security: Use user_namespace::level to avoid redundant iterations in cap_capable()
When ns->level is not larger then cred->user_ns->level, then ns can't be cred->user_ns's descendant, and there is no a sense to search in parents. So, break the cycle earlier and skip needless iterations. v2: Change comment on suggested by Andy Lutomirski. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
parent
a2b426267c
commit
64db4c7f4c
@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
|
||||
if (ns == cred->user_ns)
|
||||
return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
|
||||
|
||||
/* Have we tried all of the parent namespaces? */
|
||||
if (ns == &init_user_ns)
|
||||
/*
|
||||
* If we're already at a lower level than we're looking for,
|
||||
* we're done searching.
|
||||
*/
|
||||
if (ns->level <= cred->user_ns->level)
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user