summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorKirill Tkhai <ktkhai@virtuozzo.com>2017-05-02 19:11:52 +0200
committerEric W. Biederman <ebiederm@xmission.com>2017-07-20 14:46:06 +0200
commit64db4c7f4c1dde23d47b60f887000e28f82b268f (patch)
treee7f344fb2015e7c138fc1d05804da2969c205be9 /security
parentuserns,pidns: Verify the userns for new pid namespaces (diff)
downloadlinux-64db4c7f4c1dde23d47b60f887000e28f82b268f.tar.xz
linux-64db4c7f4c1dde23d47b60f887000e28f82b268f.zip
security: Use user_namespace::level to avoid redundant iterations in cap_capable()
When ns->level is not larger then cred->user_ns->level, then ns can't be cred->user_ns's descendant, and there is no a sense to search in parents. So, break the cycle earlier and skip needless iterations. v2: Change comment on suggested by Andy Lutomirski. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 7abebd782d5e..d59320282294 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
if (ns == cred->user_ns)
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
- /* Have we tried all of the parent namespaces? */
- if (ns == &init_user_ns)
+ /*
+ * If we're already at a lower level than we're looking for,
+ * we're done searching.
+ */
+ if (ns->level <= cred->user_ns->level)
return -EPERM;
/*