From 95ace75414f312f9a7b93d873f386987b92a5301 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Wed, 11 Nov 2015 17:22:33 -0600
Subject: [PATCH] locks: Don't allow mounts in user namespaces to enable mandatory locking

Since no one uses mandatory locking and files with mandatory locks can cause problems don't allow them in user namespaces.

Signed-off-by: "Eric W. Biederman"
Signed-off-by: Jeff Layton
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 4219885e9681..4d2c8f64b7bf 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1589,7 +1589,7 @@ static inline bool may_mandlock(void)
 #ifndef CONFIG_MANDATORY_FILE_LOCKING
 return false;
 #endif
- return true;
+ return capable(CAP_SYS_ADMIN);
 }
 /*
-- 
2.20.1
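Review bot: The new `return capable(CAP_SYS_ADMIN);` in may_mandlock() has no comment saying why it uses capable() rather than ns_capable(), and that choice is the whole fix: capable() tests the capability against the initial user namespace, so a process that is root only inside its own user namespace fails the check. I would add a comment directly above the return, for example `/* capable(), not ns_capable(): root in a non-initial user namespace must not be able to enable mandatory locks */`, so that a later conversion to ns_capable() is not mistaken for a harmless cleanup. The callers are not visible here; because capable() can produce an LSM audit record when it denies, it is worth confirming that they call may_mandlock() only when the mandatory-locking mount flag was actually requested. The function's opening lines sit above the hunk, so the placement of the comment relative to the `#ifndef` block should be checked against the full body.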