git.ipfire.org Git - thirdparty/systemd.git/commit

author	Malformed C <enderman08@gmail.com>
	Wed, 27 May 2026 19:43:35 +0000 (22:43 +0300)
committer	Yu Watanabe <watanabe.yu+github@gmail.com>
	Thu, 28 May 2026 07:53:23 +0000 (16:53 +0900)
commit	d35fa257eb109395ea6532eeeb9fc0327a946002
tree	cccdadfb358a3dfe967042374cbac233a94bc19c	tree \| snapshot
parent	68af89e61913fb3c9cbd0d2f3068807d476ea351	commit \| diff

nspawn: join network namespace before cloning user namespace

When both --private-users and --network-namespace-path are
specified, systemd-nspawn fails to start with "Operation not
permitted" during the setns() call.

This occurs because of the following execution sequence:
1. The outer child calls raw_clone() with CLONE_NEWUSER to create
the new user namespace.
2. The inner child is spawned inside this new user namespace.
3. The inner child then attempts to call setns() to join the
external network namespace.

Because the inner child is already running inside
the restricted user namespace, the kernel rejects
the setns() call to join a network namespace owned by
a different (host/more privileged) user namespace.

Fix this by moving the setns() call to the outer child, executing it
just before the raw_clone() call. This ensures the network namespace
is joined while the process still has the necessary privileges, which
also aligns with the inner child's expectation that the network
namespace is already set up upon entry.

src/nspawn/nspawn.c		diff \| blob \| blame \| history
test/units/TEST-13-NSPAWN.nspawn.sh		diff \| blob \| blame \| history