userns: Implement unshare of the user namespace

- Add CLONE_THREAD to the unshare flags if CLONE_NEWUSER is selected
  As changing user namespaces is only valid if all there is only
  a single thread.
- Restore the code to add CLONE_VM if CLONE_THREAD is selected and
  the code to addCLONE_SIGHAND if CLONE_VM is selected.
  Making the constraints in the code clear.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

1 files changed, 4 insertions, 4 deletions

diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 2ddd81657a2a..78e2ecb20165 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -186,7 +186,7 @@ void free_nsproxy(struct nsproxy *ns)
  * On success, returns the new nsproxy.
  */
 int unshare_nsproxy_namespaces(unsigned long unshare_flags,
-                struct nsproxy **new_nsp, struct fs_struct *new_fs)
+        struct nsproxy **new_nsp, struct cred *new_cred, struct fs_struct *new_fs)
 {
         struct user_namespace *user_ns;
         int err = 0;
@@ -195,12 +195,12 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
                                CLONE_NEWNET | CLONE_NEWPID)))
                 return 0;
 
-        if (!nsown_capable(CAP_SYS_ADMIN))
+        user_ns = new_cred ? new_cred->user_ns : current_user_ns();
+        if (!ns_capable(user_ns, CAP_SYS_ADMIN))
                 return -EPERM;
 
-        user_ns = current_user_ns();
         *new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
-                                new_fs ? new_fs : current->fs);
+                                         new_fs ? new_fs : current->fs);
         if (IS_ERR(*new_nsp)) {
                 err = PTR_ERR(*new_nsp);
                 goto out;