[PATCH] userns,pidns: Verify the userns for new pid namespaces
Eric W. Biederman
ebiederm at xmission.com
Tue May 2 20:39:50 UTC 2017
Kirill Tkhai <ktkhai at virtuozzo.com> writes:
>>> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
>>> index 2f735cbe05e8..7d8658fbabc8 100644
>>> --- a/kernel/user_namespace.c
>>> +++ b/kernel/user_namespace.c
>>> @@ -986,19 +986,25 @@ bool userns_may_setgroups(const struct user_namespace *ns)
>>> }
>>>
>>> /*
>>> - * Returns true if @ns is the same namespace as or a descendant of
>>> - * @target_ns.
>>> + * Returns true if @child is the same namespace or a descendant of
>>> + * @ancestor.
>>> */
>>> -bool current_in_userns(const struct user_namespace *target_ns)
>>> +bool in_userns(const struct user_namespace *ancestor,
>>> + const struct user_namespace *child)
>>> {
>>> - struct user_namespace *ns;
>>> - for (ns = current_user_ns(); ns; ns = ns->parent) {
>>> - if (ns == target_ns)
>>> + const struct user_namespace *ns;
>>> + for (ns = child; ns; ns = ns->parent) {
>>> + if (ns == ancestor)
>>> return true;
>>> }
>>> return false;
>>> }
>>
>> We have user_namespace::level, so it's possible to stop iterations earlier
>> and save some cpu cycles:
>>
>> for (ns = child; ns->level >= ancestor->level; ns = ns->parent)
>
> Just ">" here.
>
>> ;
>> return (ns == ancestor);
Good observation. Thank you.
Eric
More information about the Containers
mailing list