From: Mateusz Guzik <mjguzik@gmail.com>
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com,
Mateusz Guzik <mjguzik@gmail.com>
Subject: [PATCH] cred: plug a hole in struct cred
Date: Thu, 30 May 2024 16:40:40 +0200
Message-ID: <20240530144041.569927-1-mjguzik@gmail.com>
/* 40 | 4 */ unsigned int securebits;
/* XXX 4-byte hole */
/* 48 | 8 */ kernel_cap_t cap_inheritable;
[snip]
/* 88 | 1 */ unsigned char jit_keyring;
/* XXX 7-byte hole */
/* 96 | 8 */ struct key *session_keyring;
jit_keyring can be moved up to the 4-byte hole.
Size goes down from 184 to 176 bytes.
Note total memory usage does not go down because the struct remains
backed by 192-byte chunks, but space is made for future expansion.
No functional changes.
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
---
I have some plans to hack up distributed reference counting for this
struct, soon(tm). Should it land, it is going to add at least 8 bytes.
But even if nothing comes out of it this looks like a trivial clean up
worth including.
include/linux/cred.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 2976f534a7a3..a936a291e9b1 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -107,6 +107,9 @@ static inline int groups_search(const struct group_info *group_info, kgid_t grp)
* that task is going to act upon another object. This may be overridden
* temporarily to point to another security context, but normally points to the
* same context as task->real_cred.
+ *
+ * NOTE: some fields have placement picked to plug alignment gaps -- don't
+ * shuffle things around without looking at output of pahole(1).
*/
struct cred {
atomic_long_t usage;
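Review bot: the new NOTE says "some fields have placement picked to plug alignment gaps" but does not say which ones, so the next person editing the struct still has to run pahole just to learn what not to move; since jit_keyring is the only field this patch parks in a hole, naming it in the NOTE (or putting a one-line "placed here to fill the hole after securebits" comment on the field itself) would make the warning actionable.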
@@ -119,14 +122,16 @@ struct cred {
kuid_t fsuid; /* UID for VFS ops */
kgid_t fsgid; /* GID for VFS ops */
unsigned securebits; /* SUID-less security management */
+#ifdef CONFIG_KEYS
+ unsigned char jit_keyring; /* default keyring to attach requested
+ * keys to */
+#endif
kernel_cap_t cap_inheritable; /* caps our children can inherit */
kernel_cap_t cap_permitted; /* caps we're permitted */
kernel_cap_t cap_effective; /* caps we can actually use */
kernel_cap_t cap_bset; /* capability bounding set */
kernel_cap_t cap_ambient; /* Ambient capability set */
#ifdef CONFIG_KEYS
- unsigned char jit_keyring; /* default keyring to attach requested
- * keys to */
struct key *session_keyring; /* keyring inherited over fork */
struct key *process_keyring; /* keyring private to this process */
struct key *thread_keyring; /* keyring private to this thread */
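Review bot: the hole jit_keyring now fills only exists where kernel_cap_t and struct key * need 8-byte alignment, so the 184-to-176 figure in the commit message is a 64-bit number and it would help to say which arch/config pahole was run on; with CONFIG_KEYS=n the 4-byte hole after securebits stays either way, so there is no regression there, but it is worth stating. Separately, the field is now split out of the CONFIG_KEYS block it is documented against (session/process/thread keyrings), so a short comment on the jit_keyring line explaining the placement, matching the NOTE added to the struct comment, would keep someone from "tidying" it back next to the keyrings.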
--
2.39.2
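The move the commit message describes can be checked on a host compiler without pahole. The block below is an added illustration, not kernel code and not part of the patch: it keeps only the cred fields involved, uses stand-in types (a struct wrapping a u64 for kernel_cap_t, an opaque pointer for struct key *), assumes a 64-bit ABI where both need 8-byte alignment, and measures with offsetof the same 4-byte and 7-byte holes the pahole excerpt reports, before and after jit_keyring is moved. The absolute sizes differ from the real struct cred (184/176) because fields are omitted; the 8-byte saving is the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-ins for the kernel types with the same size and alignment on a
 * 64-bit build (assumed): kernel_cap_t wraps a u64, struct key * is a
 * pointer. Only the fields that matter for the two holes are kept.
 */
typedef struct { uint64_t val; } cap_t;
struct key;

/* Field order before the patch. */
struct cred_before {
	unsigned int   securebits;
	/* XXX 4-byte hole: cap_inheritable needs 8-byte alignment */
	cap_t          cap_inheritable;
	cap_t          cap_permitted;
	cap_t          cap_effective;
	cap_t          cap_bset;
	cap_t          cap_ambient;
	unsigned char  jit_keyring;
	/* XXX 7-byte hole: session_keyring needs 8-byte alignment */
	struct key    *session_keyring;
	struct key    *process_keyring;
	struct key    *thread_keyring;
};

/* Field order after the patch: jit_keyring parked in the hole after securebits. */
struct cred_after {
	unsigned int   securebits;
	unsigned char  jit_keyring;	/* 3 bytes of the old 4-byte hole remain */
	cap_t          cap_inheritable;
	cap_t          cap_permitted;
	cap_t          cap_effective;
	cap_t          cap_bset;
	cap_t          cap_ambient;
	struct key    *session_keyring;
	struct key    *process_keyring;
	struct key    *thread_keyring;
};

/* Gap between the end of member a and the start of member b. */
#define HOLE_AFTER(type, a, b) \
	(offsetof(type, b) - (offsetof(type, a) + sizeof(((type *)0)->a)))

size_t size_before(void) { return sizeof(struct cred_before); }
size_t size_after(void)  { return sizeof(struct cred_after); }

/* The two holes pahole reported in the original layout. */
size_t hole_after_securebits_before(void)
{
	return HOLE_AFTER(struct cred_before, securebits, cap_inheritable);
}
size_t hole_after_jit_keyring_before(void)
{
	return HOLE_AFTER(struct cred_before, jit_keyring, session_keyring);
}

/* What remains of the first hole once jit_keyring is moved into it. */
size_t hole_after_jit_keyring_after(void)
{
	return HOLE_AFTER(struct cred_after, jit_keyring, cap_inheritable);
}

/* Total padding: sizeof minus the members' own bytes (same sum for both). */
static size_t member_bytes(void)
{
	return sizeof(unsigned int) + 5 * sizeof(cap_t) +
	       sizeof(unsigned char) + 3 * sizeof(struct key *);
}
size_t padding_before(void) { return size_before() - member_bytes(); }
size_t padding_after(void)  { return size_after() - member_bytes(); }

int main(void)
{
	printf("before: size %zu, holes %zu + %zu, padding %zu\n",
	       size_before(), hole_after_securebits_before(),
	       hole_after_jit_keyring_before(), padding_before());
	printf("after:  size %zu, hole %zu, padding %zu\n",
	       size_after(), hole_after_jit_keyring_after(), padding_after());
	return 0;
}
```

On a real tree the same check is the one the new struct comment points at: `pahole -C cred vmlinux` on a build with debug info prints the member offsets and flags each hole, which is how the 4- and 7-byte gaps quoted in the commit message were found. The padding does not vanish entirely: 3 bytes remain after jit_keyring, which is what the commit means by "space is made for future expansion".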