From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751188AbdEBMkp (ORCPT ); Tue, 2 May 2017 08:40:45 -0400
Received: from mail-eopbgr50120.outbound.protection.outlook.com ([40.107.5.120]:61000 "EHLO EUR03-VE1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750886AbdEBMkm (ORCPT ); Tue, 2 May 2017 08:40:42 -0400
Authentication-Results: redhat.com; dkim=none (message not signed) header.d=none;redhat.com; dmarc=none action=none header.from=virtuozzo.com;
Subject: [PATCH] security: Use user_namespace::level to avoid redundant iterations in cap_capable()
From: Kirill Tkhai
To: , , , , , , , , , , , , , , , , ,
Date: Tue, 2 May 2017 15:40:33 +0300
Message-ID: <149372879732.11927.12565684278286604561.stgit@localhost.localdomain>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [195.214.232.6]
X-ClientProxiedBy: VI1PR07CA0099.eurprd07.prod.outlook.com (10.165.229.153) To HE1PR0802MB2284.eurprd08.prod.outlook.com (10.172.127.14)
X-MS-Office365-Filtering-Correlation-Id: 18ed9659-1fd5-4666-6ae9-08d491586ee4
X-OriginatorOrg: virtuozzo.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 May 2017 12:40:35.0009 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0802MB2284
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

When ns->level is not larger than cred->user_ns->level, then ns can't be cred->user_ns's descendant, and there is no sense to search in parents. So, break the cycle earlier and skip needless iterations.

Signed-off-by: Kirill Tkhai --- security/commoncap.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 78b37838a2d3..f6ef78208d2d 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, if (ns == cred->user_ns) return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; - /* Have we tried all of the parent namespaces? */ - if (ns == &init_user_ns) + /* + * If ns can't be a descendant of cred->user_ns, then it's + * needlessly to go up. + */ + if (ns->level <= cred->user_ns->level) return -EPERM; /*
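
Review bot: The new comment above `if (ns->level <= cred->user_ns->level)` in cap_capable() no longer says that this test is also what ends the walk at the root, which the removed `if (ns == &init_user_ns)` and its comment "Have we tried all of the parent namespaces?" made explicit. The replacement is only equivalent if init_user_ns always has the lowest level of any user namespace, so that the comparison is true by the time ns reaches it and the loop never steps past the root. Please state that invariant in the comment, for example that a namespace at the same or a shallower level cannot be a descendant of cred->user_ns and that this includes init_user_ns, so a later reader does not reintroduce the root check or assume it is missing. The wording "it's needlessly to go up" should also be fixed, for instance "there is no point in walking further up".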