Add a new symbol that permits compiling out support for non-root users. As
capabilities depend on the existence of multiple users, they are also stubbed
out if we only keep the root user.
When this symbol is not defined, UID and GID are zero in any possible case.
Also, the corresponding syscalls are compiled out.
This patch saves 24447 bytes. Check the attachment for the bloat-o-meter
output.
Signed-off-by: Iulia Manda <
iulia....@gmail.com>
---
include/linux/capability.h | 11 +++++++++++
include/linux/uidgid.h | 13 ++++++++++++-
init/Kconfig | 12 ++++++++++++
kernel/capability.c | 6 ++++++
kernel/sys.c | 3 ++-
kernel/sys_ni.c | 10 ++++++++++
6 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index aa93e5e..79f098b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -211,8 +211,19 @@ extern bool has_ns_capability(struct task_struct *t,
extern bool has_capability_noaudit(struct task_struct *t, int cap);
extern bool has_ns_capability_noaudit(struct task_struct *t,
struct user_namespace *ns, int cap);
+#ifdef CONFIG_NON_ROOT
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
+#else
+static inline bool capable(int cap)
+{
+ return true;
+}
+static inline bool ns_capable(struct user_namespace *ns, int cap)
+{
+ return true;
+}
+#endif /* CONFIG_NON_ROOT */
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
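Review bot: With CONFIG_NON_ROOT unset, the new stubs make `capable()` and `ns_capable()` return true unconditionally, while `has_capability_noaudit()`, `has_ns_capability_noaudit()`, `capable_wrt_inode_uidgid()` and `file_ns_capable()` next to them stay `extern` and keep their out-of-line implementations. The kernel then has two families of privilege checks answered by different logic; either stub the whole family under the same `#else`, or document the split above the stubs, e.g. `/* Root-only kernel: every capability check succeeds. */`. If the out-of-line versions consult a security-module hook (their bodies are not in this patch), a kernel built with an LSM would silently lose that mediation for these two calls. That would argue for making `SECURITY` depend on `NON_ROOT`, which is worth confirming.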
diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
index 2d1f9b6..70da49a 100644
--- a/include/linux/uidgid.h
+++ b/include/linux/uidgid.h
@@ -29,15 +29,26 @@ typedef struct {
#define KUIDT_INIT(value) (kuid_t){ value }
#define KGIDT_INIT(value) (kgid_t){ value }
+#ifdef CONFIG_NON_ROOT
static inline uid_t __kuid_val(kuid_t uid)
{
return uid.val;
}
-
static inline gid_t __kgid_val(kgid_t gid)
{
return gid.val;
}
+#else
+static inline uid_t __kuid_val(kuid_t uid)
+{
+ return 0;
+}
+static inline gid_t __kgid_val(kgid_t gid)
+{
+ return 0;
+}
+#endif
+
#define GLOBAL_ROOT_UID KUIDT_INIT(0)
#define GLOBAL_ROOT_GID KGIDT_INIT(0)
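Review bot: The `#else` stubs make `__kuid_val()` and `__kgid_val()` return 0 for every input, including a `kuid_t` built with `KUIDT_INIT((uid_t)-1)`, so any helper that recognises an invalid or unmapped id by comparing the unwrapped value with -1 would now see root instead. Such helpers are not visible in this hunk, so this needs checking in the rest of uidgid.h and in filesystem code that loads owner ids from disk. If the collapse is intended, say so above the stubs, e.g. `/* Root-only kernel: every kuid_t/kgid_t, valid or not, reads back as 0. */`. The hunk also drops the blank line between the two original accessors, and the closing `#endif` lacks the `/* CONFIG_NON_ROOT */` tag used in capability.h.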
diff --git a/init/Kconfig b/init/Kconfig
index 9afb971..d7f5924 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -394,6 +394,7 @@ endchoice
config BSD_PROCESS_ACCT
bool "BSD Process Accounting"
+ select NON_ROOT
help
If you say Y here, a user level program will be able to instruct the
kernel (via a special system call) to write process accounting
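Review bot: `select NON_ROOT` under BSD_PROCESS_ACCT forces a symbol that has its own prompt to y regardless of what the user chose, and the same applies to the `select` under TASKSTATS in the next hunk. NAMESPACES in the third hunk uses `depends on NON_ROOT` instead; the patch would be more predictable if all three used `depends on NON_ROOT`, so that a root-only configuration is never silently turned back into a multi-user one. The description does not say why accounting and taskstats need multiple users, so a sentence in the commit message would help.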
@@ -420,6 +421,7 @@ config BSD_PROCESS_ACCT_V3
config TASKSTATS
bool "Export task/process statistics through netlink"
depends on NET
+ select NON_ROOT
default n
help
Export selected statistics for tasks/processes through the
@@ -1140,6 +1142,7 @@ config CHECKPOINT_RESTORE
menuconfig NAMESPACES
bool "Namespaces support" if EXPERT
+ depends on NON_ROOT
default !EXPERT
help
Provides the way to make tasks work with different objects using
@@ -1357,6 +1360,15 @@ config UID16
help
This enables the legacy 16-bit UID syscall wrappers.
+config NON_ROOT
+ bool "Enable support for multiple users" if EXPERT
+ default y
+ help
+ This option enables support for non-root users.
+ If not set, capabilities are also disabled.
+
+ Leave this option as it is if unsure.
+
config SGETMASK_SYSCALL
bool "sgetmask/ssetmask syscalls support" if EXPERT
def_bool PARISC || MN10300 || BLACKFIN || M68K || PPC || MIPS || X86 || SPARC || CRIS || MICROBLAZE || SUPERH
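Review bot: The help text for NON_ROOT says only that capabilities are "also disabled", which undersells the effect: per the rest of this patch every `capable()` check succeeds, all ids read back as 0, and the set*id and capget/capset syscalls are compiled out. That is a security-relevant trade-off and the help should state it, e.g. `If not set, all processes run as root, every capability check succeeds and the setuid()/setgid() family and capget()/capset() return ENOSYS.` The closing line would also read better in the usual form, `If unsure, say Y.`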
diff --git a/kernel/capability.c b/kernel/capability.c
index 989f5bf..bead84a 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -35,6 +35,7 @@ static int __init file_caps_disable(char *str)
}
__setup("no_file_caps", file_caps_disable);
+#ifdef CONFIG_NON_ROOT
/*
* More recent versions of libcap are available from:
*
@@ -279,6 +280,7 @@ error:
abort_creds(new);
return ret;
}
+#endif
/**
* has_ns_capability - Does a task have a capability in a specific user ns
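Review bot: The `#endif` added here closes an `#ifdef CONFIG_NON_ROOT` opened roughly 245 lines earlier (the hunk headers put the opening at new line 38 and this one at 283), and it carries no tag, so a reader landing here cannot tell which condition ends. Write `#endif /* CONFIG_NON_ROOT */`, as the patch already does in capability.h. The same applies to the bare `#endif` lines after `EXPORT_SYMBOL(ns_capable)` and `EXPORT_SYMBOL(capable)` and to the one in kernel/sys.c. The guarded region itself lies outside the hunks, so what it compiles out (presumably the capget/capset syscalls, given the sys_ni.c entries) cannot be confirmed from here.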
@@ -360,6 +362,7 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
return has_ns_capability_noaudit(t, &init_user_ns, cap);
}
+#ifdef CONFIG_NON_ROOT
/**
* ns_capable - Determine if the current task has a superior capability in effect
* @ns: The usernamespace we want the capability in
@@ -385,6 +388,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
return false;
}
EXPORT_SYMBOL(ns_capable);
+#endif
/**
* file_ns_capable - Determine if the file's opener had a capability in effect
@@ -411,6 +415,7 @@ bool file_ns_capable(const struct file *file, struct user_namespace *ns,
}
EXPORT_SYMBOL(file_ns_capable);
+#ifdef CONFIG_NON_ROOT
/**
* capable - Determine if the current task has a superior capability in effect
* @cap: The capability to be tested for
@@ -426,6 +431,7 @@ bool capable(int cap)
return ns_capable(&init_user_ns, cap);
}
EXPORT_SYMBOL(capable);
+#endif
/**
* capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
diff --git a/kernel/sys.c b/kernel/sys.c
index a8c9f5a..bb7c2a8 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -319,6 +319,7 @@ out_unlock:
* SMP: There are not races, the GIDs are checked only by filesystem
* operations (as far as semantic preservation is concerned).
*/
+#ifdef CONFIG_NON_ROOT
SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
{
struct user_namespace *ns = current_user_ns();
@@ -565,7 +566,6 @@ error:
return retval;
}
-
/*
* This function implements a generic ability to update ruid, euid,
* and suid. This allows you to implement the 4.4 compatible seteuid().
@@ -729,6 +729,7 @@ SYSCALL_DEFINE3(getresgid, gid_t __user *, rgidp, gid_t __user *, egidp, gid_t _
return retval;
}
+#endif
/*
* "setfsuid()" sets the fsuid - the uid used for filesystem checks. This
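Review bot: The `#endif` sits directly before the `setfsuid()` comment, so setfsuid and whatever follows it in the file stay compiled in while setregid through getresgid are removed. A root-only kernel would then presumably still accept a caller-chosen fsuid into the credentials even though `__kuid_val()` reports 0 for it, and sys_ni.c gains no `cond_syscall` entry for it. Either extend the guard over the fs-id syscalls and add `cond_syscall(sys_setfsuid);` and `cond_syscall(sys_setfsgid);`, or add a comment explaining why they are kept. The second hunk of this file only deletes a blank line and looks unrelated to the change.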
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index 5adcb0a..0f79b39 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -159,6 +159,16 @@ cond_syscall(sys_uselib);
cond_syscall(sys_fadvise64);
cond_syscall(sys_fadvise64_64);
cond_syscall(sys_madvise);
+cond_syscall(sys_setuid);
+cond_syscall(sys_setregid);
+cond_syscall(sys_setgid);
+cond_syscall(sys_setreuid);
+cond_syscall(sys_setresuid);
+cond_syscall(sys_getresuid);
+cond_syscall(sys_getresgid);
+cond_syscall(sys_setresgid);
+cond_syscall(sys_capget);
+cond_syscall(sys_capset);
/* arch-specific weak syscall entries */
cond_syscall(sys_pciconfig_read);
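Review bot: The ten new entries are appended after `sys_madvise` with nothing to say why core credential syscalls may be absent. Add a one-line comment above them, e.g. `/* compiled out when CONFIG_NON_ROOT is not set */`. The Kconfig help should also mention that these calls then fail with ENOSYS, because a program that calls setuid() to drop privileges and does not check the result will carry on as root.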
--
1.7.10.4