If only the dynamic part of procfs is mounted (subset=pid), then there is no need to check if procfs is fully visible to the user in the new user namespace.

Alexey Gladkov (2):
  proc: Relax check of mount visibility
  Show /proc/self/net only for CAP_NET_ADMIN

 fs/namespace.c     | 27 ++++++++++++++++-----------
 fs/proc/proc_net.c |  6 ++++++
 fs/proc/root.c     | 16 +++++++++-------
 include/linux/fs.h |  1 +
 4 files changed, 32 insertions(+), 18 deletions(-)

--
2.25.4