socket: support checking capability in owner namespace.

parth-opensrc · gvisor-bot · commit 89b65f2bcfa7 · 2026-01-29T11:40:19.000-08:00
PiperOrigin-RevId: 859178339
diff --git a/pkg/sentry/socket/hostinet/socket.go b/pkg/sentry/socket/hostinet/socket.go
@@ -867,6 +867,12 @@ func (s *Socket) Type() (family int, skType linux.SockType, protocol int) {
 	return s.family, s.stype, s.protocol
 }
 
+// HasCapability implements socket.Socket.TaskHasCapability.
+func (s *Socket) HasCapability(cp linux.Capability, t *kernel.Task) bool {
+	// Unimplemented.
+	return false
+}
+
 func init() {
 	// Register all families in AllowedSocketTypes and AllowedRawSocket
 	// types. If we don't allow raw sockets, they will be rejected in the
diff --git a/pkg/sentry/socket/netlink/socket.go b/pkg/sentry/socket/netlink/socket.go
@@ -1057,3 +1057,10 @@ func (s *Socket) GetPortID() int32 {
 	defer s.mu.Unlock()
 	return s.portID
 }
+
+// HasCapability implements socket.Socket.HasCapability.
+func (s *Socket) HasCapability(cp linux.Capability, t *kernel.Task) bool {
+	// Unimplemented, only to satisfy the interface.
+	// netlink_net_capable differs from sk_net_capable.
+	return false
+}
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
@@ -3861,3 +3861,8 @@ func (s *sock) ConfigureMMap(ctx context.Context, opts *memmap.MMapOpts) error {
 	}
 	return linuxerr.ENODEV
 }
+
+// HasCapability implements socket.Socket.TaskHasCapability.
+func (s *sock) HasCapability(cp linux.Capability, t *kernel.Task) bool {
+	return t.Credentials().HasCapabilityIn(cp, s.namespace.UserNamespace())
+}
diff --git a/pkg/sentry/socket/plugin/stack/socket.go b/pkg/sentry/socket/plugin/stack/socket.go
@@ -855,3 +855,9 @@ func (s *socketOperations) waitEventT(ctx context.Context, event waiter.EventMas
 	s.EventUnregister(&e)
 	return err
 }
+
+// HasCapability implements socket.Socket.TaskHasCapability.
+func (s *socketOperations) HasCapability(cp linux.Capability, t *kernel.Task) bool {
+	// Unimplemented.
+	return false
+}
diff --git a/pkg/sentry/socket/socket.go b/pkg/sentry/socket/socket.go
@@ -260,6 +260,11 @@ type Socket interface {
 	// GetPeerCreds returns the peer credentials of the socket.
 	GetPeerCreds(t *kernel.Task) (marshal.Marshallable, *syserr.Error)
 
+	// HasCapability returns true if the task has the given capability in
+	// the socket opener's user namespace.
+	// Similar to `sk_net_capable` in Linux.
+	HasCapability(cp linux.Capability, t *kernel.Task) bool
+
 	// RecvMsg implements the recvmsg(2) linux unix.
 	//
 	// senderAddrLen is the address length to be returned to the application,
diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go
@@ -900,6 +900,12 @@ func (s *Socket) Type() (family int, skType linux.SockType, protocol int) {
 	return linux.AF_UNIX, s.stype, 0
 }
 
+// HasCapability implements socket.Socket.TaskHasCapability.
+func (s *Socket) HasCapability(cp linux.Capability, t *kernel.Task) bool {
+	// Unimplemented.
+	return false
+}
+
 func convertAddress(addr transport.Address) (linux.SockAddr, uint32) {
 	var out linux.SockAddrUnix
 	out.Family = linux.AF_UNIX

Original file line number	Diff line number	Diff line change
`@@ -3861,3 +3861,8 @@ func (s sock) ConfigureMMap(ctx context.Context, opts memmap.MMapOpts) error {`
`3861`	`3861`	`}`
`3862`	`3862`	`return linuxerr.ENODEV`
`3863`	`3863`	`}`
	`3864`	`+`
	`3865`	`+// HasCapability implements socket.Socket.TaskHasCapability.`
	`3866`	`+func (s sock) HasCapability(cp linux.Capability, t kernel.Task) bool {`
	`3867`	`+ return t.Credentials().HasCapabilityIn(cp, s.namespace.UserNamespace())`
	`3868`	`+}`