userns: Use cred->user_ns instead of cred->user->user_ns

Optimize performance and prepare for the removal of the user_ns reference from user_struct. Remove the slow long walk through cred->user->user_ns and instead go straight to cred->user_ns. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2011-11-17 02:15:31 -0500
committer: Eric W. Biederman <ebiederm@xmission.com> 2012-04-07 19:55:51 -0400
commit: c4a4d603796c727b9555867571f89483be9c565e (patch)
tree: ae3b47a7b8b35c866df53cb4b4a051d49a28904a /security
parent: 7e6bd8fadd1216f50468f965d0308f45e5109ced (diff)
4 files changed, 10 insertions, 10 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 0cf4b53480a7..8b3e10e2eac7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
                        return 0;
                /* Do we have the necessary capabilities? */
-                if (targ_ns == cred->user->user_ns)
+                if (targ_ns == cred->user_ns)
                        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
                /* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
        rcu_read_lock();
        cred = current_cred();
        child_cred = __task_cred(child);
-        if (cred->user->user_ns == child_cred->user->user_ns &&
+        if (cred->user_ns == child_cred->user_ns &&
            cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
                goto out;
-        if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
+        if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
                goto out;
        ret = -EPERM;
 out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
        rcu_read_lock();
        cred = __task_cred(parent);
        child_cred = current_cred();
-        if (cred->user->user_ns == child_cred->user->user_ns &&
+        if (cred->user_ns == child_cred->user_ns &&
            cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
                goto out;
-        if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
+        if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
                goto out;
        ret = -EPERM;
 out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
        /* they are so limited unless the current task has the CAP_SETPCAP
         * capability
         */
-        if (cap_capable(current_cred(), current_cred()->user->user_ns,
+        if (cap_capable(current_cred(), current_cred()->user_ns,
                        CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
                return 0;
        return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                    || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))   /*[2]*/
                    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))   /*[3]*/
                    || (cap_capable(current_cred(),
-                                    current_cred()->user->user_ns, CAP_SETPCAP,
+                                    current_cred()->user_ns, CAP_SETPCAP,
                                    SECURITY_CAP_AUDIT) != 0)           /*[4]*/
                        /*
                         * [1] no changing of bits that are locked
diff --git a/security/keys/key.c b/security/keys/key.c
index 06783cffb3af..7e6034793af3 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -253,7 +253,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
        quotalen = desclen + type->def_datalen;
        /* get hold of the key tracking for this user */
-        user = key_user_lookup(uid, cred->user->user_ns);
+        user = key_user_lookup(uid, cred->user_ns);
        if (!user)
                goto no_memory_1;
diff --git a/security/keys/permission.c b/security/keys/permission.c
index c35b5229e3cd..e146cbd714bd 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
        key = key_ref_to_ptr(key_ref);
-        if (key->user->user_ns != cred->user->user_ns)
+        if (key->user->user_ns != cred->user_ns)
                goto use_other_perms;
        /* use the second 8-bits of permissions for keys the caller owns */
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index be7ecb2018dd..70febff06da9 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
        new-> sgid      = old-> sgid;
        new->fsgid      = old->fsgid;
        new->user       = get_uid(old->user);
-        new->user_ns    = new->user->user_ns;
+        new->user_ns    = new->user_ns;
        new->group_info = get_group_info(old->group_info);
        new->securebits = old->securebits;
author	Eric W. Biederman <ebiederm@xmission.com>	2011-11-17 02:15:31 -0500
committer	Eric W. Biederman <ebiederm@xmission.com>	2012-04-07 19:55:51 -0400
commit	c4a4d603796c727b9555867571f89483be9c565e (patch)
tree	ae3b47a7b8b35c866df53cb4b4a051d49a28904a /security
parent	7e6bd8fadd1216f50468f965d0308f45e5109ced (diff)

diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a7..8b3e10e2eac7 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -81,7 +81,7 @@ int cap_capable(const struct cred cred, struct user_namespace targ_ns,
81	return 0;	81	return 0;
82		82
83	/* Do we have the necessary capabilities? */	83	/* Do we have the necessary capabilities? */
84	if (targ_ns == cred->user->user_ns)	84	if (targ_ns == cred->user_ns)
85	return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;	85	return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
86		86
87	/* Have we tried all of the parent namespaces? */	87	/* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
136	rcu_read_lock();	136	rcu_read_lock();
137	cred = current_cred();	137	cred = current_cred();
138	child_cred = __task_cred(child);	138	child_cred = __task_cred(child);
139	if (cred->user->user_ns == child_cred->user->user_ns &&	139	if (cred->user_ns == child_cred->user_ns &&
140	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))	140	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
141	goto out;	141	goto out;
142	if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))	142	if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
143	goto out;	143	goto out;
144	ret = -EPERM;	144	ret = -EPERM;
145	out:	145	out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
168	rcu_read_lock();	168	rcu_read_lock();
169	cred = __task_cred(parent);	169	cred = __task_cred(parent);
170	child_cred = current_cred();	170	child_cred = current_cred();
171	if (cred->user->user_ns == child_cred->user->user_ns &&	171	if (cred->user_ns == child_cred->user_ns &&
172	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))	172	cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
173	goto out;	173	goto out;
174	if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))	174	if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
175	goto out;	175	goto out;
176	ret = -EPERM;	176	ret = -EPERM;
177	out:	177	out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
214	/* they are so limited unless the current task has the CAP_SETPCAP	214	/* they are so limited unless the current task has the CAP_SETPCAP
215	* capability	215	* capability
216	*/	216	*/
217	if (cap_capable(current_cred(), current_cred()->user->user_ns,	217	if (cap_capable(current_cred(), current_cred()->user_ns,
218	CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)	218	CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
219	return 0;	219	return 0;
220	return 1;	220	return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866	\|\| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /[2]/	866	\|\| ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /[2]/
867	\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/	867	\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/
868	\|\| (cap_capable(current_cred(),	868	\|\| (cap_capable(current_cred(),
869	current_cred()->user->user_ns, CAP_SETPCAP,	869	current_cred()->user_ns, CAP_SETPCAP,
870	SECURITY_CAP_AUDIT) != 0) /[4]/	870	SECURITY_CAP_AUDIT) != 0) /[4]/
871	/*	871	/*
872	* [1] no changing of bits that are locked	872	* [1] no changing of bits that are locked


diff --git a/security/keys/key.c b/security/keys/key.c index 06783cffb3af..7e6034793af3 100644 --- a/security/keys/key.c +++ b/security/keys/key.c
@@ -253,7 +253,7 @@ struct key key_alloc(struct key_type type, const char *desc,
253	quotalen = desclen + type->def_datalen;	253	quotalen = desclen + type->def_datalen;
254		254
255	/* get hold of the key tracking for this user */	255	/* get hold of the key tracking for this user */
256	user = key_user_lookup(uid, cred->user->user_ns);	256	user = key_user_lookup(uid, cred->user_ns);
257	if (!user)	257	if (!user)
258	goto no_memory_1;	258	goto no_memory_1;
259		259


diff --git a/security/keys/permission.c b/security/keys/permission.c index c35b5229e3cd..e146cbd714bd 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c
@@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
36		36
37	key = key_ref_to_ptr(key_ref);	37	key = key_ref_to_ptr(key_ref);
38		38
39	if (key->user->user_ns != cred->user->user_ns)	39	if (key->user->user_ns != cred->user_ns)
40	goto use_other_perms;	40	goto use_other_perms;
41		41
42	/* use the second 8-bits of permissions for keys the caller owns */	42	/* use the second 8-bits of permissions for keys the caller owns */


diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index be7ecb2018dd..70febff06da9 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
858	new-> sgid = old-> sgid;	858	new-> sgid = old-> sgid;
859	new->fsgid = old->fsgid;	859	new->fsgid = old->fsgid;
860	new->user = get_uid(old->user);	860	new->user = get_uid(old->user);
861	new->user_ns = new->user->user_ns;	861	new->user_ns = new->user_ns;
862	new->group_info = get_group_info(old->group_info);	862	new->group_info = get_group_info(old->group_info);
863		863
864	new->securebits = old->securebits;	864	new->securebits = old->securebits;