    kernel: conditionally support non-root users, groups and capabilities · 2813893f
    Iulia Manda authored
    There are a lot of embedded systems that run most or all of their
    functionality in init, running as root:root.  For these systems,
    supporting multiple users is not necessary.
    This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for
    non-root users, non-root groups, and capabilities optional.  It is enabled
    under the CONFIG_EXPERT menu.
    When this symbol is not defined, UID and GID are zero in any possible case
    and processes always have all capabilities.
    The following syscalls are compiled out: setuid, setregid, setgid,
    setreuid, setresuid, getresuid, setresgid, getresgid, setgroups,
    getgroups, setfsuid, setfsgid, capget, capset.
    Also, groups.c is compiled out completely.
    In kernel/capability.c, the capable function was moved in order to avoid
    adding two ifdef blocks.
    This change saves about 25 KB on a defconfig build.  The most minimal
    kernels have total text sizes in the high hundreds of kB rather than
    low MB.  (The 25k goes down a bit with allnoconfig, but not that much.)
    The kernel was booted in Qemu.  All the common functionalities work.
    Adding users/groups is not possible, failing with -ENOSYS.
    Bloat-o-meter output:
    add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)
    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Iulia Manda <iulia.manda21@gmail.com>
    Reviewed-by: Josh Triplett <josh@joshtriplett.org>
    Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
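
An added example, not part of this commit or the kernel tree: a read-only userspace probe for auditing an embedded image, which checks whether four of the query syscalls listed in the message answer ENOSYS, as they do when the kernel is built without CONFIG_MULTIUSER and every process runs as root with all capabilities. The names `probe_errno`, `classify` and the verdict enum are hypothetical, and a seccomp filter that returns ENOSYS would also show up as a missing syscall.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NPROBES 4
enum verdict { MULTIUSER_PRESENT, MULTIUSER_ABSENT, MULTIUSER_MIXED };
static const char *const probe_name[NPROBES] = {
    "getresuid", "getresgid", "getgroups", "capget" };

/* Hypothetical helper: run one query-only syscall, return 0 or its errno.
 * None of these probes changes credentials. */
int probe_errno(int idx)
{
    uid_t u[3]; gid_t g[3];
    /* Version 0 with a NULL data pointer only asks capget for the kernel's
     * preferred version; the sole result of interest here is ENOSYS. */
    struct { unsigned int version; int pid; } hdr = { 0, 0 };
    long rc;
    errno = 0;
    switch (idx) {
    case 0: rc = syscall(SYS_getresuid, &u[0], &u[1], &u[2]); break;
    case 1: rc = syscall(SYS_getresgid, &g[0], &g[1], &g[2]); break;
    case 2: rc = syscall(SYS_getgroups, 0, NULL); break;
    case 3: rc = syscall(SYS_capget, &hdr, NULL); break;
    default: return EINVAL;
    }
    return rc < 0 ? errno : 0;
}

/* All probes ENOSYS: consistent with a kernel built without CONFIG_MULTIUSER. */
enum verdict classify(const int errs[], int n)
{
    int missing = 0;
    for (int i = 0; i < n; i++)
        missing += (errs[i] == ENOSYS);
    return missing == 0 ? MULTIUSER_PRESENT
         : missing == n ? MULTIUSER_ABSENT : MULTIUSER_MIXED;
}

int main(void)
{
    static const char *const label[] = { "present", "absent", "mixed" };
    int errs[NPROBES];
    for (int i = 0; i < NPROBES; i++) {
        errs[i] = probe_errno(i);
        printf("%-10s %s\n", probe_name[i], errs[i] == ENOSYS ? "ENOSYS" : "ok");
    }
    printf("multiuser support: %s\n", label[classify(errs, NPROBES)]);
    return 0;
}
```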
groups.c 5.86 KB