12 files changed, 28 insertions, 25 deletions

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index e21bdb92565d..67ac9f8d1976 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2413,7 +2413,7 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)
         struct in6_ifreq ireq;
         int err;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
         if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
@@ -2432,7 +2432,7 @@ int addrconf_del_ifaddr(struct net *net, void __user *arg)
         struct in6_ifreq ireq;
         int err;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
         if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 7bafc51cda11..4b29f6b52c11 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -160,7 +160,8 @@ lookup_protocol:
         }
 
         err = -EPERM;
-        if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
+        if (sock->type == SOCK_RAW && !kern &&
+            !ns_capable(net->user_ns, CAP_NET_RAW))
                 goto out_rcu_unlock;
 
         sock->ops = answer->ops;
diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c
index 4963c769a13f..2f4f584d796d 100644
--- a/net/ipv6/anycast.c
+++ b/net/ipv6/anycast.c
@@ -64,7 +64,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr)
         int     ishost = !net->ipv6.devconf_all->forwarding;
         int     err = 0;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
         if (ipv6_addr_is_multicast(addr))
                 return -EINVAL;
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 93cbad2c0aa7..8edf2601065a 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -701,7 +701,7 @@ int datagram_send_ctl(struct net *net, struct sock *sk,
                                 err = -EINVAL;
                                 goto exit_f;
                         }
-                        if (!capable(CAP_NET_RAW)) {
+                        if (!ns_capable(net->user_ns, CAP_NET_RAW)) {
                                 err = -EPERM;
                                 goto exit_f;
                         }
@@ -721,7 +721,7 @@ int datagram_send_ctl(struct net *net, struct sock *sk,
                                 err = -EINVAL;
                                 goto exit_f;
                         }
-                        if (!capable(CAP_NET_RAW)) {
+                        if (!ns_capable(net->user_ns, CAP_NET_RAW)) {
                                 err = -EPERM;
                                 goto exit_f;
                         }
@@ -746,7 +746,7 @@ int datagram_send_ctl(struct net *net, struct sock *sk,
                                 err = -EINVAL;
                                 goto exit_f;
                         }
-                        if (!capable(CAP_NET_RAW)) {
+                        if (!ns_capable(net->user_ns, CAP_NET_RAW)) {
                                 err = -EPERM;
                                 goto exit_f;
                         }
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 90bbefb57943..29124b7a04c8 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -519,7 +519,8 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
                 }
                 read_unlock_bh(&ip6_sk_fl_lock);
 
-                if (freq.flr_share == IPV6_FL_S_NONE && capable(CAP_NET_ADMIN)) {
+                if (freq.flr_share == IPV6_FL_S_NONE &&
+                    ns_capable(net->user_ns, CAP_NET_ADMIN)) {
                         fl = fl_lookup(net, freq.flr_label);
                         if (fl) {
                                 err = fl6_renew(fl, freq.flr_linger, freq.flr_expires);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 823fd64d0136..867466c96aac 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1146,7 +1146,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
         case SIOCADDTUNNEL:
         case SIOCCHGTUNNEL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         goto done;
 
                 err = -EFAULT;
@@ -1194,7 +1194,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
 
         case SIOCDELTUNNEL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         goto done;
 
                 if (dev == ign->fb_tunnel_dev) {
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index bf3a549267d3..fb828e9fe8e0 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1350,7 +1350,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
         case SIOCADDTUNNEL:
         case SIOCCHGTUNNEL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         break;
                 err = -EFAULT;
                 if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof (p)))
@@ -1383,7 +1383,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                 break;
         case SIOCDELTUNNEL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         break;
 
                 if (dev == ip6n->fb_tnl_dev) {
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index f7c7c6319720..d7330f8ea6d4 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1583,7 +1583,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                 return -ENOENT;
 
         if (optname != MRT6_INIT) {
-                if (sk != mrt->mroute6_sk && !capable(CAP_NET_ADMIN))
+                if (sk != mrt->mroute6_sk && !ns_capable(net->user_ns, CAP_NET_ADMIN))
                         return -EACCES;
         }
 
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 4b4172dbbe64..ee94d31c9d4d 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -343,7 +343,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                 break;
 
         case IPV6_TRANSPARENT:
-                if (valbool && !capable(CAP_NET_ADMIN) && !capable(CAP_NET_RAW)) {
+                if (valbool && !ns_capable(net->user_ns, CAP_NET_ADMIN) &&
+                    !ns_capable(net->user_ns, CAP_NET_RAW)) {
                         retv = -EPERM;
                         break;
                 }
@@ -381,7 +382,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
 
                 /* hop-by-hop / destination options are privileged option */
                 retv = -EPERM;
-                if (optname != IPV6_RTHDR && !capable(CAP_NET_RAW))
+                if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW))
                         break;
 
                 opt = ipv6_renew_options(sk, np->opt, optname,
@@ -754,7 +755,7 @@ done:
         case IPV6_IPSEC_POLICY:
         case IPV6_XFRM_POLICY:
                 retv = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         break;
                 retv = xfrm_user_policy(sk, optname, optval, optlen);
                 break;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 10ce76a2cb94..74cadd0719a5 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1854,7 +1854,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
 {
         int ret;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
         switch (cmd) {
@@ -1969,7 +1969,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
         int ret;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
         switch (cmd) {
@@ -1991,7 +1991,7 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 {
         int ret;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
         switch (cmd) {
@@ -2016,7 +2016,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
         int ret;
 
-        if (!capable(CAP_NET_ADMIN))
+        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
         switch (cmd) {
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c6215e2b9d7f..a86b65599328 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2036,7 +2036,7 @@ int ipv6_route_ioctl(struct net *net, unsigned int cmd, void __user *arg)
         switch(cmd) {
         case SIOCADDRT:         /* Add a route */
         case SIOCDELRT:         /* Delete a route */
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         return -EPERM;
                 err = copy_from_user(&rtmsg, arg,
                                      sizeof(struct in6_rtmsg));
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index ca6c2c8e71d2..fee21c6c3ebf 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -988,7 +988,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
         case SIOCADDTUNNEL:
         case SIOCCHGTUNNEL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         goto done;
 
                 err = -EFAULT;
@@ -1032,7 +1032,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
 
         case SIOCDELTUNNEL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         goto done;
 
                 if (dev == sitn->fb_tunnel_dev) {
@@ -1065,7 +1065,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
         case SIOCDELPRL:
         case SIOCCHGPRL:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         goto done;
                 err = -EINVAL;
                 if (dev == sitn->fb_tunnel_dev)
@@ -1094,7 +1094,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
         case SIOCCHG6RD:
         case SIOCDEL6RD:
                 err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         goto done;
 
                 err = -EFAULT;