libnetwork/rootlessnetns: do not use rootless-netns when not re-exec
The IsRootless() check is dangerous in a sense that it may not do what
you think it does. It also returns true even when podman is run as root
and not in the podman userns but as part of a different userns. Could be
another container manager that configured the userns.

This results in us doing the rootless-netns logic even when we should
not need to. To fix this we now check for the
_CONTAINERS_USERNS_CONFIGURED env var to make sure we are not
re-exec'ed. This is what we actually care about.

This is a regression compared to podman 4.X, because when the code was moved
into c/common, the IsRootless() check was changed to the c/storage
version, which has the userns special case.

Fixes containers/podman#22218

Signed-off-by: Paul Holzinger <[email protected]>
Luap99 committed Apr 12, 2024
1 parent 5e61b7e commit cbda5be
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions libnetwork/netavark/network.go
@@ -135,7 +135,11 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
}

var netns *rootlessnetns.Netns
if unshare.IsRootless() {
// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
// IsRootless() also returns true if we are root in a userns which is not what we care about and
// causes issues as this slower more complicated rootless-netns logic should not be used as root.
_, useRootlessNetns := os.LookupEnv(unshare.UsernsEnvName)
if useRootlessNetns {
netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
if err != nil {
return nil, err
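Review bot: the new comment explains why `unshare.IsRootless()` is avoided but not where the replacement signal comes from; since the decision now rests entirely on whether `unshare.UsernsEnvName` (`_CONTAINERS_USERNS_CONFIGURED`, per the commit message) is present in the environment, the comment should say that this variable is set by the podman re-exec into its user namespace, so a future reader knows that an inherited or stray copy of that variable in the environment is enough to select the slower rootless-netns path. Something like `// unshare.UsernsEnvName is set only by the re-exec into the podman userns, so its presence means we run inside it.` would make the contract explicit. Also worth stating in the commit message whether other callers of `unshare.IsRootless()` in this package share the same root-in-userns problem, since this change covers only `NewNetworkInterface`.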
@@ -147,7 +151,7 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
networkRunDir: conf.NetworkRunDir,
netavarkBinary: conf.NetavarkBinary,
aardvarkBinary: conf.AardvarkBinary,
networkRootless: unshare.IsRootless(),
networkRootless: useRootlessNetns,
ipamDBPath: filepath.Join(conf.NetworkRunDir, "ipam.db"),
firewallDriver: conf.Config.Network.FirewallDriver,
defaultNetwork: defaultNetworkName,
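Review bot: with `networkRootless: useRootlessNetns` the field no longer means "this process is rootless" but "this process was re-exec'ed into the podman userns", which differs exactly in the root-inside-a-foreign-userns case the commit message describes; the struct field should be documented (or renamed, e.g. to reflect the re-exec condition) so that code reading `networkRootless` elsewhere does not assume it matches `unshare.IsRootless()`. The two uses in this function are now consistent with each other, which is good; please confirm no other method on the netavark network struct still derives the same decision from `unshare.IsRootless()`, otherwise the rootless-netns setup and its consumers could disagree.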
