[systemd-devel] [PATCH 2/2] policy: make policy checks work across user namespaces
Djalal Harouni
tixxdz at opendz.org
Mon Sep 8 06:50:09 PDT 2014
On Mon, Sep 08, 2014 at 03:27:42PM +0200, Daniel Mack wrote:
> On 09/08/2014 03:18 PM, Djalal Harouni wrote:
> > * This is the internal version of struct kdbus_policy_db_access.
> > @@ -51,7 +52,8 @@ struct kdbus_policy_db_cache_entry {
> > struct kdbus_policy_db_entry_access {
> > u8 type; /* USER, GROUP, WORLD */
> > u8 access; /* OWN, TALK, SEE */
> > - u64 id; /* uid, gid, 0 */
> > + kuid_t uid; /* global uid */
> > + kgid_t gid; /* global gid */
>
> Such an entry can only either be referring to a user or group rule,
> determined by the 'type' field. Hence, having two members in the struct
> is overkill. I understand you did this to have the real kernel types in
> place, but we can put the two things in a union, right?
Yes there are compile time checks, and it is perhaps easier/consistent
to read this way! but yes a union is also good. OK I'll update it.
BTW there is a *small* optimization that we can also add later to the
"case KDBUS_POLICY_ACCESS_GROUP:" when we walk the additional group and
match, instead of linear we can do a binary search since groups are
sorted, there is kernel/groups.c:groups_search() which should do the job
but the symbol is not exported...
Ok will update/test for the union case and send it later, thank you!
--
Djalal Harouni
http://opendz.org
More information about the systemd-devel
mailing list