WRITE_ONCE(me->self_exec_id, me->self_exec_id + 1);
flush_signal_handlers(me, 0);
- retval = set_cred_ucounts(bprm->cred);
- if (retval < 0)
- goto out_unlock;
-
/*
* install the new credentials for this executable
*/
#endif
struct user_struct *user; /* real user ID subscription */
struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
- struct ucounts *ucounts;
struct group_info *group_info; /* supplementary groups for euid/fsgid */
/* RCU deletion */
union {
extern int set_create_files_as(struct cred *, struct inode *);
extern int cred_fscmp(const struct cred *, const struct cred *);
extern void __init cred_init(void);
-extern int set_cred_ucounts(struct cred *);
/*
* check for validity of credentials
};
extern struct user_namespace init_user_ns;
-extern struct ucounts init_ucounts;
bool setup_userns_sysctls(struct user_namespace *ns);
void retire_userns_sysctls(struct user_namespace *ns);
struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
-struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
-struct ucounts *get_ucounts(struct ucounts *ucounts);
-void put_ucounts(struct ucounts *ucounts);
#ifdef CONFIG_USER_NS
.user = INIT_USER,
.user_ns = &init_user_ns,
.group_info = &init_groups,
- .ucounts = &init_ucounts,
};
static inline void set_cred_subscribers(struct cred *cred, int n)
if (cred->group_info)
put_group_info(cred->group_info);
free_uid(cred->user);
- if (cred->ucounts)
- put_ucounts(cred->ucounts);
put_user_ns(cred->user_ns);
kmem_cache_free(cred_jar, cred);
}
#ifdef CONFIG_DEBUG_CREDENTIALS
new->magic = CRED_MAGIC;
#endif
- new->ucounts = get_ucounts(&init_ucounts);
if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
goto error;
if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
goto error;
-
- new->ucounts = get_ucounts(new->ucounts);
- if (!new->ucounts)
- goto error;
-
validate_creds(new);
return new;
ret = create_user_ns(new);
if (ret < 0)
goto error_put;
- if (set_cred_ucounts(new) < 0)
- goto error_put;
}
#ifdef CONFIG_KEYS
}
EXPORT_SYMBOL(cred_fscmp);
-int set_cred_ucounts(struct cred *new)
-{
- struct task_struct *task = current;
- const struct cred *old = task->real_cred;
- struct ucounts *old_ucounts = new->ucounts;
-
- if (new->user == old->user && new->user_ns == old->user_ns)
- return 0;
-
- /*
- * This optimization is needed because alloc_ucounts() uses locks
- * for table lookups.
- */
- if (old_ucounts && old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->euid))
- return 0;
-
- if (!(new->ucounts = alloc_ucounts(new->user_ns, new->euid)))
- return -EAGAIN;
-
- if (old_ucounts)
- put_ucounts(old_ucounts);
-
- return 0;
-}
-
/*
* initialise the credentials stuff
*/
if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
goto error;
- new->ucounts = get_ucounts(new->ucounts);
- if (!new->ucounts)
- goto error;
-
put_cred(old);
validate_creds(new);
return new;
if (err)
goto bad_unshare_cleanup_cred;
- if (new_cred) {
- err = set_cred_ucounts(new_cred);
- if (err)
- goto bad_unshare_cleanup_cred;
- }
-
if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
if (do_sysvsem) {
/*
if (retval < 0)
goto error;
- retval = set_cred_ucounts(new);
- if (retval < 0)
- goto error;
-
return commit_creds(new);
error:
if (retval < 0)
goto error;
- retval = set_cred_ucounts(new);
- if (retval < 0)
- goto error;
-
return commit_creds(new);
error:
if (retval < 0)
goto error;
- retval = set_cred_ucounts(new);
- if (retval < 0)
- goto error;
-
return commit_creds(new);
error:
#include <linux/kmemleak.h>
#include <linux/user_namespace.h>
-struct ucounts init_ucounts = {
- .ns = &init_user_ns,
- .uid = GLOBAL_ROOT_UID,
- .count = 1,
-};
-
#define UCOUNTS_HASHTABLE_BITS 10
static struct hlist_head ucounts_hashtable[(1 << UCOUNTS_HASHTABLE_BITS)];
static DEFINE_SPINLOCK(ucounts_lock);
return NULL;
}
-static void hlist_add_ucounts(struct ucounts *ucounts)
-{
- struct hlist_head *hashent = ucounts_hashentry(ucounts->ns, ucounts->uid);
- spin_lock_irq(&ucounts_lock);
- hlist_add_head(&ucounts->node, hashent);
- spin_unlock_irq(&ucounts_lock);
-}
-
-struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid)
+static struct ucounts *get_ucounts(struct user_namespace *ns, kuid_t uid)
{
struct hlist_head *hashent = ucounts_hashentry(ns, uid);
struct ucounts *ucounts, *new;
return ucounts;
}
-struct ucounts *get_ucounts(struct ucounts *ucounts)
-{
- unsigned long flags;
-
- if (!ucounts)
- return NULL;
-
- spin_lock_irqsave(&ucounts_lock, flags);
- if (ucounts->count == INT_MAX) {
- WARN_ONCE(1, "ucounts: counter has reached its maximum value");
- ucounts = NULL;
- } else {
- ucounts->count += 1;
- }
- spin_unlock_irqrestore(&ucounts_lock, flags);
-
- return ucounts;
-}
-
-void put_ucounts(struct ucounts *ucounts)
+static void put_ucounts(struct ucounts *ucounts)
{
unsigned long flags;
{
struct ucounts *ucounts, *iter, *bad;
struct user_namespace *tns;
- ucounts = alloc_ucounts(ns, uid);
+ ucounts = get_ucounts(ns, uid);
for (iter = ucounts; iter; iter = tns->ucounts) {
int max;
tns = iter->ns;
BUG_ON(!user_header);
BUG_ON(!setup_userns_sysctls(&init_user_ns));
#endif
- hlist_add_ucounts(&init_ucounts);
return 0;
}
subsys_initcall(user_namespace_sysctl_init);
put_user_ns(cred->user_ns);
set_cred_user_ns(cred, get_user_ns(user_ns));
- if (set_cred_ucounts(cred) < 0)
- return -EINVAL;
-
return 0;
}
projects / linux-block.git / commitdiff