>> There are good precedents for this sort of argument: see
>> 'set_current_state()' & friends.
> I don't really see the benefit. The macros you're talking
> about are only there to provide different behavior for MP and
> UP.
... which begs the question: are you saying that there are no SMP
issues with CLONE_CRED and setting/reading the 'struct cred' members?
> There aren't macros for any of the other shareable structures
> hanging off the task struct.
Which other shareable structures? Are there other any that can get
changed at random places in the code?
Please read what I said. The macros help to enforce the idea that you
should not change ->state for anything other than the current task.
> I'm not opposed to enhancing the cred structure so it can be
> used like you describe. It's not a job I want to tackle, but
> I'd think my change would be a step in the right direction.
> I'm confused by your example, though. If a thread makes a
> system call to change its credentials, all other threads should
> see it. That's POSIX behavior, and the whole point of the
> patch. If you're talking about kernel code that assumes
> another identity under the covers, then yes, that's
> interesting. And could be achieved by allocating a temporary
> cred structure and attaching it to the task for the duration of
> the operation.
Authentication under UNIX usually requires you to check the process'
uid/gid/groups affiliation. As such, it is useful to be able to pass
that information around the kernel. Most OSes use some variation of
the BSD 'ucred' structure which is reference counted and obeys COW
(copy on write).
struct ucred {
atomic_t count;
uid_t uid; /* == fsuid if you like */
gid_t gid; /* == fsgid " " " */
int ngroups;
gid_t *groups;
};
This means that 'struct file', the underlying filesystems, whoever
else... can hold a reference to the above structure and be assured
that it will never change. Changing the fsuid etc. are extremely rare
operations compared to opening/closing a file, so the whole idea is
precisely to *avoid* having to copy the above information all the time
(which, given all the races that CLONE_CRED introduces, is a good
thing).
As for POSIX behaviour: it is quite compatible with the above. The
only change would be that your shared 'struct cred' would require a
reference to a struct ucred rather than including fsuid, fsgid, groups
as cred structure members.
Note: Given that Linux has adopted the 'capability' model on top of
the standard UNIX authentication model, it might perhaps be necessary
to move the capabilities into the ucred in order to make them COW too?
Cheers,
Trond
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/