| Message ID | 201705161302.v4GD2pPv021109@finist_cl7.x64_64.work.ct |
|---|---|
| State | New |
| Series | "prctl: Allow local CAP_SYS_ADMIN changing exe_file" |
| Headers | show
Delivered-To: criupatchwork@gmail.com Received: from gmail-imap.l.google.com [64.233.162.108] by patchwork.criu.org with IMAP (fetchmail-6.3.26) for <root@localhost> (single-drop); Tue, 16 May 2017 15:05:37 +0200 (CEST) Received: by 10.100.181.142 with SMTP id r14csp1853146pjb; Tue, 16 May 2017 06:05:32 -0700 (PDT) X-Received: by 10.98.31.2 with SMTP id f2mr11582944pff.95.1494939932202; Tue, 16 May 2017 06:05:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494939932; cv=none; d=google.com; s=arc-20160816; b=SHl7dwE2KdJKVWkcSVCfWOQCGnsYaAatVTDGhRV/8eOojlBDk2DbUg/Nj20B3iRJD8 AF9IRAOXuE1gwvRBZzKiYUsWFbJs2iQHKKv1O5wkg+mUc624bEA2594/BPOY1wUD2xA6 CcYGDuTIgNcZPfvadp/roPH7tCwr3xJa6gu05sYTPhsE7GwQc8tAgC5zp9vg4di+X2Q+ gF26U9MJk0TCfN4+ioe5Ln5dZ3omxdKD2iPujmC+sasPxN5DzXKqjQvI5gg4k3Zt6tki RXuM6Jj4atNeWOFxxNBQCYywwRRKdOAq4mLvL/ObF94DIx/n9FsRUwKL72XAwHvsiARs mG8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :cc:spamdiagnosticmetadata:spamdiagnosticoutput:mime-version :in-reply-to:to:from:message-id:date:arc-authentication-results; bh=r5EW945xAPz9K3Mc+c9ayusfnqbcLC05n1WOlHhYwHc=; b=PrICa3tZC2TtO8HMsaVqkNglH20c6IpCpzah34aiPiKG2bPj8WQhVULH2ByPOk3zGq yDjzw2938T/W09QtSizf9UIBK8YOoI6x5ervERE0FZIRCdZFPGFdPLFH0kJnWVSJT46Q 2Vb1OkZDOIzYF8f96DXSfb6xWNRHLcZzL7LpONu66yl3aaGVQc59I0Fdfw55b4Tbg/XD 5stXkeBh6m0CcqzisiR8jcmkUWUq5cUwfk5j2sdGGwX4iKHl1mb2NXwTcdjo5tf9lNKj SYSyPgl1GiMFJiNBtK6qO/ulGuzq2ScThLwJEpQf+EWFRJmzUS2HtyLGYRLL+cMol4a9 TSCA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of devel-bounces@openvz.org designates 195.214.232.140 as permitted sender) smtp.mailfrom=devel-bounces@openvz.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Return-Path: <devel-bounces@openvz.org> Received: from mail.openvz.org (mail.openvz.org. [195.214.232.140]) by mx.google.com with ESMTPS id u12si13607387pgn.138.2017.05.16.06.05.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 May 2017 06:05:32 -0700 (PDT) Received-SPF: pass (google.com: domain of devel-bounces@openvz.org designates 195.214.232.140 as permitted sender) client-ip=195.214.232.140; Authentication-Results: mx.google.com; spf=pass (google.com: domain of devel-bounces@openvz.org designates 195.214.232.140 as permitted sender) smtp.mailfrom=devel-bounces@openvz.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: from mail.openvz.org (localhost [127.0.0.1]) by mail.openvz.org (8.14.4/8.14.4) with ESMTP id v4GD33jG003801; Tue, 16 May 2017 06:03:04 -0700 Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-db5eur03lp0084.outbound.protection.outlook.com [94.245.120.84]) by mail.openvz.org (8.14.4/8.14.4) with ESMTP id v4GD32TT003798 for <devel@openvz.org>; Tue, 16 May 2017 06:03:02 -0700 Received: from DB5PR08CA0041.eurprd08.prod.outlook.com (2a01:111:e400:52c3::51) by AM4PR0801MB1489.eurprd08.prod.outlook.com (2603:10a6:200:3d::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1084.16; Tue, 16 May 2017 13:02:54 +0000 Received: from HE1EUR01FT026.eop-EUR01.prod.protection.outlook.com (2a01:111:f400:7e1f::200) by DB5PR08CA0041.outlook.office365.com (2a01:111:e400:52c3::51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1101.14 via Frontend Transport; Tue, 16 May 2017 13:02:53 +0000 Authentication-Results: spf=pass (sender IP is 195.214.232.25) smtp.mailfrom=virtuozzo.com; openvz.org; dkim=none (message not signed) header.d=none; openvz.org; dmarc=pass action=none header.from=virtuozzo.com; Received-SPF: Pass (protection.outlook.com: domain of virtuozzo.com designates 195.214.232.25 as permitted sender) receiver=protection.outlook.com; client-ip=195.214.232.25; helo=relay.sw.ru; Received: from relay.sw.ru (195.214.232.25) by HE1EUR01FT026.mail.protection.outlook.com (10.152.0.158) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1075.5 via Frontend Transport; Tue, 16 May 2017 13:02:52 +0000 Received: from finist_cl7.x64_64.work.ct (msk-vpn.virtuozzo.com [195.214.232.6]) by relay.sw.ru (8.13.4/8.13.4) with ESMTP id v4GD2pO8026774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 16 May 2017 16:02:51 +0300 (MSK) Received: from finist_cl7.x64_64.work.ct (localhost [127.0.0.1]) by finist_cl7.x64_64.work.ct (8.14.7/8.14.7) with ESMTP id v4GD2pYY021110; Tue, 16 May 2017 17:02:51 +0400 Received: (from khorenko@localhost) by finist_cl7.x64_64.work.ct (8.14.7/8.14.7/Submit) id v4GD2pPv021109; Tue, 16 May 2017 17:02:51 +0400 Date: Tue, 16 May 2017 17:02:51 +0400 Message-ID: <201705161302.v4GD2pPv021109@finist_cl7.x64_64.work.ct> X-Authentication-Warning: finist_cl7.x64_64.work.ct: khorenko set sender to khorenko@virtuozzo.com using -f From: Konstantin Khorenko <khorenko@virtuozzo.com> To: Kirill Tkhai <ktkhai@virtuozzo.com> In-Reply-To: <149460677394.12666.5846700084460689681.stgit@localhost.localdomain> X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:195.214.232.25; IPV:CAL; SCL:-1; CTRY:RU; EFV:NLI; SFV:SKN; SFS:; DIR:INB; SFP:; SCL:-1; SRVR:AM4PR0801MB1489; H:relay.sw.ru; FPR:; SPF:None; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; HE1EUR01FT026; 1:+wS725vgMqNtURsxYuKnn5SPBH4sC8AuvET7339MX+FeeMcoAa+H3SHf4uYJvM5R2qhESqEUVwQiVGqc4EKLJ2EbyNDE/TSRWNC2AAmyDyI2t2cNh44FaC2U1/pMVnLpkDGexGcrD9F8PiGIfnw9ozQjJy9oDcCAA8YXCCROz/QL0I8pA8Zez2P4yH3AprRbLKPUkmbE5yDkb8Z/7n/q2dO9Epmy2Ez97TtVI0WZPnRh9iJs2UzviFs6c8spUnU70f73p4MQQ1QHdwNYgdOo3o56kRGE8CC0bpBkK2UveM4jf0YOh3jhpTEopRyD20zflyoK4jQfs+ZUMpIuzNR+99Wq2uQ0bUZU2QvSyS+hy7eDCjmLpBanR3Fn0ZNusOQ0PkBhakY645P9SP5Bt16yVsm4G43/W1tZm3onTxgkbvT1KNbVmV7Fx3mmJ3Wcd8eDt4KTPnFcVgL5wOayNVJXUgLe9L9Mgc5wSlxJW7IQ8j4zbnLI6KB8iwrsopZYYtXNFsLnc18QtLw8KcQj+EwM8Q== MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: da9a368b-ea55-4c8f-cb60-08d49c5bdd22 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(8251501002)(2017030254075)(201703131423075)(201703031133081)(201702281549075); SRVR:AM4PR0801MB1489; X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 3:2qX3wb7KysxVckcbArQn3AeM8B+9T3+FT5cQ5ChKqbwSxfxr0gaHjCz1mDJmskmnvewgvZ0wirRCCvIUCqH5OsZ6vWTKkK8wNPU8AshiS6o8ajmOZXdNN4siU4mfsUH9dNKwR9ozgWe/WOCWkxRrmF8GZ9JehyDtY/cO6VDVkFLNgdrZ99Gric/QK2Q7ppPSfeFnwwconE3W4/WuBB9FjYwK9cXz/9y2X+ovrytJZ/6mN5Q/uz+X9YD9DIqDq29MhtQGokvN+ABRXke1EyFkEXR6sROt3iExLCw1q909XDaI9FrVjuC72cwHwNo+ugTeOYLcpj3OKaM8luF0BGKMFXL/KDqhg79j49AHvuD5JHgVzE7apvjz9F1pE+d0EVsoAOeFYAHQLl2RomLe/oAjoz8Yal4W2W1+quF3cZaz84ZEInHmIZaLiciZ4jUnFfn6Gx0gBbWq08YEe5944+b0lSDiMS4/Y4Y/O1RPrB+sx6cKhM8FxXvlFu8frI4FbiZ+sf/5B0ee7fC0Sfo/Xl30hg== X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 25:IHlbMCiIAgFNdqofjdYFHVcDbuYyGv4vaBEx862UuoXNaFka0Mqvkf15uZlSnNqouexPCEnLlM1acmvx6aEFUCzZMnnLHPcEno7kiZ3mYO3GUSPBn5lKQG5vJv8215p8cn5DqB+N+lVC2fVrhjvPnWUcsH9HmvPpqGFF56oMSd7fAa64+bO641H1lXb7THPvTtZ1tS9bmb3iwVshP1J7OaBcxZVs8zxSkEdxVOixYLFrsmY868mnBsXeBBpH8RyzPrzTdVJIwXAD8EGvfeJM39jt2U4VlNjiSSm8Zfp5DuNGF5cWsPeEnQ4o2V7SIL36nUuOVEU+1t1AL0q0XvpbazjiJlP/5G4k8cAgqwk2CzMacxxzxeXqjOnim/WFmfcb8/y9oIo98UVDpK9iC2tKBPpHAKxMAHNm5rUU4uz/xETYkbX0z35L/mWvI1IGq8HEeucgEdzHQlFXJYeMzANkWaPgitlD6zewrd8GPjUMVs8=; 31:u6AolBDYUef1+ZE3joCWbjQi4axV3L4vGaJg4u24JlkoqQdbmvtQcYuJ7gn8hXyF3ELKR9DXp4mEZvr69IR1VxzHnMR6/KzvCh4VjCC3s6HfBaX9aUaLUne1fbzEjhNcKhA3KYVnJndPMJseguOsqkUMsc7M1AxHVMgfjR0Iv115maKcUEGrm3EPdFVW6P/ILH5PkuPdEfyl0ycIBHKfbduU5HXkkKDHQw1LOF3x57dO3ZnGXkNge0qfr1A0RuqWe9Z7q9OsI3rVh8ISB+P5DSBtSMlqpCmMH3y9/JiD8KS6+vtxd1ks+NpdGZ52dSZI X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 20:YdFwyr3VvQQ8yDk2/e1QKc6u5Ftq42hl0cvv0Ae7BAMbqKFWc+PtECm9uQxc4jpGEO5N3A/y+yZQSewOUwvGNmVSqFEz7cClqjP4rNVrEe/kHjOtq+tvxp6W2Ar6ii/unlDNJy21hg8DhlRf409f6we3McfQjOv29XFHvqUp7uxYAr88QefTl4c5UfUN2nMPWmujP1e0uQfQdkufTnZ8gdftuHv8MECEmEO7KKDUf8G92c4n8eBJBL3jAFc9BaySvJ9qYJBABj4qAoLOcTSNZp2T+pita1rsWvOllzU0JMOUKTEQMBICytRGM/SBy+49T5k0fFpVrw1j4j/sYSmcn8c2w2azidFap+JXxyt8lmYAaYSVltdBxhMW07VF+PUj7SYjy8rX0ABgAscNdbpnVGJK3ozLiD1oZptDMvYpQPjbeV1XjxM0vaF66U0CtWVuxzeAh4vIHaS4gd1xQ72NRHYvGTLxgKeQnCGjMoSAEO+08qrauUmLoSUcbHmVHOKyNXcbS77qriZ9x4AiCOyqZw== X-Exchange-Antispam-Report-Test: UriScan:(84791874153150)(215187933766430); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(9101521199)(601004)(2401047)(13013025)(13020025)(13023025)(8121501046)(10201501046)(3002001)(93006095)(93004095); SRVR:AM4PR0801MB1489; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB1489; X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 4:GKsGsPU6typa7B0SHtyJzlcFafv4MzWv6IzBEo82p7wLaljy7NzTjQ/pXajrFVkwr/eugk3+BSAgiTJ8snS11UWaJyiFIrtfMQYseH8mWp7Frec99vl2o5MfyHtu9BR2iiOANk+Y2Ewmf1uXNFwIPTUDSN99QbVKnCW4eoAV1MoZABJvga28h1zjQnmqWgR1qVHAKivQok748liw00uyCM5cqLPuGILR6UafDbTLGJQiIqJyd1GKh5pePN+mjsGk3eSvWSARZQYhFyOuziCm/lK31VKfKWx+IV6Y46Va3cZVGkfOrrgNgj2o6m1UXjWoTAmu97XjBGxGqKMyBb0lvcpRtmJteyjh920zUukQGHrRHF7c31xxEzOdWPzaaw+t74/R4Q6fNpOyQjCPbyIcUdj78q0CiRoGGTjLaTr3Y8ZOqLoFBPE4/D1tBhjMjzisClSYICLZcIEIkBt5Sw7nt+gNsJBoEn2nXadS7IwVAik3PjL1kX3Ee9LK0Pw8CbzSHzQNbl/sJKf4JqIijDJlektamfGl051tbcl2+5fuPpf3TGWasL6TLAoG9mfqdwEy; 23:AiXNC0+PhKwUyEp/LEVJm7qEaqv9sDkOZmxXeA1n5sepvQWvLRHSXd9aWinlwQIXI8GPhhS4OVP4zBE1Ph1qvc6Pl14jhamUTok5k1Lm7qoYdsmPgZHqNmRmN1OT9iMY9XACu8/tB0UbEhUCxXVs3xO3c68STznvpeR6TSabB+zXcP5P8yb8xAnPvPrkXCIV X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 6:x6w+NF9gWNUQA2MR17I/NGQvl0qfmp3a+F7KsueHz3PyxhyEEno+YAEGwOqxTiT12RAR0fyfmZ5mEKp7fX+gZKHUtlzKaO2XviNKIbIc4WWvVz/nQm56E2Fv3WvxgzywSPgcyHw2YkhrIJGcmfTZpWWKjCqkm/yZZdKKzhhBok8zTxP9n/kiBmkApXuNmq8DGRrMo0JbivhfInUZ9M7QE6+PZS646T4b1Vusvu2/mVaGIbb8bdOHDT0poiTOXKU0AUmGSXBD00nn+HDkVHd7SzMBwyU3Xo/PK/TWnD4YnAj7Jd9VeEF+2wdhUDlQFsxJWWVo6okBi7kcyag/01K6HUULLTlOh7wD69hX4FDHd363zotFI7rBxlC+v8ZYPf7vqwszO5GZUCXq0S/KmIa0U5bu1W6fsJzgFko0jjBdxubytWRR5yVltRFTLoA1cZt5; 5:jrQq6qqw4Q8ZyccL5COyYTmV/FK49XPCJclR6jtb0ZblWeKJvR6H+xWe3afDJKCygsGq42AYN3+vXZvA2Me53IQnZ8DicdhwPVi3iILjD6Eg2NoiAQypai8t42mkTL0lEllyiIUndpLAzKvYOGGSpw==; 24:cMD5W8Mjgj+bZmWeVoBSYrAUpJHbVII4f+kpEBdEF63bzleUI/XcByFmPymJZcJ0XAcYsbWgqct9U0r3lqVpE7NE40XDW0QNZF+1AqETqTQ= SpamDiagnosticOutput: 1:2 SpamDiagnosticMetadata: 2b2090aae5154f77b71484475de18b04 X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 7:9aLyEQzvZYpRfrpArQ48SISDnUmreqot9cwQsf9dmYcinTOqy7ibUGTOPn9CGDUTWNok/hEnGetbRRs3Rt0lievKLxx88PkKeo2nJpy1oxLd5aJ87hYp2i9Rp+rOtjIaQA4acGdkThKZPvJ7+rQejMD5+z3WN9iF2F9VHt5cjAD2mfrhrdfAX6paHx69buBnJ9nheSri/gplrdD4ih16VolttGJJgK6RcwSJT3ZskqsQCU3lfAbspUGjFRCYpSKBl/SLA47OsYhzjP1X2/7sQxYy4neIYyYqJi3jBA/t66cNYS3d0V99TAVUOJ24V8YD2tbQMrb5GUmhX+K1+WRHslQFC7feRMkM8uEPnEBn2eIIGCKk+X+SUgc9SqDj6A2hKNbEEjrNdgJCqPVO6qGmQw==; 20:SThBhpo/naXQ6easVfeDdNB0fmvhvsiOlOt3BmrZPaq+UNADs5t6zExWcQDzKWhMQR1yuREqUFDYK5Ck1yu5P3xZJfkJiE5l2rioV6bSQndHJPLjSIBGBA6mwPK2Y8nzjfF41g7q25eXuRokxlLsd6hXJQa4ZsWLh6dLFNlzH5Q= X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 May 2017 13:02:52.7865 (UTC) X-MS-Exchange-CrossTenant-Id: 0bc7f26d-0264-416e-a6fc-8352af79c58f X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=0bc7f26d-0264-416e-a6fc-8352af79c58f; Ip=[195.214.232.25]; Helo=[relay.sw.ru] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB1489 X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 195.214.232.25 X-MS-Exchange-CrossPremises-SCL: -1 X-MS-Exchange-CrossPremises-AuthSource: HE1EUR01FT026.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossPremises-AuthAs: Anonymous X-MS-Exchange-CrossPremises-TransportTrafficType: Email X-MS-Exchange-CrossPremises-TransportTrafficSubType: X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:SKN; SKIP:0; X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent X-OrganizationHeadersPreserved: AM4PR0801MB1489.eurprd08.prod.outlook.com Cc: OpenVZ devel <devel@openvz.org> Subject: [Devel] [PATCH RHEL7 COMMIT] ms/prctl: Allow local CAP_SYS_ADMIN changing exe_file X-BeenThere: devel@openvz.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OpenVZ development <devel.openvz.org> List-Unsubscribe: <https://lists.openvz.org/mailman/options/devel>, <mailto:devel-request@openvz.org?subject=unsubscribe> List-Archive: <http://lists.openvz.org/pipermail/devel/> List-Post: <mailto:devel@openvz.org> List-Help: <mailto:devel-request@openvz.org?subject=help> List-Subscribe: <https://lists.openvz.org/mailman/listinfo/devel>, <mailto:devel-request@openvz.org?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: devel-bounces@openvz.org Errors-To: devel-bounces@openvz.org |
diff --git a/kernel/sys.c b/kernel/sys.c index be563d9..9a681ae 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2183,15 +2183,11 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map) /* * Finally, make sure the caller has the rights to - * change /proc/pid/exe link: only local root should + * change /proc/pid/exe link: only local sys admin should * be allowed to. */ if (prctl_map->exe_fd != (u32)-1) { - struct user_namespace *ns = current_user_ns(); - const struct cred *cred = current_cred(); - - if (!uid_eq(cred->uid, make_kuid(ns, 0)) || - !gid_eq(cred->gid, make_kgid(ns, 0))) + if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN)) goto out; }
The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.32.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-514.16.1.vz7.32.3 ------> commit 81ab8ba12f41c8056e236c6a0a8f01cdfd98a983 Author: Kirill Tkhai <ktkhai@virtuozzo.com> Date: Tue May 16 17:02:51 2017 +0400 ms/prctl: Allow local CAP_SYS_ADMIN changing exe_file This patch is going to mainstream, Eric W.Biederman took it to his tree. https://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-testing&id=f4434071b18b119aa2474be8746b49a9734fe505 During checkpointing and restore of userspace tasks we bumped into the situation, that it's not possible to restore the tasks, which user namespace does not have uid 0 or gid 0 mapped. People create user namespace mappings like they want, and there is no a limitation on obligatory uid and gid "must be mapped". So, if there is no uid 0 or gid 0 in the mapping, it's impossible to restore mm->exe_file of the processes belonging to this user namespace. Also, there is no a workaround. It's impossible to create a temporary uid/gid mapping, because only one write to /proc/[pid]/uid_map and gid_map is allowed during a namespace lifetime. If there is an entry, then no more mapings can't be written. If there isn't an entry, we can't write there too, otherwise user task won't be able to do that in the future. The patch changes the check, and looks for CAP_SYS_ADMIN instead of zero uid and gid. This allows to restore a task independently of its user namespace mappings. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> CC: Andrew Morton <akpm@linux-foundation.org> CC: Serge Hallyn <serge@hallyn.com> CC: "Eric W. Biederman" <ebiederm@xmission.com> CC: Oleg Nesterov <oleg@redhat.com> CC: Michal Hocko <mhocko@suse.com> CC: Andrei Vagin <avagin@openvz.org> CC: Cyrill Gorcunov <gorcunov@openvz.org> CC: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com> CC: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> https://jira.sw.ru/browse/PSBM-66313 Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> --- kernel/sys.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)