diff -u linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/context.c linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/context.c
--- linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/context.c 2006-04-12 02:59:41 +0200
+++ linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/context.c 2006-04-12 02:59:41 +0200
@@ -794,7 +794,7 @@
 struct vx_info *vxi;
 struct vcmd_vx_info_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RESOURCE))
+ if (!capable(CAP_SYS_RESOURCE))
 return -EPERM;
 vxi = lookup_vx_info(id);
@@ -819,8 +819,6 @@
 struct vx_info *new_vxi;
 int ret;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (data && copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -854,8 +852,6 @@
 struct vcmd_ctx_migrate vc_data = { .flagword = 0 };
 struct vx_info *vxi;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (data && copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -883,9 +879,6 @@
 struct vx_info *vxi;
 struct vcmd_ctx_flags_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
 vxi = lookup_vx_info(id);
 if (!vxi)
 return -ESRCH;
@@ -908,8 +901,6 @@
 struct vcmd_ctx_flags_v0 vc_data;
 uint64_t mask, trigger;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
diff -u linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/switch.c linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/switch.c
--- linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/switch.c 2006-04-12 02:47:34 +0200
+++ linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/switch.c 2006-04-12 02:47:34 +0200
@@ -83,6 +83,9 @@
 if (!capable(CAP_CONTEXT))
 return -EPERM;
 #endif
+ /* moved here from the individual commands */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
 switch (cmd) {
 case VCMD_get_version:
--- linux-2.6.16-vs2.1.1-rc15.5/kernel/vserver/cvirt.c 2006-03-20 17:34:50 +0100
+++ linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/cvirt.c 2006-04-12 02:45:41 +0200
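Review bot: With `!capable(CAP_SYS_ADMIN)` dropped from the condition in the first context.c hunk, this handler (apparently the vx_info query, judging by `struct vcmd_vx_info_v0`; its signature is outside the hunk) enforces only CAP_SYS_RESOURCE itself and depends on its caller for the stronger check. The same holds for the handlers in inode.c, limit.c and network.c that keep a single capability, and the handlers whose check is deleted outright (for example `vc_set_vhi_name` and `vc_net_create`) now perform no permission check of their own. Where the hunk headers show a signature the handlers are not `static`, so any caller other than the command dispatcher in switch.c would reach them ungated. I would record the precondition above each handler, e.g. `/* caller must already have checked CAP_SYS_ADMIN (done in the command dispatcher) */`.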
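Review bot: The new CAP_SYS_ADMIN gate in switch.c sits ahead of `switch (cmd)`, so it applies to every command, including `VCMD_get_version` in the first case label, not only to the commands whose own checks this patch removes. If version queries or other read-only commands could be issued without CAP_SYS_ADMIN before, that is a behaviour change worth stating in the commit. If it is intended, the comment should describe the invariant rather than the history, e.g. `/* all vserver commands require CAP_SYS_ADMIN; handlers add only command-specific capabilities */`. The function begins and ends outside the hunk, so whether any command is meant to be exempt cannot be confirmed from here.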
@@ -217,8 +217,6 @@ int vc_set_vhi_name(uint32_t id, void __
 struct vcmd_vhi_name_v0 vc_data;
 char *name;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
--- linux-2.6.16-vs2.1.1-rc15.5/kernel/vserver/inode.c 2006-03-24 16:59:16 +0100
+++ linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/inode.c 2006-04-12 02:55:02 +0200
@@ -205,7 +205,7 @@ int vc_set_iattr(uint32_t id, void __use
 struct vcmd_ctx_iattr_v1 vc_data;
 int ret;
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_LINUX_IMMUTABLE))
+ if (!capable(CAP_LINUX_IMMUTABLE))
 return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -230,7 +230,7 @@ int vc_set_iattr_x32(uint32_t id, void _
 struct vcmd_ctx_iattr_v1_x32 vc_data;
 int ret;
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_LINUX_IMMUTABLE))
+ if (!capable(CAP_LINUX_IMMUTABLE))
 return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
--- linux-2.6.16-vs2.1.1-rc15.5/kernel/vserver/limit.c 2006-04-03 01:38:32 +0200
+++ linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/limit.c 2006-04-12 02:51:55 +0200
@@ -144,7 +144,7 @@ int vc_set_rlimit(uint32_t id, void __us
 {
 struct vcmd_ctx_rlimit_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RESOURCE))
+ if (!capable(CAP_SYS_RESOURCE))
 return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -159,7 +159,7 @@ int vc_set_rlimit_x32(uint32_t id, void
 {
 struct vcmd_ctx_rlimit_v0_x32 vc_data;
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RESOURCE))
+ if (!capable(CAP_SYS_RESOURCE))
 return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -209,7 +209,7 @@ int vc_get_rlimit_mask(uint32_t id, void
 0
 };
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RESOURCE))
+ if (!capable(CAP_SYS_RESOURCE))
 return -EPERM;
 if (copy_to_user(data, &mask, sizeof(mask)))
 return -EFAULT;
--- linux-2.6.16-vs2.1.1-rc15.5/kernel/vserver/network.c 2006-03-24 17:01:11 +0100
+++ linux-2.6.16-vs2.1.1-rc15.6/kernel/vserver/network.c 2006-04-12 02:53:26 +0200
@@ -549,7 +549,7 @@ int vc_nx_info(uint32_t id, void __user
 struct nx_info *nxi;
 struct vcmd_nx_info_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RESOURCE))
+ if (!capable(CAP_SYS_RESOURCE))
 return -EPERM;
 nxi = lookup_nx_info(id);
@@ -573,8 +573,6 @@ int vc_net_create(uint32_t nid, void __u
 struct nx_info *new_nxi;
 int ret;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (data && copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -607,9 +605,6 @@ int vc_net_migrate(uint32_t id, void __u
 {
 struct nx_info *nxi;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
 nxi = lookup_nx_info(id);
 if (!nxi)
 return -ESRCH;
@@ -624,8 +619,6 @@ int vc_net_add(uint32_t nid, void __user
 struct nx_info *nxi;
 int index, pos, ret = 0;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (data && copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -676,8 +669,6 @@ int vc_net_remove(uint32_t nid, void __u
 struct nx_info *nxi;
 int ret = 0;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (data && copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -704,9 +695,6 @@ int vc_get_nflags(uint32_t id, void __us
 struct nx_info *nxi;
 struct vcmd_net_flags_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
 nxi = lookup_nx_info(id);
 if (!nxi)
 return -ESRCH;
@@ -729,8 +717,6 @@ int vc_set_nflags(uint32_t id, void __us
 struct vcmd_net_flags_v0 vc_data;
 uint64_t mask, trigger;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;
@@ -756,9 +742,6 @@ int vc_get_ncaps(uint32_t id, void __use
 struct nx_info *nxi;
 struct vcmd_net_caps_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
 nxi = lookup_nx_info(id);
 if (!nxi)
 return -ESRCH;
@@ -777,8 +760,6 @@ int vc_set_ncaps(uint32_t id, void __use
 struct nx_info *nxi;
 struct vcmd_net_caps_v0 vc_data;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
 if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 return -EFAULT;