From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Date: Mon, 28 Jul 2025 17:00:29 +0000 (+0200)
Subject: lxc/lxccontainer: stop printing misleading errors in enter_net_ns()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a53589e0636b42a2816375c9a2c1c4be09100297;p=thirdparty%2Flxc.git

lxc/lxccontainer: stop printing misleading errors in enter_net_ns()

In enter_net_ns() we try to enter network namespace at first, before
entering a user namespace to support inherited netns case properly.
It is expected to get EPERM for unprivileged container with non-shared
network namespace at first try. Let's take this into account
and stop misleading users with these error messages.

Link: https://discuss.linuxcontainers.org/t/lxc-ls-fancy-command-shows-operation-not-permitted/24080
Fixes: 3011e79f92ef ("lxccontainer: fix enter_net_ns helper to work when netns is inherited")
Fixes: #4560
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
---

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 7b9ff9641..6c80065a6 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2220,7 +2220,7 @@ static inline bool enter_net_ns(struct lxc_container *c)
 	if (pid < 0)
 		return false;
 
-	net_ns_entered = switch_to_ns(pid, "net");
+	net_ns_entered = try_switch_to_ns(pid, "net", true);
 
 	if ((geteuid() != 0 || (c->lxc_conf && !list_empty(&c->lxc_conf->id_map))) &&
 	    (access("/proc/self/ns/user", F_OK) == 0))
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 60f2b7000..af276a3b5 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -878,7 +878,7 @@ int detect_shared_rootfs(void)
 	return 0;
 }
 
-bool switch_to_ns(pid_t pid, const char *ns)
+bool try_switch_to_ns(pid_t pid, const char *ns, bool optional)
 {
 	__do_close int fd = -EBADF;
 	int ret;
@@ -896,8 +896,12 @@ bool switch_to_ns(pid_t pid, const char *ns)
 		return log_error_errno(false, errno, "Failed to open \"%s\"", nspath);
 
 	ret = setns(fd, 0);
-	if (ret)
-		return log_error_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd);
+	if (ret) {
+		if (optional)
+			return log_trace_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd);
+		else
+			return log_error_errno(false, errno, "Failed to set process %d to \"%s\" of %d", pid, ns, fd);
+	}
 
 	return true;
 }
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 0007b51a6..e72582aa2 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -134,7 +134,13 @@ __hidden extern bool is_shared_mountpoint(const char *path);
 __hidden extern int detect_shared_rootfs(void);
 __hidden extern bool detect_ramfs_rootfs(void);
 __hidden extern char *on_path(const char *cmd, const char *rootfs);
-__hidden extern bool switch_to_ns(pid_t pid, const char *ns);
+
+__hidden extern bool try_switch_to_ns(pid_t pid, const char *ns, bool optional);
+inline static bool switch_to_ns(pid_t pid, const char *ns)
+{
+	return try_switch_to_ns(pid, ns, false);
+}
+
 __hidden extern char *get_template_path(const char *t);
 __hidden extern int safe_mount(const char *src, const char *dest, const char *fstype,
 			       unsigned long flags, const void *data, const char *rootfs);