aboutsummaryrefslogtreecommitdiffstats
path: root/security/commoncap.c
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2011-11-17 02:15:31 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-04-07 19:55:51 -0400
commitc4a4d603796c727b9555867571f89483be9c565e (patch)
treeae3b47a7b8b35c866df53cb4b4a051d49a28904a /security/commoncap.c
parent7e6bd8fadd1216f50468f965d0308f45e5109ced (diff)
userns: Use cred->user_ns instead of cred->user->user_ns
Optimize performance and prepare for the removal of the user_ns reference from user_struct. Remove the slow long walk through cred->user->user_ns and instead go straight to cred->user_ns. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 0cf4b53480a7..8b3e10e2eac7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
81 return 0; 81 return 0;
82 82
83 /* Do we have the necessary capabilities? */ 83 /* Do we have the necessary capabilities? */
84 if (targ_ns == cred->user->user_ns) 84 if (targ_ns == cred->user_ns)
85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
86 86
87 /* Have we tried all of the parent namespaces? */ 87 /* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
136 rcu_read_lock(); 136 rcu_read_lock();
137 cred = current_cred(); 137 cred = current_cred();
138 child_cred = __task_cred(child); 138 child_cred = __task_cred(child);
139 if (cred->user->user_ns == child_cred->user->user_ns && 139 if (cred->user_ns == child_cred->user_ns &&
140 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 140 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
141 goto out; 141 goto out;
142 if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)) 142 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
143 goto out; 143 goto out;
144 ret = -EPERM; 144 ret = -EPERM;
145out: 145out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
168 rcu_read_lock(); 168 rcu_read_lock();
169 cred = __task_cred(parent); 169 cred = __task_cred(parent);
170 child_cred = current_cred(); 170 child_cred = current_cred();
171 if (cred->user->user_ns == child_cred->user->user_ns && 171 if (cred->user_ns == child_cred->user_ns &&
172 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 172 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
173 goto out; 173 goto out;
174 if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE)) 174 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
175 goto out; 175 goto out;
176 ret = -EPERM; 176 ret = -EPERM;
177out: 177out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
214 /* they are so limited unless the current task has the CAP_SETPCAP 214 /* they are so limited unless the current task has the CAP_SETPCAP
215 * capability 215 * capability
216 */ 216 */
217 if (cap_capable(current_cred(), current_cred()->user->user_ns, 217 if (cap_capable(current_cred(), current_cred()->user_ns,
218 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) 218 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
219 return 0; 219 return 0;
220 return 1; 220 return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 866 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
867 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 867 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
868 || (cap_capable(current_cred(), 868 || (cap_capable(current_cred(),
869 current_cred()->user->user_ns, CAP_SETPCAP, 869 current_cred()->user_ns, CAP_SETPCAP,
870 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 870 SECURITY_CAP_AUDIT) != 0) /*[4]*/
871 /* 871 /*
872 * [1] no changing of bits that are locked 872 * [1] no changing of bits that are locked