From: Laurent Vivier <laurent@vivier.eu>
To: util-linux@vger.kernel.org
Cc: Laurent Vivier <laurent@vivier.eu>
Subject: [PATCH v2 0/2] unshare: manage binfmt_misc mounts
Date: Tue, 11 Jun 2024 10:43:12 +0200 [thread overview]
Message-ID: <20240611084314.183913-1-laurent@vivier.eu> (raw)
Since Linux v6.7 and
commit 21ca59b365c0 ("binfmt_misc: enable sandboxed mounts"),
binfmt_misc can be mounted in a non-initial user namespace by
a non-privileged user.

Extend unshare to manage it:
- add --mount-binfmt[=<dir>] to mount the binfmt_misc filesystem; this
results in clearing inherited interpreters from the previous namespace
- add -l, --load-interp <file> to load a binfmt_misc interpreter at startup.
The interpreter is loaded from the initial filesystem if the 'F' flag is
provided, otherwise from inside the new namespace.

This makes it possible to start a chroot of another architecture without
being root.
For instance:

With 'F' flag, load the interpreter from the initial namespace:

$ /bin/qemu-m68k-static --version
qemu-m68k version 8.2.2 (qemu-8.2.2-1.fc40)
Copyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers
$ unshare --map-root-user --fork --pid --load-interp=":qemu-m68k:M::\\x7fELF\\x01\\x02\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x04:\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\xff\\xff:/bin/qemu-m68k-static:OCF" --root=chroot/m68k/sid
# QEMU_VERSION= ls
qemu-m68k version 8.2.2 (qemu-8.2.2-1.fc40)
Copyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers
# /qemu-m68k --version
qemu-m68k version 8.0.50 (v8.0.0-340-gb1cff5e2da95)
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers

Without 'F' flag, from inside the namespace:

$ unshare --map-root-user --fork --pid --load-interp=":qemu-m68k:M::\\x7fELF\\x01\\x02\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x04:\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\xff\\xff:/qemu-m68k:OC" --root=chroot/m68k/sid
# QEMU_VERSION= ls
qemu-m68k version 8.0.50 (v8.0.0-340-gb1cff5e2da95)
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
# /qemu-m68k --version
qemu-m68k version 8.0.50 (v8.0.0-340-gb1cff5e2da95)
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
v2:
- use <binfmt_mnt>/register rather than _PATH_PROC_BINFMT_MISC_REGISTER to load the interpreter
Laurent Vivier (2):
unshare: mount binfmt_misc
unshare: load binfmt_misc interpreter
include/pathnames.h | 1 +
sys-utils/unshare.1.adoc | 13 ++++++++
sys-utils/unshare.c | 71 +++++++++++++++++++++++++++++++++++++++-
3 files changed, 84 insertions(+), 1 deletion(-)
--
2.45.2
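Added example, not code from the patch series or from util-linux: a Python parser for the binfmt_misc register string the cover letter passes to --load-interp, applying the kernel's magic/mask matching to constructed ELF header prefixes. It assumes BINPRM_BUF_SIZE is 256 (the current kernel value) and that the shell's doubled backslashes reach binfmt_misc as single ones.

```python
import re
from dataclasses import dataclass

# Register string from the cover letter ('F' variant), with the shell's doubled backslashes collapsed.
REGISTER_F = (r":qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04"
              r":\xff\xff\xff\xff\xff\xff\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff"
              r":/bin/qemu-m68k-static:OCF")

@dataclass
class BinfmtEntry:
    name: str
    kind: str        # 'M' magic match or 'E' extension match
    offset: int
    magic: bytes
    mask: bytes
    interpreter: str
    flags: str       # subset of "POCF"; 'F' = interpreter opened at registration, not at each exec

def unquote(field: str) -> bytes:
    """Decode the \\xHH escapes binfmt_misc accepts in the magic and mask fields."""
    return bytes(int(m.group(1), 16) if m.group(1) else ord(m.group(0))
                 for m in re.finditer(r"\\x([0-9a-fA-F]{2})|.", field, re.S))

def parse_register(line: str) -> BinfmtEntry:
    """Split ':name:type:offset:magic:mask:interpreter:flags' with the kernel's rules."""
    fields = line.rstrip("\n").split(line[0])
    if len(fields) != 8 or fields[0] != "":
        raise ValueError("expected 7 fields separated by the leading delimiter")
    _, name, kind, offset, magic, mask, interp, flags = fields
    if not name or "/" in name or kind not in ("M", "E") or not interp:
        raise ValueError("bad name, type or interpreter")
    if set(flags) - set("POCF"):
        raise ValueError(f"unknown flag in {flags!r}")
    if kind == "E":  # extension rule: 'magic' is a filename suffix, no offset or mask
        return BinfmtEntry(name, kind, 0, magic.encode(), b"", interp, flags)
    off, mg, mk = int(offset or 0), unquote(magic), unquote(mask)
    if not mg or off + len(mg) > 256 or (mk and len(mk) != len(mg)):  # 256 = BINPRM_BUF_SIZE (assumed)
        raise ValueError("magic/mask length out of bounds")
    return BinfmtEntry(name, kind, off, mg, mk or b"\xff" * len(mg), interp, flags)

def matches(entry: BinfmtEntry, header: bytes) -> bool:
    """Kernel-style check: (file_byte XOR magic_byte) AND mask_byte must be 0 everywhere."""
    window = header[entry.offset:entry.offset + len(entry.magic)]
    return entry.kind == "M" and len(window) == len(entry.magic) and all(
        (h ^ m) & k == 0 for h, m, k in zip(window, entry.magic, entry.mask))

# Constructed 20-byte ELF header prefixes (e_ident, e_type, e_machine), not real files.
M68K_EXEC = b"\x7fELF\x01\x02\x01" + b"\x00" * 10 + b"\x02\x00\x04"
M68K_PIE = M68K_EXEC[:17] + b"\x03" + M68K_EXEC[18:]  # ET_DYN still hits via mask 0xfe
X86_64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 10 + b"\x00\x3e\x00"
```

Without 'F' the interpreter path in the rule is resolved inside the new namespace at every exec, so the root filesystem passed to --root decides which binary actually runs; with 'F' it is opened once from the registering namespace.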