Commit 078de5f7 authored by Eric W. Biederman's avatar Eric W. Biederman
Browse files

userns: Store uid and gid values in struct cred with kuid_t and kgid_t types 



cred.h and a few trivial users of struct cred are changed.  The rest of the users
of struct cred are left for other patches as there are too many changes to make
in one go and leave the change reviewable.  If the user namespace is disabled and
CONFIG_UIDGID_STRICT_TYPE_CHECKS are disabled the code will contiue to compile
and behave correctly.

Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent ae2975bc

arch/x86/mm/fault.c

+1 −1
Original line number Diff line number Diff line
@@ -582,7 +582,7 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, 
		pte_t *pte = lookup_address(address, &level);



		if (pte && pte_present(*pte) && !pte_exec(*pte))

			printk(nx_warning, current_uid());

			printk(nx_warning, from_kuid(&init_user_ns, current_uid()));

	}



	printk(KERN_ALERT "BUG: unable to handle kernel ");

fs/ioprio.c

+2 −6
Original line number Diff line number Diff line
@@ -123,9 +123,7 @@ SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) 
				break;



			do_each_thread(g, p) {

				const struct cred *tcred = __task_cred(p);

				kuid_t tcred_uid = make_kuid(tcred->user_ns, tcred->uid);

				if (!uid_eq(tcred_uid, uid))

				if (!uid_eq(task_uid(p), uid))

					continue;

				ret = set_task_ioprio(p, ioprio);

				if (ret)
@@ -220,9 +218,7 @@ SYSCALL_DEFINE2(ioprio_get, int, which, int, who) 
				break;



			do_each_thread(g, p) {

				const struct cred *tcred = __task_cred(p);

				kuid_t tcred_uid = make_kuid(tcred->user_ns, tcred->uid);

				if (!uid_eq(tcred_uid, user->uid))

				if (!uid_eq(task_uid(p), user->uid))

					continue;

				tmpio = get_task_ioprio(p);

				if (tmpio < 0)

include/linux/cred.h

+8 −8
Original line number Diff line number Diff line
@@ -123,14 +123,14 @@ struct cred { 
#define CRED_MAGIC	0x43736564

#define CRED_MAGIC_DEAD	0x44656144

#endif

	uid_t		uid;		/* real UID of the task */

	gid_t		gid;		/* real GID of the task */

	uid_t		suid;		/* saved UID of the task */

	gid_t		sgid;		/* saved GID of the task */

	uid_t		euid;		/* effective UID of the task */

	gid_t		egid;		/* effective GID of the task */

	uid_t		fsuid;		/* UID for VFS ops */

	gid_t		fsgid;		/* GID for VFS ops */

	kuid_t		uid;		/* real UID of the task */

	kgid_t		gid;		/* real GID of the task */

	kuid_t		suid;		/* saved UID of the task */

	kgid_t		sgid;		/* saved GID of the task */

	kuid_t		euid;		/* effective UID of the task */

	kgid_t		egid;		/* effective GID of the task */

	kuid_t		fsuid;		/* UID for VFS ops */

	kgid_t		fsgid;		/* GID for VFS ops */

	unsigned	securebits;	/* SUID-less security management */

	kernel_cap_t	cap_inheritable; /* caps our children can inherit */

	kernel_cap_t	cap_permitted;	/* caps we're permitted */

include/linux/user_namespace.h

+4 −4
Original line number Diff line number Diff line
@@ -70,15 +70,15 @@ static inline void put_user_ns(struct user_namespace *ns) 
#endif



static inline uid_t user_ns_map_uid(struct user_namespace *to,

	const struct cred *cred, uid_t uid)

	const struct cred *cred, kuid_t uid)

{

	return from_kuid_munged(to, make_kuid(cred->user_ns, uid));

	return from_kuid_munged(to, uid);

}



static inline gid_t user_ns_map_gid(struct user_namespace *to,

	const struct cred *cred, gid_t gid)

	const struct cred *cred, kgid_t gid)

{

	return from_kgid_munged(to, make_kgid(cred->user_ns, gid));

	return from_kgid_munged(to, gid);

}



#endif /* _LINUX_USER_H */

kernel/cred.c

+22 −14
Original line number Diff line number Diff line
@@ -49,6 +49,14 @@ struct cred init_cred = { 
	.subscribers		= ATOMIC_INIT(2),

	.magic			= CRED_MAGIC,

#endif

	.uid			= GLOBAL_ROOT_UID,

	.gid			= GLOBAL_ROOT_GID,

	.suid			= GLOBAL_ROOT_UID,

	.sgid			= GLOBAL_ROOT_GID,

	.euid			= GLOBAL_ROOT_UID,

	.egid			= GLOBAL_ROOT_GID,

	.fsuid			= GLOBAL_ROOT_UID,

	.fsgid			= GLOBAL_ROOT_GID,

	.securebits		= SECUREBITS_DEFAULT,

	.cap_inheritable	= CAP_EMPTY_SET,

	.cap_permitted		= CAP_FULL_SET,
@@ -488,10 +496,10 @@ int commit_creds(struct cred *new) 
	get_cred(new); /* we will require a ref for the subj creds too */



	/* dumpability changes */

	if (old->euid != new->euid ||

	    old->egid != new->egid ||

	    old->fsuid != new->fsuid ||

	    old->fsgid != new->fsgid ||

	if (!uid_eq(old->euid, new->euid) ||

	    !gid_eq(old->egid, new->egid) ||

	    !uid_eq(old->fsuid, new->fsuid) ||

	    !gid_eq(old->fsgid, new->fsgid) ||

	    !cap_issubset(new->cap_permitted, old->cap_permitted)) {

		if (task->mm)

			set_dumpable(task->mm, suid_dumpable);
@@ -500,9 +508,9 @@ int commit_creds(struct cred *new) 
	}



	/* alter the thread keyring */

	if (new->fsuid != old->fsuid)

	if (!uid_eq(new->fsuid, old->fsuid))

		key_fsuid_changed(task);

	if (new->fsgid != old->fsgid)

	if (!gid_eq(new->fsgid, old->fsgid))

		key_fsgid_changed(task);



	/* do it
@@ -519,16 +527,16 @@ int commit_creds(struct cred *new) 
	alter_cred_subscribers(old, -2);



	/* send notifications */

	if (new->uid   != old->uid  ||

	    new->euid  != old->euid ||

	    new->suid  != old->suid ||

	    new->fsuid != old->fsuid)

	if (!uid_eq(new->uid,   old->uid)  ||

	    !uid_eq(new->euid,  old->euid) ||

	    !uid_eq(new->suid,  old->suid) ||

	    !uid_eq(new->fsuid, old->fsuid))

		proc_id_connector(task, PROC_EVENT_UID);



	if (new->gid   != old->gid  ||

	    new->egid  != old->egid ||

	    new->sgid  != old->sgid ||

	    new->fsgid != old->fsgid)

	if (!gid_eq(new->gid,   old->gid)  ||

	    !gid_eq(new->egid,  old->egid) ||

	    !gid_eq(new->sgid,  old->sgid) ||

	    !gid_eq(new->fsgid, old->fsgid))

		proc_id_connector(task, PROC_EVENT_GID);



	/* release the old obj and subj refs both */

CRA Git | Maintained and supported by SUSTech CRA and CCSE