author | Eric W. Biederman <ebiederm@xmission.com> | 2011-11-14 19:24:06 -0500 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-04-07 20:02:46 -0400 |
commit | 1a48e2ac034d47ed843081c4523b63c46b46888b (patch) | |
tree | d3a32ac7ffc47b075a64701a2fd74e00bbccf84d /include | |
parent | 973c5914260d75292f71a4729753086b9e863d57 (diff) |
userns: Replace the hard to write inode_userns with inode_capable.
This represents a change in strategy of how to handle user namespaces.
Instead of tagging everything explicitly with a user namespace and bulking
up all of the comparisons of uids and gids in the kernel, all uids and gids
in use will have a mapping to a flat kuid and kgid spaces respectively. This
allows much more of the existing logic to be preserved and in general
allows for faster code.
In this new and improved world we allow someone to utilize capabilities
over an inode if the inode's owner maps into the capability holder's user
namespace and the user has capabilities in their user namespace. Which
is simple and efficient.
Moving the fs uid comparisons to be comparisons in a flat kuid space
follows in later patches, something that is only significant if you
are using user namespaces.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/capability.h | 2 | ||||
-rw-r--r-- | include/linux/fs.h | 6 |
2 files changed, 2 insertions, 6 deletions
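--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -374,6 +374,7 @@ struct cpu_vfs_cap_data {
 
 #ifdef __KERNEL__
 
+struct inode;
 struct dentry;
 struct user_namespace;
 
@@ -548,6 +549,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
 extern bool capable(int cap);
 extern bool ns_capable(struct user_namespace *ns, int cap);
 extern bool nsown_capable(int cap);
+extern bool inode_capable(const struct inode *inode, int cap);
 
 /* audit system wants to get cap info from files as well */
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);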
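Review bot: The new `inode_capable()` declaration carries no comment describing what it checks, whereas the `inode_userns` macro it replaces was commented in fs.h; from the prototype alone a reader of capability.h cannot tell that the result depends on both the inode owner's mapping and the caller's namespace capabilities. Since this is an access-control predicate that fs code will call in place of a plain `capable()`, its contract belongs at the declaration, e.g. `/* true if @inode's owner maps into current's user namespace and current has @cap in that namespace */` directly above the extern. The definition itself is outside this diff, so the behaviour stated in that comment is taken from the commit description and should be confirmed against the implementation.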
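--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1522,12 +1522,6 @@ enum {
 #define vfs_check_frozen(sb, level) \
 wait_event((sb)->s_wait_unfrozen, ((sb)->s_frozen < (level)))
 
-/*
- * until VFS tracks user namespaces for inodes, just make all files
- * belong to init_user_ns
- */
-extern struct user_namespace init_user_ns;
-#define inode_userns(inode) (&init_user_ns)
 extern bool inode_owner_or_capable(const struct inode *inode);
 
 /* not quite ready to be deprecated, but... */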