From: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> Make it possible to easily switch between strong mandatory type checks and relaxed type checks so that the code can easily be tested with the type checks and then built with the strong type checks disabled so the resulting code can be used. Require strong mandatory type checks when enabling the user namespace. It is very simple to make a typo and use the wrong type allowing conversions to/from userspace values to be bypassed by accident, the strong type checks prevent this. Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> --- include/linux/uidgid.h | 2 +- init/Kconfig | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h index a0addb8..5398568 100644 --- a/include/linux/uidgid.h +++ b/include/linux/uidgid.h @@ -17,7 +17,7 @@ struct user_namespace; extern struct user_namespace init_user_ns; -#if defined(NOTYET) +#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS typedef struct { uid_t val; diff --git a/init/Kconfig b/init/Kconfig index 72f33fa..86cf760 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -828,7 +828,8 @@ config IPC_NS config USER_NS bool "User namespace (EXPERIMENTAL)" depends on EXPERIMENTAL - default y + select UIDGID_STRICT_TYPE_CHECKS + default n help This allows containers, i.e. vservers, to use user namespaces to provide different user info for different servers. @@ -852,6 +853,15 @@ config NET_NS endif # NAMESPACES +config UIDGID_STRICT_TYPE_CHECKS + bool "Require conversions between uid/gids and their internal representation" + default n + help + While the nececessary conversions are being added to all subsystems this option allows + the code to continue to build for unconverted subsystems. + + Say Y here if you want the strict type checking enabled + config SCHED_AUTOGROUP bool "Automatic process group scheduling" select EVENTFD -- 1.7.2.5 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html