static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
{
struct inode *inode = d_inode(dentry);
+ struct user_namespace *s_user_ns;
int error;
if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
return -EPERM;
+ /* Don't let anyone mess with weird proc files */
+ s_user_ns = inode->i_sb->s_user_ns;
+ if (!kuid_has_mapping(s_user_ns, inode->i_uid) ||
+ !kgid_has_mapping(s_user_ns, inode->i_gid))
+ return -EPERM;
+
error = setattr_prepare(dentry, attr);
if (error)
return error;
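Review bot: The comment on the added check, "Don't let anyone mess with weird proc files", does not say what makes a file "weird" or why the request is refused, so a later maintainer cannot tell which invariant the check protects. Going by the two conditions, I would replace it with `/* Refuse setattr on inodes whose i_uid or i_gid has no mapping in the superblock's user namespace. */`. The check returns -EPERM before setattr_prepare() runs, so it applies to every caller regardless of capabilities; if that is intended, it is worth stating in the same comment. If other proc setattr handlers need the same guard (not visible here), a small shared helper would keep the copies from drifting apart. The body of proc_sys_setattr continues past the end of this hunk.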