git.ipfire.org Git - thirdparty/systemd.git/commit

author	Daan De Meyer <daan@amutable.com>
	Thu, 21 May 2026 11:34:44 +0000 (11:34 +0000)
committer	Daan De Meyer <daan@amutable.com>
	Thu, 21 May 2026 14:26:35 +0000 (14:26 +0000)
commit	01e6465b558570d2e33ebeb514b39cedde96014f
tree	c19035e1e14b384045ccdcd3b5e2e7132a2845ad	tree \| snapshot
parent	e64337ee10e1c31b619ef64ae663afb1bb1e8a70	commit \| diff

nsresourced: Verify user namespace identity on registry lookup

When a user namespace dies and its registry entry is torn down, the kernel
can recycle its inode number for a freshly-created namespace. A subsequent
registration or operation request can therefore find a stale registry entry
keyed by the same inode that actually belongs to a different, now-dead user
namespace.

Use NS_GET_ID to compare the kernel-assigned namespace identifier against
the stored one whenever we look up the registry from a live userns fd
(AddMount/AddControlGroup/AddNetworkInterface, plus the two registration
paths). Extract release_userns_by_info()/release_userns_by_inode() into
userns-registry.c so nsresourcework can fully clean up stale entries
(BPF allowlist, fdstore fd, cgroups, netifs, on-disk record) before reusing
the slot, and remove the now-unused userns_registry_inode_exists().

Co-developed-by: Claude Opus 4.7 <noreply@anthropic.com>

src/nsresourced/nsresourced-manager.c		diff \| blob \| blame \| history
src/nsresourced/nsresourcework.c		diff \| blob \| blame \| history
src/nsresourced/userns-registry.c		diff \| blob \| blame \| history
src/nsresourced/userns-registry.h		diff \| blob \| blame \| history