userns: Use cred->user_ns instead of cred->user->user_ns
authorEric W. Biederman <ebiederm@xmission.com>
Thu, 17 Nov 2011 07:15:31 +0000 (23:15 -0800)
committerEric W. Biederman <ebiederm@xmission.com>
Sat, 7 Apr 2012 23:55:51 +0000 (16:55 -0700)
Optimize performance and prepare for the removal of the user_ns reference
from user_struct.  Remove the slow long walk through cred->user->user_ns and
instead go straight to cred->user_ns.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
12 files changed:
fs/ecryptfs/messaging.c
ipc/namespace.c
kernel/ptrace.c
kernel/sched/core.c
kernel/signal.c
kernel/sys.c
kernel/user_namespace.c
kernel/utsname.c
security/commoncap.c
security/keys/key.c
security/keys/permission.c
security/keys/process_keys.c

index ab2248090515534dfd47b940b83aef63c696b545..a750f957b14567e68cab2aee69b7e5e2357a4da8 100644 (file)
@@ -303,7 +303,7 @@ int ecryptfs_process_response(struct ecryptfs_message *msg, uid_t euid,
                mutex_unlock(&ecryptfs_daemon_hash_mux);
                goto wake_up;
        }
-       tsk_user_ns = __task_cred(msg_ctx->task)->user->user_ns;
+       tsk_user_ns = __task_cred(msg_ctx->task)->user_ns;
        ctx_euid = task_euid(msg_ctx->task);
        rc = ecryptfs_find_daemon_by_euid(&daemon, ctx_euid, tsk_user_ns);
        rcu_read_unlock();
index ce0a647869b1e8797290930770bbfc9557d19fab..f362298c5ce465e3585dfd2cbfdd528e29e4790d 100644 (file)
@@ -46,7 +46,7 @@ static struct ipc_namespace *create_ipc_ns(struct task_struct *tsk,
        ipcns_notify(IPCNS_CREATED);
        register_ipcns_notifier(ns);
 
-       ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
+       ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
 
        return ns;
 }
index ee8d49b9c3094e9de1946c3d0cb1df4d3cb1cf71..24e0a5a94824b56396e9b515941b583a9725d350 100644 (file)
@@ -198,7 +198,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
                return 0;
        rcu_read_lock();
        tcred = __task_cred(task);
-       if (cred->user->user_ns == tcred->user->user_ns &&
+       if (cred->user_ns == tcred->user_ns &&
            (cred->uid == tcred->euid &&
             cred->uid == tcred->suid &&
             cred->uid == tcred->uid  &&
@@ -206,7 +206,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
             cred->gid == tcred->sgid &&
             cred->gid == tcred->gid))
                goto ok;
-       if (ptrace_has_cap(tcred->user->user_ns, mode))
+       if (ptrace_has_cap(tcred->user_ns, mode))
                goto ok;
        rcu_read_unlock();
        return -EPERM;
index 4603b9d8f30a362d15dc60e4bd0cd659fd7c3f89..96bff855b8666e2f82dee00e611e46030bc68f3e 100644 (file)
@@ -4042,7 +4042,7 @@ static bool check_same_owner(struct task_struct *p)
 
        rcu_read_lock();
        pcred = __task_cred(p);
-       if (cred->user->user_ns == pcred->user->user_ns)
+       if (cred->user_ns == pcred->user_ns)
                match = (cred->euid == pcred->euid ||
                         cred->euid == pcred->uid);
        else
index 17afcaf582d07a5bb8abf843a44d1f593403e473..e2c5d84f2dacaab913966308c74b8070aed3deb4 100644 (file)
@@ -767,14 +767,14 @@ static int kill_ok_by_cred(struct task_struct *t)
        const struct cred *cred = current_cred();
        const struct cred *tcred = __task_cred(t);
 
-       if (cred->user->user_ns == tcred->user->user_ns &&
+       if (cred->user_ns == tcred->user_ns &&
            (cred->euid == tcred->suid ||
             cred->euid == tcred->uid ||
             cred->uid  == tcred->suid ||
             cred->uid  == tcred->uid))
                return 1;
 
-       if (ns_capable(tcred->user->user_ns, CAP_KILL))
+       if (ns_capable(tcred->user_ns, CAP_KILL))
                return 1;
 
        return 0;
index f7a43514ac65163fb028daf9238eef2f0f854233..82d8714bbedecb8bb3c0063c33fdd271ed1f2462 100644 (file)
@@ -133,11 +133,11 @@ static bool set_one_prio_perm(struct task_struct *p)
 {
        const struct cred *cred = current_cred(), *pcred = __task_cred(p);
 
-       if (pcred->user->user_ns == cred->user->user_ns &&
+       if (pcred->user_ns == cred->user_ns &&
            (pcred->uid  == cred->euid ||
             pcred->euid == cred->euid))
                return true;
-       if (ns_capable(pcred->user->user_ns, CAP_SYS_NICE))
+       if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
                return true;
        return false;
 }
@@ -1498,7 +1498,7 @@ static int check_prlimit_permission(struct task_struct *task)
                return 0;
 
        tcred = __task_cred(task);
-       if (cred->user->user_ns == tcred->user->user_ns &&
+       if (cred->user_ns == tcred->user_ns &&
            (cred->uid == tcred->euid &&
             cred->uid == tcred->suid &&
             cred->uid == tcred->uid  &&
@@ -1506,7 +1506,7 @@ static int check_prlimit_permission(struct task_struct *task)
             cred->gid == tcred->sgid &&
             cred->gid == tcred->gid))
                return 0;
-       if (ns_capable(tcred->user->user_ns, CAP_SYS_RESOURCE))
+       if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
                return 0;
 
        return -EPERM;
index 3b906e98b1db5a6085cb8a115899a997f4863221..f084083a0fd3f9e119016baf52c3c2b3ce53c58a 100644 (file)
@@ -90,7 +90,7 @@ uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t
 {
        struct user_namespace *tmp;
 
-       if (likely(to == cred->user->user_ns))
+       if (likely(to == cred->user_ns))
                return uid;
 
 
@@ -112,7 +112,7 @@ gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t
 {
        struct user_namespace *tmp;
 
-       if (likely(to == cred->user->user_ns))
+       if (likely(to == cred->user_ns))
                return gid;
 
        /* Is cred->user the creator of the target user_ns
index 405caf91aad578f6ae1bfa48ace29262a550f431..679d97a5d3fdf95c7f22958bc3f8276dd0657984 100644 (file)
@@ -43,7 +43,7 @@ static struct uts_namespace *clone_uts_ns(struct task_struct *tsk,
 
        down_read(&uts_sem);
        memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
-       ns->user_ns = get_user_ns(task_cred_xxx(tsk, user)->user_ns);
+       ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
        up_read(&uts_sem);
        return ns;
 }
index 0cf4b53480a778ffeacd46149aa785c63db81c07..8b3e10e2eac7f9193f2c4950f2c27691bcd1c294 100644 (file)
@@ -81,7 +81,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
                        return 0;
 
                /* Do we have the necessary capabilities? */
-               if (targ_ns == cred->user->user_ns)
+               if (targ_ns == cred->user_ns)
                        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 
                /* Have we tried all of the parent namespaces? */
@@ -136,10 +136,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
        rcu_read_lock();
        cred = current_cred();
        child_cred = __task_cred(child);
-       if (cred->user->user_ns == child_cred->user->user_ns &&
+       if (cred->user_ns == child_cred->user_ns &&
            cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
                goto out;
-       if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
+       if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
                goto out;
        ret = -EPERM;
 out:
@@ -168,10 +168,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
        rcu_read_lock();
        cred = __task_cred(parent);
        child_cred = current_cred();
-       if (cred->user->user_ns == child_cred->user->user_ns &&
+       if (cred->user_ns == child_cred->user_ns &&
            cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
                goto out;
-       if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
+       if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
                goto out;
        ret = -EPERM;
 out:
@@ -214,7 +214,7 @@ static inline int cap_inh_is_capped(void)
        /* they are so limited unless the current task has the CAP_SETPCAP
         * capability
         */
-       if (cap_capable(current_cred(), current_cred()->user->user_ns,
+       if (cap_capable(current_cred(), current_cred()->user_ns,
                        CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
                return 0;
        return 1;
@@ -866,7 +866,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                    || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))   /*[2]*/
                    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))   /*[3]*/
                    || (cap_capable(current_cred(),
-                                   current_cred()->user->user_ns, CAP_SETPCAP,
+                                   current_cred()->user_ns, CAP_SETPCAP,
                                    SECURITY_CAP_AUDIT) != 0)           /*[4]*/
                        /*
                         * [1] no changing of bits that are locked
index 06783cffb3afa631fcca8efee90d17cc4f711b2c..7e6034793af3845447e69f2673cd47150b8c37cc 100644 (file)
@@ -253,7 +253,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
        quotalen = desclen + type->def_datalen;
 
        /* get hold of the key tracking for this user */
-       user = key_user_lookup(uid, cred->user->user_ns);
+       user = key_user_lookup(uid, cred->user_ns);
        if (!user)
                goto no_memory_1;
 
index c35b5229e3cdca80bcd6b44da70b5123871e1874..e146cbd714bd57e7c1a174301472dacf76a0b1bb 100644 (file)
@@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
 
        key = key_ref_to_ptr(key_ref);
 
-       if (key->user->user_ns != cred->user->user_ns)
+       if (key->user->user_ns != cred->user_ns)
                goto use_other_perms;
 
        /* use the second 8-bits of permissions for keys the caller owns */
index be7ecb2018dddd2190a606c0954b794a1317c28e..70febff06da914ffce830aaad683650070fc8bdb 100644 (file)
@@ -858,7 +858,7 @@ void key_replace_session_keyring(void)
        new-> sgid      = old-> sgid;
        new->fsgid      = old->fsgid;
        new->user       = get_uid(old->user);
-       new->user_ns    = new->user->user_ns;
+       new->user_ns    = new->user_ns;
        new->group_info = get_group_info(old->group_info);
 
        new->securebits = old->securebits;