Building a root only system

Some of the embedded systems that run Linux, usually have to run a small number of specific processes. This kinds of tasks usually are run only by the root user, with full permissions. As controversial as it may seem, adding an option to run a root-only Linux kernel may prove to be a valuable feature for some applications.

The kernel API for retrieving group and user ids is based on these two functions:

static inline uid_t __kuid_val(kuid_t uid)
static inline gid_t __kgid_val(kgid_t gid)

These two functions return actual uid/gid number from the kuid_t/gkid_t structures. As all the permission checks are done using wrappers over these functions, a sensitive idea is to make them always return the root uid/gid (0) in a root-only system. This way a great amount of code would be shed by constant folding procedure in the compiler.

Because many of the permission checks are done for the 0 uid/gid, the code handling the non-zero case won’t ever be executed so it can be removed. As the bloat-o-meter script shown, this change only removes around 25k from the final kernel image. Considering a tiny build has around 1000k uncompressed, this apparently trivial change gets to decrease the kernel size by 2.5%.

The patch implementing this change also removes code that is useful only in multi-user systems, such as uid and gid related syscalls and capabilities. If the community sees value in this change, it should be included in the next release.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s