From: Laurent Vivier <laurent@vivier.eu>
To: util-linux@vger.kernel.org
Cc: Laurent Vivier <laurent@vivier.eu>
Subject: [PATCH 0/2] unshare: manage binfmt_misc mounts
Date: Mon, 10 Jun 2024 19:33:47 +0200 [thread overview]
Message-ID: <20240610173349.115913-1-laurent@vivier.eu> (raw)
Since Linux v6.7 and
commit 21ca59b365c0 ("binfmt_misc: enable sandboxed mounts"),
binfmt_misc can be mounted in a non-initial user namespace by
a non-privileged user.
Extend unshare to manage it:
- add --mount-binfmt[=<dir>] to mount the binfmt_misc filesystem; this
results in clearing inherited interpreters from the previous namespace.
- add -l, --load-interp <file> to load a binfmt_misc interpreter at startup.
The interpreter is loaded from the initial filesystem if the 'F' flag is
provided, otherwise from inside the new namespace.
This makes it possible to start a chroot of another architecture without
being root.
For instance:
With 'F' flag, load the interpreter from the initial namespace:
$ /bin/qemu-m68k-static --version
qemu-m68k version 8.2.2 (qemu-8.2.2-1.fc40)
Copyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers
$ unshare --map-root-user --fork --pid --load-interp=":qemu-m68k:M::\\x7fELF\\x01\\x02\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x04:\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\xff\\xff:/bin/qemu-m68k-static:OCF" --root=chroot/m68k/sid
# QEMU_VERSION= ls
qemu-m68k version 8.2.2 (qemu-8.2.2-1.fc40)
Copyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers
# /qemu-m68k --version
qemu-m68k version 8.0.50 (v8.0.0-340-gb1cff5e2da95)
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
Without 'F' flag, from inside the namespace:
$ unshare --map-root-user --fork --pid --load-interp=":qemu-m68k:M::\\x7fELF\\x01\\x02\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x04:\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\xff\\xff:/qemu-m68k:OC" --root=chroot/m68k/sid
# QEMU_VERSION= ls
qemu-m68k version 8.0.50 (v8.0.0-340-gb1cff5e2da95)
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
# /qemu-m68k --version
qemu-m68k version 8.0.50 (v8.0.0-340-gb1cff5e2da95)
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
Laurent Vivier (2):
unshare: mount binfmt_misc
unshare: load binfmt_misc interpreter
include/pathnames.h | 2 ++
sys-utils/unshare.1.adoc | 13 ++++++++
sys-utils/unshare.c | 64 +++++++++++++++++++++++++++++++++++++++-
3 files changed, 78 insertions(+), 1 deletion(-)
--
2.45.2
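As an added example (not part of this patch series or of util-linux), the following Python parses a binfmt_misc registration string like the one passed to --load-interp above and applies its magic/mask the same way the kernel does when it picks an interpreter for an executable. The elf_header() builder, the BinfmtEntry type and the function names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
# Registration string from the cover letter, as the kernel receives it
# (the shell's "\\x7f" has already collapsed to "\x7f" at this point).
M68K_REGISTER = (r":qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04"
                 r":\xff\xff\xff\xff\xff\xff\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/bin/qemu-m68k-static:OCF")

@dataclass
class BinfmtEntry:
    name: str
    kind: str          # 'M' = match on magic bytes, 'E' = match on file extension
    offset: int
    magic: bytes
    mask: bytes
    interpreter: str
    flags: str         # e.g. 'F' = open the interpreter at registration time

def _unescape(field: str) -> bytes:
    # binfmt_misc accepts \xNN escapes for bytes that cannot be typed literally.
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1")

def parse_register(line: str) -> BinfmtEntry:
    # First character is the delimiter; fields: name:type:offset:magic:mask:interpreter:flags
    delim = line[0]
    fields = line[1:].split(delim)
    if len(fields) < 6:
        raise ValueError("registration string has too few fields")
    name, kind, offset, magic, mask, interp = fields[:6]
    flags = fields[6] if len(fields) > 6 else ""
    magic_b = _unescape(magic)
    mask_b = _unescape(mask) if mask else b"\xff" * len(magic_b)   # no mask: match every bit
    if len(mask_b) != len(magic_b):
        raise ValueError("mask and magic differ in length")
    return BinfmtEntry(name, kind, int(offset or 0), magic_b, mask_b, interp, flags)

def matches(entry: BinfmtEntry, header: bytes) -> bool:
    # Kernel test on the leading bytes of a file: every masked byte must equal the masked magic.
    end = entry.offset + len(entry.magic)
    if end > len(header):
        return False
    window = header[entry.offset:end]
    return all(((h ^ m) & k) == 0 for h, m, k in zip(window, entry.magic, entry.mask))

def elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    # Constructed minimal ELF header: ident, then e_type/e_machine in the order EI_DATA selects.
    order = "big" if ei_data == 2 else "little"
    return (b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
            + e_type.to_bytes(2, order) + e_machine.to_bytes(2, order)).ljust(52, b"\x00")
```

The 0xfe mask byte at e_type lets both ET_EXEC and ET_DYN (PIE) m68k binaries match the one entry, while the 0x00 byte at EI_OSABI ignores that field entirely.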