0f44e4d976
Move the user and user-session keyrings to the user_namespace struct rather than pinning them from the user_struct struct. This prevents these keyrings from propagating across user-namespaces boundaries with regard to the KEY_SPEC_* flags, thereby making them more useful in a containerised environment. The issue is that a single user_struct may be represent UIDs in several different namespaces. The way the patch does this is by attaching a 'register keyring' in each user_namespace and then sticking the user and user-session keyrings into that. It can then be searched to retrieve them. Signed-off-by: David Howells <dhowells@redhat.com> cc: Jann Horn <jannh@google.com>
62 lines
1.7 KiB
C
62 lines
1.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _LINUX_SCHED_USER_H
|
|
#define _LINUX_SCHED_USER_H
|
|
|
|
#include <linux/uidgid.h>
|
|
#include <linux/atomic.h>
|
|
#include <linux/refcount.h>
|
|
#include <linux/ratelimit.h>
|
|
|
|
/*
|
|
* Some day this will be a full-fledged user tracking system..
|
|
*/
|
|
struct user_struct {
|
|
refcount_t __count; /* reference count */
|
|
atomic_t processes; /* How many processes does this user have? */
|
|
atomic_t sigpending; /* How many pending signals does this user have? */
|
|
#ifdef CONFIG_FANOTIFY
|
|
atomic_t fanotify_listeners;
|
|
#endif
|
|
#ifdef CONFIG_EPOLL
|
|
atomic_long_t epoll_watches; /* The number of file descriptors currently watched */
|
|
#endif
|
|
#ifdef CONFIG_POSIX_MQUEUE
|
|
/* protected by mq_lock */
|
|
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
|
|
#endif
|
|
unsigned long locked_shm; /* How many pages of mlocked shm ? */
|
|
unsigned long unix_inflight; /* How many files in flight in unix sockets */
|
|
atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
|
|
|
|
/* Hash table maintenance information */
|
|
struct hlist_node uidhash_node;
|
|
kuid_t uid;
|
|
|
|
#if defined(CONFIG_PERF_EVENTS) || defined(CONFIG_BPF_SYSCALL) || \
|
|
defined(CONFIG_NET) || defined(CONFIG_IO_URING)
|
|
atomic_long_t locked_vm;
|
|
#endif
|
|
|
|
/* Miscellaneous per-user rate limit */
|
|
struct ratelimit_state ratelimit;
|
|
};
|
|
|
|
extern int uids_sysfs_init(void);
|
|
|
|
extern struct user_struct *find_user(kuid_t);
|
|
|
|
extern struct user_struct root_user;
|
|
#define INIT_USER (&root_user)
|
|
|
|
|
|
/* per-UID process charging. */
|
|
extern struct user_struct * alloc_uid(kuid_t);
|
|
static inline struct user_struct *get_uid(struct user_struct *u)
|
|
{
|
|
refcount_inc(&u->__count);
|
|
return u;
|
|
}
|
|
extern void free_uid(struct user_struct *);
|
|
|
|
#endif /* _LINUX_SCHED_USER_H */
|