From: Lisa Gnedt <lisa+passt-user@gnedt.at>
To: passt-user@passt.top
Subject: Re: Issues when using pasta with bubblewrap
Date: Sun, 6 Jul 2025 19:08:46 +0200 [thread overview]
Message-ID: <e604cee2-5b32-480f-abad-8c6406af1b8e@gnedt.at> (raw)
In-Reply-To: <671252c8-88f6-45b7-b719-b82786e84bb7@gnedt.at>
Hi,
On 2025-07-06 17:15, Lisa Gnedt wrote:
> It might be easier to get it correct when directly controlling all
> syscalls involved and not have to mix and match multiple tools.
> Since Linux 4.9 it seems to be possible to get the owning user namespace
> of a network namespace with the ioctl NS_GET_USERNS [3].
I just wrote a hacky patch as proof-of-concept of this idea.
It is working for me fine in both testcases.
However, in its current form it breaks the --userns parameter. But it should not be too hard to address this issue.
I am not sure, what kernel version compatibility you are targeting, since the ioctl is only available since Linux 4.9.
Would it be an option for you to make it the default behavior when a PID is specified?
From my perspective this should be the expected behavior and should not break any previously working use case.
Best regards,
Lisa Gnedt
diff --git a/conf.c b/conf.c
index 36845e2..cd67e7a 100644
--- a/conf.c
+++ b/conf.c
@@ -642,7 +642,7 @@ static void conf_pasta_ns(int *netns_only, char *userns, char *netns,
if (!*userns) {
if (snprintf_check(userns, PATH_MAX,
- "/proc/%ld/ns/user", pidval))
+ "/proc/%ld/ns/net", pidval))
die_perror("Can't build userns path");
}
}
diff --git a/isolation.c b/isolation.c
index bbcd23b..cbfe0f0 100644
--- a/isolation.c
+++ b/isolation.c
@@ -81,6 +81,7 @@
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/filter.h>
+#include <linux/nsfs.h>
#include <linux/seccomp.h>
#include "util.h"
@@ -254,6 +255,14 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns,
if (ufd < 0)
die_perror("Couldn't open user namespace %s", userns);
+ int real_ufd;
+ real_ufd = ioctl(ufd, NS_GET_USERNS);
+ if (real_ufd < 0)
+ die_perror("Couldn't get user namespace from network namespace %s", userns);
+
+ close(ufd);
+ ufd = real_ufd;
+
if (setns(ufd, CLONE_NEWUSER) != 0)
die_perror("Couldn't enter user namespace %s", userns);
next prev parent reply other threads:[~2025-07-06 17:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-06 15:15 Issues when using pasta with bubblewrap Lisa Gnedt
2025-07-06 17:08 ` Lisa Gnedt [this message]
[not found] ` <175188240057.3062894.4319502484182397394@maja>
2025-07-07 10:56 ` Stefano Brivio
2025-07-07 16:19 ` Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e604cee2-5b32-480f-abad-8c6406af1b8e@gnedt.at \
--to=lisa+passt-user@gnedt.at \
--cc=passt-user@passt.top \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).