net: Add variants of capable for use on netlink messages

netlink_net_capable - The common case use, for operations that are safe on a network namespace netlink_capable - For operations that are only known to be safe for the global root netlink_ns_capable - The general case of capable used to handle special cases __netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of the skbuff of a netlink message. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric W. Biederman <ebiederm@xmission.com> 2014-04-23 17:28:03 -0400
committer: David S. Miller <davem@davemloft.net> 2014-04-24 13:44:54 -0400
commit: aa4cf9452f469f16cea8c96283b641b4576d4a7b (patch)
tree: ef5ed02e14599013bed85144cb9b57653c2f59c3 /net/netlink
parent: a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b (diff)
1 files changed, 65 insertions, 0 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7f931fe4d187..81dca96d2be6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1360,6 +1360,71 @@ retry:
        return err;
 }
+/**
+ * __netlink_ns_capable - General netlink message capability test
+ * @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+                        struct user_namespace *user_ns, int cap)
+{
+        return sk_ns_capable(nsp->sk, user_ns, cap);
+}
+EXPORT_SYMBOL(__netlink_ns_capable);
+/**
+ * netlink_ns_capable - General netlink message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool netlink_ns_capable(const struct sk_buff *skb,
+                        struct user_namespace *user_ns, int cap)
+{
+        return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_ns_capable);
+/**
+ * netlink_capable - Netlink global message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in all user namespaces.
+ */
+bool netlink_capable(const struct sk_buff *skb, int cap)
+{
+        return netlink_ns_capable(skb, &init_user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_capable);
+/**
+ * netlink_net_capable - Netlink network namespace message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap over the network namespace of
+ * the socket we received the message from.
+ */
+bool netlink_net_capable(const struct sk_buff *skb, int cap)
+{
+        return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_net_capable);
 static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
 {
        return (nl_table[sock->sk->sk_protocol].flags & flag) ||
author	Eric W. Biederman <ebiederm@xmission.com>	2014-04-23 17:28:03 -0400
committer	David S. Miller <davem@davemloft.net>	2014-04-24 13:44:54 -0400
commit	aa4cf9452f469f16cea8c96283b641b4576d4a7b (patch)
tree	ef5ed02e14599013bed85144cb9b57653c2f59c3 /net/netlink
parent	a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b (diff)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 7f931fe4d187..81dca96d2be6 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -1360,6 +1360,71 @@ retry:
1360	return err;	1360	return err;
1361	}	1361	}
1362		1362
		1363	/**
		1364	* __netlink_ns_capable - General netlink message capability test
		1365	* @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
		1366	* @user_ns: The user namespace of the capability to use
		1367	* @cap: The capability to use
		1368	*
		1369	* Test to see if the opener of the socket we received the message
		1370	* from had when the netlink socket was created and the sender of the
		1371	* message has has the capability @cap in the user namespace @user_ns.
		1372	*/
		1373	bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
		1374	struct user_namespace *user_ns, int cap)
		1375	{
		1376	return sk_ns_capable(nsp->sk, user_ns, cap);
		1377	}
		1378	EXPORT_SYMBOL(__netlink_ns_capable);
		1379
		1380	/**
		1381	* netlink_ns_capable - General netlink message capability test
		1382	* @skb: socket buffer holding a netlink command from userspace
		1383	* @user_ns: The user namespace of the capability to use
		1384	* @cap: The capability to use
		1385	*
		1386	* Test to see if the opener of the socket we received the message
		1387	* from had when the netlink socket was created and the sender of the
		1388	* message has has the capability @cap in the user namespace @user_ns.
		1389	*/
		1390	bool netlink_ns_capable(const struct sk_buff *skb,
		1391	struct user_namespace *user_ns, int cap)
		1392	{
		1393	return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
		1394	}
		1395	EXPORT_SYMBOL(netlink_ns_capable);
		1396
		1397	/**
		1398	* netlink_capable - Netlink global message capability test
		1399	* @skb: socket buffer holding a netlink command from userspace
		1400	* @cap: The capability to use
		1401	*
		1402	* Test to see if the opener of the socket we received the message
		1403	* from had when the netlink socket was created and the sender of the
		1404	* message has has the capability @cap in all user namespaces.
		1405	*/
		1406	bool netlink_capable(const struct sk_buff *skb, int cap)
		1407	{
		1408	return netlink_ns_capable(skb, &init_user_ns, cap);
		1409	}
		1410	EXPORT_SYMBOL(netlink_capable);
		1411
		1412	/**
		1413	* netlink_net_capable - Netlink network namespace message capability test
		1414	* @skb: socket buffer holding a netlink command from userspace
		1415	* @cap: The capability to use
		1416	*
		1417	* Test to see if the opener of the socket we received the message
		1418	* from had when the netlink socket was created and the sender of the
		1419	* message has has the capability @cap over the network namespace of
		1420	* the socket we received the message from.
		1421	*/
		1422	bool netlink_net_capable(const struct sk_buff *skb, int cap)
		1423	{
		1424	return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
		1425	}
		1426	EXPORT_SYMBOL(netlink_net_capable);
		1427
1363	static inline int netlink_allowed(const struct socket *sock, unsigned int flag)	1428	static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
1364	{	1429	{
1365	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|	1430	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|