public inbox for util-linux@vger.kernel.org
* is one allowed to reenter a user namespace?
@ 2013-01-20 23:36 Zbigniew Jędrzejewski-Szmek
  2013-01-21  0:47 ` Eric W. Biederman
  0 siblings, 1 reply; 2+ messages in thread
From: Zbigniew Jędrzejewski-Szmek @ 2013-01-20 23:36 UTC (permalink / raw)
  To: util-linux, Eric W. Biederman

Hi,
when trying to enter a namespace, the behaviour wrt. entering an
existing namespace that the process is _already_ a part of is
different for user namespaces and all other namespaces. For user namespaces
one gets EINVAL, while for other namespaces it succeeds. In other
words, for user namespaces only, entering the namespace is not idempotent.

# unshare --mount sleep 10000 &

# nsenter --target=$(pgrep sleep) --mount /bin/true
# nsenter --target=$(pgrep sleep) --ipc /bin/true
# nsenter --target=$(pgrep sleep) --net /bin/true
# nsenter --target=$(pgrep sleep) --uts /bin/true
# nsenter --target=$(pgrep sleep) --user /bin/true
nsenter: setns of 'ns/user' failed: Invalid argument
(and the EINVAL is from setns())

Is this difference intended?

-
Zbyszek


* Re: is one allowed to reenter a user namespace?
  2013-01-20 23:36 is one allowed to reenter a user namespace? Zbigniew Jędrzejewski-Szmek
@ 2013-01-21  0:47 ` Eric W. Biederman
  0 siblings, 0 replies; 2+ messages in thread
From: Eric W. Biederman @ 2013-01-21  0:47 UTC (permalink / raw)
  To: Zbigniew Jędrzejewski-Szmek; +Cc: util-linux

Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> writes:

> Hi,
> when trying to enter a namespace, the behaviour wrt. entering an
> existing namespace that the process is _already_ a part of is
> different for user namespaces and all other namespaces. For user namespaces
> one gets EINVAL, while for other namespaces it succeeds. In other
> words, for user namespaces only, entering the namespace is not idempotent.
>
> # unshare --mount sleep 10000 &
>
> # nsenter --target=$(pgrep sleep) --mount /bin/true
> # nsenter --target=$(pgrep sleep) --ipc /bin/true
> # nsenter --target=$(pgrep sleep) --net /bin/true
> # nsenter --target=$(pgrep sleep) --uts /bin/true
> # nsenter --target=$(pgrep sleep) --user /bin/true
> nsenter: setns of 'ns/user' failed: Invalid argument
> (and the EINVAL is from setns())
>
> Is this difference intended?

Yes.

The definition of setns on a user namespace is that the process gains
all capabilities in that namespace.  As such if you could reenter your
current user namespace you would gain all capabilities which would
defeat the purpose of the capability bits.

Eric
