Pandora Sourcecodes - pandora-kernel.git/commit

author	Serge E. Hallyn <serue@us.ibm.com>
	Mon, 16 Jul 2007 06:41:01 +0000 (23:41 -0700)
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>
	Mon, 16 Jul 2007 16:05:47 +0000 (09:05 -0700)
commit	77ec739d8d0979477fc91f530403805afa2581a4
tree	0cefb80a7ff8d57a8f735954fdeb88e9efbaf05c	tree \| snapshot
parent	acce292c82d4d82d35553b928df2b0597c3a9c78	commit \| diff

user namespace: add unshare

This patch enables the unshare of user namespaces.

It adds a new clone flag CLONE_NEWUSER and implements copy_user_ns() which
resets the current user_struct and adds a new root user (uid == 0)

For now, unsharing the user namespace allows a process to reset its
user_struct accounting and uid 0 in the new user namespace should be contained
using appropriate means, for instance selinux

The plan, when the full support is complete (all uid checks covered), is to
keep the original user's rights in the original namespace, and let a process
become uid 0 in the new namespace, with full capabilities to the new
namespace.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Acked-by: Pavel Emelianov <xemul@openvz.org>
Cc: Herbert Poetzl <herbert@13thfloor.at>
Cc: Kirill Korotaev <dev@sw.ru>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Andrew Morgan <agm@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

include/linux/sched.h		diff \| blob \| history
include/linux/user_namespace.h		diff \| blob \| history
kernel/fork.c		diff \| blob \| history
kernel/nsproxy.c		diff \| blob \| history
kernel/user_namespace.c		diff \| blob \| history