[PATCH] cred: plug a hole in struct cred

Mateusz Guzik mjguzik at gmail.com
Thu May 30 14:40:40 UTC 2024


/*     40      |       4 */    unsigned int securebits;
/* XXX  4-byte hole      */
/*     48      |       8 */    kernel_cap_t cap_inheritable;
[snip]
/*     88      |       1 */    unsigned char jit_keyring;
/* XXX  7-byte hole      */
/*     96      |       8 */    struct key *session_keyring;

jit_keyring can be moved up to the 4-byte hole.

Size goes down from 184 to 176 bytes.

Note total memory usage does not go down because the struct remains
backed by 192-byte chunks, but space is made for future expansion.

No functional changes.

Signed-off-by: Mateusz Guzik <mjguzik at gmail.com>
---

I have some plans to hack up distributed reference counting for this
struct, soon(tm). Should it land it is going to add at least 8 bytes.

But even if nothing comes out of it this looks like a trivial clean up
worth including.

 include/linux/cred.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/linux/cred.h b/include/linux/cred.h
index 2976f534a7a3..a936a291e9b1 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -107,6 +107,9 @@ static inline int groups_search(const struct group_info *group_info, kgid_t grp)
  * that task is going to act upon another object.  This may be overridden
  * temporarily to point to another security context, but normally points to the
  * same context as task->real_cred.
+ *
+ * NOTE: some fields have placement picked to plug alignment gaps -- don't
+ * shuffle things around without looking at output of pahole(1).
  */
 struct cred {
 	atomic_long_t	usage;
@@ -119,14 +122,16 @@ struct cred {
 	kuid_t		fsuid;		/* UID for VFS ops */
 	kgid_t		fsgid;		/* GID for VFS ops */
 	unsigned	securebits;	/* SUID-less security management */
+#ifdef CONFIG_KEYS
+	unsigned char	jit_keyring;	/* default keyring to attach requested
+					 * keys to */
+#endif
 	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
 	kernel_cap_t	cap_permitted;	/* caps we're permitted */
 	kernel_cap_t	cap_effective;	/* caps we can actually use */
 	kernel_cap_t	cap_bset;	/* capability bounding set */
 	kernel_cap_t	cap_ambient;	/* Ambient capability set */
 #ifdef CONFIG_KEYS
-	unsigned char	jit_keyring;	/* default keyring to attach requested
-					 * keys to */
 	struct key	*session_keyring; /* keyring inherited over fork */
 	struct key	*process_keyring; /* keyring private to this process */
 	struct key	*thread_keyring; /* keyring private to this thread */
-- 
2.39.2




More information about the Linux-security-module-archive mailing list