crun: open /proc/sys/net/ipv4/ping_group_range: Permission denied: OCI permission denied

[Egoistically]

Hello. I'm trying to run a rootless container using a network namespace I created with podman unshare unshare -n. It works fine when I use the default userns, but when I use keep-id I get the error in the title before the container even starts.

The command I used to test it:
podman unshare unshare -n sh -c 'echo $$ > /tmp/nspid && sleep inf' &
podman run --network=ns:/proc/$(cat /tmp/nspid)/ns/net --userns=keep-id docker.io/bash ip a

Any help will be wholeheartedly appreciated. Below are my podman version and info commands.

podman version

Client:       Podman Engine
Version:      5.5.0-dev
API Version:  5.5.0-dev
Go Version:   go1.23.6
Git Commit:   ac3074e90eba88f9a87520ac54071dc064f15db8-dirty
Built:        Mon Mar 10 01:14:51 2025
OS/Arch:      linux/amd64

podman info

host:
  arch: amd64
  buildahVersion: 1.39.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: app-containers/conmon-2.1.10
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 99.11
    systemPercent: 0.37
    userPercent: 0.52
  cpus: 24
  databaseBackend: sqlite
  distribution:
    distribution: gentoo
    version: "2.17"
  eventLogger: file
  freeLocks: 1985
  hostname: joudo
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.12.16-gentoo-dist
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 19609759744
  memTotal: 33555832832
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: app-containers/aardvark-dns-1.12.2-r1
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: app-containers/netavark-1.12.2-r1
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: app-containers/crun-1.17
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: net-misc/passt-2025.01.21
    version: |
      pasta 2025.01.21
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 17179865088
  swapTotal: 17179865088
  uptime: 6h 9m 14.00s (Approximately 0.25 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/saku/.config/containers/storage.conf
  containerStore:
    number: 29
    paused: 0
    running: 0
    stopped: 29
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/saku/.local/share/containers/storage
  graphRootAllocated: 448369393664
  graphRootUsed: 99515891712
  graphStatus:
    Backing Filesystem: zfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/saku/.local/share/containers/storage/volumes
version:
  APIVersion: 5.5.0-dev
  Built: 1741565691
  BuiltTime: Mon Mar 10 01:14:51 2025
  GitCommit: ac3074e90eba88f9a87520ac54071dc064f15db8-dirty
  GoVersion: go1.23.6
  Os: linux
  OsArch: linux/amd64
  Version: 5.5.0-dev

[Luap99]

see https://blog.podman.io/2023/12/interaction-between-user-namespaces-and-capabilities/

It doesn't describe your scenario but it is essentially the same thing. As soon as a new user namespace is created you cannot use any parent namespaces (unless you already happened to be in it but even then you loose all capabilities for it).

[Egoistically]

If I understood correctly, the easiest solution is to modify the network namespace of the container itself (created with network=none), instead of creating one with unshare. Is that right? Thanks a lot for the help, I was completely lost.

[Luap99]

yes that should work