| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260210-netns-redundant-mount-v1-1-0b1ebfc1c79f@black-desk.cn>
Date: Tue, 10 Feb 2026 12:11:48 +0800
From: Chen Linxuan via B4 Relay <devnull+me.black-desk.cn@...nel.org>
To: Stephen Hemminger <stephen@...workplumber.org>
Cc: David Ahern <dsahern@...nel.org>, netdev@...r.kernel.org,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Lennart Poettering <lennart@...ttering.net>,
Luca Boccassi <bluca@...ian.org>, Chen Linxuan <me@...ck-desk.cn>
Subject: [PATCH iproute2] ip/netns: avoid redundant mounts
From: Chen Linxuan <me@...ck-desk.cn>
On Ubuntu 24.04, I observed redundant mounts after adding a netns with
the commands below:
sudo ip netns add xxx
cat /proc/self/mountinfo | grep /run
Output:
29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
...
203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
There are two mounts (6443 and 6444) related to the "xxx" netns created
above.
This redundancy occurs because systemd changed the default system mount
propagation to "shared" since commit b3ac5f8cb987 ("mount-setup: change
system mount propagation to shared by default"). Consequently, mount
propagation of `/run` is shared.
Link: https://docs.kernel.org/filesystems/sharedsubtree.html
Link: https://github.com/systemd/systemd/commit/b3ac5f8cb98757416d8660023d6564a7c411f0a0
When `ip netns` makes `/run/netns` a mount point, a new bind mount (203)
is created and attached to the same peer group as mount 29. Since mount
29 and 203 are in the same peer group (shared:5), any mount under 203
propagates back to 29, resulting in the redundant mount 6444.
To prevent this, `/run/netns` should be placed in a new peer group. This
can be achieved by reconfiguring `/run/netns` to MS_PRIVATE first, and
then to MS_SHARED again.
With this patch applied, the redundant mount is no longer present, and
`/run/netns` is in a new peer group (917):
29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
...
203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:917 - tmpfs tmpfs ...
6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:918 - nsfs nsfs rw
I also verified that mount propagation to containers remains functional.
Signed-off-by: Chen Linxuan <me@...ck-desk.cn>
---
ip/ipnetns.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index a20cd8bc7cb8..3a33a3adacee 100644
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
}
return -1;
}
+
+ /* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
+ * MS_SAHRED again to make sure it is placed in a new peer group
+ */
+ if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {
+ fprintf(stderr, "mount --make-private %s failed: %s\n",
+ NETNS_RUN_DIR, strerror(errno));
+ if (lock != -1) {
+ flock(lock, LOCK_UN);
+ close(lock);
+ }
+ return -1;
+ }
+
made_netns_run_dir_mount = 1;
}
if (lock != -1) {
---
base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
change-id: 20260210-netns-redundant-mount-aa2db50eac7d
Best regards,
--
Chen Linxuan <me@...ck-desk.cn>
Powered by blists - more mailing lists