userns subsystem conversions v2

From: Eric W. Biederman
Date: Wed Sep 19 2012 - 21:45:58 EST



Witht the previous review comments it was clear that my previous
patchset was a little premature and the patches were a bit large, making
the changes less clear than they needed to be. To that end To that end
I have revisited and split up my audit, posix acl, and, and quota
support so they are now a series of smaller patches.

In my respin I have made a few extra simplifications to the audit code
to take advantage of the fact that netlink messages are processed in
the context of the sending userspace process, which allows for a lot
of simplifications.

This patchset updates all of the major linux subsystems that use uids
and gids to store them in kuid_t and kgid_t types.

This update allows some of the subsystems to work in all user namespaces
while other subsystems were updated to only work in the initial user
namespace.

kuid_t and kgid_t values have been pushed as deeply into the code as
possible to allow type checking to find as many places where I need
conversion to and from the kernel internal representation as possible.
In a couple of cases this involved taking an implicit union stored in an
unsigned int and making it an explicit union.

This patchset is based on 3.6-rc1 and strictly against:
git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-next

My intention after these patches have been reviewed is to add them to my
non-rebasing for-next branch of my user namespace tree and to merge
these changes into 3.7.

I had hoped when I converted the core kernel that I would have removed
the interactions between subsystems and would be able to merge these
changes independently through maintainer trees in a timely fashion, but
there are just enough dependencies and interactions that the changes
really all need to be in one tree to make these changes testable/usable.

Once these changes hit my for-next branch I won't be rebasing them so if
a maintainer wants to merge them to avoid conflicts feel free.

The biggest cross subystem change this round is probably the change to
have audit_get_loginuid return a kuid_t, but it certainly isn't the only
cross subsystem change.

The biggest clarification of the core kernel code is to bring the quota
projid concept out of hiding and into the open.

Eric W. Biederman (27):
userns: Convert security/keys to the new userns infrastructure
userns: net: Call key_alloc with GLOBAL_ROOT_UID, GLOBAL_ROOT_GID instead of 0, 0
audit: Limit audit requests to processes in the initial pid and user namespaces.
audit: Use current instead of NETLINK_CREDS() in audit_filter
audit: kill audit_prepare_user_tty
audit: Simply AUDIT_TTY_SET and AUDIT_TTY_GET
audit: Properly set the origin port id of audit messages.
audit: Remove the unused uid parameter from audit_receive_filter
audit: Don't pass pid or uid to audit_log_common_recv_msg
audit: Add typespecific uid and gid comparators
userns: Convert the audit loginuid to be a kuid
userns: Convert audit to work with user namespaces enabled
userns: Convert taskstats to handle the user and pid namespaces.
userns: Convert bsd process accounting to use kuid and kgid where appropriate
userns: Teach trace to use from_kuid
userns: Convert vfs posix_acl support to use kuids and kgids
userns: Pass a userns parameter into posix_acl_to_xattr and posix_acl_from_xattr
userns: Convert extN to support kuids and kgids in posix acls
userns: Convert configfs to use kuid and kgid where appropriate
userns: Add kprojid_t and associated infrastructure in projid.h
userns: Implement struct kqid
userns: Convert qutoactl
userns: Modify dqget to take struct kqid
userns: Convert quota netlink aka quota_send_warning
userns: Convert struct dquot dq_id to be a struct kqid
userns: Convert struct dquot_warn
userns: Convert quota

drivers/tty/tty_audit.c | 17 ++-
fs/9p/acl.c | 8 +-
fs/btrfs/acl.c | 8 +-
fs/configfs/inode.c | 4 +-
fs/ext2/acl.c | 32 ++++--
fs/ext3/acl.c | 32 ++++--
fs/ext4/acl.c | 31 ++++--
fs/generic_acl.c | 4 +-
fs/gfs2/acl.c | 14 +-
fs/gfs2/quota.c | 32 +++--
fs/jffs2/acl.c | 4 +-
fs/jfs/acl.c | 4 +-
fs/jfs/xattr.c | 4 +-
fs/nfs/nfs3acl.c | 4 +-
fs/nfsd/vfs.c | 8 +-
fs/ocfs2/acl.c | 4 +-
fs/posix_acl.c | 30 +++---
fs/proc/base.c | 27 ++++-
fs/quota/Makefile | 2 +-
fs/quota/dquot.c | 10 +-
fs/quota/kqid.c | 132 ++++++++++++++++++++++
fs/quota/netlink.c | 10 +-
fs/quota/quota.c | 28 ++++-
fs/reiserfs/xattr_acl.c | 4 +-
fs/xattr.c | 7 +
fs/xattr_acl.c | 96 +++++++++++++++-
fs/xfs/xfs_acl.c | 4 +-
fs/xfs/xfs_quotaops.c | 12 +-
fs/xfs/xfs_trans_dquot.c | 8 +-
include/linux/audit.h | 12 +-
include/linux/init_task.h | 2 +-
include/linux/key.h | 9 +-
include/linux/posix_acl.h | 8 +-
include/linux/posix_acl_xattr.h | 18 +++-
include/linux/projid.h | 104 ++++++++++++++++++
include/linux/quota.h | 133 ++++++++++++++++++++++-
include/linux/quotaops.h | 4 +-
include/linux/sched.h | 2 +-
include/linux/tsacct_kern.h | 8 +-
include/linux/tty.h | 4 +-
include/linux/user_namespace.h | 3 +
include/net/netlabel.h | 2 +-
include/net/xfrm.h | 23 ++--
init/Kconfig | 11 --
kernel/acct.c | 4 +-
kernel/audit.c | 121 ++++++++------------
kernel/audit.h | 4 +-
kernel/audit_watch.c | 2 +-
kernel/auditfilter.c | 137 ++++++++++++++++++++---
kernel/auditsc.c | 219 +++++++++++++++++++------------------
kernel/taskstats.c | 23 +++-
kernel/trace/trace.c | 3 +-
kernel/trace/trace.h | 2 +-
kernel/tsacct.c | 12 +-
kernel/user.c | 8 ++
kernel/user_namespace.c | 128 +++++++++++++++++++++-
net/core/dev.c | 2 +-
net/dns_resolver/dns_key.c | 3 +-
net/netlabel/netlabel_unlabeled.c | 2 +-
net/netlabel/netlabel_user.c | 2 +-
net/rxrpc/ar-key.c | 6 +-
net/xfrm/xfrm_policy.c | 8 +-
net/xfrm/xfrm_state.c | 6 +-
net/xfrm/xfrm_user.c | 12 +-
security/keys/internal.h | 6 +-
security/keys/key.c | 23 ++---
security/keys/keyctl.c | 50 +++++----
security/keys/keyring.c | 4 +-
security/keys/permission.c | 14 +--
security/keys/proc.c | 44 ++++----
security/keys/process_keys.c | 15 ++-
security/keys/request_key.c | 6 +-
72 files changed, 1288 insertions(+), 501 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/