From 64db4c7f4c1dde23d47b60f887000e28f82b268f Mon Sep 17 00:00:00 2001 From: Kirill Tkhai Date: Tue, 2 May 2017 20:11:52 +0300 Subject: [PATCH] security: Use user_namespace::level to avoid redundant iterations in cap_capable() When ns->level is not larger then cred->user_ns->level, then ns can't be cred->user_ns's descendant, and there is no a sense to search in parents. So, break the cycle earlier and skip needless iterations. v2: Change comment on suggested by Andy Lutomirski. Signed-off-by: Kirill Tkhai Signed-off-by: Eric W. Biederman --- security/commoncap.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 7abebd782d5e..d59320282294 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, if (ns == cred->user_ns) return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; - /* Have we tried all of the parent namespaces? */ - if (ns == &init_user_ns) + /* + * If we're already at a lower level than we're looking for, + * we're done searching. + */ + if (ns->level <= cred->user_ns->level) return -EPERM; /* -- GitLab