kernel: conditionally support non-root users, groups and capabilities

There are a lot of embedded systems that run most or all of their
functionality in init, running as root:root.  For these systems,
supporting multiple users is not necessary.

This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for
non-root users, non-root groups, and capabilities optional.  It is enabled
under CONFIG_EXPERT menu.

When this symbol is not defined, UID and GID are zero in any possible case
and processes always have all capabilities.

The following syscalls are compiled out: setuid, setregid, setgid,
setreuid, setresuid, getresuid, setresgid, getresgid, setgroups,
getgroups, setfsuid, setfsgid, capget, capset.

Also, groups.c is compiled out completely.

In kernel/capability.c, capable function was moved in order to avoid
adding two ifdef blocks.

This change saves about 25 KB on a defconfig build.  The most minimal
kernels have total text sizes in the high hundreds of kB rather than
low MB.  (The 25k goes down a bit with allnoconfig, but not that much.

The kernel was booted in Qemu.  All the common functionalities work.
Adding users/groups is not possible, failing with -ENOSYS.

Bloat-o-meter output:
add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Iulia Manda <iulia.manda21@gmail.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 18 insertions, 1 deletions

diff --git a/init/Kconfig b/init/Kconfig
index a905b7301e10..3b9df1aa35db 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -394,6 +394,7 @@ endchoice
 
 config BSD_PROCESS_ACCT
         bool "BSD Process Accounting"
+        depends on MULTIUSER
         help
           If you say Y here, a user level program will be able to instruct the
           kernel (via a special system call) to write process accounting
@@ -420,6 +421,7 @@ config BSD_PROCESS_ACCT_V3
 config TASKSTATS
         bool "Export task/process statistics through netlink"
         depends on NET
+        depends on MULTIUSER
         default n
         help
           Export selected statistics for tasks/processes through the
@@ -1160,6 +1162,7 @@ config CHECKPOINT_RESTORE
 
 menuconfig NAMESPACES
         bool "Namespaces support" if EXPERT
+        depends on MULTIUSER
         default !EXPERT
         help
           Provides the way to make tasks work with different objects using
@@ -1356,11 +1359,25 @@ menuconfig EXPERT
 
 config UID16
         bool "Enable 16-bit UID system calls" if EXPERT
-        depends on HAVE_UID16
+        depends on HAVE_UID16 && MULTIUSER
         default y
         help
           This enables the legacy 16-bit UID syscall wrappers.
 
+config MULTIUSER
+        bool "Multiple users, groups and capabilities support" if EXPERT
+        default y
+        help
+          This option enables support for non-root users, groups and
+          capabilities.
+
+          If you say N here, all processes will run with UID 0, GID 0, and all
+          possible capabilities.  Saying N here also compiles out support for
+          system calls related to UIDs, GIDs, and capabilities, such as setuid,
+          setgid, and capset.
+
+          If unsure, say Y here.
+
 config SGETMASK_SYSCALL
         bool "sgetmask/ssetmask syscalls support" if EXPERT
         def_bool PARISC || MN10300 || BLACKFIN || M68K || PPC || MIPS || X86 || SPARC || CRIS || MICROBLAZE || SUPERH