Date: Tue, 2 May 2017 20:11:52 +0300
From: Kirill Tkhai <ktkhai@...tuozzo.com>
To: <serge@...lyn.com>, <ebiederm@...ssion.com>, <agruenba@...hat.com>, <gregkh@...uxfoundation.org>, <oleg@...hat.com>, <linux-kernel@...r.kernel.org>, <paul@...l-moore.com>, <ktkhai@...tuozzo.com>, <viro@...iv.linux.org.uk>, <avagin@...nvz.org>, <gorcunov@...nvz.org>, <mtk.manpages@...il.com>, <akpm@...ux-foundation.org>, <luto@...capital.net>, <mingo@...nel.org>, <keescook@...omium.org>
Subject: [PATCH v2] security: Use user_namespace::level to avoid redundant iterations in cap_capable()

When ns->level is not larger than cred->user_ns->level, then ns can't be cred->user_ns's descendant, and there is no sense to search in parents. So, break the cycle earlier and skip needless iterations.

v2: Change comment as suggested by Andy Lutomirski.

Signed-off-by: Kirill Tkhai <ktkhai@...tuozzo.com>

--- security/commoncap.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 78b37838a2d3..a424aa0123af 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, if (ns == cred->user_ns) return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; - /* Have we tried all of the parent namespaces? */ - if (ns == &init_user_ns) + /* + * If we're already at a lower level than we're looking for, we're + * done searching. + */ + if (ns->level <= cred->user_ns->level) return -EPERM; /*
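
Review bot: The new comment above `if (ns->level <= cred->user_ns->level)` says "a lower level", but the test is `<=`, so it also returns -EPERM for a namespace at the same level as cred->user_ns that is not cred->user_ns itself (the identical-namespace case is handled by the `ns == cred->user_ns` check just above). The comment should say "the same or a lower level" and state why such a namespace cannot be a descendant of cred->user_ns. This test also replaces the explicit `ns == &init_user_ns` stop condition, so ending the walk over parent namespaces now depends on init_user_ns having the lowest level value; that invariant is not visible in this hunk and deserves a sentence in the comment so a later change to how level is assigned does not silently remove the termination guarantee in a capability check.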