On Mon, Jan 10, 2011 at 09:14:07PM +0000, Serge E. Hallyn wrote:

> - if (pcred->uid != cred->euid && > - pcred->euid != cred->euid && !capable(CAP_SYS_NICE)) { > + if (pcred->user->user_ns != cred->user->user_ns && > + pcred->uid != cred->euid && > + pcred->euid != cred->euid && > + !ns_capable(pcred->user->user_ns, CAP_SYS_NICE)) {

I don't think this is correct. This would not error out if both userns are the same. Because the same pattern (check uid if same userns, otherwise only capability) shows up in several parts of the code, maybe this should be factored out.

> @@ -496,7 +498,7 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) > if (rgid != (gid_t) -1) { > if (old->gid == rgid || > old->egid == rgid || > - capable(CAP_SETGID)) > + ns_capable(current_user_ns(), CAP_SETGID))

Would it not be possible to add another function (nsown_capable?) that checks against the own userns?

Bastian

--
Change is the essential process of all existence.
-- Spock, "Let That Be Your Last Battlefield", stardate 5730.2
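
Review bot: In the CAP_SYS_NICE hunk, the added `pcred->user->user_ns != cred->user->user_ns` test is chained with `&&` to the uid/euid comparisons and the capability test, so whenever both creds share a user namespace the whole condition is false and the body of the `if` is never entered, even for a caller with no matching uid and no CAP_SYS_NICE. The chain also lets a caller from a different namespace through on a bare numeric match of `pcred->uid` or `pcred->euid` against `cred->euid`, although those values are only comparable within one namespace. Suggest restructuring so the `if` body is entered unless either the namespaces are equal and one of the uid comparisons matches, or `ns_capable(pcred->user->user_ns, CAP_SYS_NICE)` succeeds.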
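
Review bot: In the setregid hunk, `ns_capable(current_user_ns(), CAP_SETGID)` spells out the caller's own namespace at the call site; if the same substitution is repeated for other `capable()` calls, a small wrapper that fixes the namespace argument to `current_user_ns()` would keep the conversions uniform and make it easy to tell checks against the caller's namespace apart from checks against another task's namespace, such as `pcred->user->user_ns` in the CAP_SYS_NICE hunk. Only the `rgid` branch is visible in this hunk, so it is worth confirming that the corresponding `egid` check receives the same conversion.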