8 files changed, 9 insertions, 9 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 08897a3c7ec7..5b426a646544 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -141,7 +141,7 @@ static int pfkey_create(struct net *net, struct socket *sock, int protocol,
        struct sock *sk;
        int err;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        if (sock->type != SOCK_RAW)
                return -ESOCKTNOSUPPORT;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index c2190005a114..88709882c464 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -160,7 +160,7 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol,
        struct sock *sk;
        int rc = -ESOCKTNOSUPPORT;
-        if (!capable(CAP_NET_RAW))
+        if (!ns_capable(net->user_ns, CAP_NET_RAW))
                return -EPERM;
        if (!net_eq(net, &init_net))
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 778465f217fa..fed899f600b2 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1643,7 +1643,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
        void *data;
        int copylen = *len, ret = 0;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        if (optval != SO_IP_SET)
                return -EBADF;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c6cebd560936..ec664cbb119f 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2339,7 +2339,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        struct ip_vs_dest_user_kern udest;
        struct netns_ipvs *ipvs = net_ipvs(net);
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
@@ -2632,7 +2632,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        struct netns_ipvs *ipvs = net_ipvs(net);
        BUG_ON(!net);
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index ffb92c03a358..58a09b7c3f6d 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -138,7 +138,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        const struct nfnetlink_subsystem *ss;
        int type, err;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        /* All the messages must at least contain nfgenmsg */
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 4da797fa5ec5..c8a1eb6eca2d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -612,7 +612,7 @@ retry:
 static inline int netlink_capable(const struct socket *sock, unsigned int flag)
 {
        return (nl_table[sock->sk->sk_protocol].flags & flag) ||
-               capable(CAP_NET_ADMIN);
+                ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
 }
 static void
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index f262dbfc7f06..e639645e8fec 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2504,7 +2504,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
        __be16 proto = (__force __be16)protocol; /* weird, but documented */
        int err;
-        if (!capable(CAP_NET_RAW))
+        if (!ns_capable(net->user_ns, CAP_NET_RAW))
                return -EPERM;
        if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
            sock->type != SOCK_PACKET)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 421f98444335..eb872b2e366e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2349,7 +2349,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        link = &xfrm_dispatch[type];
        /* All operations require privileges, even GET */
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||

diff --git a/net/key/af_key.c b/net/key/af_key.c index 08897a3c7ec7..5b426a646544 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -141,7 +141,7 @@ static int pfkey_create(struct net net, struct socket sock, int protocol,
141	struct sock *sk;	141	struct sock *sk;
142	int err;	142	int err;
143		143
144	if (!capable(CAP_NET_ADMIN))	144	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
145	return -EPERM;	145	return -EPERM;
146	if (sock->type != SOCK_RAW)	146	if (sock->type != SOCK_RAW)
147	return -ESOCKTNOSUPPORT;	147	return -ESOCKTNOSUPPORT;


diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index c2190005a114..88709882c464 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c
@@ -160,7 +160,7 @@ static int llc_ui_create(struct net net, struct socket sock, int protocol,
160	struct sock *sk;	160	struct sock *sk;
161	int rc = -ESOCKTNOSUPPORT;	161	int rc = -ESOCKTNOSUPPORT;
162		162
163	if (!capable(CAP_NET_RAW))	163	if (!ns_capable(net->user_ns, CAP_NET_RAW))
164	return -EPERM;	164	return -EPERM;
165		165
166	if (!net_eq(net, &init_net))	166	if (!net_eq(net, &init_net))


diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 778465f217fa..fed899f600b2 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c
@@ -1643,7 +1643,7 @@ ip_set_sockfn_get(struct sock sk, int optval, void __user user, int *len)
1643	void *data;	1643	void *data;
1644	int copylen = *len, ret = 0;	1644	int copylen = *len, ret = 0;
1645		1645
1646	if (!capable(CAP_NET_ADMIN))	1646	if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1647	return -EPERM;	1647	return -EPERM;
1648	if (optval != SO_IP_SET)	1648	if (optval != SO_IP_SET)
1649	return -EBADF;	1649	return -EBADF;


diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index c6cebd560936..ec664cbb119f 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2339,7 +2339,7 @@ do_ip_vs_set_ctl(struct sock sk, int cmd, void __user user, unsigned int len)
2339	struct ip_vs_dest_user_kern udest;	2339	struct ip_vs_dest_user_kern udest;
2340	struct netns_ipvs *ipvs = net_ipvs(net);	2340	struct netns_ipvs *ipvs = net_ipvs(net);
2341		2341
2342	if (!capable(CAP_NET_ADMIN))	2342	if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2343	return -EPERM;	2343	return -EPERM;
2344		2344
2345	if (cmd < IP_VS_BASE_CTL \|\| cmd > IP_VS_SO_SET_MAX)	2345	if (cmd < IP_VS_BASE_CTL \|\| cmd > IP_VS_SO_SET_MAX)
@@ -2632,7 +2632,7 @@ do_ip_vs_get_ctl(struct sock sk, int cmd, void __user user, int *len)
2632	struct netns_ipvs *ipvs = net_ipvs(net);	2632	struct netns_ipvs *ipvs = net_ipvs(net);
2633		2633
2634	BUG_ON(!net);	2634	BUG_ON(!net);
2635	if (!capable(CAP_NET_ADMIN))	2635	if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2636	return -EPERM;	2636	return -EPERM;
2637		2637
2638	if (cmd < IP_VS_BASE_CTL \|\| cmd > IP_VS_SO_GET_MAX)	2638	if (cmd < IP_VS_BASE_CTL \|\| cmd > IP_VS_SO_GET_MAX)


diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index ffb92c03a358..58a09b7c3f6d 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c
@@ -138,7 +138,7 @@ static int nfnetlink_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh)
138	const struct nfnetlink_subsystem *ss;	138	const struct nfnetlink_subsystem *ss;
139	int type, err;	139	int type, err;
140		140
141	if (!capable(CAP_NET_ADMIN))	141	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
142	return -EPERM;	142	return -EPERM;
143		143
144	/* All the messages must at least contain nfgenmsg */	144	/* All the messages must at least contain nfgenmsg */


diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 4da797fa5ec5..c8a1eb6eca2d 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -612,7 +612,7 @@ retry:
612	static inline int netlink_capable(const struct socket *sock, unsigned int flag)	612	static inline int netlink_capable(const struct socket *sock, unsigned int flag)
613	{	613	{
614	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|	614	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|
615	capable(CAP_NET_ADMIN);	615	ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
616	}	616	}
617		617
618	static void	618	static void


diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index f262dbfc7f06..e639645e8fec 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c
@@ -2504,7 +2504,7 @@ static int packet_create(struct net net, struct socket sock, int protocol,
2504	__be16 proto = (__force __be16)protocol; /* weird, but documented */	2504	__be16 proto = (__force __be16)protocol; /* weird, but documented */
2505	int err;	2505	int err;
2506		2506
2507	if (!capable(CAP_NET_RAW))	2507	if (!ns_capable(net->user_ns, CAP_NET_RAW))
2508	return -EPERM;	2508	return -EPERM;
2509	if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&	2509	if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
2510	sock->type != SOCK_PACKET)	2510	sock->type != SOCK_PACKET)


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 421f98444335..eb872b2e366e 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -2349,7 +2349,7 @@ static int xfrm_user_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh)
2349	link = &xfrm_dispatch[type];	2349	link = &xfrm_dispatch[type];
2350		2350
2351	/* All operations require privileges, even GET */	2351	/* All operations require privileges, even GET */
2352	if (!capable(CAP_NET_ADMIN))	2352	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2353	return -EPERM;	2353	return -EPERM;
2354		2354
2355	if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) \|\|	2355	if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) \|\|