Wouldn't it be much nicer if we could call fsmount(fsopen("procfs")) and then use the temporary mount via *at() syscalls?

This is already possible by calling fork()+CLONE_NEWUSER+CLONE_NEWMOUNT and then calling fsmount(fsopen("procfs")). But the requirement for this fork is annoying, and the kernel currently magically hides procfs if not already visible via other means.

So, maybe instead of providing duplicate APIs that /proc already has, we can instead ensure that access to at least /proc/self/ is readily available?

(I am no huge fan of file-system based APIs like /proc, but I mean... it is there... we have it, so we can just make use of it)

That would indeed do the trick, and in my case I already have a user and mountns, so let me close this.

Nooooo, I need someone to push this forward! :'(

But the requirement for this fork is annoying,

Can't you merely unshare(CLONE_NEWUSER|CLONE_NEWMOUNT) without the fork?

But the requirement for this fork is annoying,

Can't you merely unshare(CLONE_NEWUSER|CLONE_NEWMOUNT) without the fork?

Yes, I can, but then I cannot switch back to my original user-namespace. Even if I retain a namespace-fd to the original user-ns, a setns(2) call is not allowed, since it always grants full privileges and wouldn't be allowed for an unprivileged caller.

So yes, I can get access to proc by dropping namespaces, but it would lock you out from joining the previous user-namespace. By doing this in a fork, you can pass back the FD but retain your namespaces in the parent process.