need this for docker as docker tries to mount:
mount("","/","", MS_PRIVATE | MS_REC, "")
and as we will not allow CAP_SYS_ADMIN in the container.

* after switching to user namespaces we won't need this patch
https://jira.sw.ru/browse/PSBM-34523

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 fs/namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index b9dfd0c..a73464f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1306,7 +1306,9 @@ static int do_umount(struct mount *mnt, int flags)
  */
 static inline bool may_mount(void)
 {
-       return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN) || 
nsown_capable(CAP_SYS_ADMIN);
+       return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN) ||
+                         nsown_capable(CAP_SYS_ADMIN) ||
+                         nsown_capable(CAP_VE_SYS_ADMIN);
 }
 
 /*
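Review bot: The added `nsown_capable(CAP_VE_SYS_ADMIN)` term in may_mount() is not limited to the case the commit message gives as the reason for the change. The message motivates it with a single propagation change, mount("","/","", MS_PRIVATE | MS_REC, ""), but may_mount() is a general permission predicate, so every caller that consults it will now also accept a task holding only CAP_VE_SYS_ADMIN. If only the propagation-flag path is needed for docker, consider checking CAP_VE_SYS_ADMIN at that path instead of in the shared helper, or state in the commit message why the wider grant is acceptable for a container that is deliberately denied CAP_SYS_ADMIN. The comment block that ends just above `static inline bool may_mount(void)` should also mention the new capability, and since the message says the patch becomes unnecessary after the switch to user namespaces, a short in-code comment referencing PSBM-34523 would make the third condition easy to find and remove later.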
-- 
1.9.3
