From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
Cc: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org,
agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org,
avagin-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org,
luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org,
gorcunov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org
Subject: Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces
Date: Tue, 02 May 2017 15:39:50 -0500 [thread overview]
Message-ID: <87y3ufgfhl.fsf@xmission.com> (raw)
In-Reply-To: <fab323b8-a909-bbce-77d2-afbcd3b0452e-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> (Kirill Tkhai's message of "Tue, 2 May 2017 13:04:37 +0300")
Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> writes:
>>> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
>>> index 2f735cbe05e8..7d8658fbabc8 100644
>>> --- a/kernel/user_namespace.c
>>> +++ b/kernel/user_namespace.c
>>> @@ -986,19 +986,25 @@ bool userns_may_setgroups(const struct user_namespace *ns)
>>> }
>>>
>>> /*
>>> - * Returns true if @ns is the same namespace as or a descendant of
>>> - * @target_ns.
>>> + * Returns true if @child is the same namespace or a descendant of
>>> + * @ancestor.
>>> */
>>> -bool current_in_userns(const struct user_namespace *target_ns)
>>> +bool in_userns(const struct user_namespace *ancestor,
>>> + const struct user_namespace *child)
>>> {
>>> - struct user_namespace *ns;
>>> - for (ns = current_user_ns(); ns; ns = ns->parent) {
>>> - if (ns == target_ns)
>>> + const struct user_namespace *ns;
>>> + for (ns = child; ns; ns = ns->parent) {
>>> + if (ns == ancestor)
>>> return true;
>>> }
>>> return false;
>>> }
>>
>> We have user_namespace::level, so it's possible to stop iterations earlier
>> and save some cpu cycles:
>>
>> for (ns = child; ns->level >= ancestor->level; ns = ns->parent)
>
> Just ">" here.
>
>> ;
>> return (ns == ancestor);
Good observation. Thank you.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
<serge@hallyn.com>, <agruenba@redhat.com>,
<gregkh@linuxfoundation.org>, <linux-kernel@vger.kernel.org>,
<oleg@redhat.com>, <paul@paul-moore.com>,
<viro@zeniv.linux.org.uk>, <avagin@openvz.org>,
<linux-api@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>,
<mtk.manpages@gmail.com>, <akpm@linux-foundation.org>,
<luto@amacapital.net>, <gorcunov@openvz.org>, <mingo@kernel.org>,
<keescook@chromium.org>
Subject: Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces
Date: Tue, 02 May 2017 15:39:50 -0500 [thread overview]
Message-ID: <87y3ufgfhl.fsf@xmission.com> (raw)
In-Reply-To: <fab323b8-a909-bbce-77d2-afbcd3b0452e@virtuozzo.com> (Kirill Tkhai's message of "Tue, 2 May 2017 13:04:37 +0300")
Kirill Tkhai <ktkhai@virtuozzo.com> writes:
>>> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
>>> index 2f735cbe05e8..7d8658fbabc8 100644
>>> --- a/kernel/user_namespace.c
>>> +++ b/kernel/user_namespace.c
>>> @@ -986,19 +986,25 @@ bool userns_may_setgroups(const struct user_namespace *ns)
>>> }
>>>
>>> /*
>>> - * Returns true if @ns is the same namespace as or a descendant of
>>> - * @target_ns.
>>> + * Returns true if @child is the same namespace or a descendant of
>>> + * @ancestor.
>>> */
>>> -bool current_in_userns(const struct user_namespace *target_ns)
>>> +bool in_userns(const struct user_namespace *ancestor,
>>> + const struct user_namespace *child)
>>> {
>>> - struct user_namespace *ns;
>>> - for (ns = current_user_ns(); ns; ns = ns->parent) {
>>> - if (ns == target_ns)
>>> + const struct user_namespace *ns;
>>> + for (ns = child; ns; ns = ns->parent) {
>>> + if (ns == ancestor)
>>> return true;
>>> }
>>> return false;
>>> }
>>
>> We have user_namespace::level, so it's possible to stop iterations earlier
>> and save some cpu cycles:
>>
>> for (ns = child; ns->level >= ancestor->level; ns = ns->parent)
>
> Just ">" here.
>
>> ;
>> return (ns == ancestor);
Good observation. Thank you.
Eric
next prev parent reply other threads:[~2017-05-02 20:39 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-27 12:32 [PATCH v3] pid_ns: Introduce ioctl to set vector of ns_last_pid's on ns hierarhy Kirill Tkhai
2017-04-27 12:32 ` Kirill Tkhai
[not found] ` <149329634856.21195.14196911999722279118.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2017-04-27 15:15 ` Eric W. Biederman
2017-04-27 15:15 ` Eric W. Biederman
[not found] ` <87mvb16fv7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-04-27 15:52 ` Kirill Tkhai
2017-04-27 15:52 ` Kirill Tkhai
[not found] ` <12a73543-79ea-4bac-7e96-6ab237534af2-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
2017-04-27 16:07 ` Eric W. Biederman
2017-04-27 16:07 ` Eric W. Biederman
[not found] ` <877f254yx0.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-04-28 9:13 ` Kirill Tkhai
2017-04-28 9:13 ` Kirill Tkhai
[not found] ` <a9941daf-861b-453c-37b8-e95389a9959b-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
2017-04-29 19:12 ` Eric W. Biederman
2017-04-29 19:12 ` Eric W. Biederman
[not found] ` <8737crt4dz.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-04-29 19:25 ` [PATCH] userns,pidns: Verify the userns for new pid namespaces Eric W. Biederman
2017-04-29 19:25 ` Eric W. Biederman
2017-04-29 20:53 ` Serge E. Hallyn
[not found] ` <20170429205325.GB1119-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-04-30 4:33 ` Eric W. Biederman
2017-04-30 4:33 ` Eric W. Biederman
[not found] ` <87a86yseej.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-04-30 4:42 ` Eric W. Biederman
2017-04-30 4:42 ` Eric W. Biederman
[not found] ` <87vapnrp7f.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-04-29 20:53 ` Serge E. Hallyn
2017-05-02 10:03 ` Kirill Tkhai
2017-05-02 10:03 ` Kirill Tkhai
[not found] ` <d67c8c06-2e6b-9cc0-df81-71d3cf4bb43d-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
2017-05-02 10:04 ` Kirill Tkhai
2017-05-02 10:04 ` Kirill Tkhai
2017-05-02 10:04 ` Kirill Tkhai
[not found] ` <fab323b8-a909-bbce-77d2-afbcd3b0452e-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
2017-05-02 20:39 ` Eric W. Biederman [this message]
2017-05-02 20:39 ` Eric W. Biederman
2017-05-02 20:39 ` Eric W. Biederman
2017-05-02 10:03 ` Kirill Tkhai
2017-05-02 9:53 ` [PATCH v3] pid_ns: Introduce ioctl to set vector of ns_last_pid's on ns hierarhy Kirill Tkhai
2017-05-02 9:53 ` Kirill Tkhai
[not found] ` <d2b88252-d579-8deb-2c32-4118b8464b6b-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org>
2017-05-02 21:26 ` Eric W. Biederman
2017-05-02 21:26 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y3ufgfhl.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=avagin-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=gorcunov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.