diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c	2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c	2006-04-28 01:59:36 +0200
@@ -676,7 +676,7 @@
 		goto dput_and_out;
 
 	retval = -EPERM;
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		goto dput_and_out;
 
 	retval = do_umount(nd.mnt, flags);
@@ -700,9 +700,7 @@
 
 static int mount_is_safe(struct nameidata *nd)
 {
-	if (capable(CAP_SYS_ADMIN))
-		return 0;
-	if (vx_ccaps(VXC_SECURE_MOUNT))
+	if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return 0;
 	return -EPERM;
 #ifdef notyet
@@ -996,7 +994,7 @@
 	int err;
 	struct super_block *sb = nd->mnt->mnt_sb;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT))
 		return -EPERM;
 
 	if (!check_mnt(nd->mnt))
@@ -1030,7 +1028,7 @@
 	struct nameidata old_nd, parent_nd;
 	struct vfsmount *p;
 	int err = 0;
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return -EPERM;
 	if (!old_name || !*old_name)
 		return -EINVAL;
@@ -1110,7 +1108,7 @@
 		return -EINVAL;
 
 	/* we need capabilities... */
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return -EPERM;
 
 	mnt = do_kern_mount(type, flags, name, data);
@@ -1502,7 +1500,7 @@
 	if (!(flags & CLONE_NEWNS))
 		return 0;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) {
 		err = -EPERM;
 		goto out;
 	}
diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c	2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c	2006-04-28 01:59:36 +0200
@@ -84,11 +84,11 @@
 	if (cmd == Q_GETQUOTA) {
 		if (((type == USRQUOTA && current->euid != id) ||
 		     (type == GRPQUOTA && !in_egroup_p(id))) &&
-		    !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		    !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 	}
 	else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
-		if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 
 	return 0;
@@ -135,10 +135,10 @@
 	if (cmd == Q_XGETQUOTA) {
 		if (((type == XQM_USRQUOTA && current->euid != id) ||
 		     (type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
-		     !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		     !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 	} else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
-		if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+		if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 			return -EPERM;
 	}
 
diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/super.c linux-2.6.16.11-vs2.0.2-rc18/fs/super.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/super.c	2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/super.c	2006-04-28 01:59:36 +0200
@@ -815,7 +815,7 @@
 
 	sb = ERR_PTR(-EPERM);
 	if ((type->fs_flags & FS_BINARY_MOUNTDATA) &&
-		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT))
+		!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT))
 		goto out;
 
 	sb = ERR_PTR(-ENOMEM);
diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c	2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c	2006-04-28 01:59:36 +0200
@@ -215,7 +215,7 @@
 	xfs_qoff_logitem_t	*qoffstart;
 	int			nculprits;
 
-	if (!force && !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!force && !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 	/*
 	 * No file system can have quotas enabled on disk but not in core.
@@ -384,7 +384,7 @@
 	int		error;
 	xfs_inode_t	*qip;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 	error = 0;
 	if (!XFS_SB_VERSION_HASQUOTA(&mp->m_sb) || flags == 0) {
@@ -429,7 +429,7 @@
 	uint		accflags;
 	__int64_t	sbflags;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 
 	flags &= (XFS_ALL_QUOTA_ACCT | XFS_ALL_QUOTA_ENFD);
@@ -600,7 +600,7 @@
 	int			error;
 	xfs_qcnt_t		hard, soft;
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
 		return XFS_ERROR(EPERM);
 
 	if ((newlim->d_fieldmask &
diff -u linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h
--- linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h	2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h	2006-04-28 02:00:37 +0200
@@ -97,6 +97,9 @@
 	(current->vx_info && \
 	(current->vx_info->vx_initpid == (n)))
 
+#define vx_capable(b,c) (capable(b) || \
+	((current->euid == 0) && vx_ccaps(c)))
+
 
 #else
 #warning duplicate inclusion
diff -u linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h
--- linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h	2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h	2006-04-26 19:12:32 +0200
@@ -229,6 +229,8 @@
 			return err;
 		if (fl.fl4_dst == IPI_LOOPBACK && !vx_check(0, VX_ADMIN))
 			fl.fl4_dst = nx_info->ipv4[0];
+		if (fl.fl4_src == IPI_LOOPBACK && !vx_check(0, VX_ADMIN))
+			fl.fl4_src = nx_info->ipv4[0];
 	}
 	if (!fl.fl4_dst || !fl.fl4_src) {
 		err = __ip_route_output_key(rp, &fl);
diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c
--- linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c	2006-04-18 02:12:08 +0200
+++ linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c	2006-04-28 01:59:36 +0200
@@ -1547,7 +1547,7 @@
 	int errno;
 	char tmp[__NEW_UTS_LEN];
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
 		return -EPERM;
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
@@ -1596,7 +1596,7 @@
 	int errno;
 	char tmp[__NEW_UTS_LEN];
 
-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
 		return -EPERM;
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
@@ -1664,7 +1664,7 @@
                return -EINVAL;
 	old_rlim = current->signal->rlim + resource;
 	if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
-	    !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
+	    !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT))
 		return -EPERM;
 	if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
 			return -EPERM;
diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c
--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c	2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c	2006-04-28 03:18:07 +0200
@@ -31,6 +31,7 @@
 	if (!init)
 		return -ESRCH;
 
+	vxi->vx_flags &= ~VXF_STATE_INIT;
 	return vx_set_init(vxi, init);
 }
 
@@ -88,7 +89,7 @@
 		vx_info_flags(new_vxi, VX_INFO_PRIVATE, 0))
 		goto out_put;
 
-	new_vxi->vx_flags &= ~(VXF_STATE_SETUP|VXF_STATE_INIT);
+	new_vxi->vx_flags &= ~VXF_STATE_SETUP;
 
 	ret = vx_migrate_task(current, new_vxi);
 	if (ret == 0) {
@@ -102,6 +103,9 @@
 		if (vc_data.flags & VX_INFO_NPROC)
 			new_vxi->limit.rlim[RLIMIT_NPROC] =
 				current->signal->rlim[RLIMIT_NPROC].rlim_max;
+
+		/* tweak some defaults for legacy */
+		new_vxi->vx_flags |= (VXF_HIDE_NETIF|VXF_INFO_INIT);
 		ret = new_vxi->vx_id;
 	}
 out_put:
diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c
--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c	2006-03-24 16:50:48 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c	2006-04-28 01:39:59 +0200
@@ -117,7 +117,7 @@
 		vavavoom = 0;
 
 	vxi->sched.vavavoom = vavavoom;
-	return vavavoom;
+	return vavavoom + vxi->sched.priority_bias;
 }
 
 
diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c
--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c	2006-04-17 20:56:32 +0200
+++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c	2006-04-26 19:09:22 +0200
@@ -607,6 +607,9 @@
 		*colon = ':';
 
 	if ((in_dev = __in_dev_get_rtnl(dev)) != NULL) {
+		struct nx_info *nxi = current->nx_info;
+		int hide_netif = vx_flags(VXF_HIDE_NETIF, 0);
+
 		if (tryaddrmatch) {
 			/* Matthias Andree */
 			/* compare label and address (4.4BSD style) */
@@ -615,6 +618,8 @@
 			   This is checked above. */
 			for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
 			     ifap = &ifa->ifa_next) {
+				if (hide_netif && !ifa_in_nx_info(ifa, nxi))
+					continue;
 				if (!strcmp(ifr.ifr_name, ifa->ifa_label) &&
 				    sin_orig.sin_addr.s_addr ==
 							ifa->ifa_address) {
@@ -627,18 +632,18 @@
 		   comparing just the label */
 		if (!ifa) {
 			for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
-			     ifap = &ifa->ifa_next)
+			     ifap = &ifa->ifa_next) {
+				if (hide_netif && !ifa_in_nx_info(ifa, nxi))
+					continue;
 				if (!strcmp(ifr.ifr_name, ifa->ifa_label))
 					break;
+			}
 		}
 	}
 
 	ret = -EADDRNOTAVAIL;
 	if (!ifa && cmd != SIOCSIFADDR && cmd != SIOCSIFFLAGS)
 		goto done;
-	if (vx_flags(VXF_HIDE_NETIF, 0) &&
-		!ifa_in_nx_info(ifa, current->nx_info))
-		goto done;
 
 	switch(cmd) {
 	case SIOCGIFADDR:	/* Get interface address */
diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c
--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c	2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c	2006-04-26 19:08:56 +0200
@@ -216,16 +216,6 @@
 	write_unlock_bh(&udp_hash_lock);
 }
 
-static inline int udp_in_list(struct nx_info *nx_info, u32 addr)
-{
-	int n = nx_info->nbipv4;
-	int i;
-
-	for (i=0; i<n; i++)
-		if (nx_info->ipv4[i] == addr)
-			return 1;
-	return 0;
-}
 
 /* UDP is nearly always wildcards out the wazoo, it makes no sense to try
  * harder than this. -DaveM
@@ -248,7 +238,7 @@
 					continue;
 				score+=2;
 			} else if (sk->sk_nx_info) {
-				if (udp_in_list(sk->sk_nx_info, daddr))
+				if (addr_in_nx_info(sk->sk_nx_info, daddr))
 					score+=2;
 				else
 					continue;
diff -u linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c
--- linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c	2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c	2006-04-28 01:59:36 +0200
@@ -313,7 +313,7 @@
 int cap_syslog (int type)
 {
 	if ((type != 3 && type != 10) &&
-		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
+		!vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
 		return -EPERM;
 	return 0;
 }
diff -u linux-2.6.16.8-vs2.0.2-rc17/security/security.c linux-2.6.16.11-vs2.0.2-rc18/security/security.c
--- linux-2.6.16.8-vs2.0.2-rc17/security/security.c	2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/security/security.c	2006-04-28 01:59:36 +0200
@@ -200,22 +200,8 @@
 
-int vx_capable(int cap, int ccap)
-{
-	if (security_ops->capable(current, cap)) {
-		/* capability denied */
-		return 0;
-	}
-	if (!vx_ccaps(ccap))
-		return 0;
-
-	/* capability granted */
-	current->flags |= PF_SUPERPRIV;
-	return 1;
-}
 
 EXPORT_SYMBOL_GPL(register_security);
 EXPORT_SYMBOL_GPL(unregister_security);
 EXPORT_SYMBOL_GPL(mod_reg_security);
 EXPORT_SYMBOL_GPL(mod_unreg_security);
 EXPORT_SYMBOL(capable);
-EXPORT_SYMBOL(vx_capable);
 EXPORT_SYMBOL(security_ops);