From: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed, 11 Nov 2015 23:22:33 +0000 (-0600)
Subject: locks: Don't allow mounts in user namespaces to enable mandatory locking
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=95ace75414f312f9a7b93d873f386987b92a5301;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

locks: Don't allow mounts in user namespaces to enable mandatory locking

Since no one uses mandatory locking and files with mandatory locks can
cause problems don't allow them in user namespaces.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
---

diff --git a/fs/namespace.c b/fs/namespace.c
index 4219885e9681..4d2c8f64b7bf 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1589,7 +1589,7 @@ static inline bool may_mandlock(void)
 #ifndef	CONFIG_MANDATORY_FILE_LOCKING
 	return false;
 #endif
-	return true;
+	return capable(CAP_SYS_ADMIN);
 }
 
 /*