security: Use user_namespace::level to avoid redundant iterations in cap_capable() When ns->level is not larger then cred->user_ns->level, then ns can't be cred->user_ns's descendant, and there is no a sense to search in parents. So, break the cycle earlier and skip needless iterations. v2: Change comment on suggested by Andy Lutomirski. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

commit: 64db4c7f4c1dde23d47b60f887000e28f82b268f [log] [tgz]
author: Kirill Tkhai <ktkhai@virtuozzo.com> Tue May 02 20:11:52 2017 +0300
committer: Eric W. Biederman <ebiederm@xmission.com> Thu Jul 20 07:46:06 2017 -0500
tree: e7f344fb2015e7c138fc1d05804da2969c205be9
parent: a2b426267c56773201f968fdb5eda6ab9ae94e34 [diff] [blame]
diff --git a/security/commoncap.c b/security/commoncap.c
index 7abebd7..d593202 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c

@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 		if (ns == cred->user_ns)
 			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 
-		/* Have we tried all of the parent namespaces? */
-		if (ns == &init_user_ns)
+		/*
+		 * If we're already at a lower level than we're looking for,
+		 * we're done searching.
+		 */
+		if (ns->level <= cred->user_ns->level)
 			return -EPERM;
 
 		/*
commit	64db4c7f4c1dde23d47b60f887000e28f82b268f	[log] [tgz]
author	Kirill Tkhai <ktkhai@virtuozzo.com>	Tue May 02 20:11:52 2017 +0300
committer	Eric W. Biederman <ebiederm@xmission.com>	Thu Jul 20 07:46:06 2017 -0500
tree	e7f344fb2015e7c138fc1d05804da2969c205be9
parent	a2b426267c56773201f968fdb5eda6ab9ae94e34 [diff] [blame]