3 files changed, 19 insertions, 18 deletions
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 7222fe1d5460..cd8c3a44ab7d 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -85,13 +85,14 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf,
 /* called with RTNL */
 static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
 {
+        struct net *net = dev_net(br->dev);
        struct net_device *dev;
        int ret;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                return -EPERM;
-        dev = __dev_get_by_index(dev_net(br->dev), ifindex);
+        dev = __dev_get_by_index(net, ifindex);
        if (dev == NULL)
                return -EINVAL;
@@ -178,25 +179,25 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        }
        case BRCTL_SET_BRIDGE_FORWARD_DELAY:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                return br_set_forward_delay(br, args[1]);
        case BRCTL_SET_BRIDGE_HELLO_TIME:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                return br_set_hello_time(br, args[1]);
        case BRCTL_SET_BRIDGE_MAX_AGE:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                return br_set_max_age(br, args[1]);
        case BRCTL_SET_AGEING_TIME:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                br->ageing_time = clock_t_to_jiffies(args[1]);
@@ -236,14 +237,14 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        }
        case BRCTL_SET_BRIDGE_STP_STATE:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                br_stp_set_enabled(br, args[1]);
                return 0;
        case BRCTL_SET_BRIDGE_PRIORITY:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                spin_lock_bh(&br->lock);
@@ -256,7 +257,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                struct net_bridge_port *p;
                int ret;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                spin_lock_bh(&br->lock);
@@ -273,7 +274,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                struct net_bridge_port *p;
                int ret;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                spin_lock_bh(&br->lock);
@@ -330,7 +331,7 @@ static int old_deviceless(struct net *net, void __user *uarg)
        {
                char buf[IFNAMSIZ];
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ))
@@ -360,7 +361,7 @@ int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *uar
        {
                char buf[IFNAMSIZ];
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                if (copy_from_user(buf, uarg, IFNAMSIZ))
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index cffb76e2161c..5913a3a0047b 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -37,7 +37,7 @@ static ssize_t store_bridge_parm(struct device *d,
        unsigned long val;
        int err;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        val = simple_strtoul(buf, &endp, 0);
@@ -133,7 +133,7 @@ static ssize_t store_stp_state(struct device *d,
        char *endp;
        unsigned long val;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        val = simple_strtoul(buf, &endp, 0);
@@ -166,7 +166,7 @@ static ssize_t store_group_fwd_mask(struct device *d,
        char *endp;
        unsigned long val;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        val = simple_strtoul(buf, &endp, 0);
@@ -301,7 +301,7 @@ static ssize_t store_group_addr(struct device *d,
        u8 new_addr[6];
        int i;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        if (sscanf(buf, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx",
@@ -333,7 +333,7 @@ static ssize_t store_flush(struct device *d,
 {
        struct net_bridge *br = to_bridge(d);
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        br_fdb_flush(br);
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index 80a4fc5d96ab..7ff95ba21982 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -221,7 +221,7 @@ static ssize_t brport_store(struct kobject * kobj,
        char *endp;
        unsigned long val;
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(dev_net(p->dev)->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        val = simple_strtoul(buf, &endp, 0);