For a while now we have supported file handles for pidfds. This has
proven to be very useful.

Extend the concept to cover namespaces as well. After this patchset it
is possible to encode and decode namespace file handles using the
commong name_to_handle_at() and open_by_handle_at() apis.

Namespaces file descriptors can already be derived from pidfds which
means they aren't subject to overmount protection bugs. IOW, it's
irrelevant if the caller would not have access to an appropriate
/proc/<pid>/ns/ directory as they could always just derive the namespace
based on a pidfd already.

It has the same advantage as pidfds. It's possible to reliably and for
the lifetime of the system refer to a namespace without pinning any
resources and to compare them.

Permission checking is kept simple. If the caller is located in the
namespace the file handle refers to they are able to open it otherwise
they must hold privilege over the owning namespace of the relevant
namespace.

Both the network namespace and the mount namespace already have an
associated cookie that isn't recycled and is fully exposed to userspace.
Move this into ns_common and use the same id space for all namespaces so
they can trivially and reliably be compared.

There's more coming based on the iterator infrastructure but the series
is large enough and focuses on file handles.

Extensive selftests included. I still have various other test-suites to
run but it holds up so far.

Signed-off-by: Christian Brauner <brauner@kernel.org>
---
Christian Brauner (32):
      pidfs: validate extensible ioctls
      nsfs: validate extensible ioctls
      block: use extensible_ioctl_valid()
      ns: move to_ns_common() to ns_common.h
      nsfs: add nsfs.h header
      ns: uniformly initialize ns_common
      mnt: use ns_common_init()
      ipc: use ns_common_init()
      cgroup: use ns_common_init()
      pid: use ns_common_init()
      time: use ns_common_init()
      uts: use ns_common_init()
      user: use ns_common_init()
      net: use ns_common_init()
      ns: remove ns_alloc_inum()
      nstree: make iterator generic
      mnt: support iterator
      cgroup: support iterator
      ipc: support iterator
      net: support iterator
      pid: support iterator
      time: support iterator
      userns: support iterator
      uts: support iterator
      ns: add to_<type>_ns() to respective headers
      nsfs: add current_in_namespace()
      nsfs: support file handles
      nsfs: support exhaustive file handles
      nsfs: add missing id retrieval support
      tools: update nsfs.h uapi header
      selftests/namespaces: add identifier selftests
      selftests/namespaces: add file handle selftests

 block/blk-integrity.c                              |    8 +-
 fs/fhandle.c                                       |    6 +
 fs/internal.h                                      |    1 +
 fs/mount.h                                         |   10 +-
 fs/namespace.c                                     |  156 +--
 fs/nsfs.c                                          |  266 +++-
 fs/pidfs.c                                         |    2 +-
 include/linux/cgroup.h                             |    5 +
 include/linux/exportfs.h                           |    6 +
 include/linux/fs.h                                 |   14 +
 include/linux/ipc_namespace.h                      |    5 +
 include/linux/ns_common.h                          |   29 +
 include/linux/nsfs.h                               |   40 +
 include/linux/nsproxy.h                            |   11 -
 include/linux/nstree.h                             |   89 ++
 include/linux/pid_namespace.h                      |    5 +
 include/linux/proc_ns.h                            |   32 +-
 include/linux/time_namespace.h                     |    9 +
 include/linux/user_namespace.h                     |    5 +
 include/linux/utsname.h                            |    5 +
 include/net/net_namespace.h                        |    6 +
 include/uapi/linux/fcntl.h                         |    1 +
 include/uapi/linux/nsfs.h                          |   12 +-
 init/main.c                                        |    2 +
 ipc/msgutil.c                                      |    1 +
 ipc/namespace.c                                    |   12 +-
 ipc/shm.c                                          |    2 +
 kernel/Makefile                                    |    2 +-
 kernel/cgroup/cgroup.c                             |    2 +
 kernel/cgroup/namespace.c                          |   24 +-
 kernel/nstree.c                                    |  233 ++++
 kernel/pid_namespace.c                             |   13 +-
 kernel/time/namespace.c                            |   23 +-
 kernel/user_namespace.c                            |   17 +-
 kernel/utsname.c                                   |   28 +-
 net/core/net_namespace.c                           |   59 +-
 tools/include/uapi/linux/nsfs.h                    |   23 +-
 tools/testing/selftests/namespaces/.gitignore      |    2 +
 tools/testing/selftests/namespaces/Makefile        |    7 +
 tools/testing/selftests/namespaces/config          |    7 +
 .../selftests/namespaces/file_handle_test.c        | 1410 ++++++++++++++++++++
 tools/testing/selftests/namespaces/nsid_test.c     |  986 ++++++++++++++
 42 files changed, 3306 insertions(+), 270 deletions(-)
---
base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585
change-id: 20250905-work-namespace-c68826dda0d4

syzbot ci has tested the following series

[v1] ns: support file handles
https://lore.kernel.org/all/20250910-work-namespace-v1-0-4dd56e7359d8@kernel.org
* [PATCH 01/32] pidfs: validate extensible ioctls
* [PATCH 02/32] nsfs: validate extensible ioctls
* [PATCH 03/32] block: use extensible_ioctl_valid()
* [PATCH 04/32] ns: move to_ns_common() to ns_common.h
* [PATCH 05/32] nsfs: add nsfs.h header
* [PATCH 06/32] ns: uniformly initialize ns_common
* [PATCH 07/32] mnt: use ns_common_init()
* [PATCH 08/32] ipc: use ns_common_init()
* [PATCH 09/32] cgroup: use ns_common_init()
* [PATCH 10/32] pid: use ns_common_init()
* [PATCH 11/32] time: use ns_common_init()
* [PATCH 12/32] uts: use ns_common_init()
* [PATCH 13/32] user: use ns_common_init()
* [PATCH 14/32] net: use ns_common_init()
* [PATCH 15/32] ns: remove ns_alloc_inum()
* [PATCH 16/32] nstree: make iterator generic
* [PATCH 17/32] mnt: support iterator
* [PATCH 18/32] cgroup: support iterator
* [PATCH 19/32] ipc: support iterator
* [PATCH 20/32] net: support iterator
* [PATCH 21/32] pid: support iterator
* [PATCH 22/32] time: support iterator
* [PATCH 23/32] userns: support iterator
* [PATCH 24/32] uts: support iterator
* [PATCH 25/32] ns: add to_<type>_ns() to respective headers
* [PATCH 26/32] nsfs: add current_in_namespace()
* [PATCH 27/32] nsfs: support file handles
* [PATCH 28/32] nsfs: support exhaustive file handles
* [PATCH 29/32] nsfs: add missing id retrieval support
* [PATCH 30/32] tools: update nsfs.h uapi header
* [PATCH 31/32] selftests/namespaces: add identifier selftests
* [PATCH 32/32] selftests/namespaces: add file handle selftests

and found the following issue:
WARNING in copy_net_ns

Full report is available here:
https://ci.syzbot.org/series/bc3dfd83-98cc-488c-b046-f849c79a6a41

***

WARNING in copy_net_ns

tree:      net-next
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git
base:      deb105f49879dd50d595f7f55207d6e74dec34e6
arch:      amd64
compiler:  Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/a560fd28-b788-4442-a7c8-10c6240b4dbf/config
syz repro: https://ci.syzbot.org/findings/18e91b10-567e-4cae-a279-8a5f2f2cde80/syz_repro

------------[ cut here ]------------
ida_free called for id=1326 which is not allocated.
WARNING: CPU: 0 PID: 6146 at lib/idr.c:592 ida_free+0x280/0x310 lib/idr.c:592
Modules linked in:
CPU: 0 UID: 0 PID: 6146 Comm: syz.1.60 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ida_free+0x280/0x310 lib/idr.c:592
Code: 00 00 00 00 fc ff df 48 8b 5c 24 10 48 8b 7c 24 40 48 89 de e8 d1 8a 0c 00 90 48 c7 c7 80 ee ba 8c 44 89 fe e8 11 87 12 f6 90 <0f> 0b 90 90 eb 34 e8 95 02 4f f6 49 bd 00 00 00 00 00 fc ff df eb
RSP: 0018:ffffc9000302fba0 EFLAGS: 00010246
RAX: c838d58ce4bb0000 RBX: 0000000000000a06 RCX: ffff88801eac0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffffc9000302fca0 R08: ffff88804b024293 R09: 1ffff11009604852
R10: dffffc0000000000 R11: ffffed1009604853 R12: 1ffff92000605f78
R13: dffffc0000000000 R14: ffff888026c1fd00 R15: 000000000000052e
FS:  00007f6d7aab16c0(0000) GS:ffff8880b8613000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000004000 CR3: 000000002726e000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 copy_net_ns+0x37a/0x510 net/core/net_namespace.c:593
 create_new_namespaces+0x3f3/0x720 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11c/0x170 kernel/nsproxy.c:218
 ksys_unshare+0x4c8/0x8c0 kernel/fork.c:3127
 __do_sys_unshare kernel/fork.c:3198 [inline]
 __se_sys_unshare kernel/fork.c:3196 [inline]
 __x64_sys_unshare+0x38/0x50 kernel/fork.c:3196
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6d79b8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6d7aab1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f6d79dd5fa0 RCX: 00007f6d79b8eba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000062040200
RBP: 00007f6d79c11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6d79dd6038 R14: 00007f6d79dd5fa0 R15: 00007ffd5ab830f8
 </TASK>


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.