[PATCH] security: Use user_namespace::level to avoid redundant iterations in cap_capable()

From: Kirill Tkhai
Date: Tue May 02 2017 - 08:40:47 EST

Next message: Rob Herring: "Re: [PATCH] serdev: Restore serdev_device_write_buf for atomic context"
Previous message: Fabrice Gasnier: "Re: [PATCH] iio: stm32 trigger: Add support for TRGO2 triggers"
Next in thread: Andy Lutomirski: "Re: [PATCH] security: Use user_namespace::level to avoid redundant iterations in cap_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sence to search in parents.

So, breake the cycle earlier and skip needless iterations.

Signed-off-by: Kirill Tkhai <ktkhai@xxxxxxxxxxxxx>
---
security/commoncap.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 78b37838a2d3..f6ef78208d2d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
if (ns == cred->user_ns)
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

- /* Have we tried all of the parent namespaces? */
- if (ns == &init_user_ns)
+ /*
+ * If ns can't be a descendant of cred->user_ns, then it's
+ * needlessly to go up.
+ */
+ if (ns->level <= cred->user_ns->level)
return -EPERM;

/*

Next message: Rob Herring: "Re: [PATCH] serdev: Restore serdev_device_write_buf for atomic context"
Previous message: Fabrice Gasnier: "Re: [PATCH] iio: stm32 trigger: Add support for TRGO2 triggers"
Next in thread: Andy Lutomirski: "Re: [PATCH] security: Use user_namespace::level to avoid redundant iterations in cap_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]