| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <149372879732.11927.12565684278286604561.stgit@localhost.localdomain>
Date: Tue, 2 May 2017 15:40:33 +0300
From: Kirill Tkhai <ktkhai@...tuozzo.com>
To: <serge@...lyn.com>, <ebiederm@...ssion.com>, <agruenba@...hat.com>,
<gregkh@...uxfoundation.org>, <linux-kernel@...r.kernel.org>,
<oleg@...hat.com>, <paul@...l-moore.com>, <ktkhai@...tuozzo.com>,
<viro@...iv.linux.org.uk>, <avagin@...nvz.org>,
<linux-api@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
<mtk.manpages@...il.com>, <akpm@...ux-foundation.org>,
<luto@...capital.net>, <gorcunov@...nvz.org>, <mingo@...nel.org>,
<keescook@...omium.org>
Subject: [PATCH] security: Use user_namespace::level to avoid redundant
iterations in cap_capable()
When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sence to search in parents.
So, breake the cycle earlier and skip needless iterations.
Signed-off-by: Kirill Tkhai <ktkhai@...tuozzo.com>
---
security/commoncap.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 78b37838a2d3..f6ef78208d2d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
if (ns == cred->user_ns)
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
- /* Have we tried all of the parent namespaces? */
- if (ns == &init_user_ns)
+ /*
+ * If ns can't be a descendant of cred->user_ns, then it's
+ * needlessly to go up.
+ */
+ if (ns->level <= cred->user_ns->level)
return -EPERM;
/*
Powered by blists - more mailing lists