Date: Sun, 6 Jul 2025 19:08:46 +0200
From: Lisa Gnedt
Subject: Re: Issues when using pasta with bubblewrap
To: passt-user@passt.top
In-Reply-To: <671252c8-88f6-45b7-b719-b82786e84bb7@gnedt.at>

Hi,

On 2025-07-06 17:15, Lisa Gnedt wrote:
> It might be easier to get it correct when directly controlling all
> syscalls involved and not have to mix and match multiple tools.
> Since Linux 4.9 it seems to be possible to get the owning user namespace
> of a network namespace with the ioctl NS_GET_USERNS [3].

I just wrote a hacky patch as a proof of concept of this idea. It is working fine for me in both test cases. However, in its current form it breaks the --userns parameter. But it should not be too hard to address this issue.

I am not sure what kernel version compatibility you are targeting, since the ioctl is only available since Linux 4.9. Would it be an option for you to make it the default behavior when a PID is specified? From my perspective this should be the expected behavior and should not break any previously working use case.

Best regards,
Lisa Gnedt

diff --git a/conf.c b/conf.c index 36845e2..cd67e7a 100644 --- a/conf.c +++ b/conf.c
@@ -642,7 +642,7 @@ static void conf_pasta_ns(int *netns_only, char *userns, char *netns, if (!*userns) { if (snprintf_check(userns, PATH_MAX, - "/proc/%ld/ns/user", pidval)) + "/proc/%ld/ns/net", pidval)) die_perror("Can't build userns path"); } } diff --git a/isolation.c b/isolation.c index bbcd23b..cbfe0f0 100644 --- a/isolation.c +++ b/isolation.c @@ -81,6 +81,7 @@ #include #include #include +#include #include #include "util.h" @@ -254,6 +255,14 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns, if (ufd < 0) die_perror("Couldn't open user namespace %s", userns); + int real_ufd; + real_ufd = ioctl(ufd, NS_GET_USERNS); + if (real_ufd < 0) + die_perror("Couldn't get user namespace from network namespace %s", userns); + + close(ufd); + ufd = real_ufd; + if (setns(ufd, CLONE_NEWUSER) != 0) die_perror("Couldn't enter user namespace %s", userns);
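Review bot: in the conf_pasta_ns() hunk the buffer named userns is now filled with the /proc/PID/ns/net path while the die_perror() text still says "Can't build userns path", and the same buffer is later handed to isolate_user() as if it held a user namespace path. Either rename the buffer and message to reflect that it now carries the network namespace path, or keep userns for an actual user namespace path and record separately (for example a flag set when no --userns was given) that the user namespace is to be derived from the PID's network namespace; the second form also preserves the meaning of an explicit --userns.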
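Review bot: the added #include in isolation.c (its header name is lost in this rendering) is what brings in NS_GET_USERNS, which lives in the kernel UAPI header <linux/nsfs.h> and only exists in headers from Linux 4.9 on, so a build host with older kernel headers fails at compile time even though the runtime question raised in the mail is about the kernel. If older toolchains matter, wrap the use in #ifndef NS_GET_USERNS and define the request code locally, or add a build-time check.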
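Review bot: in the isolate_user() hunk the NS_GET_USERNS ioctl is applied to ufd unconditionally, but when --userns is given ufd refers to a user namespace, and for a user namespace NS_GET_USERNS returns its parent, so pasta ends up in the parent of the namespace the user asked for; that is the --userns breakage the mail mentions. Gate the ioctl on the path having been derived from the PID, or ask NS_GET_NSTYPE on ufd first and only resolve the owner when it reports CLONE_NEWNET. Two smaller points: `int real_ufd;` is a mid-block declaration after statements, so move it up with the function's other locals; and both "Couldn't get user namespace from network namespace %s" and the following "Couldn't enter user namespace %s" print the same userns string, which in the PID case is now a network namespace file, so the second message misnames it. Note also that NS_GET_USERNS fails with EPERM when the owning user namespace is not the caller's own or one of its ancestors, which die_perror() will report as a permission error rather than a configuration one.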
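The approach described in the mail, resolving the user namespace that owns a target's network namespace with NS_GET_USERNS and entering it before the network namespace, as an added stand-alone example that is not passt's code and not the patch above. It also handles the case the patch breaks: an explicit user namespace path is detected with NS_GET_NSTYPE and used directly instead of being resolved to its parent. Assumptions: Linux 4.11 or later (NS_GET_USERNS needs 4.9, NS_GET_NSTYPE 4.11), glibc or musl, and the function names owning_userns_fd(), enter_netns_with_owner() and ns_type_name() are this example's own.

```c
/* Added example, not passt's own code: resolve the user namespace owning a
 * network namespace via the nsfs ioctls and enter both in the order pasta
 * needs (user namespace first, then network namespace). Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request codes as defined in <linux/nsfs.h>; defined here so the example
 * also builds against kernel headers older than 4.9 that lack that file. */
#ifndef NS_GET_USERNS
#define NS_GET_USERNS _IO(0xb7, 0x1)
#endif
#ifndef NS_GET_NSTYPE
#define NS_GET_NSTYPE _IO(0xb7, 0x3)
#endif
/* Fallbacks for toolchains whose <sched.h> hides the GNU extensions. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int setns(int fd, int nstype);

/* Map an nsfs type code to its /proc/PID/ns/ entry name, "?" if unknown. */
const char *ns_type_name(int type)
{
	switch (type) {
	case CLONE_NEWUSER: return "user";
	case CLONE_NEWNET:  return "net";
	default:            return "?";
	}
}

/* Return an fd for the user namespace to enter before joining 'path'.
 * A user namespace file is returned as-is (the explicit --userns case).
 * A network namespace file is resolved to its owning user namespace with
 * NS_GET_USERNS (the PID case). Returns -1 and sets errno on failure:
 * ENOTTY when the file is not an nsfs file or the kernel is too old,
 * EINVAL for another namespace type, EPERM when the owner is neither the
 * caller's user namespace nor one of its ancestors. */
int owning_userns_fd(const char *path)
{
	int fd = open(path, O_RDONLY | O_CLOEXEC);
	int type, ufd, saved;

	if (fd < 0)
		return -1;

	type = ioctl(fd, NS_GET_NSTYPE);
	if (type == CLONE_NEWUSER)
		return fd;	/* already a user namespace: do not take its parent */

	if (type != CLONE_NEWNET) {
		saved = (type < 0) ? errno : EINVAL;
		close(fd);
		errno = saved;
		return -1;
	}

	ufd = ioctl(fd, NS_GET_USERNS);
	saved = errno;
	close(fd);
	if (ufd < 0)
		errno = saved;
	return ufd;
}

/* Join the target's network namespace the way pasta does once a PID is
 * given: enter the owning user namespace first so that setns() on the
 * network namespace is permitted, then the network namespace itself. */
int enter_netns_with_owner(const char *netns_path)
{
	int ufd = owning_userns_fd(netns_path);
	int nfd, rc;

	if (ufd < 0)
		return -1;
	rc = setns(ufd, CLONE_NEWUSER);
	close(ufd);
	if (rc < 0)
		return -1;

	nfd = open(netns_path, O_RDONLY | O_CLOEXEC);
	if (nfd < 0)
		return -1;
	rc = setns(nfd, CLONE_NEWNET);
	close(nfd);
	return rc;
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : "/proc/self/ns/net";
	int ufd = owning_userns_fd(path);

	if (ufd < 0) {
		perror(path);
		return 1;
	}
	printf("%s: owner is a %s namespace (fd %d)\n", path,
	       ns_type_name(ioctl(ufd, NS_GET_NSTYPE)), ufd);
	close(ufd);
	return 0;
}
```

Run it as `./a.out /proc/<pid>/ns/net` against a process started under bubblewrap or `unshare -Urn` to see the owner resolved; pass `/proc/<pid>/ns/user` instead and the same fd is returned unchanged, which is the behaviour the patch needs for --userns. The type check is what makes the two cases safe to share one code path.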