• Cedric Le Goater's avatar
    user namespace: add the framework · acce292c
    Cedric Le Goater authored
    Basically, it will allow a process to unshare its user_struct table,
    resetting at the same time its own user_struct and all the associated
    accounting.
    
    A new root user (uid == 0) is added to the user namespace upon creation.
    Such root users have full privileges and it seems that theses privileges
    should be controlled through some means (process capabilities ?)
    
    The unshare is not included in this patch.
    
    Changes since [try #4]:
    	- Updated get_user_ns and put_user_ns to accept NULL, and
    	  get_user_ns to return the namespace.
    
    Changes since [try #3]:
    	- moved struct user_namespace to files user_namespace.{c,h}
    
    Changes since [try #2]:
    	- removed struct user_namespace* argument from find_user()
    
    Changes since [try #1]:
    	- removed struct user_namespace* argument from find_user()
    	- added a root_user per user namespace
    Signed-off-by: default avatarCedric Le Goater <clg@fr.ibm.com>
    Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
    Acked-by: default avatarPavel Emelianov <xemul@openvz.org>
    Cc: Herbert Poetzl <herbert@13thfloor.at>
    Cc: Kirill Korotaev <dev@sw.ru>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Chris Wright <chrisw@sous-sol.org>
    Cc: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: James Morris <jmorris@namei.org>
    Cc: Andrew Morgan <agm@google.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    acce292c
fork.c 40.9 KB