Bugzilla: 917708

Upstream-status: Fedora mustard

From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Wed, 13 Nov 2013 10:21:18 -0500

Subject: [PATCH] Revert "userns: Allow unprivileged users to create user

 namespaces."

This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.

Conflicts:

	kernel/fork.c

---

 kernel/fork.c | 13 +++++++++++++

 1 file changed, 13 insertions(+)

diff --git a/kernel/fork.c b/kernel/fork.c

index f6d11fc..e04c9a7 100644

--- a/kernel/fork.c

+++ b/kernel/fork.c

@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,

 	long nr;

 	/*

+	 * Do some preliminary argument and permissions checking before we

+	 * actually start allocating stuff

+	 */

+	if (clone_flags & CLONE_NEWUSER) {

+		/* hopefully this check will go away when userns support is

+		 * complete

+		 */

+		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||

+				!capable(CAP_SETGID))

+			return -EPERM;

+	}

+

+	/*

 	 * Determine whether and which event to report to ptracer.  When

 	 * called from kernel_thread or CLONE_UNTRACED is explicitly

 	 * requested, no event is reported; otherwise, report if the event

-- 

1.8.3.1