-rw-r--r--conf.c4
-rw-r--r--pasta.c6
-rw-r--r--util.c4
3 files changed, 8 insertions, 6 deletions
diff --git a/conf.c b/conf.c
index ab91b7f..6810144 100644
--- a/conf.c
+++ b/conf.c
@@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
{
struct ctx *c = (struct ctx *)arg;
- if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) ||
- setns(c->pasta_netns_fd, 0))
+ if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
+ setns(c->pasta_netns_fd, CLONE_NEWNET))
c->pasta_userns_fd = c->pasta_netns_fd = -1;
return 0;
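Review bot: When either setns() call in conf_ns_check fails, both descriptors are overwritten with -1 without a visible close() and without recording errno. The failure this commit adds, EINVAL for a descriptor that is not a namespace of the requested type, is therefore indistinguishable from any other failure and, unless the caller closes them elsewhere, the descriptors leak. Consider closing each valid descriptor before the reset and adding a short comment above the condition, for example `/* nstype makes the kernel reject an fd of the wrong namespace type */`. The function's closing lines are outside the hunk, so cleanup may exist there that is not visible here.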
diff --git a/pasta.c b/pasta.c
index a2b842b..bcc1261 100644
--- a/pasta.c
+++ b/pasta.c
@@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
do
while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
- while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd));
+ while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
+ !close(c->pasta_userns_fd));
netns:
snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
do
while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
- while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd));
+ while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
+ !close(c->pasta_netns_fd));
return 0;
}
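Review bot: Both retry loops in pasta_wait_for_ns treat every setns() failure as transient, closing the descriptor and reopening the path with no bound and no delay. With an explicit nstype the call can also fail with EINVAL on a type mismatch, and that, like EPERM, will not clear on retry, so the caller would spin at full speed. Consider checking `errno` after a failed setns() and leaving the loop on errors that cannot resolve once the child has set up its namespaces. A comment should also note that nstype confirms the kind of namespace, not that `/proc/<pid>/ns/*` still belongs to the intended child. The function begins outside the hunk.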
diff --git a/util.c b/util.c
index d172ad8..7a3ea51 100644
--- a/util.c
+++ b/util.c
@@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
*/
int ns_enter(struct ctx *c)
{
- if (!c->netns_only && setns(c->pasta_userns_fd, 0))
+ if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
return -errno;
- if (setns(c->pasta_netns_fd, 0))
+ if (setns(c->pasta_netns_fd, CLONE_NEWNET))
return -errno;
return 0;
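Review bot: If the CLONE_NEWUSER call in ns_enter succeeds and the CLONE_NEWNET call then fails, the function returns -errno with the caller already moved into the user namespace. That half-entered state is worth stating in the function comment, which starts outside the hunk and may not cover it. Something like `Return: 0 on success, negative error code on failure; on failure the caller may already have joined the user namespace and must not continue` would do. The same comment could mention that a descriptor of the wrong namespace type now yields -EINVAL.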