1 files changed, 70 insertions, 5 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 894cda0206bb..81dca96d2be6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1360,7 +1360,72 @@ retry:
        return err;
 }
-static inline int netlink_capable(const struct socket *sock, unsigned int flag)
+/**
+ * __netlink_ns_capable - General netlink message capability test
+ * @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+                        struct user_namespace *user_ns, int cap)
+{
+        return sk_ns_capable(nsp->sk, user_ns, cap);
+}
+EXPORT_SYMBOL(__netlink_ns_capable);
+/**
+ * netlink_ns_capable - General netlink message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool netlink_ns_capable(const struct sk_buff *skb,
+                        struct user_namespace *user_ns, int cap)
+{
+        return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_ns_capable);
+/**
+ * netlink_capable - Netlink global message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in all user namespaces.
+ */
+bool netlink_capable(const struct sk_buff *skb, int cap)
+{
+        return netlink_ns_capable(skb, &init_user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_capable);
+/**
+ * netlink_net_capable - Netlink network namespace message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap over the network namespace of
+ * the socket we received the message from.
+ */
+bool netlink_net_capable(const struct sk_buff *skb, int cap)
+{
+        return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_net_capable);
+static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
 {
        return (nl_table[sock->sk->sk_protocol].flags & flag) ||
                ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
@@ -1428,7 +1493,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
        /* Only superuser is allowed to listen multicasts */
        if (nladdr->nl_groups) {
-                if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))
+                if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
                        return -EPERM;
                err = netlink_realloc_groups(sk);
                if (err)
@@ -1490,7 +1555,7 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
                return -EINVAL;
        if ((nladdr->nl_groups || nladdr->nl_pid) &&
-            !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
+            !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
                return -EPERM;
        if (!nlk->portid)
@@ -2096,7 +2161,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
                break;
        case NETLINK_ADD_MEMBERSHIP:
        case NETLINK_DROP_MEMBERSHIP: {
-                if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))
+                if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
                        return -EPERM;
                err = netlink_realloc_groups(sk);
                if (err)
@@ -2247,7 +2312,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
                dst_group = ffs(addr->nl_groups);
                err =  -EPERM;
                if ((dst_group || dst_portid) &&
-                    !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
+                    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
                        goto out;
        } else {
                dst_portid = nlk->dst_portid;

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 894cda0206bb..81dca96d2be6 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -1360,7 +1360,72 @@ retry:
1360	return err;	1360	return err;
1361	}	1361	}
1362		1362
1363	static inline int netlink_capable(const struct socket *sock, unsigned int flag)	1363	/**
		1364	* __netlink_ns_capable - General netlink message capability test
		1365	* @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
		1366	* @user_ns: The user namespace of the capability to use
		1367	* @cap: The capability to use
		1368	*
		1369	* Test to see if the opener of the socket we received the message
		1370	* from had when the netlink socket was created and the sender of the
		1371	* message has has the capability @cap in the user namespace @user_ns.
		1372	*/
		1373	bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
		1374	struct user_namespace *user_ns, int cap)
		1375	{
		1376	return sk_ns_capable(nsp->sk, user_ns, cap);
		1377	}
		1378	EXPORT_SYMBOL(__netlink_ns_capable);
		1379
		1380	/**
		1381	* netlink_ns_capable - General netlink message capability test
		1382	* @skb: socket buffer holding a netlink command from userspace
		1383	* @user_ns: The user namespace of the capability to use
		1384	* @cap: The capability to use
		1385	*
		1386	* Test to see if the opener of the socket we received the message
		1387	* from had when the netlink socket was created and the sender of the
		1388	* message has has the capability @cap in the user namespace @user_ns.
		1389	*/
		1390	bool netlink_ns_capable(const struct sk_buff *skb,
		1391	struct user_namespace *user_ns, int cap)
		1392	{
		1393	return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
		1394	}
		1395	EXPORT_SYMBOL(netlink_ns_capable);
		1396
		1397	/**
		1398	* netlink_capable - Netlink global message capability test
		1399	* @skb: socket buffer holding a netlink command from userspace
		1400	* @cap: The capability to use
		1401	*
		1402	* Test to see if the opener of the socket we received the message
		1403	* from had when the netlink socket was created and the sender of the
		1404	* message has has the capability @cap in all user namespaces.
		1405	*/
		1406	bool netlink_capable(const struct sk_buff *skb, int cap)
		1407	{
		1408	return netlink_ns_capable(skb, &init_user_ns, cap);
		1409	}
		1410	EXPORT_SYMBOL(netlink_capable);
		1411
		1412	/**
		1413	* netlink_net_capable - Netlink network namespace message capability test
		1414	* @skb: socket buffer holding a netlink command from userspace
		1415	* @cap: The capability to use
		1416	*
		1417	* Test to see if the opener of the socket we received the message
		1418	* from had when the netlink socket was created and the sender of the
		1419	* message has has the capability @cap over the network namespace of
		1420	* the socket we received the message from.
		1421	*/
		1422	bool netlink_net_capable(const struct sk_buff *skb, int cap)
		1423	{
		1424	return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
		1425	}
		1426	EXPORT_SYMBOL(netlink_net_capable);
		1427
		1428	static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
1364	{	1429	{
1365	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|	1430	return (nl_table[sock->sk->sk_protocol].flags & flag) \|\|
1366	ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);	1431	ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
@@ -1428,7 +1493,7 @@ static int netlink_bind(struct socket sock, struct sockaddr addr,
1428		1493
1429	/* Only superuser is allowed to listen multicasts */	1494	/* Only superuser is allowed to listen multicasts */
1430	if (nladdr->nl_groups) {	1495	if (nladdr->nl_groups) {
1431	if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))	1496	if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
1432	return -EPERM;	1497	return -EPERM;
1433	err = netlink_realloc_groups(sk);	1498	err = netlink_realloc_groups(sk);
1434	if (err)	1499	if (err)
@@ -1490,7 +1555,7 @@ static int netlink_connect(struct socket sock, struct sockaddr addr,
1490	return -EINVAL;	1555	return -EINVAL;
1491		1556
1492	if ((nladdr->nl_groups \|\| nladdr->nl_pid) &&	1557	if ((nladdr->nl_groups \|\| nladdr->nl_pid) &&
1493	!netlink_capable(sock, NL_CFG_F_NONROOT_SEND))	1558	!netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
1494	return -EPERM;	1559	return -EPERM;
1495		1560
1496	if (!nlk->portid)	1561	if (!nlk->portid)
@@ -2096,7 +2161,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
2096	break;	2161	break;
2097	case NETLINK_ADD_MEMBERSHIP:	2162	case NETLINK_ADD_MEMBERSHIP:
2098	case NETLINK_DROP_MEMBERSHIP: {	2163	case NETLINK_DROP_MEMBERSHIP: {
2099	if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))	2164	if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
2100	return -EPERM;	2165	return -EPERM;
2101	err = netlink_realloc_groups(sk);	2166	err = netlink_realloc_groups(sk);
2102	if (err)	2167	if (err)
@@ -2247,7 +2312,7 @@ static int netlink_sendmsg(struct kiocb kiocb, struct socket sock,
2247	dst_group = ffs(addr->nl_groups);	2312	dst_group = ffs(addr->nl_groups);
2248	err = -EPERM;	2313	err = -EPERM;
2249	if ((dst_group \|\| dst_portid) &&	2314	if ((dst_group \|\| dst_portid) &&
2250	!netlink_capable(sock, NL_CFG_F_NONROOT_SEND))	2315	!netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
2251	goto out;	2316	goto out;
2252	} else {	2317	} else {
2253	dst_portid = nlk->dst_portid;	2318	dst_portid = nlk->dst_portid;