From 5673a94c14574d7c6495c320c6b0e480673d54bd Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Thu, 17 Nov 2011 10:23:55 -0800
Subject: [PATCH] userns: Add a Kconfig option to enforce strict kuid and kgid type checks
Make it possible to easily switch between strong mandatory type checks and relaxed type checks so that the code can easily be tested with the type checks and then built with the strong type checks disabled so the resulting code can be used. Require strong mandatory type checks when enabling the user namespace. It is very simple to make a typo and use the wrong type allowing conversions to/from userspace values to be bypassed by accident, the strong type checks prevent this.
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
---
 include/linux/uidgid.h | 2 +-
 init/Kconfig | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
index a0addb8e5889..539856829caf 100644
--- a/include/linux/uidgid.h
+++ b/include/linux/uidgid.h
@@ -17,7 +17,7 @@ struct user_namespace;
 extern struct user_namespace init_user_ns;
-#if defined(NOTYET)
+#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS
 typedef struct {
 uid_t val;
diff --git a/init/Kconfig b/init/Kconfig
index 72f33faca44f..86cf760893b3 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -828,7 +828,8 @@ config IPC_NS
 config USER_NS
 bool "User namespace (EXPERIMENTAL)"
 depends on EXPERIMENTAL
- default y
+ select UIDGID_STRICT_TYPE_CHECKS
+ default n
 help
 This allows containers, i.e. vservers, to use user namespaces to provide different user info for different servers.
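Review bot: The guard in include/linux/uidgid.h now hangs on a Kconfig symbol but has no comment saying how the two builds differ. Under `CONFIG_UIDGID_STRICT_TYPE_CHECKS` the visible `typedef struct { uid_t val;` wraps the id in a struct, so a raw `uid_t` cannot be passed where the wrapped type is expected; the other branch lies outside the hunk and presumably falls back to a plain integer typedef. I would add above the `#ifdef`: `/* Strict build: ids are wrapped in a struct so an unconverted uid_t/gid_t use fails to compile. */`.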
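Review bot: `select UIDGID_STRICT_TYPE_CHECKS` under `config USER_NS` forces the strict build whether or not every enabled subsystem has been converted, and the USER_NS help text says nothing about it. Going by the help text of the new option, unconverted subsystems only build with the checks off, so enabling USER_NS will presumably fail to compile in any configuration that still includes one; failing the build is the safe direction, but the user gets no hint why. I would add a sentence to the help, e.g. `Enabling this selects UIDGID_STRICT_TYPE_CHECKS; subsystems not yet converted to kuid_t/kgid_t will not build.` The `default n` line here and in the new UIDGID_STRICT_TYPE_CHECKS entry is redundant, since a bool with no default is already n. The USER_NS help text may continue past the end of the hunk.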
@@ -852,6 +853,15 @@ config NET_NS
 endif # NAMESPACES
+config UIDGID_STRICT_TYPE_CHECKS
+ bool "Require conversions between uid/gids and their internal representation"
+ default n
+ help
+ While the nececessary conversions are being added to all subsystems this option allows
+ the code to continue to build for unconverted subsystems.
+
+ Say Y here if you want the strict type checking enabled
+
 config SCHED_AUTOGROUP
 bool "Automatic process group scheduling"
 select EVENTFD
-- GitLab
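Review bot: The help text of `UIDGID_STRICT_TYPE_CHECKS` explains why N exists but not what is given up by choosing it. The commit message states the reason for the option: with relaxed types a typo can let a conversion to or from a userspace value be bypassed without any compiler diagnostic, and the help should say so, for example `With N, a uid_t/gid_t used in place of its internal representation is not caught at compile time; say N only to build unconverted subsystems.` `nececessary` in the first help line is a typo for `necessary`.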