security: Use user_namespace::level to avoid redundant iterations in cap_capable()

When ns->level is not larger then cred->user_ns->level,
then ns can't be cred->user_ns's descendant, and
there is no a sense to search in parents.

So, break the cycle earlier and skip needless iterations.

v2: Change comment on suggested by Andy Lutomirski.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

diff --git a/security/commoncap.c b/security/commoncap.c
index 7abebd782d5e02d0c024ca0b2b1b189b1f4f83d1..d5932028229413e52577d7b1ab7ba02987f2c7cf 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -82,8 +82,11 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
                if (ns == cred->user_ns)
                        return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 
-               /* Have we tried all of the parent namespaces? */
-               if (ns == &init_user_ns)
+               /*
+                * If we're already at a lower level than we're looking for,
+                * we're done searching.
+                */
+               if (ns->level <= cred->user_ns->level)
                        return -EPERM;
 
                /*