With Linux user namespaces, why can clone() mount /proc, but unshare() cannot?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite
1












I am trying to get a non-root user to mount /proc in a Linux user namespace.



If I create a namespace via clone(), then I can mount /proc.



However, if I create a namespace via unshare(), then the call to mount() fails with Operation not permitted.



Why does mount() behave differently when the namespace is created with clone() as opposed to unshare()?



The below code demonstrates the difference.



#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <fcntl.h>


#define STACK_SIZE (1024 * 1024)

static char child_stack[STACK_SIZE]; /* Space for child's stack */


void try ( const char * msg, int rv ) 
 printf ( "%-8s %6d %sn", msg, rv, strerror ( rv < 0 ? errno : 0 ) );



int child ( void * arg ) 
 try( "mount_1", mount ( "PROC", "/proc", "proc", 0, NULL ));
 try( "umount_1", umount ( "/proc" ));
 return 0;



int main () 

 int clone_flags = 0;

 clone_flags


Output:



clone 31478 Success
mount_1 0 Success
umount_1 0 Success
wait 31478 Success
unshare 0 Success
mount_2 -1 Operation not permitted


I am running on Ubuntu 18.04 with kernel Linux 4.15.0-20-generic. I am running the above code as non-root.






mount proc namespace unshare clone







share|improve this question

























    up vote
    0
    down vote

    favorite
    1












    I am trying to get a non-root user to mount /proc in a Linux user namespace.



    If I create a namespace via clone(), then I can mount /proc.



    However, if I create a namespace via unshare(), then the call to mount() fails with Operation not permitted.



    Why does mount() behave differently when the namespace is created with clone() as opposed to unshare()?



    The below code demonstrates the difference.



    #define _GNU_SOURCE
    #include <errno.h>
    #include <sched.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/syscall.h>
    #include <sys/mount.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/wait.h>
    #include <fcntl.h>


    #define STACK_SIZE (1024 * 1024)

    static char child_stack[STACK_SIZE]; /* Space for child's stack */


    void try ( const char * msg, int rv ) 
     printf ( "%-8s %6d %sn", msg, rv, strerror ( rv < 0 ? errno : 0 ) );



    int child ( void * arg ) 
     try( "mount_1", mount ( "PROC", "/proc", "proc", 0, NULL ));
     try( "umount_1", umount ( "/proc" ));
     return 0;



    int main () 

     int clone_flags = 0;

     clone_flags


    Output:



    clone 31478 Success
    mount_1 0 Success
    umount_1 0 Success
    wait 31478 Success
    unshare 0 Success
    mount_2 -1 Operation not permitted


    I am running on Ubuntu 18.04 with kernel Linux 4.15.0-20-generic. I am running the above code as non-root.






    mount proc namespace unshare clone







    share|improve this question























      up vote
      0
      down vote

      favorite
      1









      up vote
      0
      down vote

      favorite
      1






      1





      I am trying to get a non-root user to mount /proc in a Linux user namespace.



      If I create a namespace via clone(), then I can mount /proc.



      However, if I create a namespace via unshare(), then the call to mount() fails with Operation not permitted.



      Why does mount() behave differently when the namespace is created with clone() as opposed to unshare()?



      The below code demonstrates the difference.



      #define _GNU_SOURCE
      #include <errno.h>
      #include <sched.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/syscall.h>
      #include <sys/mount.h>
      #include <sys/types.h>
      #include <sys/stat.h>
      #include <sys/wait.h>
      #include <fcntl.h>


      #define STACK_SIZE (1024 * 1024)

      static char child_stack[STACK_SIZE]; /* Space for child's stack */


      void try ( const char * msg, int rv ) 
       printf ( "%-8s %6d %sn", msg, rv, strerror ( rv < 0 ? errno : 0 ) );



      int child ( void * arg ) 
       try( "mount_1", mount ( "PROC", "/proc", "proc", 0, NULL ));
       try( "umount_1", umount ( "/proc" ));
       return 0;



      int main () 

       int clone_flags = 0;

       clone_flags


      Output:



      clone 31478 Success
      mount_1 0 Success
      umount_1 0 Success
      wait 31478 Success
      unshare 0 Success
      mount_2 -1 Operation not permitted


      I am running on Ubuntu 18.04 with kernel Linux 4.15.0-20-generic. I am running the above code as non-root.






      mount proc namespace unshare clone







      share|improve this question













      I am trying to get a non-root user to mount /proc in a Linux user namespace.



      If I create a namespace via clone(), then I can mount /proc.



      However, if I create a namespace via unshare(), then the call to mount() fails with Operation not permitted.



      Why does mount() behave differently when the namespace is created with clone() as opposed to unshare()?



      The below code demonstrates the difference.



      #define _GNU_SOURCE
      #include <errno.h>
      #include <sched.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/syscall.h>
      #include <sys/mount.h>
      #include <sys/types.h>
      #include <sys/stat.h>
      #include <sys/wait.h>
      #include <fcntl.h>


      #define STACK_SIZE (1024 * 1024)

      static char child_stack[STACK_SIZE]; /* Space for child's stack */


      void try ( const char * msg, int rv ) 
       printf ( "%-8s %6d %sn", msg, rv, strerror ( rv < 0 ? errno : 0 ) );



      int child ( void * arg ) 
       try( "mount_1", mount ( "PROC", "/proc", "proc", 0, NULL ));
       try( "umount_1", umount ( "/proc" ));
       return 0;



      int main () 

       int clone_flags = 0;

       clone_flags


      Output:



      clone 31478 Success
      mount_1 0 Success
      umount_1 0 Success
      wait 31478 Success
      unshare 0 Success
      mount_2 -1 Operation not permitted


      I am running on Ubuntu 18.04 with kernel Linux 4.15.0-20-generic. I am running the above code as non-root.






      mount proc namespace unshare clone




      mount proc namespace unshare clone






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 3 hours ago









      mpb

      379110




      379110




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          Maybe because you're still in the "wrong" PID namespace, and that means you don't have permission to mount the procfs instance?




          CLONE_NEWPID [...] The calling process is
          not moved into the new namespace. The first child created by
          the calling process will have the process ID 1 and will assume
          the role of init(1) in the new namespace.



          http://man7.org/linux/man-pages/man2/unshare.2.html




          Compare




          CLONE_NEWPID [...]
          If CLONE_NEWPID is set, then create the process in a new PID
          namespace.



          http://man7.org/linux/man-pages/man2/clone.2.html







          share|improve this answer




















          • It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
            – mpb
            58 mins ago











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f480873%2fwith-linux-user-namespaces-why-can-clone-mount-proc-but-unshare-cannot%23new-answer', 'question_page');

          );

          Post as a guest

















          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          Maybe because you're still in the "wrong" PID namespace, and that means you don't have permission to mount the procfs instance?




          CLONE_NEWPID [...] The calling process is
          not moved into the new namespace. The first child created by
          the calling process will have the process ID 1 and will assume
          the role of init(1) in the new namespace.



          http://man7.org/linux/man-pages/man2/unshare.2.html




          Compare




          CLONE_NEWPID [...]
          If CLONE_NEWPID is set, then create the process in a new PID
          namespace.



          http://man7.org/linux/man-pages/man2/clone.2.html







          share|improve this answer




















          • It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
            – mpb
            58 mins ago















          up vote
          2
          down vote



          accepted










          Maybe because you're still in the "wrong" PID namespace, and that means you don't have permission to mount the procfs instance?




          CLONE_NEWPID [...] The calling process is
          not moved into the new namespace. The first child created by
          the calling process will have the process ID 1 and will assume
          the role of init(1) in the new namespace.



          http://man7.org/linux/man-pages/man2/unshare.2.html




          Compare




          CLONE_NEWPID [...]
          If CLONE_NEWPID is set, then create the process in a new PID
          namespace.



          http://man7.org/linux/man-pages/man2/clone.2.html







          share|improve this answer




















          • It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
            – mpb
            58 mins ago













          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          Maybe because you're still in the "wrong" PID namespace, and that means you don't have permission to mount the procfs instance?




          CLONE_NEWPID [...] The calling process is
          not moved into the new namespace. The first child created by
          the calling process will have the process ID 1 and will assume
          the role of init(1) in the new namespace.



          http://man7.org/linux/man-pages/man2/unshare.2.html




          Compare




          CLONE_NEWPID [...]
          If CLONE_NEWPID is set, then create the process in a new PID
          namespace.



          http://man7.org/linux/man-pages/man2/clone.2.html







          share|improve this answer












          Maybe because you're still in the "wrong" PID namespace, and that means you don't have permission to mount the procfs instance?




          CLONE_NEWPID [...] The calling process is
          not moved into the new namespace. The first child created by
          the calling process will have the process ID 1 and will assume
          the role of init(1) in the new namespace.



          http://man7.org/linux/man-pages/man2/unshare.2.html




          Compare




          CLONE_NEWPID [...]
          If CLONE_NEWPID is set, then create the process in a new PID
          namespace.



          http://man7.org/linux/man-pages/man2/clone.2.html








          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 3 hours ago









          sourcejedi

          21.5k43396




          21.5k43396











          • It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
            – mpb
            58 mins ago

















          • It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
            – mpb
            58 mins ago
















          It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
          – mpb
          58 mins ago





          It certainly appears you are correct. If I unshare() followed by a fork(), then the child process can mount /proc. Thanks!
          – mpb
          58 mins ago


















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f480873%2fwith-linux-user-namespaces-why-can-clone-mount-proc-but-unshare-cannot%23new-answer', 'question_page');

          );

          Post as a guest
































































          -

          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this questi...
          Read more

          Running qemu-guest-agent on windows server 2008

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I know how I need to configure any linux guestvm in order to make qemu-guest-agent work. This is because there is a lot of documentation on it available, this is not the same with a windows guest. I wanted to know what steps I need to take to make qemu-GA work with a windows guest. I know I need to specify a channel type in the xml file of my windows vm, but further than that?? Does somebody has some more experience with this? Thanks. Running system: Debian 9 (on VMware) 3GB ram & 100GB DISK Running libvirt Daemon Several other guest vms running in background Windows guest: Windows server 2012 512MB RAM & 32GB DISK Virtio drivers working windows virtual-machine kvm qemu libvirtd share | improve this question asked Jan 13 at 0:02 codenerd123 1 1 add a comment  |  up vote 0 down vote favorite I know how I need to configure any linux guestvm in...
          Read more

          Christian Cage

          Image
          Christian Cage Christian in March 2015 Birth name William Jason Reso Born ( 1973-11-30 ) November 30, 1973 (age 45) Kitchener, Ontario, Canada Residence Tampa, Florida, United States Spouse(s) Denise Hartmann ( m.   2001 ) Children 1 Professional wrestling career Ring name(s) Christian [1] Christian Cage [2] Conquistador Dos [3] Male Nurse [4] Billed height 6 ft 1 in (1.85 m) [1] Billed weight 212 lb (96 kg) [1] Billed from Tampa, Florida (WM18, TNA) Toronto, Ontario, Canada [1] Trained by Dory Funk Jr. [2] Ron Hutchison [5] Debut 1995 [5] Retired 2014 [6] William Jason Reso (born November 30, 1973) is a Canadian actor, podcaster and retired professional wrestler best known for his time in WWE under the ring name Christian , a shortened version of his original ring name Christian Cage that was also used during his tenure in Total Nonstop Action Wrestling (TNA). Reso was trained by former professional wrestlers Ron Hutchison and Dory Funk Jr. and m...
          Read more