From: Sukadev Bhattiprolu <sukadev@us.ibm.com>

When setting capabilities, cap_set_all() must skip all threads of the
cgroup_init process - not just the main thread.

Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Cc: Serge E. Hallyn <serue@us.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Cedric Le Goater <clg@fr.ibm.com>
Cc: Herbert Poetzel <herbert@13thfloor.at>
Cc: Kirill Korotaev <dev@sw.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 kernel/capability.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN kernel/capability.c~pid-namespaces-define-is_global_init-and-is_container_init-fix-capabilityc-to-work-with-threaded-init kernel/capability.c
--- a/kernel/capability.c~pid-namespaces-define-is_global_init-and-is_container_init-fix-capabilityc-to-work-with-threaded-init
+++ a/kernel/capability.c
@@ -130,7 +130,7 @@ static inline int cap_set_all(kernel_cap
      int found = 0;
 
      do_each_thread(g, target) {
-             if (target == current || is_container_init(target))
+             if (target == current || is_container_init(target->group_leader))
                      continue;
              found = 1;
 	     if (security_capset_check(target, effective, inheritable,
_