--- linux-2.6.18.2/fs/namei.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namei.c	2006-11-04 08:24:09 +0100
@@ -712,7 +746,8 @@ static __always_inline void follow_dotdo
 		if (nd->dentry == current->fs->root &&
 		    nd->mnt == current->fs->rootmnt) {
                         read_unlock(&current->fs->lock);
-			break;
+			/* for sane '/' avoid follow_mount() */
+			return;
 		}
                 read_unlock(&current->fs->lock);
 		spin_lock(&dcache_lock);
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -249,6 +251,7 @@ static struct vfsmount *clone_mnt(struct
 		mnt->mnt_root = dget(root);
 		mnt->mnt_mountpoint = mnt->mnt_root;
 		mnt->mnt_parent = mnt;
+		mnt->mnt_tag = old->mnt_tag;
 
 		if (flag & CL_SLAVE) {
 			list_add(&mnt->mnt_slave, &old->mnt_slave_list);
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -357,6 +360,32 @@ static inline void mangle(struct seq_fil
 	seq_escape(m, s, " \t\n\\");
 }
 
+static int mnt_is_reachable(struct vfsmount *mnt)
+{
+	struct vfsmount *root_mnt;
+	struct dentry *root, *point;
+	int ret;
+
+	if (mnt == mnt->mnt_namespace->root)
+		return 1;
+
+	spin_lock(&dcache_lock);
+	root_mnt = current->fs->rootmnt;
+	root = current->fs->root;
+	point = root;
+
+	while ((mnt != mnt->mnt_parent) && (mnt != root_mnt)) {
+		point = mnt->mnt_mountpoint;
+		mnt = mnt->mnt_parent;
+	}
+
+	ret = (mnt == root_mnt) && is_subdir(point, root);
+
+	spin_unlock(&dcache_lock);
+
+	return ret;
+}
+
 static int show_vfsmnt(struct seq_file *m, void *v)
 {
 	struct vfsmount *mnt = v;
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -412,17 +457,27 @@ static int show_vfsstat(struct seq_file 
 	struct vfsmount *mnt = v;
 	int err = 0;
 
-	/* device */
-	if (mnt->mnt_devname) {
-		seq_puts(m, "device ");
-		mangle(m, mnt->mnt_devname);
-	} else
-		seq_puts(m, "no device");
+	if (vx_flags(VXF_HIDE_MOUNT, 0))
+		return 0;
+	if (!mnt_is_reachable(mnt) && !vx_check(0, VX_WATCH_P))
+		return 0;
 
-	/* mount point */
-	seq_puts(m, " mounted on ");
-	seq_path(m, mnt, mnt->mnt_root, " \t\n\\");
-	seq_putc(m, ' ');
+	if (!vx_check(0, VX_ADMIN|VX_WATCH) &&
+		mnt == current->fs->rootmnt) {
+		seq_puts(m, "device /dev/root mounted on / ");
+	} else {
+		/* device */
+		if (mnt->mnt_devname) {
+			seq_puts(m, "device ");
+			mangle(m, mnt->mnt_devname);
+		} else
+			seq_puts(m, "no device");
+
+		/* mount point */
+		seq_puts(m, " mounted on ");
+		seq_path(m, mnt, mnt->mnt_root, " \t\n\\");
+		seq_putc(m, ' ');
+	}
 
 	/* file system type */
 	seq_puts(m, "with fstype ");
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -676,7 +731,7 @@ asmlinkage long sys_oldumount(char __use
 
 static int mount_is_safe(struct nameidata *nd)
 {
-	if (capable(CAP_SYS_ADMIN))
+	if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return 0;
 	return -EPERM;
 #ifdef notyet
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -905,7 +960,8 @@ static int do_change_type(struct nameida
 /*
  * do loopback mount.
  */
-static int do_loopback(struct nameidata *nd, char *old_name, int recurse)
+static int do_loopback(struct nameidata *nd, char *old_name, tag_t tag,
+	unsigned long flags, int mnt_flags)
 {
 	struct nameidata old_nd;
 	struct vfsmount *mnt = NULL;
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -910,6 +966,7 @@ *****
 	struct nameidata old_nd;
 	struct vfsmount *mnt = NULL;
 	int err = mount_is_safe(nd);
+	int recurse = flags & MS_REC;
 	if (err)
 		return err;
 	if (!old_name || !*old_name)
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -935,6 +992,12 @@ static int do_loopback(struct nameidata 
 	if (!mnt)
 		goto out;
 
+	mnt->mnt_flags = mnt_flags;
+	if (flags & MS_TAGID) {
+		mnt->mnt_tag = tag;
+		mnt->mnt_flags |= MNT_TAGID;
+	}
+
 	err = graft_tree(mnt, nd);
 	if (err) {
 		LIST_HEAD(umount_list);
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -943,6 +1006,7 @@ static int do_loopback(struct nameidata 
 		spin_unlock(&vfsmount_lock);
 		release_mounts(&umount_list);
 	}
+	mnt->mnt_flags = mnt_flags;
 
 out:
 	up_write(&namespace_sem);
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -956,7 +1020,7 @@ out:
  * on it - tough luck.
  */
 static int do_remount(struct nameidata *nd, int flags, int mnt_flags,
-		      void *data)
+		      void *data, xid_t xid)
 {
 	int err;
 	struct super_block *sb = nd->mnt->mnt_sb;
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -1387,6 +1451,7 @@ long do_mount(char *dev_name, char *dir_
 	struct nameidata nd;
 	int retval = 0;
 	int mnt_flags = 0;
+	tag_t tag = 0;
 
 	/* Discard magic */
 	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -1414,6 +1491,8 @@ long do_mount(char *dev_name, char *dir_
 	if (flags & MS_NODIRATIME)
 		mnt_flags |= MNT_NODIRATIME;
 
+	if (!capable(CAP_SYS_ADMIN))
+		mnt_flags |= MNT_NODEV;
 	flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE |
 		   MS_NOATIME | MS_NODIRATIME);
 
--- linux-2.6.18.2/fs/namespace.c	2006-09-20 16:58:35 +0200
+++ linux-2.6.18.2-vs2.1.1/fs/namespace.c	2006-09-25 15:40:02 +0200
@@ -1428,9 +1507,9 @@ long do_mount(char *dev_name, char *dir_
 
 	if (flags & MS_REMOUNT)
 		retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
-				    data_page);
+				    data_page, tag);
 	else if (flags & MS_BIND)
-		retval = do_loopback(&nd, dev_name, flags & MS_REC);
+		retval = do_loopback(&nd, dev_name, tag, flags, mnt_flags);
 	else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
 		retval = do_change_type(&nd, flags);
 	else if (flags & MS_MOVE)
--- linux-2.6.18.2/include/linux/vserver/namespace.h	1970-01-01 01:00:00 +0100
+++ linux-2.6.18.2-vs2.1.1/include/linux/vserver/namespace.h	2006-09-20 17:01:45 +0200
@@ -0,0 +1,15 @@
+#ifndef _VX_NAMESPACE_H
+#define _VX_NAMESPACE_H
+
+
+#include <linux/types.h>
+
+struct vx_info;
+struct namespace;
+struct fs_struct;
+
+extern int vx_set_namespace(struct vx_info *, struct namespace *, struct fs_struct *);
+
+#else	/* _VX_NAMESPACE_H */
+#warning duplicate inclusion
+#endif	/* _VX_NAMESPACE_H */
--- linux-2.6.18.2/kernel/vserver/namespace.c	1970-01-01 01:00:00 +0100
+++ linux-2.6.18.2-vs2.1.1/kernel/vserver/namespace.c	2006-09-25 15:40:02 +0200
@@ -0,0 +1,101 @@
+/*
+ *  linux/kernel/vserver/namespace.c
+ *
+ *  Virtual Server: Context Namespace Support
+ *
+ *  Copyright (C) 2003-2006  Herbert Pötzl
+ *
+ *  V0.01  broken out from context.c 0.07
+ *  V0.02  added task locking for namespace
+ *  V0.03  broken out vx_enter_namespace
+ *
+ */
+
+#include <linux/utsname.h>
+#include <linux/sched.h>
+#include <linux/vs_context.h>
+#include <linux/vserver/namespace.h>
+#include <linux/vserver/namespace_cmd.h>
+#include <linux/dcache.h>
+#include <linux/mount.h>
+#include <linux/fs.h>
+
+#include <asm/errno.h>
+#include <asm/uaccess.h>
+
+
+/* namespace functions */
+
+#include <linux/namespace.h>
+
+int vx_enter_namespace(struct vx_info *vxi)
+{
+	struct fs_struct *old_fs, *fs;
+	struct namespace *old_ns;
+
+	if (vx_info_flags(vxi, VXF_INFO_LOCK, 0))
+		return -EACCES;
+	if (!vxi->vx_namespace)
+		return -EINVAL;
+
+	fs = copy_fs_struct(vxi->vx_fs);
+	if (!fs)
+		return -ENOMEM;
+
+	task_lock(current);
+	old_ns = current->namespace;
+	old_fs = current->fs;
+	get_namespace(vxi->vx_namespace);
+	current->namespace = vxi->vx_namespace;
+	current->fs = fs;
+	task_unlock(current);
+
+	put_namespace(old_ns);
+	put_fs_struct(old_fs);
+	return 0;
+}
+
+int vx_set_namespace(struct vx_info *vxi, struct namespace *ns, struct fs_struct *fs)
+{
+	struct fs_struct *fs_copy;
+
+	if (vxi->vx_namespace)
+		return -EPERM;
+	if (!ns || !fs)
+		return -EINVAL;
+
+	fs_copy = copy_fs_struct(fs);
+	if (!fs_copy)
+		return -ENOMEM;
+
+	get_namespace(ns);
+	vxi->vx_namespace = ns;
+	vxi->vx_fs = fs_copy;
+	return 0;
+}
+
+int vc_enter_namespace(struct vx_info *vxi, void __user *data)
+{
+	return vx_enter_namespace(vxi);
+}
+
+int vc_set_namespace(struct vx_info *vxi, void __user *data)
+{
+	struct fs_struct *fs;
+	struct namespace *ns;
+	int ret;
+
+	task_lock(current);
+	fs = current->fs;
+	atomic_inc(&fs->count);
+	ns = current->namespace;
+	get_namespace(current->namespace);
+	task_unlock(current);
+
+	ret = vx_set_namespace(vxi, ns, fs);
+
+	put_namespace(ns);
+	put_fs_struct(fs);
+	return ret;
+}
+