path: root/security/Kconfig
diff options
authorIulia Manda <>2015-04-15 16:16:41 -0700
committerLinus Torvalds <>2015-04-15 16:35:22 -0700
commit2813893f8b197a14f1e1ddb04d99bce46817c84a (patch)
tree650651e638f867a6bda23e08c70bdd9857d121ca /security/Kconfig
parentc79574abe2baddf569532e7e430e4977771dd25c (diff)
kernel: conditionally support non-root users, groups and capabilities
There are a lot of embedded systems that run most or all of their functionality in init, running as root:root. For these systems, supporting multiple users is not necessary. This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for non-root users, non-root groups, and capabilities optional. It is enabled under CONFIG_EXPERT menu. When this symbol is not defined, UID and GID are zero in any possible case and processes always have all capabilities. The following syscalls are compiled out: setuid, setregid, setgid, setreuid, setresuid, getresuid, setresgid, getresgid, setgroups, getgroups, setfsuid, setfsgid, capget, capset. Also, groups.c is compiled out completely. In kernel/capability.c, capable function was moved in order to avoid adding two ifdef blocks. This change saves about 25 KB on a defconfig build. The most minimal kernels have total text sizes in the high hundreds of kB rather than low MB. (The 25k goes down a bit with allnoconfig, but not that much. The kernel was booted in Qemu. All the common functionalities work. Adding users/groups is not possible, failing with -ENOSYS. Bloat-o-meter output: add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650) [ coding-style fixes] Signed-off-by: Iulia Manda <> Reviewed-by: Josh Triplett <> Acked-by: Geert Uytterhoeven <> Tested-by: Paul E. McKenney <> Reviewed-by: Paul E. McKenney <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'security/Kconfig')
1 files changed, 1 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig
index beb86b500adf..bf4ec46474b6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -21,6 +21,7 @@ config SECURITY_DMESG_RESTRICT
bool "Enable different security models"
depends on SYSFS
+ depends on MULTIUSER
This allows you to choose different security modules to be
configured into your kernel.