clone.2: Describe the user namespace (CLONE_NEWUSER)

[thirdparty/man-pages.git] / man2 / clone.2

.\" Copyright (c) 1992 Drew Eckhardt <drew@cs.colorado.edu>, March 28, 1992
.\" and Copyright (c) Michael Kerrisk, 2001, 2002, 2005, 2013
.\"
.\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
.\" May be distributed under the GNU General Public License.
.\" %%%LICENSE_END
.\"
.\" Modified by Michael Haardt <michael@moria.de>
.\" Modified 24 Jul 1993 by Rik Faith <faith@cs.unc.edu>
.\" Modified 21 Aug 1994 by Michael Chastain <mec@shell.portal.com>:
.\"   New man page (copied from 'fork.2').
.\" Modified 10 June 1995 by Andries Brouwer <aeb@cwi.nl>
.\" Modified 25 April 1998 by Xavier Leroy <Xavier.Leroy@inria.fr>
.\" Modified 26 Jun 2001 by Michael Kerrisk
.\"     Mostly upgraded to 2.4.x
.\"     Added prototype for sys_clone() plus description
.\"	Added CLONE_THREAD with a brief description of thread groups
.\"	Added CLONE_PARENT and revised entire page remove ambiguity
.\"		between "calling process" and "parent process"
.\"	Added CLONE_PTRACE and CLONE_VFORK
.\"	Added EPERM and EINVAL error codes
.\"	Renamed "__clone" to "clone" (which is the prototype in <sched.h>)
.\"	various other minor tidy ups and clarifications.
.\" Modified 26 Jun 2001 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"	Updated notes for 2.4.7+ behavior of CLONE_THREAD
.\" Modified 15 Oct 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"	Added description for CLONE_NEWNS, which was added in 2.4.19
.\" Slightly rephrased, aeb.
.\" Modified 1 Feb 2003 - added CLONE_SIGHAND restriction, aeb.
.\" Modified 1 Jan 2004 - various updates, aeb
.\" Modified 2004-09-10 - added CLONE_PARENT_SETTID etc. - aeb.
.\" 2005-04-12, mtk, noted the PID caching behavior of NPTL's getpid()
.\"	wrapper under BUGS.
.\" 2005-05-10, mtk, added CLONE_SYSVSEM, CLONE_UNTRACED, CLONE_STOPPED.
.\" 2005-05-17, mtk, Substantially enhanced discussion of CLONE_THREAD.
.\" 2008-11-18, mtk, order CLONE_* flags alphabetically
.\" 2008-11-18, mtk, document CLONE_NEWPID
.\" 2008-11-19, mtk, document CLONE_NEWUTS
.\" 2008-11-19, mtk, document CLONE_NEWIPC
.\" 2008-11-19, Jens Axboe, mtk, document CLONE_IO
.\"
.\" FIXME Document CLONE_NEWUSER, which is new in 2.6.23
.\"       (also supported for unshare()?)
.\"
.TH CLONE 2 2014-08-19 "Linux" "Linux Programmer's Manual"
.SH NAME
clone, __clone2 \- create a child process
.SH SYNOPSIS
.nf
/* Prototype for the glibc wrapper function */

.B #include <sched.h>

.BI "int clone(int (*" "fn" ")(void *), void *" child_stack ,
.BI "          int " flags ", void *" "arg" ", ... "
.BI "          /* pid_t *" ptid ", struct user_desc *" tls \
", pid_t *" ctid " */ );"

/* Prototype for the raw system call */

.BI "long clone(unsigned long " flags ", void *" child_stack ,
.BI "          void *" ptid ", void *" ctid ,
.BI "          struct pt_regs *" regs );
.fi
.sp
.in -4n
Feature Test Macro Requirements for glibc wrapper function (see
.BR feature_test_macros (7)):
.in
.sp
.BR clone ():
.ad l
.RS 4
.PD 0
.TP 4
Since glibc 2.14:
_GNU_SOURCE
.TP 4
.\" See http://sources.redhat.com/bugzilla/show_bug.cgi?id=4749
Before glibc 2.14:
_BSD_SOURCE || _SVID_SOURCE
    /* _GNU_SOURCE also suffices */
.PD
.RE
.ad b
.SH DESCRIPTION
.BR clone ()
creates a new process, in a manner similar to
.BR fork (2).

This page describes both the glibc
.BR clone ()
wrapper function and the underlying system call on which it is based.
The main text describes the wrapper function;
the differences for the raw system call
are described toward the end of this page.

Unlike
.BR fork (2),
.BR clone ()
allows the child process to share parts of its execution context with
the calling process, such as the memory space, the table of file
descriptors, and the table of signal handlers.
(Note that on this manual
page, "calling process" normally corresponds to "parent process".
But see the description of
.B CLONE_PARENT
below.)

The main use of
.BR clone ()
is to implement threads: multiple threads of control in a program that
run concurrently in a shared memory space.

When the child process is created with
.BR clone (),
it executes the function
.IR fn ( arg ).
(This differs from
.BR fork (2),
where execution continues in the child from the point
of the
.BR fork (2)
call.)
The
.I fn
argument is a pointer to a function that is called by the child
process at the beginning of its execution.
The
.I arg
argument is passed to the
.I fn
function.

When the
.IR fn ( arg )
function application returns, the child process terminates.
The integer returned by
.I fn
is the exit code for the child process.
The child process may also terminate explicitly by calling
.BR exit (2)
or after receiving a fatal signal.

The
.I child_stack
argument specifies the location of the stack used by the child process.
Since the child and calling process may share memory,
it is not possible for the child process to execute in the
same stack as the calling process.
The calling process must therefore
set up memory space for the child stack and pass a pointer to this
space to
.BR clone ().
Stacks grow downward on all processors that run Linux
(except the HP PA processors), so
.I child_stack
usually points to the topmost address of the memory space set up for
the child stack.

The low byte of
.I flags
contains the number of the
.I "termination signal"
sent to the parent when the child dies.
If this signal is specified as anything other than
.BR SIGCHLD ,
then the parent process must specify the
.B __WALL
or
.B __WCLONE
options when waiting for the child with
.BR wait (2).
If no signal is specified, then the parent process is not signaled
when the child terminates.

.I flags
may also be bitwise-or'ed with zero or more of the following constants,
in order to specify what is shared between the calling process
and the child process:
.TP
.BR CLONE_CHILD_CLEARTID " (since Linux 2.5.49)"
Erase child thread ID at location
.I ctid
in child memory when the child exits, and do a wakeup on the futex
at that address.
The address involved may be changed by the
.BR set_tid_address (2)
system call.
This is used by threading libraries.
.TP
.BR CLONE_CHILD_SETTID " (since Linux 2.5.49)"
Store child thread ID at location
.I ctid
in child memory.
.TP
.BR CLONE_FILES " (since Linux 2.0)"
If
.B CLONE_FILES
is set, the calling process and the child process share the same file
descriptor table.
Any file descriptor created by the calling process or by the child
process is also valid in the other process.
Similarly, if one of the processes closes a file descriptor,
or changes its associated flags (using the
.BR fcntl (2)
.B F_SETFD
operation), the other process is also affected.

If
.B CLONE_FILES
is not set, the child process inherits a copy of all file descriptors
opened in the calling process at the time of
.BR clone ().
(The duplicated file descriptors in the child refer to the
same open file descriptions (see
.BR open (2))
as the corresponding file descriptors in the calling process.)
Subsequent operations that open or close file descriptors,
or change file descriptor flags,
performed by either the calling
process or the child process do not affect the other process.
.TP
.BR CLONE_FS " (since Linux 2.0)"
If
.B CLONE_FS
is set, the caller and the child process share the same filesystem
information.
This includes the root of the filesystem, the current
working directory, and the umask.
Any call to
.BR chroot (2),
.BR chdir (2),
or
.BR umask (2)
performed by the calling process or the child process also affects the
other process.

If
.B CLONE_FS
is not set, the child process works on a copy of the filesystem
information of the calling process at the time of the
.BR clone ()
call.
Calls to
.BR chroot (2),
.BR chdir (2),
.BR umask (2)
performed later by one of the processes do not affect the other process.
.TP
.BR CLONE_IO " (since Linux 2.6.25)"
If
.B CLONE_IO
is set, then the new process shares an I/O context with
the calling process.
If this flag is not set, then (as with
.BR fork (2))
the new process has its own I/O context.

.\" The following based on text from Jens Axboe
The I/O context is the I/O scope of the disk scheduler (i.e,
what the I/O scheduler uses to model scheduling of a process's I/O).
If processes share the same I/O context,
they are treated as one by the I/O scheduler.
As a consequence, they get to share disk time.
For some I/O schedulers,
.\" the anticipatory and CFQ scheduler
if two processes share an I/O context,
they will be allowed to interleave their disk access.
If several threads are doing I/O on behalf of the same process
.RB ( aio_read (3),
for instance), they should employ
.BR CLONE_IO
to get better I/O performance.
.\" with CFQ and AS.

If the kernel is not configured with the
.B CONFIG_BLOCK
option, this flag is a no-op.
.TP
.BR CLONE_NEWIPC " (since Linux 2.6.19)"
If
.B CLONE_NEWIPC
is set, then create the process in a new IPC namespace.
If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same IPC namespace as
the calling process.
This flag is intended for the implementation of containers.

An IPC namespace provides an isolated view of System\ V IPC objects (see
.BR svipc (7))
and (since Linux 2.6.30)
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues
(see
.BR mq_overview (7)).
The common characteristic of these IPC mechanisms is that IPC
objects are identified by mechanisms other than filesystem
pathnames.

Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.

When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.

Use of this flag requires: a kernel configured with the
.B CONFIG_SYSVIPC
and
.B CONFIG_IPC_NS
options and that the process be privileged
.RB ( CAP_SYS_ADMIN ).
This flag can't be specified in conjunction with
.BR CLONE_SYSVSEM .
.TP
.BR CLONE_NEWNET " (since Linux 2.6.24)"
(The implementation of this flag was completed only
by about kernel version 2.6.29.)

If
.B CLONE_NEWNET
is set, then create the process in a new network namespace.
If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same network namespace as
the calling process.
This flag is intended for the implementation of containers.

A network namespace provides an isolated view of the networking stack
(network device interfaces, IPv4 and IPv6 protocol stacks,
IP routing tables, firewall rules, the
.I /proc/net
and
.I /sys/class/net
directory trees, sockets, etc.).
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
.\" FIXME . Add pointer to veth(4) page when it is eventually completed
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.

When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).

Use of this flag requires: a kernel configured with the
.B CONFIG_NET_NS
option and that the process be privileged
.RB ( CAP_SYS_ADMIN ).
.TP
.BR CLONE_NEWNS " (since Linux 2.4.19)"
Start the child in a new mount namespace.

Every process lives in a mount namespace.
The
.I namespace
of a process is the data (the set of mounts) describing the file hierarchy
as seen by that process.
After a
.BR fork (2)
or
.BR clone ()
where the
.B CLONE_NEWNS
flag is not set, the child lives in the same mount
namespace as the parent.
The system calls
.BR mount (2)
and
.BR umount (2)
change the mount namespace of the calling process, and hence affect
all processes that live in the same namespace, but do not affect
processes in a different mount namespace.

After a
.BR clone ()
where the
.B CLONE_NEWNS
flag is set, the cloned child is started in a new mount namespace,
initialized with a copy of the namespace of the parent.

Only a privileged process (one having the \fBCAP_SYS_ADMIN\fP capability)
may specify the
.B CLONE_NEWNS
flag.
It is not permitted to specify both
.B CLONE_NEWNS
and
.B CLONE_FS
in the same
.BR clone ()
call.
.TP
.BR CLONE_NEWUSER " (since Linux 3.6)"
If
.B CLONE_NEWUSER
is set, the create the process in a new user namespace.  If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same user namespace as the calling process.

A user namespace provides an isolated environment for security related identifiers in particular
uids, gids, keys (see
.BR keyctl (2)),
and capabilities.

When a user namespace is created it initially starts out without a mapping of uids and gids
to the parent user namespace.  The desired mapping of uids to the parent user namespace
may be set by writting into  
.IR /proc/[pid]/uid_map.
The desired mapping of gids to the parent user namespace may be set by writinng into
.IR /proc/[pid]/gid_map.

The first process in a user namespace starts out with a complete set of capabilities with
respect to the new user namespace.  

syscalls that return uids and gids will either return the uid or gid mapped into the current
user namespace if there is a mapping or depending on the context will return either
the overflowuid (default 65534) or the overflowgid (default 65534). See
.IR /proc/sys/kernel/overflowuid, /proc/sys/kernel/overflowgid

As of Linux 3.8 no priviliges are needed to create a user namespace,
and mount, pid, ipc, net, uts namespaces can be created with just
CAP_SYS_ADMIN privileges in your current user namespace.

Over the years there have been a lot of features that have been added
to the linux kernel that are only available to privileged users
because of their potential to confuse setuid root applications.  In
general it becomes safe to allow the root user in a user namespace to
use those features because it is impossible while in a user namespace
to gain more privilege than the root user of a user namespace has.

.TP
.BR CLONE_NEWPID " (since Linux 2.6.24)"
.\" This explanation draws a lot of details from
.\" http://lwn.net/Articles/259217/
.\" Authors: Pavel Emelyanov <xemul@openvz.org>
.\" and Kir Kolyshkin <kir@openvz.org>
.\"
.\" The primary kernel commit is 30e49c263e36341b60b735cbef5ca37912549264
.\" Author: Pavel Emelyanov <xemul@openvz.org>
If
.B CLONE_NEWPID
is set, then create the process in a new PID namespace.
If this flag is not set, then (as with
.BR fork (2)),
the process is created in the same PID namespace as
the calling process.
This flag is intended for the implementation of containers.

A PID namespace provides an isolated environment for PIDs:
PIDs in a new namespace start at 1,
somewhat like a standalone system, and calls to
.BR fork (2),
.BR vfork (2),
or
.BR clone ()
will produce processes with PIDs that are unique within the namespace.

The first process created in a new namespace
(i.e., the process created using the
.BR CLONE_NEWPID
flag) has the PID 1, and is the "init" process for the namespace.
Children that are orphaned within the namespace will be reparented
to this process rather than
.BR init (8).
Unlike the traditional
.B init
process, the "init" process of a PID namespace can terminate,
and if it does, all of the processes in the namespace are terminated.

PID namespaces form a hierarchy.