Comment 3 for bug 1692543

yes something like this should work. However 600 will not be the correct check, as in some cases the owner may differ, especially in the virtualized case because vfs doesn't let us virtualize the file's owner.

Currently this file isn't virtualized to the poilicy namespace, and that is why the restriction was put in place to keep containers from doing things they shouldn't with other policy namespaces. It will be virtualized by 4.14, we can land that change in Ubuntu for 17.10 and SRU.

We have no plans to require/use bind mounts to get around owner virtualization, but with the 4.13 we added the ability for securityfs to do magic symlinks, which allows a virtualization like nsfs is doing. We could make this a magic symlink to a file owned by the correct user if need be, in which case 600 would be sufficient.

I think for now the test needs to be for any possible write, 222, so we will need to do some masking on the returned value.