Re: clone(2) man page CLONE_NEWPID and CLONE_PARENT can be specified at the same time, also CLONE_NEWUSER and CLONE_PARENT

[Carlos O'Donell <carlos@redhat.com>]

On 4/15/25 7:34 AM, hoodit dev wrote:
> In clone(2) man page ERRORS section said EINVAL occur when set
> CLONE_NEWPID and one (or both) of CLONE_THREAD or CLONE_PARENT were
> specified in the flags mask
> but in my test code, it can be specified CLONE_NEWPID and CLONE_PARENT
> at the same time and works well (not in CLONE_THREAD)

The use of CLONE_NEWPID and CLONE_PARENT both creates a new PID namespace
and roots the created process at the parent of the caller.

This doesn't violate any of the rules around having only one process as
the root of the namespace.

The restriction of CLONE_PARENT is relevant to the root of the process tree.

I agree with your analysis that you should be able to use CLONE_NEWPID and
CLONE_PARENT. The outcome is that this creates a new process, whose root is
your parent, and who starts the new namespace as pid 1 (init) for that new
namespace.

> In DESCRIPTION > the flags mask > CLONE_NEWPID, it says that it can't
> be used with CLONE_THREAD only

This is correct.

> So, I search linux github to find really CLONE_PARENT can't be used
> with CLONE_NEWPID but there is no logic like that
> (but I found CLONE_THREAD can't be used with CLONE_NEWUSER,
> https://github.com/torvalds/linux/blob/219d54332a09e8d8741c1e1982f5eae56099de85/kernel/fork.c#L1815)

It does not make logical sense for CLONE_NEWPID to be used wtih CLONE_THREAD.

A new thread shares the same address space, and so should logically share
the same PID namespace. PID namespaces are created by cloning or unsharing
a given process that acts as root of the namespace.

Having a single process with a mixed PID namespace would break several
userspace invariants expected by C library implementations.

I expect the kernel to maintain this invariant.
  
> Similarly, in CLONE_NEWUSER, it says that "This flag can't be
> specified in conjunction with CLONE_THREAD or CLONE_PARENT." but it
> works on my test code with CLONE_PARENT
> Also, in ERROR section only mentioned when CLONE_NEWUSER used with CLONE_THREAD

Just because it works, which might be a bug, doesn't mean that we should
document that it works.

My position is similar here, a new USER namespace that is mixed within a
process that contains multiple threads violates a number of invariants.

The transition to a new user namespace should really start with a process
and all threads should share the same user namespace so ids can be stored
in thread-local objects and shared.
  
> I think CLONE_NEWPID and CLONE_NEWUSER can't be used with CLONE_THREAD only.
> If you think my opinion is reasonable, please let me know. I'll make a patch
  
I agree with this statement, CLONE_NEWPID and CLONE_NEWUSER should not be
usable with CLONE_THREAD.

-- 
Cheers,
Carlos.