2 files changed, 12 insertions, 5 deletions

diff --git a/init/Kconfig b/init/Kconfig
index 2660b312ae9d..b44c3a390699 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -943,7 +943,6 @@ config UIDGID_CONVERTED
 
         # Networking
         depends on NET_9P = n
-        depends on NET_CLS_FLOW = n
         depends on NETFILTER_XT_MATCH_OWNER = n
         depends on NETFILTER_XT_MATCH_RECENT = n
         depends on NETFILTER_XT_TARGET_LOG = n
diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index ae854f3434b0..ce82d0cb1b47 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -193,15 +193,19 @@ static u32 flow_get_rtclassid(const struct sk_buff *skb)
 
 static u32 flow_get_skuid(const struct sk_buff *skb)
 {
-        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
-                return skb->sk->sk_socket->file->f_cred->fsuid;
+        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
+                kuid_t skuid = skb->sk->sk_socket->file->f_cred->fsuid;
+                return from_kuid(&init_user_ns, skuid);
+        }
         return 0;
 }
 
 static u32 flow_get_skgid(const struct sk_buff *skb)
 {
-        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
-                return skb->sk->sk_socket->file->f_cred->fsgid;
+        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
+                kgid_t skgid = skb->sk->sk_socket->file->f_cred->fsgid;
+                return from_kgid(&init_user_ns, skgid);
+        }
         return 0;
 }
 
@@ -387,6 +391,10 @@ static int flow_change(struct sk_buff *in_skb,
 
                 if (fls(keymask) - 1 > FLOW_KEY_MAX)
                         return -EOPNOTSUPP;
+
+                if ((keymask & (FLOW_KEY_SKUID|FLOW_KEY_SKGID)) &&
+                    sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)
+                        return -EOPNOTSUPP;
         }
 
         err = tcf_exts_validate(tp, tb, tca[TCA_RATE], &e, &flow_ext_map);