diff options
author | Kirill Tkhai <ktkhai@virtuozzo.com> | 2017-05-02 19:11:52 +0200 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2017-07-20 14:46:06 +0200 |
commit | 64db4c7f4c1dde23d47b60f887000e28f82b268f (patch) | |
tree | e7f344fb2015e7c138fc1d05804da2969c205be9 /security | |
parent | userns,pidns: Verify the userns for new pid namespaces (diff) | |
download | linux-64db4c7f4c1dde23d47b60f887000e28f82b268f.tar.xz linux-64db4c7f4c1dde23d47b60f887000e28f82b268f.zip |
security: Use user_namespace::level to avoid redundant iterations in cap_capable()
When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sense to search in parents.
So, break the cycle earlier and skip needless iterations.
v2: Change comment on suggested by Andy Lutomirski.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 7abebd782d5e..d59320282294 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, if (ns == cred->user_ns) return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; - /* Have we tried all of the parent namespaces? */ - if (ns == &init_user_ns) + /* + * If we're already at a lower level than we're looking for, + * we're done searching. + */ + if (ns->level <= cred->user_ns->level) return -EPERM; /* |