userns: Don't let unprivileged users trick privileged users into setting the id_map

When we require privilege for setting /proc/<pid>/uid_map or
/proc/<pid>/gid_map no longer allow an unprivileged user to
open the file and pass it to a privileged program to write
to the file.

Instead when privilege is required require both the opener and the
writer to have the necessary capabilities.

I have tested this code and verified that setting /proc/<pid>/uid_map
fails when an unprivileged user opens the file and a privielged user
attempts to set the mapping, that unprivileged users can still map
their own id, and that a privileged users can still setup an arbitrary

Reported-by: Andy Lutomirski <>
Signed-off-by: "Eric W. Biederman" <>
Signed-off-by: Andy Lutomirski <>
1 file changed