From 06c2cc9a3408fef35647776abdc43831d0d91c40 Mon Sep 17 00:00:00 2001
From: priuatus <79643420+priuatus@users.noreply.github.com>
Date: Tue, 20 Jan 2026 21:30:18 +0200
Subject: [PATCH] fix: network namespace detection false negative (#12)

Co-authored-by: netixen <netixen@spaceship>
---
 internal/sandbox/linux_features.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/sandbox/linux_features.go b/internal/sandbox/linux_features.go
index c761b91..a4c78cd 100644
--- a/internal/sandbox/linux_features.go
+++ b/internal/sandbox/linux_features.go
@@ -200,7 +200,8 @@ func (f *LinuxFeatures) detectNetworkNamespace() {
 
 	// Run a minimal bwrap command with --unshare-net to test if it works
 	// We use a very short timeout since this should either succeed or fail immediately
-	cmd := exec.Command("bwrap", "--unshare-net", "--", "/bin/true")
+	// The bind mount is required in some environments
+	cmd := exec.Command("bwrap", "--unshare-net", "--ro-bind", "/", "/", "--", "/bin/true")
 	err := cmd.Run()
 	f.CanUnshareNet = err == nil
 }