Comment 11 for bug 1531747

Seth Forshee (sforshee) wrote :

I don't know why #2 is that much grosser than what's there now. It's already only taking the cap for setting the xattr, and taking CAP_SYS_ADMIN in init_user_ns seems to be what it's really wanting to do there. The difference now, though, is that before, that capability would have been required to do the mount, and now it isn't.

If we were to use ns_capable, which namespace do we use? current_user_ns? Then that check becomes worthless because any user can make a new namespace to bypass it. If we had the s_user_ns patches it might make sense to use that, but that probably doesn't solve the problem anyway since the lower mount was probably mounted in init_user_ns.
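The bypass described in the comment above (an ns_capable() check against current_user_ns() is defeated by any user who creates a fresh user namespace) is easy to see in a small model of the kernel's capability walk. The following C program is an added example, not code from the bug, the overlayfs patches, or the kernel itself: it re-implements the ancestor walk of cap_capable() from security/commoncap.c in user space, with a hypothetical unprivileged uid 1000 and a toy unshare(CLONE_NEWUSER) that hands the creator a full effective capability set in the new namespace, as the kernel does.

```c
/* Toy model of capable() vs ns_capable() semantics (added example; not
 * kernel code).  The walk mirrors cap_capable() in security/commoncap.c:
 * a task holds `cap` in namespace `ns` if its own cred has the cap and
 * ns is its user_ns, or if it is the creator (owner) of a descendant ns
 * reached by walking up from ns to the task's own user_ns.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21

struct user_namespace {
    struct user_namespace *parent;
    int level;          /* depth below init_user_ns (init is level 0) */
    uint32_t owner;     /* kuid (init-ns terms) of the creating user */
};

struct cred {
    uint32_t euid;                   /* kuid in init_user_ns terms */
    uint64_t cap_effective;          /* capability bitmask within user_ns */
    struct user_namespace *user_ns;  /* namespace the cred belongs to */
};

static struct user_namespace init_user_ns = { .parent = NULL, .level = 0, .owner = 0 };

static bool cap_raised(uint64_t set, int cap) { return (set >> cap) & 1; }

/* Model of cap_capable(): walk from `ns` up toward init_user_ns. */
static bool ns_capable(const struct cred *cred, struct user_namespace *ns, int cap)
{
    for (;;) {
        if (ns == cred->user_ns)
            return cap_raised(cred->cap_effective, cap);
        /* `ns` is not a descendant of the task's own user_ns: never capable */
        if (ns->level <= cred->user_ns->level)
            return false;
        /* the creator of a direct child ns holds every cap in that child */
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return true;
        ns = ns->parent;
    }
}

/* capable(): always checks against init_user_ns, so a new namespace
 * created by an unprivileged user never satisfies it. */
static bool capable(const struct cred *cred, int cap)
{
    return ns_capable(cred, &init_user_ns, cap);
}

/* Model of unshare(CLONE_NEWUSER): a new ns owned by the caller; the
 * caller's cred moves into it with a full effective capability set. */
static void unshare_user_ns(struct cred *cred, struct user_namespace *newns)
{
    newns->parent = cred->user_ns;
    newns->level = cred->user_ns->level + 1;
    newns->owner = cred->euid;
    cred->user_ns = newns;
    cred->cap_effective = ~0ULL;
}

/* Hypothetical unprivileged task: uid 1000, no caps, in init_user_ns. */
static struct cred unpriv_cred(void)
{
    struct cred c = { .euid = 1000, .cap_effective = 0, .user_ns = &init_user_ns };
    return c;
}

bool unpriv_capable_before_unshare(void)
{
    struct cred c = unpriv_cred();
    return capable(&c, CAP_SYS_ADMIN);              /* false */
}

bool unpriv_capable_after_unshare(void)
{
    struct cred c = unpriv_cred();
    struct user_namespace child;
    unshare_user_ns(&c, &child);
    return capable(&c, CAP_SYS_ADMIN);              /* still false */
}

bool unpriv_ns_capable_after_unshare(void)
{
    struct cred c = unpriv_cred();
    struct user_namespace child;
    unshare_user_ns(&c, &child);
    /* ns_capable(current_user_ns(), ...) is satisfied by the caller's own new ns */
    return ns_capable(&c, c.user_ns, CAP_SYS_ADMIN); /* true */
}

int main(void)
{
    printf("capable(CAP_SYS_ADMIN) before unshare:     %d\n", unpriv_capable_before_unshare());
    printf("capable(CAP_SYS_ADMIN) after unshare:      %d\n", unpriv_capable_after_unshare());
    printf("ns_capable(current_user_ns()) after unshare: %d\n", unpriv_ns_capable_after_unshare());
    return 0;
}
```

The first two queries return 0 and the third returns 1: a capable(CAP_SYS_ADMIN) check keeps its meaning across an unshare, while an ns_capable(current_user_ns(), CAP_SYS_ADMIN) check passes for any user that has just created a namespace, which is exactly why the comment calls that check worthless.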