From: Jef Steelant
Date: Fri, 6 Dec 2024 10:20:20 +0000 (+0100)
Subject: lxccontainer: fix enter_net_ns helper to work when netns is inherited
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87dcdecf524bc3218b9380dab696ff4a153dfbe0;p=thirdparty%2Flxc.git
lxccontainer: fix enter_net_ns helper to work when netns is inherited
If a network namespace is shared by setting lxc.namespace.share.net and the container is unprivileged, then the network namespace should be entered before entering the user namespace. However, if an unprivileged user started a container, then the network namespace should be entered after entering the user namespace. To solve this, we try to enter the network namespace before entering the user namespace. If it did not succeed, it will be tried again inside the uder namespace.
Signed-off-by: Jef Steelant
---
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 0d71cfad8..0bc446cdb 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2219,17 +2219,23 @@ WRAP_API_1(bool, lxcapi_clear_config_item, const char *)
 static inline bool enter_net_ns(struct lxc_container *c) {
+ bool net_ns_entered;
 pid_t pid = do_lxcapi_init_pid(c);
 if (pid < 0) return false;
+ net_ns_entered = switch_to_ns(pid, "net");
+
 if ((geteuid() != 0 || (c->lxc_conf && !list_empty(&c->lxc_conf->id_map))) && (access("/proc/self/ns/user", F_OK) == 0)) if (!switch_to_ns(pid, "user")) return false;
- return switch_to_ns(pid, "net");
+ if (!net_ns_entered)
+ return switch_to_ns(pid, "net");
+
+ return true;
 }
 /* Used by qsort and bsearch functions for comparing names. */
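Review bot: Because the first `switch_to_ns(pid, "net")` now runs before the user-namespace switch, the `return false` after a failed `switch_to_ns(pid, "user")` can leave the calling process already joined to the container's network namespace, a half-switched state the old ordering never produced; the helper should document this so it is only used from a short-lived forked child (the get_ips/get_interfaces callers appear to fork first, but confirm no in-process caller exists). A second effect to consider: if switch_to_ns logs on failure, the deliberately speculative first attempt will now emit an error on every call for unprivileged containers, where it is expected to fail with EPERM, so either a quiet variant or an explanatory comment is warranted. I would add above the first call: `/* Speculative: a netns shared via lxc.namespace.share.net is joinable only from the caller's own user ns, so try it first; an unprivileged owner's netns only becomes joinable after the user-ns switch below, hence the retry. */` and state in the function header that on a false return the process may already be in the target net namespace and must not carry on as the original context.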