Skip to content

Commit

Permalink
security: Use user_namespace::level to avoid redundant iterations in …
Browse files Browse the repository at this point in the history
…cap_capable()

When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sense to search in parents.

So, break the cycle earlier and skip needless iterations.

v2: Change comment on suggested by Andy Lutomirski.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
  • Loading branch information
Kirill Tkhai authored and Eric W. Biederman committed Jul 20, 2017
1 parent a2b4262 commit 64db4c7
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions security/commoncap.c
Original file line number Diff line number Diff line change
Expand Up @@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
if (ns == cred->user_ns)
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

/* Have we tried all of the parent namespaces? */
if (ns == &init_user_ns)
/*
* If we're already at a lower level than we're looking for,
* we're done searching.
*/
if (ns->level <= cred->user_ns->level)
return -EPERM;

/*
Expand Down

0 comments on commit 64db4c7

Please sign in to comment.