lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date:   Tue, 2 May 2017 20:11:52 +0300
From:   Kirill Tkhai <ktkhai@...tuozzo.com>
To:     <serge@...lyn.com>, <ebiederm@...ssion.com>, <agruenba@...hat.com>,
        <gregkh@...uxfoundation.org>, <oleg@...hat.com>,
        <linux-kernel@...r.kernel.org>, <paul@...l-moore.com>,
        <ktkhai@...tuozzo.com>, <viro@...iv.linux.org.uk>,
        <avagin@...nvz.org>, <gorcunov@...nvz.org>,
        <mtk.manpages@...il.com>, <akpm@...ux-foundation.org>,
        <luto@...capital.net>, <mingo@...nel.org>, <keescook@...omium.org>
Subject: [PATCH v2] security: Use user_namespace::level to avoid redundant
 iterations in cap_capable()

When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sence to search in parents.

So, breake the cycle earlier and skip needless iterations.

v2: Change comment on suggested by Andy Lutomirski.

Signed-off-by: Kirill Tkhai <ktkhai@...tuozzo.com>
---
 security/commoncap.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 78b37838a2d3..a424aa0123af 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 		if (ns == cred->user_ns)
 			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 
-		/* Have we tried all of the parent namespaces? */
-		if (ns == &init_user_ns)
+		/*
+		 * If we're already at a lower level than we're looking for, we're
+		 * done searching.
+		 */
+		if (ns->level <= cred->user_ns->level)
 			return -EPERM;
 
 		/* 

Powered by blists - more mailing lists