--- /dev/null
+From f9171eb92ffd260debce2b28111dc7018d258588 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 31 Oct 2017 09:08:42 +0100
+Subject: [PATCH 3/3] Use user namespaces for FSETID policy check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With this we also need to verify that the group id of a file with
+the setgid flag has a valid mapping in the caller's user
+namespace.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ module/zfs/policy.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/module/zfs/policy.c b/module/zfs/policy.c
+index 03e8f748b..dbbcfefa3 100644
+--- a/module/zfs/policy.c
++++ b/module/zfs/policy.c
+@@ -42,19 +42,26 @@
+ * all other cases this function must fail and return the passed err.
+ */
+ static int
+-priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
++priv_policy_ns(const cred_t *cr, int capability, boolean_t all, int err,
++ struct user_namespace *ns)
+ {
+ ASSERT3S(all, ==, B_FALSE);
+
+ if (cr != CRED() && (cr != kcred))
+ return (err);
+
+- if (!capable(capability))
++ if (!(ns ? ns_capable(ns, capability) : capable(capability)))
+ return (err);
+
+ return (0);
+ }
+
++static int
++priv_policy(const cred_t *cr, int capability, boolean_t all, int err)
++{
++ return priv_policy_ns(cr, capability, all, err, NULL);
++}
++
+ /*
+ * Checks for operations that are either client-only or are used by
+ * both clients and servers.
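Review bot: The new `ns` parameter of priv_policy_ns() is undocumented, and the function comment it extends (which begins above this hunk) still describes only the old capable()-in-init-namespace contract; I would add to that comment `ns: user namespace the capability is checked in via ns_capable(); NULL means capable(), i.e. the initial namespace.` so readers see that passing a namespace is a deliberate relaxation for callers inside containers. The wrapper's `return priv_policy_ns(cr, capability, all, err, NULL);` also drops the parenthesized `return (...)` form used on every other return in this file; `return (priv_policy_ns(cr, capability, all, err, NULL));` keeps cstyle happy. The `all` argument is still asserted B_FALSE and then ignored, which is unchanged behaviour but worth a word in the comment now that the signature is being touched.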
+@@ -175,8 +182,11 @@ secpolicy_vnode_setid_retain(const cred_t *cr, boolean_t issuidroot)
+ int
+ secpolicy_vnode_setids_setgids(const cred_t *cr, gid_t gid)
+ {
++ if (!kgid_has_mapping(cr->user_ns, SGID_TO_KGID(gid)))
++ return (EPERM);
+ if (crgetfsgid(cr) != gid && !groupmember(gid, cr))
+- return (priv_policy(cr, CAP_FSETID, B_FALSE, EPERM));
++ return (priv_policy_ns(cr, CAP_FSETID, B_FALSE, EPERM,
++ cr->user_ns));
+
+ return (0);
+ }
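Review bot: The added kgid_has_mapping() guard is the security-relevant half of this change and carries no comment explaining why it is required; I would precede it with `/* CAP_FSETID in a user namespace only covers ids mapped there (cf. capable_wrt_inode_uidgid()); an unmapped group must never be retained as setgid. */`. Note that the kernel helper this mirrors also requires the inode's owner uid to be mapped in the caller's namespace, which this function cannot check because it only receives `gid`; if the caller passes the inode gid alone, that uid-side check presumably has to live at the call site, which is outside this hunk and should be confirmed. As written, an unmapped gid yields EPERM even for a caller with CAP_FSETID in its namespace, which matches the kernel's semantics and looks correct.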
+--
+2.14.2
+