author | Eric W. Biederman <ebiederm@xmission.com> | 2011-11-17 02:15:31 -0500 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-04-07 19:55:51 -0400 |
commit | c4a4d603796c727b9555867571f89483be9c565e (patch) | |
tree | ae3b47a7b8b35c866df53cb4b4a051d49a28904a | |
parent | 7e6bd8fadd1216f50468f965d0308f45e5109ced (diff) |
userns: Use cred->user_ns instead of cred->user->user_ns
Optimize performance and prepare for the removal of the user_ns reference
from user_struct. Remove the slow long walk through cred->user->user_ns and
instead go straight to cred->user_ns.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
-rw-r--r-- | fs/ecryptfs/messaging.c | 2 | ||||
-rw-r--r-- | ipc/namespace.c | 2 | ||||
-rw-r--r-- | kernel/ptrace.c | 4 | ||||
-rw-r--r-- | kernel/sched/core.c | 2 | ||||
-rw-r--r-- | kernel/signal.c | 4 | ||||
-rw-r--r-- | kernel/sys.c | 8 | ||||
-rw-r--r-- | kernel/user_namespace.c | 4 | ||||
-rw-r--r-- | kernel/utsname.c | 2 | ||||
-rw-r--r-- | security/commoncap.c | 14 | ||||
-rw-r--r-- | security/keys/key.c | 2 | ||||
-rw-r--r-- | security/keys/permission.c | 2 | ||||
-rw-r--r-- | security/keys/process_keys.c | 2 |
12 files changed, 24 insertions, 24 deletions
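--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -303,7 +303,7 @@ int ecryptfs_process_response(struct ecryptfs_message *msg, uid_t euid,
 mutex_unlock(&ecryptfs_daemon_hash_mux);
 goto wake_up;
 }
-tsk_user_ns = __task_cred(msg_ctx->task)->user->user_ns;
+tsk_user_ns = __task_cred(msg_ctx->task)->user_ns;
 ctx_euid = task_euid(msg_ctx->task);
 rc = ecryptfs_find_daemon_by_euid(&daemon, ctx_euid, tsk_user_ns);
 rcu_read_unlock();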
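--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -46,7 +46,7 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk,
 ipcns_notify(IPCNS_CREATED);
 register_ipcns_notifier(ns);
 
-ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
+ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
 
 return ns;
 }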
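--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -198,7 +198,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 return 0;
 rcu_read_lock();
 tcred = __task_cred(task);
-if (cred->user->user_ns == tcred->user->user_ns &&
+if (cred->user_ns == tcred->user_ns &&
 (cred->uid == tcred->euid &&
 cred->uid == tcred->suid &&
 cred->uid == tcred->uid &&
@@ -206,7 +206,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 cred->gid == tcred->sgid &&
 cred->gid == tcred->gid))
 goto ok;
-if (ptrace_has_cap(tcred->user->user_ns, mode))
+if (ptrace_has_cap(tcred->user_ns, mode))
 goto ok;
 rcu_read_unlock();
 return -EPERM;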
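Review bot: The rewritten namespace tests in `__ptrace_may_access` (`cred->user_ns == tcred->user_ns` and the `ptrace_has_cap(tcred->user_ns, mode)` fallback) give the same answer as before only if every cred keeps `user_ns` equal to `user->user_ns`, and nothing in the patch states or checks that invariant. The same assumption carries the permission checks changed in kernel/sched/core.c, kernel/signal.c, kernel/sys.c and security/commoncap.c, where a stale `cred->user_ns` would have the same-namespace uid match or the `ns_capable()` call evaluated against the wrong namespace. I would document it where the field is declared (not visible on this page), for example `/* must equal user->user_ns for as long as user_struct carries a namespace */`. The function body starts and ends outside both hunks.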
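--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4042,7 +4042,7 @@ static bool check_same_owner(struct task_struct *p)
 
 rcu_read_lock();
 pcred = __task_cred(p);
-if (cred->user->user_ns == pcred->user->user_ns)
+if (cred->user_ns == pcred->user_ns)
 match = (cred->euid == pcred->euid ||
 cred->euid == pcred->uid);
 else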
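--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -767,14 +767,14 @@ static int kill_ok_by_cred(struct task_struct *t)
 const struct cred *cred = current_cred();
 const struct cred *tcred = __task_cred(t);
 
-if (cred->user->user_ns == tcred->user->user_ns &&
+if (cred->user_ns == tcred->user_ns &&
 (cred->euid == tcred->suid ||
 cred->euid == tcred->uid ||
 cred->uid == tcred->suid ||
 cred->uid == tcred->uid))
 return 1;
 
-if (ns_capable(tcred->user->user_ns, CAP_KILL))
+if (ns_capable(tcred->user_ns, CAP_KILL))
 return 1;
 
 return 0;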
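--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -133,11 +133,11 @@ static bool set_one_prio_perm(struct task_struct *p)
 {
 const struct cred *cred = current_cred(), *pcred = __task_cred(p);
 
-if (pcred->user->user_ns == cred->user->user_ns &&
+if (pcred->user_ns == cred->user_ns &&
 (pcred->uid == cred->euid ||
 pcred->euid == cred->euid))
 return true;
-if (ns_capable(pcred->user->user_ns, CAP_SYS_NICE))
+if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
 return true;
 return false;
 }
@@ -1498,7 +1498,7 @@ static int check_prlimit_permission(struct task_struct *task)
 return 0;
 
 tcred = __task_cred(task);
-if (cred->user->user_ns == tcred->user->user_ns &&
+if (cred->user_ns == tcred->user_ns &&
 (cred->uid == tcred->euid &&
 cred->uid == tcred->suid &&
 cred->uid == tcred->uid &&
@@ -1506,7 +1506,7 @@ static int check_prlimit_permission(struct task_struct *task)
 cred->gid == tcred->sgid &&
 cred->gid == tcred->gid))
 return 0;
-if (ns_capable(tcred->user->user_ns, CAP_SYS_RESOURCE))
+if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
 return 0;
 
 return -EPERM;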
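--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -90,7 +90,7 @@ uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t
 {
 struct user_namespace *tmp;
 
-if (likely(to == cred->user->user_ns))
+if (likely(to == cred->user_ns))
 return uid;
 
 
@@ -112,7 +112,7 @@ gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t
 {
 struct user_namespace *tmp;
 
-if (likely(to == cred->user->user_ns))
+if (likely(to == cred->user_ns))
 return gid;
 
 /* Is cred->user the creator of the target user_ns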
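--- a/kernel/utsname.c
+++ b/kernel/utsname.c
@@ -43,7 +43,7 @@ static struct uts_namespace *clone_uts_ns(struct task_struct *tsk,
 
 down_read(&uts_sem);
 memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
-ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
+ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
 up_read(&uts_sem);
 return ns;
 }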
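--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 return 0;
 
 /* Do we have the necessary capabilities? */
-if (targ_ns == cred->user->user_ns)
+if (targ_ns == cred->user_ns)
 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 
 /* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
 rcu_read_lock();
 cred = current_cred();
 child_cred = __task_cred(child);
-if (cred->user->user_ns == child_cred->user->user_ns &&
+if (cred->user_ns == child_cred->user_ns &&
 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
 goto out;
-if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
+if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
 goto out;
 ret = -EPERM;
 out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
 rcu_read_lock();
 cred = __task_cred(parent);
 child_cred = current_cred();
-if (cred->user->user_ns == child_cred->user->user_ns &&
+if (cred->user_ns == child_cred->user_ns &&
 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
 goto out;
-if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
+if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
 goto out;
 ret = -EPERM;
 out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
 /* they are so limited unless the current task has the CAP_SETPCAP
 * capability
 */
-if (cap_capable(current_cred(), current_cred()->user->user_ns,
+if (cap_capable(current_cred(), current_cred()->user_ns,
 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
 return 0;
 return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
 || (cap_capable(current_cred(),
-current_cred()->user->user_ns, CAP_SETPCAP,
+current_cred()->user_ns, CAP_SETPCAP,
 SECURITY_CAP_AUDIT) != 0) /*[4]*/
 /*
 * [1] no changing of bits that are locked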
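--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -253,7 +253,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 quotalen = desclen + type->def_datalen;
 
 /* get hold of the key tracking for this user */
-user = key_user_lookup(uid, cred->user->user_ns);
+user = key_user_lookup(uid, cred->user_ns);
 if (!user)
 goto no_memory_1;
 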
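--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
 
 key = key_ref_to_ptr(key_ref);
 
-if (key->user->user_ns != cred->user->user_ns)
+if (key->user->user_ns != cred->user_ns)
 goto use_other_perms;
 
 /* use the second 8-bits of permissions for keys the caller owns */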
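Review bot: The comparison in `key_task_permission` now mixes two access paths, `key->user->user_ns != cred->user_ns`, and a reader can easily take the left-hand side for a conversion the patch missed. If `key->user` is the key-tracking record obtained through `key_user_lookup()` (as the key.c hunk in this commit suggests) rather than the cred's user struct, a one-line comment such as `/* key->user is the key tracking record, not cred->user */` above the test would settle that. The function continues outside the hunk.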
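--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
 new-> sgid = old-> sgid;
 new->fsgid = old->fsgid;
 new->user = get_uid(old->user);
-new->user_ns = new->user->user_ns;
+new->user_ns = new->user_ns;
 new->group_info = get_group_info(old->group_info);
 
 new->securebits = old->securebits;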
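Review bot: The new line `new->user_ns = new->user_ns;` in `key_replace_session_keyring` assigns the field to itself, so it no longer sets anything; the mechanical `->user->user_ns` to `->user_ns` substitution removed the only source operand. Every neighbouring line in the hunk copies from `old`, so the intended statement is most likely `new->user_ns = old->user_ns;`. Whether `new` already holds the right namespace from its allocation is not visible here, since the function starts and ends outside the hunk. If it does, the line should simply be dropped; if it does not, the new credentials can carry a namespace that disagrees with `new->user`, and the capability and key-permission checks changed elsewhere in this commit would then consult the wrong one.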