linux/debian/patches/features/all/vserver/bindmount-dev.patch

--- a/fs/namespace.c	2007-02-07 14:15:28.000000000 +0100
+++ b/fs/namespace.c	2007-02-08 10:57:40.000000000 +0100
@@ -988,6 +988,9 @@ static int do_loopback(struct nameidata 
 	if (!mnt)
 		goto out;
 
+	if (!capable(CAP_SYS_ADMIN) && (old_nd.path.mnt->mnt_flags & MNT_NODEV))
+		mnt_flags |= MNT_NODEV;
+
 	err = graft_tree(mnt, &nd->path);
 	if (err) {
 		LIST_HEAD(umount_list);
@@ -1030,6 +1033,9 @@ static int do_remount(struct nameidata *
 	if (nd->path.dentry != nd->path.mnt->mnt_root)
 		return -EINVAL;
 
+	if (!capable(CAP_SYS_ADMIN))
+		mnt_flags |= MNT_NODEV;
+
 	down_write(&sb->s_umount);
 	if (flags & MS_BIND)
 		err = change_mount_flags(nd->path.mnt, flags);
@@ -1138,6 +1144,9 @@ static int do_new_mount(struct nameidata
 	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
 		return -EPERM;
 
+	if (!capable(CAP_SYS_ADMIN))
+		mnt_flags |= MNT_NODEV;
+
 	mnt = do_kern_mount(type, flags, name, data);
 	if (IS_ERR(mnt))
 		return PTR_ERR(mnt);
@@ -1489,8 +1498,6 @@ long do_mount(char *dev_name, char *dir_
 	if (flags & MS_RDONLY)
 		mnt_flags |= MNT_READONLY;
 
-	if (!capable(CAP_SYS_ADMIN))
-		mnt_flags |= MNT_NODEV;
 	flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE |
 		   MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT);