diff options
| author | Serge E. Hallyn <serue@us.ibm.com> | 2007-10-19 02:39:52 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-10-19 14:53:37 -0400 |
| commit | b460cbc581a53cc088ceba80608021dd49c63c43 (patch) | |
| tree | 83c28d0adbc15f4157c77b40fa60c40a71cb8673 /security/commoncap.c | |
| parent | 3743ca05ff464b8a9e345c08a6c9ce30485f9805 (diff) | |
pid namespaces: define is_global_init() and is_container_init()
is_init() is an ambiguous name for the pid==1 check. Split it into
is_global_init() and is_container_init().
A cgroup init has it's tsk->pid == 1.
A global init also has it's tsk->pid == 1 and it's active pid namespace
is the init_pid_ns. But rather than check the active pid namespace,
compare the task structure with 'init_pid_ns.child_reaper', which is
initialized during boot to the /sbin/init process and never changes.
Changelog:
2.6.22-rc4-mm2-pidns1:
- Use 'init_pid_ns.child_reaper' to determine if a given task is the
global init (/sbin/init) process. This would improve performance
and remove dependence on the task_pid().
2.6.21-mm2-pidns2:
- [Sukadev Bhattiprolu] Changed is_container_init() calls in {powerpc,
ppc,avr32}/traps.c for the _exception() call to is_global_init().
This way, we kill only the cgroup if the cgroup's init has a
bug rather than force a kernel panic.
[akpm@linux-foundation.org: fix comment]
[sukadev@us.ibm.com: Use is_global_init() in arch/m32r/mm/fault.c]
[bunk@stusta.de: kernel/pid.c: remove unused exports]
[sukadev@us.ibm.com: Fix capability.c to work with threaded init]
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Acked-by: Pavel Emelianov <xemul@openvz.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Cedric Le Goater <clg@fr.ibm.com>
Cc: Dave Hansen <haveblue@us.ibm.com>
Cc: Herbert Poetzel <herbert@13thfloor.at>
Cc: Kirill Korotaev <dev@sw.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 48ca5b092768..43f902750a1b 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -23,6 +23,7 @@ | |||
| 23 | #include <linux/xattr.h> | 23 | #include <linux/xattr.h> |
| 24 | #include <linux/hugetlb.h> | 24 | #include <linux/hugetlb.h> |
| 25 | #include <linux/mount.h> | 25 | #include <linux/mount.h> |
| 26 | #include <linux/sched.h> | ||
| 26 | 27 | ||
| 27 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES | 28 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES |
| 28 | /* | 29 | /* |
| @@ -334,7 +335,7 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | |||
| 334 | /* For init, we want to retain the capabilities set | 335 | /* For init, we want to retain the capabilities set |
| 335 | * in the init_task struct. Thus we skip the usual | 336 | * in the init_task struct. Thus we skip the usual |
| 336 | * capability rules */ | 337 | * capability rules */ |
| 337 | if (!is_init(current)) { | 338 | if (!is_global_init(current)) { |
| 338 | current->cap_permitted = new_permitted; | 339 | current->cap_permitted = new_permitted; |
| 339 | current->cap_effective = bprm->cap_effective ? | 340 | current->cap_effective = bprm->cap_effective ? |
| 340 | new_permitted : 0; | 341 | new_permitted : 0; |