path: root/security
diff options
authorSerge E. Hallyn <>2007-10-18 23:39:52 -0700
committerLinus Torvalds <>2007-10-19 11:53:37 -0700
commitb460cbc581a53cc088ceba80608021dd49c63c43 (patch)
tree83c28d0adbc15f4157c77b40fa60c40a71cb8673 /security
parent3743ca05ff464b8a9e345c08a6c9ce30485f9805 (diff)
pid namespaces: define is_global_init() and is_container_init()
is_init() is an ambiguous name for the pid==1 check. Split it into is_global_init() and is_container_init(). A cgroup init has it's tsk->pid == 1. A global init also has it's tsk->pid == 1 and it's active pid namespace is the init_pid_ns. But rather than check the active pid namespace, compare the task structure with 'init_pid_ns.child_reaper', which is initialized during boot to the /sbin/init process and never changes. Changelog: 2.6.22-rc4-mm2-pidns1: - Use 'init_pid_ns.child_reaper' to determine if a given task is the global init (/sbin/init) process. This would improve performance and remove dependence on the task_pid(). 2.6.21-mm2-pidns2: - [Sukadev Bhattiprolu] Changed is_container_init() calls in {powerpc, ppc,avr32}/traps.c for the _exception() call to is_global_init(). This way, we kill only the cgroup if the cgroup's init has a bug rather than force a kernel panic. [ fix comment] [ Use is_global_init() in arch/m32r/mm/fault.c] [ kernel/pid.c: remove unused exports] [ Fix capability.c to work with threaded init] Signed-off-by: Serge E. Hallyn <> Signed-off-by: Sukadev Bhattiprolu <> Acked-by: Pavel Emelianov <> Cc: Eric W. Biederman <> Cc: Cedric Le Goater <> Cc: Dave Hansen <> Cc: Herbert Poetzel <> Cc: Kirill Korotaev <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'security')
1 files changed, 2 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 48ca5b092768..43f902750a1b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -23,6 +23,7 @@
#include <linux/xattr.h>
#include <linux/hugetlb.h>
#include <linux/mount.h>
+#include <linux/sched.h>
@@ -334,7 +335,7 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
/* For init, we want to retain the capabilities set
* in the init_task struct. Thus we skip the usual
* capability rules */
- if (!is_init(current)) {
+ if (!is_global_init(current)) {
current->cap_permitted = new_permitted;
current->cap_effective = bprm->cap_effective ?
new_permitted : 0;