c - Why is unprivileged recursive unshare(CLONE_NEWUSER) not permitted?
I'm on Ubuntu 17.04.
A single unprivileged unshare of the mount namespace works. You can try it using the unshare(1) command:
    $ unshare -m -U /bin/sh
    #
However, unshare within unshare is not permitted:
    $ unshare -m -U /bin/sh
    # unshare -m -U /bin/sh
    unshare: Operation not permitted
    #
Here is a C program that does the same:
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <sched.h>
    #include <sys/mount.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        /* First unshare: new user namespace plus new mount namespace. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1) {
            perror("unshare");
            return -1;
        }
        /* Second unshare, nested inside the first: this one fails with EPERM. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1) {
            perror("unshare2");
            return -1;
        }
        return 0;
    }
Why is it not permitted? Can I find documentation on this? I failed to find any information in the unshare or clone man pages, or in the kernel unshare documentation.
Is there a system setting to allow this?
What I want to achieve:
First unshare: I want to mask a few binaries on the system with my own versions.
Second unshare: unprivileged chroot.
I'm guessing here, but I think the reason is UID mapping. In order to perform it, some conditions must be met (from the user_namespaces man page):
In order for a process to write to the /proc/[pid]/uid_map (/proc/[pid]/gid_map) file, all of the following requirements must be met:
1. The writing process must have the CAP_SETUID (CAP_SETGID) capability in the user namespace of the process pid.
2. The writing process must either be in the user namespace of the process pid or be in the parent user namespace of the process pid.
3. The mapped user IDs (group IDs) must in turn have a mapping in the parent user namespace.
I believe this is what happens the first time you run it, and the mapping matches that of the parent UID. The second time, however, it does not, and the system call fails.
From the unshare(2) manual page:
EPERM CLONE_NEWUSER was specified in flags, and either the effective user ID or the effective group ID of the caller does not have a mapping in the parent namespace (see user_namespaces(7)).
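The sequence the answer describes, as an added example that is not part of the question or the answer: after the first unshare the caller's effective UID has no mapping in the new namespace, so a second unshare(CLONE_NEWUSER) fails with EPERM; once setgroups, uid_map and gid_map have been written for that first namespace, the caller has a mapped identity (UID 0 inside it) and the nested unshare succeeds. It assumes Linux with unprivileged user namespaces enabled and /proc mounted; the function name and its return codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write one string to a /proc/self file; returns 0 on success, -errno on failure. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd == -1)
        return -errno;
    ssize_t len = (ssize_t)strlen(text);
    int err = (write(fd, text, len) == len) ? 0 : -errno;
    close(fd);
    return err;
}

/* Returns 0 if the nested unshare succeeds after the maps are written; 1 if the
 * first unshare is refused (user namespaces unavailable here); 2 if the unmapped
 * second unshare did not fail with EPERM; 3 if a map write failed; 4 if the
 * second unshare still failed after mapping.  Codes are this example's own. */
int nested_unshare_demo(void)
{
    uid_t uid = geteuid();   /* read before unshare: afterwards we appear as nobody */
    gid_t gid = getegid();
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1)
        return 1;
    /* Reproduce the question: nest again while our euid is still unmapped. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0 || errno != EPERM)
        return 2;
    /* user_namespaces(7): an unprivileged writer must deny setgroups before gid_map. */
    if (write_proc("/proc/self/setgroups", "deny") < 0)
        return 3;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
    if (write_proc("/proc/self/uid_map", map) < 0)
        return 3;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
    if (write_proc("/proc/self/gid_map", map) < 0)
        return 3;
    /* Our euid is now mapped (to 0) in this namespace, so nesting is allowed. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1)
        return 4;
    return 0;
}
```

The unmapped attempt has no side effects, since the kernel validates the caller's mapping before committing any namespace change, which is why the same process can retry after writing the maps.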