Kernel Credential Guards Merged For Linux 6.19
Merged yesterday for the Linux 6.19 kernel were "substantial" improvements to the kernel's credential infrastructure to provide guard-based management that allows for kernel code simplification and avoiding manual reference counting across many subsystems.
The new Kernel Credential Guards functionality is described by Microsoft engineer Christian Brauner as:
The pull also includes work on Generic Credential Guards for the Linux kernel for further improving credential management within the kernel.
Beyond adding the Kernel Credential Guards infrastructure itself, the new code merged for Linux 6.19 also adapts NFS, EROFS, cgroup, the DNS resolver, Trace, AIO, and other areas of the kernel to using credential guards. All of this work was authored by Crhstian Brauner.
More details for those interested in Kernel Credential Guards via this Git merge.
The new Kernel Credential Guards functionality is described by Microsoft engineer Christian Brauner as:
"Add with_kernel_creds() and scoped_with_kernel_creds() guards that allow using the kernel credentials without allocating and copying them. This was requested by Linus after seeing repeated prepare_kernel_creds() calls that duplicate the kernel credentials only to drop them again later.
The new guards completely avoid the allocation and never expose the temporary variable to hold the kernel credentials anywhere in callers."
The pull also includes work on Generic Credential Guards for the Linux kernel for further improving credential management within the kernel.
Beyond adding the Kernel Credential Guards infrastructure itself, the new code merged for Linux 6.19 also adapts NFS, EROFS, cgroup, the DNS resolver, Trace, AIO, and other areas of the kernel to using credential guards. All of this work was authored by Crhstian Brauner.
More details for those interested in Kernel Credential Guards via this Git merge.