
Commit 2813893f authored by Iulia Manda, committed by Linus Torvalds

kernel: conditionally support non-root users, groups and capabilities



There are a lot of embedded systems that run most or all of their
functionality in init, running as root:root.  For these systems,
supporting multiple users is not necessary.

This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for
non-root users, non-root groups, and capabilities optional.  It is enabled
under CONFIG_EXPERT menu.

When this symbol is not defined, UID and GID are zero in any possible case
and processes always have all capabilities.

The following syscalls are compiled out: setuid, setregid, setgid,
setreuid, setresuid, getresuid, setresgid, getresgid, setgroups,
getgroups, setfsuid, setfsgid, capget, capset.

Also, groups.c is compiled out completely.

In kernel/capability.c, capable function was moved in order to avoid
adding two ifdef blocks.

This change saves about 25 KB on a defconfig build.  The most minimal
kernels have total text sizes in the high hundreds of kB rather than
low MB.  (The 25k goes down a bit with allnoconfig, but not that much.)

The kernel was booted in Qemu.  All the common functionalities work.
Adding users/groups is not possible, failing with -ENOSYS.

Bloat-o-meter output:
add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Iulia Manda <iulia.manda21@gmail.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent c79574ab
+1 −0
@@ -328,6 +328,7 @@ config COMPAT
	select COMPAT_BINFMT_ELF if BINFMT_ELF
	select ARCH_WANT_OLD_COMPAT_IPC
	select COMPAT_OLD_SIGACTION
	depends on MULTIUSER
	help
	  Select this option if you want to enable your system kernel to
	  handle system-calls from ELF binaries for 31 bit ESA.  This option
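Review bot: `depends on MULTIUSER` on `config COMPAT` is added with no stated reason, and the changelog only lists the native syscalls that are compiled out, not why compat syscall handling cannot be built without them. Say in the commit message which compat code needs the removed uid/gid or capability syscalls, so the dependency can be dropped later if that code gains its own guard. Also consider placing the new line above the `select` block so that dependencies are read before the selections.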
+1 −0
@@ -10,6 +10,7 @@ config LUSTRE_FS
	select CRYPTO_SHA1
	select CRYPTO_SHA256
	select CRYPTO_SHA512
	depends on MULTIUSER
	help
	  This option enables Lustre file system client support. Choose Y
	  here if you want to access a Lustre file system cluster. To compile
+1 −1
config NFS_FS
	tristate "NFS client support"
	depends on INET && FILE_LOCKING
	depends on INET && FILE_LOCKING && MULTIUSER
	select LOCKD
	select SUNRPC
	select NFS_ACL_SUPPORT if NFS_V3_ACL
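Review bot: in `config NFS_FS` the new dependency is folded into the existing expression (`depends on INET && FILE_LOCKING && MULTIUSER`), while the COMPAT, LUSTRE_FS and NFSD hunks each add a separate `depends on MULTIUSER` line after their `select` lines. Use one form across the patch so that a later grep for the dependency finds every user. The changelog also does not say why the NFS client cannot be built without multi-user support; one sentence on that would help anyone trying to relax this later.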
+1 −0
@@ -6,6 +6,7 @@ config NFSD
	select SUNRPC
	select EXPORTFS
	select NFS_ACL_SUPPORT if NFSD_V2_ACL
	depends on MULTIUSER
	help
	  Choose Y here if you want to allow other computers to access
	  files residing on this system using Sun's Network File System
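Review bot: the `depends on MULTIUSER` line in `config NFSD` sits between the last `select` and `help`, and the help text is unchanged, so with MULTIUSER disabled the NFS server prompt simply disappears from the menu with no hint why. If the help text of the new MULTIUSER symbol (not shown here) does not already list the options it disables, add that there, since this option is reached through CONFIG_EXPERT and its side effects are easy to miss.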
+29 −0
@@ -205,6 +205,7 @@ static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
			   cap_intersect(permitted, __cap_nfsd_set));
}

#ifdef CONFIG_MULTIUSER
extern bool has_capability(struct task_struct *t, int cap);
extern bool has_ns_capability(struct task_struct *t,
			      struct user_namespace *ns, int cap);
@@ -213,6 +214,34 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
				      struct user_namespace *ns, int cap);
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
#else
static inline bool has_capability(struct task_struct *t, int cap)
{
	return true;
}
static inline bool has_ns_capability(struct task_struct *t,
			      struct user_namespace *ns, int cap)
{
	return true;
}
static inline bool has_capability_noaudit(struct task_struct *t, int cap)
{
	return true;
}
static inline bool has_ns_capability_noaudit(struct task_struct *t,
				      struct user_namespace *ns, int cap)
{
	return true;
}
static inline bool capable(int cap)
{
	return true;
}
static inline bool ns_capable(struct user_namespace *ns, int cap)
{
	return true;
}
#endif /* CONFIG_MULTIUSER */
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
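Review bot: in the `#else` branch, has_capability(), has_ns_capability(), both _noaudit variants, capable() and ns_capable() all return true with no comment, so with CONFIG_MULTIUSER unset every caller that uses one of these as its only permission gate is ungated by construction. Add a short comment above the stubs stating that this is intended because, per the changelog, UID and GID are always zero and processes always have all capabilities. Separately, capable_wrt_inode_uidgid() and file_ns_capable() stay as plain extern declarations below the `#endif` with no inline stub, so their definitions have to remain outside any CONFIG_MULTIUSER guard; worth confirming against the kernel/capability.c part of the patch, which is not shown here.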
