mirror of
https://github.com/Fishwaldo/linux-bl808.git
synced 2025-06-17 20:25:19 +00:00
kernel: conditionally support non-root users, groups and capabilities
There are a lot of embedded systems that run most or all of their functionality in init, running as root:root. For these systems, supporting multiple users is not necessary. This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for non-root users, non-root groups, and capabilities optional. It is enabled under CONFIG_EXPERT menu. When this symbol is not defined, UID and GID are zero in any possible case and processes always have all capabilities. The following syscalls are compiled out: setuid, setregid, setgid, setreuid, setresuid, getresuid, setresgid, getresgid, setgroups, getgroups, setfsuid, setfsgid, capget, capset. Also, groups.c is compiled out completely. In kernel/capability.c, capable function was moved in order to avoid adding two ifdef blocks. This change saves about 25 KB on a defconfig build. The most minimal kernels have total text sizes in the high hundreds of kB rather than low MB. (The 25k goes down a bit with allnoconfig, but not that much. The kernel was booted in Qemu. All the common functionalities work. Adding users/groups is not possible, failing with -ENOSYS. Bloat-o-meter output: add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650) [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Iulia Manda <iulia.manda21@gmail.com> Reviewed-by: Josh Triplett <josh@joshtriplett.org> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Iulia Manda
Linus Torvalds
parent
c79574abe2
commit
2813893f8b
16 changed files with 126 additions and 26 deletions
|
|
@ -62,9 +62,27 @@ do { \
|
|||
groups_free(group_info); \
|
||||
} while (0)
|
||||
|
||||
extern struct group_info *groups_alloc(int);
|
||||
extern struct group_info init_groups;
|
||||
#ifdef CONFIG_MULTIUSER
|
||||
extern struct group_info *groups_alloc(int);
|
||||
extern void groups_free(struct group_info *);
|
||||
|
||||
extern int in_group_p(kgid_t);
|
||||
extern int in_egroup_p(kgid_t);
|
||||
#else
|
||||
static inline void groups_free(struct group_info *group_info)
|
||||
{
|
||||
}
|
||||
|
||||
static inline int in_group_p(kgid_t grp)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
static inline int in_egroup_p(kgid_t grp)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
extern int set_current_groups(struct group_info *);
|
||||
extern void set_groups(struct cred *, struct group_info *);
|
||||
extern int groups_search(const struct group_info *, kgid_t);
|
||||
|
|
@ -74,9 +92,6 @@ extern bool may_setgroups(void);
|
|||
#define GROUP_AT(gi, i) \
|
||||
((gi)->blocks[(i) / NGROUPS_PER_BLOCK][(i) % NGROUPS_PER_BLOCK])
|
||||
|
||||
extern int in_group_p(kgid_t);
|
||||
extern int in_egroup_p(kgid_t);
|
||||
|
||||
/*
|
||||
* The security context of a task
|
||||
*
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue