euid == tcred->suid || 771 (cred->euid == tcred->suid ||
772 cred->euid == tcred->uid || 772 cred->euid == tcred->uid ||
773 cred->uid == tcred->suid || 773 cred->uid == tcred->suid ||
774 cred->uid == tcred->uid)) 774 cred->uid == tcred->uid))
775 return 1; 775 return 1;
776 776
777 if (ns_capable(tcred->user->user_ns, CAP_KILL)) 777 if (ns_capable(tcred->user_ns, CAP_KILL))
778 return 1; 778 return 1;
779 779
780 return 0; 780 return 0;
diff --git a/kernel/sys.c b/kernel/sys.c
index f7a43514ac65..82d8714bbede 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -133,11 +133,11 @@ static bool set_one_prio_perm(struct task_struct *p)
133{ 133{
134 const struct cred *cred = current_cred(), *pcred = __task_cred(p); 134 const struct cred *cred = current_cred(), *pcred = __task_cred(p);
135 135
136 if (pcred->user->user_ns == cred->user->user_ns && 136 if (pcred->user_ns == cred->user_ns &&
137 (pcred->uid == cred->euid || 137 (pcred->uid == cred->euid ||
138 pcred->euid == cred->euid)) 138 pcred->euid == cred->euid))
139 return true; 139 return true;
140 if (ns_capable(pcred->user->user_ns, CAP_SYS_NICE)) 140 if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
141 return true; 141 return true;
142 return false; 142 return false;
143} 143}
@@ -1498,7 +1498,7 @@ static int check_prlimit_permission(struct task_struct *task)
1498 return 0; 1498 return 0;
1499 1499
1500 tcred = __task_cred(task); 1500 tcred = __task_cred(task);
1501 if (cred->user->user_ns == tcred->user->user_ns && 1501 if (cred->user_ns == tcred->user_ns &&
1502 (cred->uid == tcred->euid && 1502 (cred->uid == tcred->euid &&
1503 cred->uid == tcred->suid && 1503 cred->uid == tcred->suid &&
1504 cred->uid == tcred->uid && 1504 cred->uid == tcred->uid &&
@@ -1506,7 +1506,7 @@ static int check_prlimit_permission(struct task_struct *task)
1506 cred->gid == tcred->sgid && 1506 cred->gid == tcred->sgid &&
1507 cred->gid == tcred->gid)) 1507 cred->gid == tcred->gid))
1508 return 0; 1508 return 0;
1509 if (ns_capable(tcred->user->user_ns, CAP_SYS_RESOURCE)) 1509 if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
1510 return 0; 1510 return 0;
1511 1511
1512 return -EPERM; 1512 return -EPERM;
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 3b906e98b1db..f084083a0fd3 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -90,7 +90,7 @@ uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t
90{ 90{
91 struct user_namespace *tmp; 91 struct user_namespace *tmp;
92 92
93 if (likely(to == cred->user->user_ns)) 93 if (likely(to == cred->user_ns))
94 return uid; 94 return uid;
95 95
96 96
@@ -112,7 +112,7 @@ gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t
112{ 112{
113 struct user_namespace *tmp; 113 struct user_namespace *tmp;
114 114
115 if (likely(to == cred->user->user_ns)) 115 if (likely(to == cred->user_ns))
116 return gid; 116 return gid;
117 117
118 /* Is cred->user the creator of the target user_ns 118 /* Is cred->user the creator of the target user_ns
diff --git a/kernel/utsname.c b/kernel/utsname.c
index 405caf91aad5..679d97a5d3fd 100644
--- a/kernel/utsname.c
+++ b/kernel/utsname.c
@@ -43,7 +43,7 @@ static struct uts_namespace *clone_uts_ns(struct task_struct *tsk,
43 43
44 down_read(&uts_sem); 44 down_read(&uts_sem);
45 memcpy(&ns->name, &old_ns->name, sizeof(ns->name)); 45 memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
46 ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns); 46 ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
47 up_read(&uts_sem); 47 up_read(&uts_sem);
48 return ns; 48 return ns;
49} 49}
diff --git a/security/commoncap.c b/security/commoncap.c
index 0cf4b53480a7..8b3e10e2eac7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
81 return 0; 81 return 0;
82 82
83 /* Do we have the necessary capabilities? */ 83 /* Do we have the necessary capabilities? */
84 if (targ_ns == cred->user->user_ns) 84 if (targ_ns == cred->user_ns)
85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
86 86
87 /* Have we tried all of the parent namespaces? */ 87 /* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
136 rcu_read_lock(); 136 rcu_read_lock();
137 cred = current_cred(); 137 cred = current_cred();
138 child_cred = __task_cred(child); 138 child_cred = __task_cred(child);
139 if (cred->user->user_ns == child_cred->user->user_ns && 139 if (cred->user_ns == child_cred->user_ns &&
140 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 140 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
141 goto out; 141 goto out;
142 if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)) 142 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
143 goto out; 143 goto out;
144 ret = -EPERM; 144 ret = -EPERM;
145out: 145out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
168 rcu_read_lock(); 168 rcu_read_lock();
169 cred = __task_cred(parent); 169 cred = __task_cred(parent);
170 child_cred = current_cred(); 170 child_cred = current_cred();
171 if (cred->user->user_ns == child_cred->user->user_ns && 171 if (cred->user_ns == child_cred->user_ns &&
172 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 172 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
173 goto out; 173 goto out;
174 if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE)) 174 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
175 goto out; 175 goto out;
176 ret = -EPERM; 176 ret = -EPERM;
177out: 177out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
214 /* they are so limited unless the current task has the CAP_SETPCAP 214 /* they are so limited unless the current task has the CAP_SETPCAP
215 * capability 215 * capability
216 */ 216 */
217 if (cap_capable(current_cred(), current_cred()->user->user_ns, 217 if (cap_capable(current_cred(), current_cred()->user_ns,
218 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) 218 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
219 return 0; 219 return 0;
220 return 1; 220 return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 866 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
867 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 867 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
868 || (cap_capable(current_cred(), 868 || (cap_capable(current_cred(),
869 current_cred()->user->user_ns, CAP_SETPCAP, 869 current_cred()->user_ns, CAP_SETPCAP,
870 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 870 SECURITY_CAP_AUDIT) != 0) /*[4]*/
871 /* 871 /*
872 * [1] no changing of bits that are locked 872 * [1] no changing of bits that are locked
diff --git a/security/keys/key.c b/security/keys/key.c
index 06783cffb3af..7e6034793af3 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -253,7 +253,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
253 quotalen = desclen + type->def_datalen; 253 quotalen = desclen + type->def_datalen;
254 254
255 /* get hold of the key tracking for this user */ 255 /* get hold of the key tracking for this user */
256 user = key_user_lookup(uid, cred->user->user_ns); 256 user = key_user_lookup(uid, cred->user_ns);
257 if (!user) 257 if (!user)
258 goto no_memory_1; 258 goto no_memory_1;
259 259
diff --git a/security/keys/permission.c b/security/keys/permission.c
index c35b5229e3cd..e146cbd714bd 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
36 36
37 key = key_ref_to_ptr(key_ref); 37 key = key_ref_to_ptr(key_ref);
38 38
39 if (key->user->user_ns != cred->user->user_ns) 39 if (key->user->user_ns != cred->user_ns)
40 goto use_other_perms; 40 goto use_other_perms;
41 41
42 /* use the second 8-bits of permissions for keys the caller owns */ 42 /* use the second 8-bits of permissions for keys the caller owns */
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index be7ecb2018dd..70febff06da9 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
858 new-> sgid = old-> sgid; 858 new-> sgid = old-> sgid;
859 new->fsgid = old->fsgid; 859 new->fsgid = old->fsgid;
860 new->user = get_uid(old->user); 860 new->user = get_uid(old->user);
861 new->user_ns = new->user->user_ns; 861 new->user_ns = new->user_ns;
862 new->group_info = get_group_info(old->group_info); 862 new->group_info = get_group_info(old->group_info);
863 863
864 new->securebits = old->securebits; 864 new->securebits = old->securebits;
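Review bot: The rewritten line 861 in key_replace_session_keyring, `new->user_ns = new->user_ns;`, is a self-assignment, so the field is no longer initialised from anything. The neighbouring lines all copy from `old`, which suggests it should read `new->user_ns = old->user_ns;`. The other hunks in this commit make the ptrace, signal, prlimit and capability checks compare `cred->user_ns` directly, so a cred installed here with a stale or unset namespace pointer would presumably be judged against the wrong namespace. Whether a reference must also be taken on the namespace at this point cannot be seen from the hunk, and the function's body starts and ends outside it.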