c - Why is unprivileged recursive unshare(CLONE_NEWUSER) not permitted? -


i'm on ubuntu 17.04.

single unprivilleged unshare of mount namespace works. can try using unshare(1) command:

$ unshare -m -u /bin/sh # 

however unshare within unshare not permitted:

$ unshare -m -u /bin/sh # unshare -m -u /bin/sh unshare: operation not permitted # 

here c program same:

#define _gnu_source #include <stdio.h> #include <sched.h> #include <sys/mount.h> #include <unistd.h>  int main(int argc, char *argv[]) {     if(unshare(clone_newuser|clone_newns) == -1) {         perror("unshare");         return -1;     }     if(unshare(clone_newuser|clone_newns) == -1) {         perror("unshare2");         return -1;     }     return 0; } 

why it's not permitted? can find documentation this? failed find information in unshare or clone man page , in kernel unshare documentation.

is there system setting allow this?

what want achieve:

first unshare: want mask few binaries on system own versions.

second unshare: unprivilleged chroot.

i'm guessing here, think reason uid mapping. in order perform it, conditions must met (from user_namespaces man page):

   in  order   process write /proc/[pid]/uid_map (/proc/[pid]/gid_map) file, of following require‐    ments must met:     1. writing process must have cap_setuid (cap_setgid) capability in user namespace of process pid.     2. writing process must either in user namespace of process pid or in parent  user  namespace  of       process pid.     3. mapped user ids (group ids) must in turn have mapping in parent user namespace. 

i believe happens first time run, mapping matches of parent uid. second time, however, not, , fails system call.

from unshare(2) manual page:

   eperm  clone_newuser specified in flags, either effective user id or effective group id of   caller           not have mapping in parent namespace (see user_namespaces(7)). 

Comments

Popular posts from this blog

resizing Telegram inline keyboard -

command line - How can a Python program background itself? -

php - "cURL error 28: Resolving timed out" on Wordpress on Azure App Service on Linux -