From: Yu Watanabe
Date: Fri, 19 Jan 2024 02:34:17 +0000 (+0900)
Subject: namespace-util: introduce netns_acquire()
X-Git-Tag: v256-rc1~1103^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f53332d4e3681582569f401b7e299bebe7fa751;p=thirdparty%2Fsystemd.git
namespace-util: introduce netns_acquire()
Similar to userns_acquire(), but for network namespace.
---
diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c
index 2ecce5fa614..d517263b36b 100644
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@@ -255,6 +255,33 @@ int userns_acquire(const char *uid_map, const char *gid_map) {
 return TAKE_FD(userns_fd);
 }
+int netns_acquire(void) {
+ _cleanup_(sigkill_waitp) pid_t pid = 0;
+ _cleanup_close_ int netns_fd = -EBADF;
+ int r;
+
+ /* Forks off a process in a new network namespace, acquires a network namespace fd, and then kills
+ * the process again. This way we have a netns fd that is not bound to any process. */
+
+ r = safe_fork("(sd-mknetns)", FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGKILL|FORK_NEW_NETNS, &pid);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to fork process (sd-mknetns): %m");
+ if (r == 0)
+ /* Child. We do nothing here, just freeze until somebody kills us. */
+ freeze();
+
+ r = namespace_open(pid,
+ /* ret_pidns_fd = */ NULL,
+ /* ret_mntns_fd = */ NULL,
+ &netns_fd,
+ /* ret_userns_fd = */ NULL,
+ /* ret_root_fd = */ NULL);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to open netns fd: %m");
+
+ return TAKE_FD(netns_fd);
+}
+
 int in_same_namespace(pid_t pid1, pid_t pid2, NamespaceType type) {
 const char *ns_path;
 struct stat ns_st1, ns_st2;
diff --git a/src/basic/namespace-util.h b/src/basic/namespace-util.h
index cd5b8ecab59..d1d015612fd 100644
--- a/src/basic/namespace-util.h
+++ b/src/basic/namespace-util.h
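Review bot: netns_acquire() has the parent call namespace_open(pid, ...) immediately after safe_fork() returns, so the fd it hands back is only the new namespace if FORK_NEW_NETNS places the child in that namespace at clone() time rather than by an unshare() performed in the child; safe_fork()'s handling of the flag is outside this hunk, and if it were the latter the parent could win the race and return the caller's own netns fd. That assumption is worth pinning next to the safe_fork() call, e.g. `/* FORK_NEW_NETNS must put the child into the new netns at clone() time, since we open its ns fd before the child runs anything. */`. The header comment could also state the privilege requirement, since creating a network namespace needs CAP_SYS_ADMIN in the caller's user namespace and an unprivileged caller will presumably fail at safe_fork() with EPERM rather than later, e.g. `/* Needs CAP_SYS_ADMIN in the current user namespace; the caller owns the returned fd. */`. userns_acquire(), whose tail is the context above, is the model this follows, so its comment would be the natural place to mirror the same wording.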
@@ -51,4 +51,5 @@ static inline bool userns_shift_range_valid(uid_t shift, uid_t range) {
 }
 int userns_acquire(const char *uid_map, const char *gid_map);
+int netns_acquire(void);
 int in_same_namespace(pid_t pid1, pid_t pid2, NamespaceType type);