uffd: suggest vm.unprivileged_userfaultfd on EPERM

When restoring inside a user namespace on a host where userfaultfd
is restricted to privileged callers, 'criu restore --lazy-pages'
fails to open a userfaultfd descriptor with EPERM. This patch improves
the error message to suggests how to fix this.

Assisted-by: Claude Code:claude-opus-4-8

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>

Author: rst0git

criu/uffd.c

@@ -299,6 +299,7 @@ int uffd_open(int flags, unsigned long *features, int *err)
 int setup_uffd(int pid, struct task_restore_args *task_args)
 {
 	unsigned long features = kdat.uffd_features & NEED_UFFD_API_FEATURES;
+	int err = 0;
 
 	if (!opts.lazy_pages) {
 		task_args->uffd = -1;
@@ -309,9 +310,14 @@ int setup_uffd(int pid, struct task_restore_args *task_args)
 	 * Open userfaulfd FD which is passed to the restorer blob and
 	 * to a second process handling the userfaultfd page faults.
 	 */
-	task_args->uffd = uffd_open(O_CLOEXEC | O_NONBLOCK, &features, NULL);
+	task_args->uffd = uffd_open(O_CLOEXEC | O_NONBLOCK, &features, &err);
 	if (task_args->uffd < 0) {
-		pr_perror("Unable to open an userfaultfd descriptor");
+		if (err)
+			errno = err;
+		pr_perror("Unable to open a userfaultfd descriptor");
+		if (err == EPERM)
+			pr_err("To use --lazy-pages, run with CAP_SYS_PTRACE in the root "
+			       "user namespace or set 'sysctl -w vm.unprivileged_userfaultfd=1'\n");
 		return -1;
 	}