- if (lgss_prepare_cred(cred)) {
- logmsg(LL_ERR, "key %08x: failed to prepare credentials "
- "for user %d\n", keyid, uparam.kup_uid);
- return 1;
- }
+#ifdef HAVE_SETNS
+ /* Is caller in different namespace? */
+ snprintf(path, sizeof(path), "/proc/%d/ns/mnt", getpid());
+ if (stat(path, &parent_ns))
+ logmsg(LL_ERR, "cannot stat %s: %s\n", path, strerror(errno));
+ snprintf(path, sizeof(path), "/proc/%d/ns/mnt", uparam.kup_pid);
+ if (stat(path, &caller_ns))
+ logmsg(LL_ERR, "cannot stat %s: %s\n", path, strerror(errno));
+ if (caller_ns.st_ino != parent_ns.st_ino) {
+ /*
+ * do credentials preparation in caller's namespace
+ */
+ if (associate_with_ns(path) != 0) {
+ logmsg(LL_ERR, "failed to attach to pid %d namespace: "
+ "%s\n", uparam.kup_pid, strerror(errno));
+ return 1;
+ }
+ logmsg(LL_TRACE, "working in namespace of pid %d\n",
+ uparam.kup_pid);
+ } else {
+ logmsg(LL_TRACE, "caller's namespace is the same\n");
+ }
+#endif /* HAVE_SETNS */
+
+ if (lgss_prepare_cred(cred)) {
+ logmsg(LL_ERR, "key %08x: failed to prepare credentials "
+ "for user %d\n", keyid, uparam.kup_uid);
+ return 1;
+ }
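Review bot: Both `stat()` failure branches in the `HAVE_SETNS` block only log and fall through, so the `caller_ns.st_ino != parent_ns.st_ino` comparison can run on a `struct stat` that was never filled in. The declarations of `parent_ns` and `caller_ns` are outside this hunk, so unless they are zero-initialized there, the choice of whether to join the caller's mount namespace before `lgss_prepare_cred(cred)` rests on indeterminate data. If both calls fail on zeroed structs, the code silently takes the "same namespace" branch and prepares credentials in the daemon's own namespace. I would fail closed on either error, e.g. `if (stat(path, &caller_ns)) { logmsg(LL_ERR, "cannot stat %s: %s\n", path, strerror(errno)); return 1; }`, and do the same for the `parent_ns` call. The enclosing function starts and ends outside the hunk, so please confirm that returning 1 at this point leaks nothing acquired earlier.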