I have looked at the patch and security-wise it looks very good to me. For completeness I would also add the `O_CLOEXEC`, i.e.:

```c
netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
```

I think there is still a functional issue, however. You are using `fstatvfs()` and evaluating `f_fsid`. This is, as far as I understand, a unique identifier for file systems independent of their file system type. It returns zero for pseudo file systems.
To get the file system magic you need to use `fstatfs()` and evaluate `f_type` instead.
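
The difference the comment describes, as an added example that is not part of the original comment or of the patch under review: it opens a path with `O_PATH | O_CLOEXEC`, reads `f_type` via `fstatfs()`, and prints it next to `f_fsid` from `statvfs()`. The helper names, the default path `/proc/self/ns/net` and the comparison against `NSFS_MAGIC` from `<linux/magic.h>` are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/statvfs.h>
#include <sys/vfs.h>
#include <unistd.h>
#include <linux/magic.h>

#ifndef NSFS_MAGIC
#define NSFS_MAGIC 0x6e736673 /* value from linux/magic.h, for older headers */
#endif

/* Open path as in the comment and return the file system magic (f_type)
 * reported by fstatfs(). Returns 0 on success, -1 on error. */
int fs_magic_of(const char *path, unsigned long *magic)
{
    struct statfs sfs;
    int fd = open(path, O_PATH | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fstatfs(fd, &sfs);
    close(fd);
    if (rc < 0)
        return -1;
    *magic = (unsigned long)sfs.f_type;
    return 0;
}

/* Hypothetical helper: 1 if path is on the expected fs type, 0 if not, -1 on error. */
int fs_magic_matches(const char *path, unsigned long expected)
{
    unsigned long magic;
    if (fs_magic_of(path, &magic) < 0)
        return -1;
    return magic == expected;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/ns/net"; /* assumed default */
    struct statvfs vfs;
    unsigned long magic;
    if (fs_magic_of(path, &magic) < 0 || statvfs(path, &vfs) < 0) {
        perror(path);
        return 1;
    }
    printf("%s: f_type=0x%lx f_fsid=0x%lx nsfs=%d\n", path, magic,
           (unsigned long)vfs.f_fsid, magic == NSFS_MAGIC);
    return 0;
}
```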