userns: Require CAP_SYS_ADMIN for most uses of setns.

[thirdparty/kernel/stable.git] / ipc / namespace.c

diff --git a/ipc/namespace.c b/ipc/namespace.c
index cf3386a51de25509f15c85871d447e95feee07fe..7c1fa451b0b0d75ae5265fea8fbe1193cb865223 100644 (file)
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -170,7 +170,8 @@ static void ipcns_put(void *ns)
 static int ipcns_install(struct nsproxy *nsproxy, void *new)
 {
        struct ipc_namespace *ns = new;
-       if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+       if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) ||
+           !nsown_capable(CAP_SYS_ADMIN))
                return -EPERM;
 
        /* Ditch state from the old ipc namespace */