2 files changed, 72 insertions, 0 deletions
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index aad8eeaf416d..f64b01787ddc 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -169,4 +169,11 @@ struct netlink_tap {
 extern int netlink_add_tap(struct netlink_tap *nt);
 extern int netlink_remove_tap(struct netlink_tap *nt);
+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+                          struct user_namespace *ns, int cap);
+bool netlink_ns_capable(const struct sk_buff *skb,
+                        struct user_namespace *ns, int cap);
+bool netlink_capable(const struct sk_buff *skb, int cap);
+bool netlink_net_capable(const struct sk_buff *skb, int cap);
 #endif  /* __LINUX_NETLINK_H */
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7f931fe4d187..81dca96d2be6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1360,6 +1360,71 @@ retry:
        return err;
 }
+/**
+ * __netlink_ns_capable - General netlink message capability test
+ * @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+                        struct user_namespace *user_ns, int cap)
+{
+        return sk_ns_capable(nsp->sk, user_ns, cap);
+}
+EXPORT_SYMBOL(__netlink_ns_capable);
+/**
+ * netlink_ns_capable - General netlink message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool netlink_ns_capable(const struct sk_buff *skb,
+                        struct user_namespace *user_ns, int cap)
+{
+        return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_ns_capable);
+/**
+ * netlink_capable - Netlink global message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in all user namespaces.
+ */
+bool netlink_capable(const struct sk_buff *skb, int cap)
+{
+        return netlink_ns_capable(skb, &init_user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_capable);
+/**
+ * netlink_net_capable - Netlink network namespace message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap over the network namespace of
+ * the socket we received the message from.
+ */
+bool netlink_net_capable(const struct sk_buff *skb, int cap)
+{
+        return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_net_capable);
 static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
 {
        return (nl_table[sock->sk->sk_protocol].flags & flag) ||

diff --git a/include/linux/netlink.h b/include/linux/netlink.h index aad8eeaf416d..f64b01787ddc 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h
@@ -169,4 +169,11 @@ struct netlink_tap {
169	extern int netlink_add_tap(struct netlink_tap *nt);	169	extern int netlink_add_tap(struct netlink_tap *nt);
170	extern int netlink_remove_tap(struct netlink_tap *nt);	170	extern int netlink_remove_tap(struct netlink_tap *nt);
171		171
		172	bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
		173	struct user_namespace *ns, int cap);
		174	bool netlink_ns_capable(const struct sk_buff *skb,
		175	struct user_namespace *ns, int cap);
		176	bool netlink_capable(const struct sk_buff *skb, int cap);
		177	bool netlink_net_capable(const struct sk_buff *skb, int cap);
		178
172	#endif /* __LINUX_NETLINK_H */	179	#endif /* __LINUX_NETLINK_H */


diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 7f931fe4d187..81dca96d2be6 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -1360,6 +1360,71 @@ retry:
1360	return err;	1360	return err;
1361	}	1361	}
1362		1362
		1363	/**
		1364	* __netlink_ns_capable - General netlink message capability test
		1365	* @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
		1366	* @user_ns: The user namespace of the capability to use
		1367	* @cap: The capability to use
		1368	*
		1369	* Test to see if the opener of the socket we received the message
		1370	* from had when the netlink socket was created and the sender of the
		1371	* message has has the capability @cap in the user namespace @user_ns.
		1372	*/
		1373	bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
		1374	struct user_namespace *user_ns, int cap)
		1375	{
		1376	return sk_ns_capable(nsp->sk, user_ns, cap);
		1377	}
		1378	EXPORT_SYMBOL(__netlink_ns_capable);
		1379
		1380	/**
		1381	* netlink_ns_capable - General netlink message capability test
		1382	* @skb: socket buffer holding a netlink command from userspace
		1383	* @user_ns: The user namespace of the capability to use
		1384	* @cap: The capability to use
		1385	*
		1386	* Test to see if the opener of the socket we received the message
		1387	* from had when the netlink socket was created and the sender of the
		1388	* message has has the capability @cap in the user namespace @user_ns.
		1389	*/
		1390	bool netlink_ns_capable(const struct sk_buff *skb,
		1391	struct user_namespace *user_ns, int cap)
		1392	{
		1393	return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
		1394	}
		1395	EXPORT_SYMBOL(netlink_ns_capable);
		1396
		1397	/**
		1398	* netlink_capable - Netlink global message capability test
		1399	* @skb: socket buffer holding a netlink command from userspace
		1400	* @cap: The capability to use
		1401	*
		1402	* Test to see if the opener of the socket we received the message
		1403	* from had when the netlink socket was created and the sender of the
		1404	* message has has the capability @cap in all user namespaces.
		1405	*/
		1406	bool netlink_capable(const struct sk_buff *skb, int cap)
		1407	{
		1408	return netlink_ns_capable(skb, &init_user_ns, cap);
		1409	}
		1410	EXPORT_SYMBOL(netlink_capable);
		1411
		1412	/**
		1413	* netlink_net_capable - Netlink network namespace message capability test
		1414	* @skb: socket buffer holding a netlink command from userspace
		1415	* @cap: The capability to use
		1416	*
		1417	* Test to see if the opener of the socket we received the message
		1418	* from had when the netlink socket was created and the sender of the
		1419	* message has has the capability @cap over the network namespace of
		1420	* the socket we received the message from.
		1421	*/
		1422	bool netlink_net_capable(const struct sk_buff *skb, int cap)
		1423	{
		1424	return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
		1425	}
		1426	EXPORT_SYMBOL(netlink_net_capable);
		1427
1363	static inline int netlink_allowed(const struct socket *sock, unsigned int flag)	1428	static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
1364	{	1429	{
1365	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|	1430	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|