locks: Don't allow mounts in user namespaces to enable mandatory locking

author Eric W. Biederman <ebiederm@xmission.com>

Wed, 11 Nov 2015 23:22:33 +0000 (17:22 -0600)

committer Jeff Layton <jeff.layton@primarydata.com>

Mon, 16 Nov 2015 15:01:34 +0000 (10:01 -0500)
author Eric W. Biederman <ebiederm@xmission.com>
Wed, 11 Nov 2015 23:22:33 +0000 (17:22 -0600)
committer Jeff Layton <jeff.layton@primarydata.com>
Mon, 16 Nov 2015 15:01:34 +0000 (10:01 -0500)
diff --git a/fs/namespace.c b/fs/namespace.c

index 4219885e9681124747f1266c402c219e0ce05918..4d2c8f64b7bf03e4ca0817bcfa1c51a11c8891cb 100644 (file)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1589,7 +1589,7 @@ static inline bool may_mandlock(void)
  #ifndef        CONFIG_MANDATORY_FILE_LOCKING
         return false;
  #endif
-       return true;
+       return capable(CAP_SYS_ADMIN);
  }
  
  /*
author	Eric W. Biederman <ebiederm@xmission.com>
	Wed, 11 Nov 2015 23:22:33 +0000 (17:22 -0600)
committer	Jeff Layton <jeff.layton@primarydata.com>
	Mon, 16 Nov 2015 15:01:34 +0000 (10:01 -0500)