Re: [PATCH ] Fix capability check to allow privileged CLONE_NEWUSER from nested user namespaces

2018-01-31 Thread Srivatsa S. Bhat
On 1/31/18 9:01 AM, Serge E. Hallyn wrote:
> Quoting Srivatsa S. Bhat (sriva...@csail.mit.edu):
>> From: Srivatsa S. Bhat
>>
>> The existing patch which disallows unprivileged CLONE_NEWUSER applies
>> the check for CAP_SYS_ADMIN capability on the 'init_user_ns'

[PATCH ] Fix capability check to allow privileged CLONE_NEWUSER from nested user namespaces

2018-01-30 Thread Srivatsa S. Bhat
From: Srivatsa S. Bhat

The existing patch which disallows unprivileged CLONE_NEWUSER applies the check for CAP_SYS_ADMIN capability on the 'init_user_ns' namespace, which is not entirely correct. Consider the following sequence:

1. A process with root privileges calls clon