1 files changed, 14 insertions, 11 deletions

diff --git a/executor/common_linux.h b/executor/common_linux.h
index 8b8a5c3f8..9fe76d6bb 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -859,6 +859,18 @@ static int namespace_sandbox_proc(void* arg)
 	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
 		fail("write of /proc/self/gid_map failed");
 
+	// CLONE_NEWNET must always happen before tun setup,
+	// because we want the tun device in the test namespace.
+	if (unshare(CLONE_NEWNET))
+		fail("unshare(CLONE_NEWNET)");
+#if defined(SYZ_EXECUTOR) || defined(SYZ_TUN_ENABLE)
+	// We setup tun here as it needs to be in the test net namespace,
+	// which in turn needs to be in the test user namespace.
+	// However, IFF_NAPI_FRAGS will fail as we are not root already.
+	// There does not seem to be a call sequence that would satisfy all of that.
+	setup_tun((long)arg >> 1, (long)arg & 1);
+#endif
+
 	if (mkdir("./syz-tmp", 0777))
 		fail("mkdir(syz-tmp) failed");
 	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
@@ -919,21 +931,12 @@ static int do_sandbox_namespace(int executor_pid, bool enable_tun)
 {
 	int pid;
 
-	// CLONE_NEWNET must always happen before tun setup,
-	// because we want the tun device in the test namespace.
-	if (unshare(CLONE_NEWNET))
-		fail("unshare(CLONE_NEWNET)");
-#if defined(SYZ_EXECUTOR) || defined(SYZ_TUN_ENABLE)
-	// For sandbox namespace we setup tun before dropping privs,
-	// because IFF_NAPI_FRAGS requires root.
-	setup_tun(executor_pid, enable_tun);
-#endif
-
 	real_uid = getuid();
 	real_gid = getgid();
 	mprotect(sandbox_stack, 4096, PROT_NONE); // to catch stack underflows
+	void* arg = (void*)(long)((executor_pid << 1) | enable_tun);
 	pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64],
-		    CLONE_NEWUSER | CLONE_NEWPID, NULL);
+		    CLONE_NEWUSER | CLONE_NEWPID, arg);
 	if (pid < 0)
 		fail("sandbox clone failed");
 	return pid;