nsresourced: Ensure that all user namespaces are cleaned-up

nsresourced: Ensure that all user namespaces are cleaned-up

The code here assumes that free_user_ns() is called for every single
user namespace. That however has never been the case and the logic for
free_user_ns() is a bit more involved.

A nested user namespace pins its parent user namespace. IOW, the
lifetime of the parent user namespaces is at least as long as the child
user namespaces.

If a parent user namespace becomes unused (no namespace file descriptors
or task using it anymore) then it will stick around and its lifetime
still bound to the child user namespace.

free_user_ns() takes advantage of that behavior. If a child user
namespace is freed and its parent user namespace is already unused then
then free_user_ns() will free both the child and the parent user
namespace. This means a single free_user_ns() frees two user namespaces.
Hence, the bpf program never sees the parent user namespace being freed.

We can fix this by piggy-backing on another function that is called for
every single user namespace being freed. This requires CONFIG_SYSCTL but
systemd doesn't work without that anyway.

The return type needs to change to a scalar type as required by libbpf.

Long-term what we need is appropriate LSM infrastructure for this
including hooks that get called on namespace destruction.

Thanks to Daan DeMeyer for figuring out that the cast is needed.

Signed-off-by: Christian Brauner <brauner@kernel.org>