[PATCH] security: Use user_namespace::level to avoid redundant iterations in cap_capable()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sence to search in parents.

So, breake the cycle earlier and skip needless iterations.

Signed-off-by: Kirill Tkhai <ktkhai@xxxxxxxxxxxxx>
---
 security/commoncap.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 78b37838a2d3..f6ef78208d2d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 		if (ns == cred->user_ns)
 			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 
-		/* Have we tried all of the parent namespaces? */
-		if (ns == &init_user_ns)
+		/*
+		 * If ns can't be a descendant of cred->user_ns, then it's
+		 * needlessly to go up.
+		 */
+		if (ns->level <= cred->user_ns->level)
 			return -EPERM;
 
 		/* 

--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux