Comment 9 for bug 1465724

I've verified that the proposed fix in comment #8 does work. I'll need to look at other ns_capable() call sites and get upstream's opinion before I can be confident in its correctness. Here's the raw patch:

diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index e7000be..77e6bbf 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -46,8 +46,8 @@ static int net_ctl_permissions(struct ctl_table_header *head,
  kgid_t root_gid = make_kgid(net->user_ns, 0);

  /* Allow network administrator to have same access as root. */
- if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
- uid_eq(root_uid, current_euid())) {
+ if (uid_eq(root_uid, current_euid()) ||
+ ns_capable(net->user_ns, CAP_NET_ADMIN)) {
   int mode = (table->mode >> 6) & 7;
   return (mode << 6) | (mode << 3) | mode;
  }