From 94e5f81b298c96696217a0bdaacf1b068bbfa3e6 Mon Sep 17 00:00:00 2001
From: Mark Huang <mlhuang@cs.princeton.edu>
Date: Tue, 7 Jun 2005 18:10:04 +0000
Subject: [PATCH] - merge revision 1.3 date: 2005/06/07 18:09:06;  author:
 mlhuang;  state: Exp;  lines: +4 -0 - fix 2.6.10 merge regression - PL3131
 fix: prevent vservers from escaping chroot() barriers

---
 fs/posix_acl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 97fbb8619..9c676901a 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -215,6 +215,10 @@ posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want)
 	const struct posix_acl_entry *pa, *pe, *mask_obj;
 	int found = 0;
 
+	/* Prevent vservers from escaping chroot() barriers */
+	if (IS_BARRIER(inode) && !vx_check(0, VX_ADMIN))
+		return -EACCES;
+
 	FOREACH_ACL_ENTRY(pa, acl, pe) {
                 switch(pa->e_tag) {
                         case ACL_USER_OBJ:
-- 
2.47.0