Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using Podman, it fails to modify
the QP.
Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.
Fixes: 0cadb4db79e1 ("RDMA/uverbs: Restrict usage of privileged QKEYs")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Link: https://patch.msgid.link/099eb263622ccdd27014db7e02fec824a3307829.1750963874.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
 
 bool rdma_nl_get_privileged_qkey(void)
 {
-       return privileged_qkey || capable(CAP_NET_RAW);
+       return privileged_qkey;
 }
 EXPORT_SYMBOL(rdma_nl_get_privileged_qkey);
 
 
                attr->path_mig_state = cmd->base.path_mig_state;
        if (cmd->base.attr_mask & IB_QP_QKEY) {
                if (cmd->base.qkey & IB_QP_SET_QKEY &&
-                   !rdma_nl_get_privileged_qkey()) {
+                   !(rdma_nl_get_privileged_qkey() ||
+                     rdma_uattrs_has_raw_cap(attrs))) {
                        ret = -EPERM;
                        goto release_qp;
                }