1 files changed, 12 insertions, 4 deletions

diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index ae854f3434b0..ce82d0cb1b47 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -193,15 +193,19 @@ static u32 flow_get_rtclassid(const struct sk_buff *skb)
 
 static u32 flow_get_skuid(const struct sk_buff *skb)
 {
-        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
-                return skb->sk->sk_socket->file->f_cred->fsuid;
+        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
+                kuid_t skuid = skb->sk->sk_socket->file->f_cred->fsuid;
+                return from_kuid(&init_user_ns, skuid);
+        }
         return 0;
 }
 
 static u32 flow_get_skgid(const struct sk_buff *skb)
 {
-        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
-                return skb->sk->sk_socket->file->f_cred->fsgid;
+        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
+                kgid_t skgid = skb->sk->sk_socket->file->f_cred->fsgid;
+                return from_kgid(&init_user_ns, skgid);
+        }
         return 0;
 }
 
@@ -387,6 +391,10 @@ static int flow_change(struct sk_buff *in_skb,
 
                 if (fls(keymask) - 1 > FLOW_KEY_MAX)
                         return -EOPNOTSUPP;
+
+                if ((keymask & (FLOW_KEY_SKUID|FLOW_KEY_SKGID)) &&
+                    sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)
+                        return -EOPNOTSUPP;
         }
 
         err = tcf_exts_validate(tp, tb, tca[TCA_RATE], &e, &flow_ext_map);