Description: userns: Don't allow CLONE_NEWUSER | CLONE_FS
References:
 http://stealth.openwall.net/xSports/clown-newuser.c
Notes:
 Prior to 3.8, CLONE_NEWUSER required CAP_SYS_ADMIN && CAP_SETUID &&
 CAP_SETGID, so no privilege escalation is possible.
Bugs:
upstream: released (3.9) [e66eded8309ebf679d3d3c1f5820d1f2ca332c71]
2.6.32-upstream-stable: N/A
sid: N/A
2.6.32-squeeze-security: N/A
3.2-upstream-stable: N/A