From: Daan De Meyer
Date: Mon, 16 Feb 2026 18:59:10 +0000 (+0100)
Subject: nspawn-mount: Use setns() in wipe_fully_visible_api_fs()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48c84fe730a1590b2c3ed078283ea283676a2a6f;p=thirdparty%2Fsystemd.git
nspawn-mount: Use setns() in wipe_fully_visible_api_fs()
namespace_enter() now does a is_our_namespace() check, which requires /proc on older kernels, which is not available anymore after we call do_wipe_fully_visible_api_fs() in wipe_fully_visible_api_fs(). Let's just call setns() instead as namespace_enter() is overkill to enter a single namespace anyway.
---
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index a996b28fce0..cfb4aac6ff3 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include
+#include
 #include
 #include
@@ -1491,7 +1492,7 @@ static int do_wipe_fully_visible_api_fs(void) {
 int wipe_fully_visible_api_fs(int mntns_fd) {
 _cleanup_close_ int orig_mntns_fd = -EBADF;
- int r, rr;
+ int r;
 log_debug("Wiping fully visible API FS");
@@ -1499,23 +1500,13 @@ int wipe_fully_visible_api_fs(int mntns_fd) {
 if (orig_mntns_fd < 0)
 return log_error_errno(orig_mntns_fd, "Failed to pin originating mount namespace: %m");
- r = namespace_enter(/* pidns_fd= */ -EBADF,
- mntns_fd,
- /* netns_fd= */ -EBADF,
- /* userns_fd= */ -EBADF,
- /* root_fd= */ -EBADF);
- if (r < 0)
- return log_error_errno(r, "Failed to enter mount namespace: %m");
+ if (setns(mntns_fd, CLONE_NEWNS) < 0)
+ return log_error_errno(errno, "Failed to enter mount namespace: %m");
- rr = do_wipe_fully_visible_api_fs();
+ r = do_wipe_fully_visible_api_fs();
- r = namespace_enter(/* pidns_fd= */ -EBADF,
- orig_mntns_fd,
- /* netns_fd= */ -EBADF,
- /* userns_fd= */ -EBADF,
- /* root_fd= */ -EBADF);
- if (r < 0)
- return log_error_errno(r, "Failed to enter original mount namespace: %m");
+ if (setns(orig_mntns_fd, CLONE_NEWNS) < 0)
+ return log_error_errno(errno, "Failed to enter original mount namespace: %m");
- return rr;
+ return r;
 }
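Review bot: The reason the two `setns(..., CLONE_NEWNS)` calls must not be turned back into `namespace_enter()` is recorded only in the commit message, so a later cleanup could reintroduce the /proc dependency; a comment above the first call would keep it with the code, e.g. `/* Plain setns(): namespace_enter() checks is_our_namespace(), which needs /proc on older kernels, and /proc is gone once do_wipe_fully_visible_api_fs() has run. */`. Separately, when the restoring `setns(orig_mntns_fd, CLONE_NEWNS)` fails, the result held in `r` is dropped and the process is still inside the target mount namespace. The caller is not visible here, so a function comment should state that a negative return can mean the caller is no longer in its original mount namespace and must not continue as if it were. wipe_fully_visible_api_fs() begins above this hunk.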