diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2011-11-17 02:15:31 -0500 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-04-07 19:55:51 -0400 |
commit | c4a4d603796c727b9555867571f89483be9c565e (patch) | |
tree | ae3b47a7b8b35c866df53cb4b4a051d49a28904a /security/commoncap.c | |
parent | 7e6bd8fadd1216f50468f965d0308f45e5109ced (diff) |
userns: Use cred->user_ns instead of cred->user->user_ns
Optimize performance and prepare for the removal of the user_ns reference
from user_struct. Remove the slow long walk through cred->user->user_ns and
instead go straight to cred->user_ns.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/commoncap.c')
-rw-r--r-- | security/commoncap.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a7..8b3e10e2eac7 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | |||
81 | return 0; | 81 | return 0; |
82 | 82 | ||
83 | /* Do we have the necessary capabilities? */ | 83 | /* Do we have the necessary capabilities? */ |
84 | if (targ_ns == cred->user->user_ns) | 84 | if (targ_ns == cred->user_ns) |
85 | return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; | 85 | return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; |
86 | 86 | ||
87 | /* Have we tried all of the parent namespaces? */ | 87 | /* Have we tried all of the parent namespaces? */ |
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) | |||
136 | rcu_read_lock(); | 136 | rcu_read_lock(); |
137 | cred = current_cred(); | 137 | cred = current_cred(); |
138 | child_cred = __task_cred(child); | 138 | child_cred = __task_cred(child); |
139 | if (cred->user->user_ns == child_cred->user->user_ns && | 139 | if (cred->user_ns == child_cred->user_ns && |
140 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) | 140 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
141 | goto out; | 141 | goto out; |
142 | if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)) | 142 | if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) |
143 | goto out; | 143 | goto out; |
144 | ret = -EPERM; | 144 | ret = -EPERM; |
145 | out: | 145 | out: |
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent) | |||
168 | rcu_read_lock(); | 168 | rcu_read_lock(); |
169 | cred = __task_cred(parent); | 169 | cred = __task_cred(parent); |
170 | child_cred = current_cred(); | 170 | child_cred = current_cred(); |
171 | if (cred->user->user_ns == child_cred->user->user_ns && | 171 | if (cred->user_ns == child_cred->user_ns && |
172 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) | 172 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
173 | goto out; | 173 | goto out; |
174 | if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE)) | 174 | if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE)) |
175 | goto out; | 175 | goto out; |
176 | ret = -EPERM; | 176 | ret = -EPERM; |
177 | out: | 177 | out: |
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void) | |||
214 | /* they are so limited unless the current task has the CAP_SETPCAP | 214 | /* they are so limited unless the current task has the CAP_SETPCAP |
215 | * capability | 215 | * capability |
216 | */ | 216 | */ |
217 | if (cap_capable(current_cred(), current_cred()->user->user_ns, | 217 | if (cap_capable(current_cred(), current_cred()->user_ns, |
218 | CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) | 218 | CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) |
219 | return 0; | 219 | return 0; |
220 | return 1; | 220 | return 1; |
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
866 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ | 866 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ |
867 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 867 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
868 | || (cap_capable(current_cred(), | 868 | || (cap_capable(current_cred(), |
869 | current_cred()->user->user_ns, CAP_SETPCAP, | 869 | current_cred()->user_ns, CAP_SETPCAP, |
870 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ | 870 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ |
871 | /* | 871 | /* |
872 | * [1] no changing of bits that are locked | 872 | * [1] no changing of bits that are locked |