lsns: show namespaces only kept alive by open file descriptors

[masatake]

Close #1884.

# ip netns add foo
# ls -i /run/netns/foo
4026540683 /run/netns/foo
# sleep 999 4< /run/netns/foo & sleep 2
[1] 1187058

# ip netns delete foo
#  ./lsns -Q 'NPROCS == 0'
        NS TYPE NPROCS PID USER COMMAND
4026540683 net       0     root

Even after removing the nsfs file created by ip-netns-add, lsns successfully reports the namespace.

[karelzak]

Seems not related to the change:

diff-{{{
--- /home/runner/work/util-linux/util-linux/tests/expected/lslocks/lslocks-lease-w+HOLDERS	2024-04-02 15:01:29.920456549 +0000
+++ /home/runner/work/util-linux/util-linux/tests/output/lslocks/lslocks-lease-w+HOLDERS	2024-04-02 15:05:55.229715611 +0000
@@ -1,2 +1,3 @@
 test_mkfds LEASE  WRITE 0 0 1,test_mkfds,17\x0a1,test_mkfds,18
+test_mkfds LEASE  WRITE 0 0 1,test_mkfds,17\x0a1,test_mkfds,18
 # lease-w + COMMAND,TYPE,SIZE,MODE,START,END,HOLDERS + --raw --noheadings: 0
}}}-diff

[masatake]

A test case about the lsns lslocks command failed. Maybe we must add sleep N before reading /proc/locks. I will add a temporary commit to verify my idea.

[masatake]

About the failure of lslocks, a "SLEEP" was already added.
#2624

[axelkar]

Hi. This makes lsns require CONFIG_USER_NS. Is it within the scope of util-linux to support kernel configurations without it enabled?

[karelzak]

Hi. This makes lsns require CONFIG_USER_NS. Is it within the scope of util-linux to support kernel configurations without it enabled?

There are more places in util-linux where user namespaces are expected. The optimal solution is to detect the missing feature and continue without it if possible. From this point of view, I'm not sure if, for example:

	if (stat("/proc/self/ns/user", &st) < 0)
		err(EXIT_FAILURE, _("failed to do stat /proc/self/ns/user"));

is an optimal solution, maybe it would be better not to use err() but return -1 (or so), etc.

@masatake, what do you think?

[masatake]

@karelzak I agree with you; calling err() is too much.

The purpose of the function, including the line, is to get the st_dev of the device on which the "nsfs" file system is. Not only /proc/self/ns/user, but also the other dentries under /proc/self/ns, can be used as arguments for stat(2). Returning 0 or -1 is the last resort.
We can try other namespaces.

I will make a pull request implementing the fallbacks.

@axelkar, how can I quickly test lsns on a non-CONFIG_USER_NS kernel?
Do I have to configure and build a kernel by myself?

[axelkar]

how can I quickly test lsns on a non-CONFIG_USER_NS kernel? Do I have to configure and build a kernel by myself?

You either have to somehow mask out /proc/self/ns/user or build and build a kernel yourself. I actually have no idea why my device's OEM disabled CONFIG_USER_NS, since AOSP seems to have it enabled in defconfigs.

Here is a guide on how to create a userspace:
https://github.com/google/syzkaller/blob/d4d447cd780753901f9e00aa246cc835458a8f06/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md#create-debian-bullseye-linux-image

Though I'd do it with NixOS (refs: VM, easy kernel config modification)

$ nix-build '<nixpkgs/nixos>' -A vm -I nixos-config=./configuration.nix
$ QEMU_KERNEL_PARAMS=console=ttyS0 ./result/bin/run-nixos-vm -nographic; reset

# configuration.nix
{ pkgs, ... }:
{
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  users.users.root.initialPassword = "root";

  boot.kernelPatches = [
    {
      name = "disable CONFIG_USER_NS";
      patch = null;
      extraConfig = ''
        USER_NS n
      '';
    }
  ];

  environment.systemPackages = [
    (pkgs.util-linux.overrideAttrs (previousAttrs: {
      patches = previousAttrs.patches ++ [
        ./0001-fix-lsns.patch
      ];
    }))
    # or
    (pkgs.util-linux.overrideAttrs {
      src = ./util-linux;
    })
  ];

  system.stateVersion = "25.05";
}

[masatake]

@axelkar Could you try #3772 ?