From: Daan De Meyer <daan@amutable.com>
Date: Mon, 16 Feb 2026 10:26:41 +0000 (+0100)
Subject: namespace-util: Merge namespace_enter_delegated() into namespace_enter() (#40669)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e40c2a515de2fc5559312df5d3b7754dd3d3e56;p=thirdparty%2Fsystemd.git

namespace-util: Merge namespace_enter_delegated() into namespace_enter() (#40669)

There's no need to pass in a boolean to decide whether we use
namespace_enter_delegated() or not. Instead, we can just check if we
have CAP_SYS_ADMIN in our own user namespace. If we don't, then we have
to insist on a child user namespace being passed in and we have to enter
it first to get CAP_SYS_ADMIN as without CAP_SYS_ADMIN we wouldn't be
able
to call setns() in the first place. If we do have CAP_SYS_ADMIN, we can
always enter the other namespaces first before entering the user
namespace.

Additionally, we don't fail anymore if we can't reset the UID/GID since
a
root user might not always be available in every user namespace we might
enter.
---

4e40c2a515de2fc5559312df5d3b7754dd3d3e56