1 files changed, 13 insertions, 4 deletions

diff --git a/net/core/dev.c b/net/core/dev.c
index 974199daa911..0afae8ba413e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5279,7 +5279,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
         case SIOCGMIIPHY:
         case SIOCGMIIREG:
         case SIOCSIFNAME:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         return -EPERM;
                 dev_load(net, ifr.ifr_name);
                 rtnl_lock();
@@ -5300,16 +5300,25 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
          *      - require strict serialization.
          *      - do not return a value
          */
+        case SIOCSIFMAP:
+        case SIOCSIFTXQLEN:
+                if (!capable(CAP_NET_ADMIN))
+                        return -EPERM;
+                /* fall through */
+        /*
+         *      These ioctl calls:
+         *      - require local superuser power.
+         *      - require strict serialization.
+         *      - do not return a value
+         */
         case SIOCSIFFLAGS:
         case SIOCSIFMETRIC:
         case SIOCSIFMTU:
-        case SIOCSIFMAP:
         case SIOCSIFHWADDR:
         case SIOCSIFSLAVE:
         case SIOCADDMULTI:
         case SIOCDELMULTI:
         case SIOCSIFHWBROADCAST:
-        case SIOCSIFTXQLEN:
         case SIOCSMIIREG:
         case SIOCBONDENSLAVE:
         case SIOCBONDRELEASE:
@@ -5318,7 +5327,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
         case SIOCBRADDIF:
         case SIOCBRDELIF:
         case SIOCSHWTSTAMP:
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         return -EPERM;
                 /* fall through */
         case SIOCBONDSLAVEINFOQUERY: