Commits on Apr 15, 2015
  1. @iuliam

    kernel: conditionally support non-root users, groups and capabilities

    iuliam committed with
    There are a lot of embedded systems that run most or all of their
    functionality in init, running as root:root.  For these systems,
    supporting multiple users is not necessary.
    This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for
    non-root users, non-root groups, and capabilities optional.  It is enabled
    under CONFIG_EXPERT menu.
    When this symbol is not defined, UID and GID are zero in any possible case
    and processes always have all capabilities.
    The following syscalls are compiled out: setuid, setregid, setgid,
    setreuid, setresuid, getresuid, setresgid, getresgid, setgroups,
    getgroups, setfsuid, setfsgid, capget, capset.
    Also, groups.c is compiled out completely.
    In kernel/capability.c, capable function was moved in order to avoid
    adding two ifdef blocks.
    This change saves about 25 KB on a defconfig build.  The most minimal
    kernels have total text sizes in the high hundreds of kB rather than
    low MB.  (The 25k goes down a bit with allnoconfig, but not that much.)
    The kernel was booted in Qemu.  All the common functionalities work.
    Adding users/groups is not possible, failing with -ENOSYS.
    Bloat-o-meter output:
    add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)
    [ coding-style fixes]
    Signed-off-by: Iulia Manda <>
    Reviewed-by: Josh Triplett <>
    Acked-by: Geert Uytterhoeven <>
    Tested-by: Paul E. McKenney <>
    Reviewed-by: Paul E. McKenney <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
Commits on Dec 9, 2014
  1. @ebiederm

    userns: Don't allow setgroups until a gid mapping has been established

    ebiederm committed
    setgroups is unique in not needing a valid mapping before it can be called,
    in the case of setgroups(0, NULL) which drops all supplemental groups.
    The design of the user namespace assumes that CAP_SETGID can not actually
    be used until a gid mapping is established.  Therefore add a helper function
    to see if the user namespace gid mapping has been established and call
    that function in the setgroups permission check.
    This is part of the fix for CVE-2014-8989, being able to drop groups
    without privilege using user namespaces.
    Reviewed-by: Andy Lutomirski <>
    Signed-off-by: "Eric W. Biederman" <>
Commits on Dec 5, 2014
  1. @ebiederm

    groups: Consolidate the setgroups permission checks

    ebiederm committed
    Today there are 3 instances of setgroups and due to an oversight their
    permission checking has diverged.  Add a common function so that
    they may all share the same permission checking code.
    This corrects the current oversight in the current permission checks
    and adds a helper to avoid this in the future.
    A user namespace security fix will update this new helper, shortly.
    Signed-off-by: "Eric W. Biederman" <>
Commits on Apr 3, 2014
  1. @udknight

    kernel/groups.c: remove return value of set_groups

    udknight committed with
    After commit 6307f8f ("security: remove dead hook task_setgroups"),
    set_groups will always return zero, so we could just remove return value
    of set_groups.
    This patch reduces code size, and simplifies code to use set_groups,
    because we don't need to check its return value any more.
    [ remove obsolete claims from set_groups() comment]
    Signed-off-by: Wang YanQing <>
    Cc: "Eric W. Biederman" <>
    Cc: Serge Hallyn <>
    Cc: Eric Paris <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
Commits on Aug 31, 2013
  1. @ebiederm

    userns: Kill nsown_capable it makes the wrong thing easy

    ebiederm committed
    nsown_capable is a special case of ns_capable essentially for just CAP_SETUID and
    CAP_SETGID.  For the existing users it doesn't noticeably simplify things and
    from the suggested patches I have seen it encourages people to do the wrong
    thing.  So remove nsown_capable.
    Acked-by: Serge Hallyn <>
    Signed-off-by: "Eric W. Biederman" <>
Commits on May 3, 2012
  1. @ebiederm

    userns: Convert in_group_p and in_egroup_p to use kgid_t

    ebiederm committed
    Acked-by: Serge Hallyn <>
    Signed-off-by: Eric W. Biederman <>
  2. @ebiederm

    userns: Convert group_info values from gid_t to kgid_t.

    ebiederm committed
    As a first step to converting struct cred to be all kuid_t and kgid_t
    values convert the group values stored in group_info to always be
    kgid_t values.   Unless user namespaces are used this change should
    have no effect.
    Acked-by: Serge Hallyn <>
    Signed-off-by: Eric W. Biederman <>
Commits on Oct 31, 2011
  1. @paulgortmaker

    kernel: Map most files to use export.h instead of module.h

    paulgortmaker committed
    The changed files were only including linux/module.h for the
    EXPORT_SYMBOL infrastructure, and nothing else.  Revector them
    onto the isolated export header for faster compile times.
    Nothing to see here but a whole lot of instances of:
      -#include <linux/module.h>
      +#include <linux/export.h>
    This commit is only changing the kernel dir; next targets
    will probably be mm, fs, the arch dirs, etc.
    Signed-off-by: Paul Gortmaker <>
Commits on Mar 24, 2011
  1. @hallyn

    userns: user namespaces: convert several capable() calls

    hallyn committed with
    CAP_IPC_OWNER and CAP_IPC_LOCK can be checked against current_user_ns(),
    because the resource comes from current's own ipc namespace.
    setuid/setgid are to uids in own namespace, so again checks can be against
    	Jan 11: Use task_ns_capable() in place of sched_capable().
    	Jan 11: Use nsown_capable() as suggested by Bastian Blank.
    	Jan 11: Clarify (hopefully) some logic in futex and sched.c
    	Feb 15: use ns_capable for ipc, not nsown_capable
    	Feb 23: let copy_ipcs handle setting ipc_ns->user_ns
    	Feb 23: pass ns down rather than taking it from current
    [ coding-style fixes]
    Signed-off-by: Serge E. Hallyn <>
    Acked-by: "Eric W. Biederman" <>
    Acked-by: Daniel Lezcano <>
    Acked-by: David Howells <>
    Cc: James Morris <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
Commits on Sep 10, 2010
  1. kernel/groups.c: fix integer overflow in groups_search

    Jerome Marchand committed with
    gid_t is an unsigned int.  If group_info contains a gid greater than
    MAX_INT, groups_search() function may look on the wrong side of the search
    This solves some unfair "permission denied" problems.
    Signed-off-by: Jerome Marchand <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
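The comparison hazard described in the groups_search commit above, as an added C illustration that is not the kernel's code and not part of the original page. It assumes the search ordered entries through a signed difference; `ex_gid_t`, both function names and the sample gids are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ex_gid_t;   /* hypothetical stand-in for an unsigned 32-bit gid_t */

/* Constructed sample: a sorted group list holding gids above INT_MAX. */
static const ex_gid_t sample_groups[] = { 10u, 3000000000u, 4000000000u };
#define SAMPLE_COUNT 3u

/* Binary search that orders entries by a signed difference (the hazard). */
static int search_signed_diff(const ex_gid_t *g, unsigned int n, ex_gid_t grp)
{
    unsigned int left = 0, right = n;

    while (left < right) {
        unsigned int mid = left + (right - left) / 2;
        /* 10 - 3000000000 wraps to 1294967306, positive as an int32_t */
        int32_t cmp = (int32_t)(grp - g[mid]);

        if (cmp > 0)
            left = mid + 1;      /* wrong half when the difference wrapped */
        else if (cmp < 0)
            right = mid;
        else
            return 1;
    }
    return 0;
}

/* Same search with direct unsigned comparisons: no intermediate difference. */
static int search_direct(const ex_gid_t *g, unsigned int n, ex_gid_t grp)
{
    unsigned int left = 0, right = n;

    while (left < right) {
        unsigned int mid = left + (right - left) / 2;

        if (grp > g[mid])
            left = mid + 1;
        else if (grp < g[mid])
            right = mid;
        else
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("signed diff, gid 10: %d\n", search_signed_diff(sample_groups, SAMPLE_COUNT, 10u));
    printf("direct,      gid 10: %d\n", search_direct(sample_groups, SAMPLE_COUNT, 10u));
    return 0;
}
```

With the signed difference, a process that is a member of gid 10 is reported as a non-member once the list also contains gids above INT_MAX, which matches the spurious "permission denied" symptom the commit message mentions.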
Commits on Apr 12, 2010
  1. @eparis

    security: remove dead hook task_setgroups

    eparis committed with James Morris
    Unused hook.  Remove.
    Signed-off-by: Eric Paris <>
    Signed-off-by: James Morris <>
Commits on Jun 17, 2009
  1. groups: move code to kernel/groups.c

    Alexey Dobriyan committed with
    Move supplementary groups implementation to kernel/groups.c.
    kernel/sys.c already accumulated quite a lot of random stuff.
    Do strictly copy/paste + add required headers to compile.  Compile-tested
    on many configs and archs.
    Signed-off-by: Alexey Dobriyan <>
    Cc: Ingo Molnar <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>