From 210af573bede5441c8ece851aba8551e53235958 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Wed, 13 Nov 2013 10:21:18 -0500
Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
 namespaces."

This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.

Bugzilla: 917708
Upstream-status: Fedora mustard

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

Conflicts:
	kernel/fork.c
---
 kernel/fork.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/kernel/fork.c b/kernel/fork.c
index 0cf9cdb6e491..31d3a9763887 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1624,6 +1624,19 @@ long do_fork(unsigned long clone_flags,
 	long nr;
 
 	/*
+	 * Do some preliminary argument and permissions checking before we
+	 * actually start allocating stuff
+	 */
+	if (clone_flags & CLONE_NEWUSER) {
+		/* hopefully this check will go away when userns support is
+		 * complete
+		 */
+		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+				!capable(CAP_SETGID))
+			return -EPERM;
+	}
+
+	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
 	 * requested, no event is reported; otherwise, report if the event
-- 
1.9.3