userns: Use cred->user_ns instead of cred->user->user_ns

Optimize performance and prepare for the removal of the user_ns reference from user_struct. Remove the slow long walk through cred->user->user_ns and instead go straight to cred->user_ns. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2011-11-17 02:15:31 -0500
committer: Eric W. Biederman <ebiederm@xmission.com> 2012-04-07 19:55:51 -0400
commit: c4a4d603796c727b9555867571f89483be9c565e (patch)
tree: ae3b47a7b8b35c866df53cb4b4a051d49a28904a /security/commoncap.c
parent: 7e6bd8fadd1216f50468f965d0308f45e5109ced (diff)
1 files changed, 7 insertions, 7 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 0cf4b53480a7..8b3e10e2eac7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
                        return 0;
                /* Do we have the necessary capabilities? */
-                if (targ_ns == cred->user->user_ns)
+                if (targ_ns == cred->user_ns)
                        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
                /* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
        rcu_read_lock();
        cred = current_cred();
        child_cred = __task_cred(child);
-        if (cred->user->user_ns == child_cred->user->user_ns &&
+        if (cred->user_ns == child_cred->user_ns &&
            cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
                goto out;
-        if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
+        if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
                goto out;
        ret = -EPERM;
 out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
        rcu_read_lock();
        cred = __task_cred(parent);
        child_cred = current_cred();
-        if (cred->user->user_ns == child_cred->user->user_ns &&
+        if (cred->user_ns == child_cred->user_ns &&
            cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
                goto out;
-        if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
+        if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
                goto out;
        ret = -EPERM;
 out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
        /* they are so limited unless the current task has the CAP_SETPCAP
         * capability
         */
-        if (cap_capable(current_cred(), current_cred()->user->user_ns,
+        if (cap_capable(current_cred(), current_cred()->user_ns,
                        CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
                return 0;
        return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                    || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))   /*[2]*/
                    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))   /*[3]*/
                    || (cap_capable(current_cred(),
-                                    current_cred()->user->user_ns, CAP_SETPCAP,
+                                    current_cred()->user_ns, CAP_SETPCAP,
                                    SECURITY_CAP_AUDIT) != 0)           /*[4]*/
                        /*
                         * [1] no changing of bits that are locked
author	Eric W. Biederman <ebiederm@xmission.com>	2011-11-17 02:15:31 -0500
committer	Eric W. Biederman <ebiederm@xmission.com>	2012-04-07 19:55:51 -0400
commit	c4a4d603796c727b9555867571f89483be9c565e (patch)
tree	ae3b47a7b8b35c866df53cb4b4a051d49a28904a /security/commoncap.c
parent	7e6bd8fadd1216f50468f965d0308f45e5109ced (diff)

diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a7..8b3e10e2eac7 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred cred, struct user_namespace targ_ns,
81	return 0;	81	return 0;
82		82
83	/* Do we have the necessary capabilities? */	83	/* Do we have the necessary capabilities? */
84	if (targ_ns == cred->user->user_ns)	84	if (targ_ns == cred->user_ns)
85	return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;	85	return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
86		86
87	/* Have we tried all of the parent namespaces? */	87	/* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
136	rcu_read_lock();	136	rcu_read_lock();
137	cred = current_cred();	137	cred = current_cred();
138	child_cred = __task_cred(child);	138	child_cred = __task_cred(child);
139	if (cred->user->user_ns == child_cred->user->user_ns &&	139	if (cred->user_ns == child_cred->user_ns &&
140	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))	140	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
141	goto out;	141	goto out;
142	if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))	142	if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
143	goto out;	143	goto out;
144	ret = -EPERM;	144	ret = -EPERM;
145	out:	145	out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
168	rcu_read_lock();	168	rcu_read_lock();
169	cred = __task_cred(parent);	169	cred = __task_cred(parent);
170	child_cred = current_cred();	170	child_cred = current_cred();
171	if (cred->user->user_ns == child_cred->user->user_ns &&	171	if (cred->user_ns == child_cred->user_ns &&
172	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))	172	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
173	goto out;	173	goto out;
174	if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))	174	if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
175	goto out;	175	goto out;
176	ret = -EPERM;	176	ret = -EPERM;
177	out:	177	out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
214	/* they are so limited unless the current task has the CAP_SETPCAP	214	/* they are so limited unless the current task has the CAP_SETPCAP
215	* capability	215	* capability
216	*/	216	*/
217	if (cap_capable(current_cred(), current_cred()->user->user_ns,	217	if (cap_capable(current_cred(), current_cred()->user_ns,
218	CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)	218	CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
219	return 0;	219	return 0;
220	return 1;	220	return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866	\|\| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /[2]/	866	\|\| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /[2]/
867	\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/	867	\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/
868	\|\| (cap_capable(current_cred(),	868	\|\| (cap_capable(current_cred(),
869	current_cred()->user->user_ns, CAP_SETPCAP,	869	current_cred()->user_ns, CAP_SETPCAP,
870	SECURITY_CAP_AUDIT) != 0) /[4]/	870	SECURITY_CAP_AUDIT) != 0) /[4]/
871	/*	871	/*
872	* [1] no changing of bits that are locked	872	* [1] no changing of bits that are locked