.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
+.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
+.\" %%%LICENSE_END
.\"
.\"
-.TH NAMESPACES 7 2013-01-14 "Linux" "Linux Programmer's Manual"
+.TH NAMESPACES 7 2019-03-06 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.
-
+.PP
+Linux provides the following namespaces:
+.TS
+lB lB lB
+l lB l.
+Namespace Constant Isolates
+Cgroup CLONE_NEWCGROUP Cgroup root directory
+IPC CLONE_NEWIPC System V IPC, POSIX message queues
+Network CLONE_NEWNET Network devices, stacks, ports, etc.
+Mount CLONE_NEWNS Mount points
+PID CLONE_NEWPID Process IDs
+User CLONE_NEWUSER User and group IDs
+UTS CLONE_NEWUTS Hostname and NIS domain name
+.TE
+.PP
This page describes the various namespaces and the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
+.TP
+.BR ioctl (2)
+Various
+.BR ioctl (2)
+operations can be used to discover information about namespaces.
+These operations are described in
+.BR ioctl_ns (2).
.PP
Creation of new namespaces using
.BR clone (2)
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
-capability.
+capability, since, in the new namespace,
+the creator will have the power to change global resources
+that are visible to other processes that are subsequently created in,
+or join the namespace.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
-Each process has a
+Each process has a
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):
-
+.PP
.in +4n
-.nf
-$ \fBls -l /proc/$$/ns\fP
+.EX
+$ \fBls \-l /proc/$$/ns\fP
total 0
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 ipc -> ipc:[4026531839]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 mnt -> mnt:[4026531840]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 net -> net:[4026531956]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 pid -> pid:[4026531836]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 user -> user:[4026531837]
-lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 uts -> uts:[4026531838]
-.fi
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup \-> cgroup:[4026531835]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children \-> pid:[4026531834]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837]
+lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838]
+.EE
.in
-
+.PP
Bind mounting (see
.BR mount (2))
one of the files in this directory
-to somewhere else in the file system keeps
+to somewhere else in the filesystem keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.
-
+.PP
Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file handle for
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).
-
+.PP
In Linux 3.7 and earlier, these files were visible as hard links.
-Since Linux 3.8, they appear as symbolic links.
-If two processes are in the same namespace, then the inode numbers of their
+Since Linux 3.8,
+.\" commit bf056bfa80596a5d14b26b17276a56a0dcb080e5
+they appear as symbolic links.
+If two processes are in the same namespace,
+then the device IDs and inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
+.I stat.st_dev
+and
.I stat.st_ino
-field returned by
+fields returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:
-
+.PP
.in +4n
-.nf
+.EX
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
-.fi
+.EE
.in
-
-The files in this subdirectory are as follows:
+.PP
+The symbolic links in this subdirectory are as follows:
+.TP
+.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
+This file is a handle for the cgroup namespace of the process.
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
+.\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
+.\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
This file is a handle for the PID namespace of the process.
+This handle is permanent for the lifetime of the process
+(i.e., a process's PID namespace membership never changes).
+.TP
+.IR /proc/[pid]/ns/pid_for_children " (since Linux 4.12)"
+.\" commit eaa0d190bfe1ed891b814a52712dcd852554cb08
+This file is a handle for the PID namespace of
+child processes created by this process.
+This can change as a consequence of calls to
+.BR unshare (2)
+and
+.BR setns (2)
+(see
+.BR pid_namespaces (7)),
+so the file may differ from
+.IR /proc/[pid]/ns/pid .
+The symbolic link gains a value only after the first child process
+is created in the namespace.
+(Beforehand,
+.BR readlink (2)
+of the symbolic link will return an empty buffer.)
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
+.\" commit cde1975bc242f3e1072bde623ef378e547b73f91
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
-This file is a handle for the IPC namespace of the process.
+This file is a handle for the UTS namespace of the process.
+.PP
+Permission to dereference or read
+.RB ( readlink (2))
+these symbolic links is governed by a ptrace access mode
+.B PTRACE_MODE_READ_FSCREDS
+check; see
+.BR ptrace (2).
+.\"
+.\" ==================== The /proc/sys/user directory ====================
+.\"
+.SS The /proc/sys/user directory
+The files in the
+.I /proc/sys/user
+directory (which is present since Linux 4.9) expose limits
+on the number of namespaces of various types that can be created.
+The files are as follows:
+.TP
+.IR max_cgroup_namespaces
+The value in this file defines a per-user limit on the number of
+cgroup namespaces that may be created in the user namespace.
+.TP
+.IR max_ipc_namespaces
+The value in this file defines a per-user limit on the number of
+ipc namespaces that may be created in the user namespace.
+.TP
+.IR max_mnt_namespaces
+The value in this file defines a per-user limit on the number of
+mount namespaces that may be created in the user namespace.
+.TP
+.IR max_net_namespaces
+The value in this file defines a per-user limit on the number of
+network namespaces that may be created in the user namespace.
+.TP
+.IR max_pid_namespaces
+The value in this file defines a per-user limit on the number of
+pid namespaces that may be created in the user namespace.
+.TP
+.IR max_user_namespaces
+The value in this file defines a per-user limit on the number of
+user namespaces that may be created in the user namespace.
+.TP
+.IR max_uts_namespaces
+The value in this file defines a per-user limit on the number of
+uts namespaces that may be created in the user namespace.
+.PP
+Note the following details about these files:
+.IP * 3
+The values in these files are modifiable by privileged processes.
+.IP *
+The values exposed by these files are the limits for the user namespace
+in which the opening process resides.
+.IP *
+The limits are per-user.
+Each user in the same user namespace
+can create namespaces up to the defined limit.
+.IP *
+The limits apply to all users, including UID 0.
+.IP *
+These limits apply in addition to any other per-namespace
+limits (such as those for PID and user namespaces) that may be enforced.
+.IP *
+Upon encountering these limits,
+.BR clone (2)
+and
+.BR unshare (2)
+fail with the error
+.BR ENOSPC .
+.IP *
+For the initial user namespace,
+the default value in each of these files is half the limit on the number
+of threads that may be created
+.RI ( /proc/sys/kernel/threads-max ).
+In all descendant user namespaces, the default value in each file is
+.BR MAXINT .
+.IP *
+When a namespace is created, the object is also accounted
+against ancestor namespaces.
+More precisely:
+.RS
+.IP + 3
+Each user namespace has a creator UID.
+.IP +
+When a namespace is created,
+it is accounted against the creator UIDs in each of the
+ancestor user namespaces,
+and the kernel ensures that the corresponding namespace limit
+for the creator UID in the ancestor namespace is not exceeded.
+.IP +
+The aforementioned point ensures that creating a new user namespace
+cannot be used as a means to escape the limits in force
+in the current user namespace.
+.RE
+.\"
+.\" ==================== Cgroup namespaces ====================
+.\"
+.SS Cgroup namespaces (CLONE_NEWCGROUP)
+See
+.BR cgroup_namespaces (7).
.\"
.\" ==================== IPC namespaces ====================
.\"
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues (see
-.BR mq_overview (7).
+.BR mq_overview (7)).
The common characteristic of these IPC mechanisms is that IPC
-objects are identified by mechanisms other than file system
+objects are identified by mechanisms other than filesystem
pathnames.
-
+.PP
Each IPC namespace has its own set of System V IPC identifiers and
-its own POSIX message queue file system.
+its own POSIX message queue filesystem.
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.
-
+.PP
+The following
+.I /proc
+interfaces are distinct in each IPC namespace:
+.IP * 3
+The POSIX message queue interfaces in
+.IR /proc/sys/fs/mqueue .
+.IP *
+The System V IPC interfaces in
+.IR /proc/sys/kernel ,
+namely:
+.IR msgmax ,
+.IR msgmnb ,
+.IR msgmni ,
+.IR sem ,
+.IR shmall ,
+.IR shmmax ,
+.IR shmmni ,
+and
+.IR shm_rmid_forced .
+.IP *
+The System V IPC interfaces in
+.IR /proc/sysvipc .
+.PP
When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.
-
+.PP
Use of IPC namespaces requires a kernel that is configured with the
.B CONFIG_IPC_NS
option.
.\" ==================== Network namespaces ====================
.\"
.SS Network namespaces (CLONE_NEWNET)
-Network namespaces provide isolation of the system resources associated
-with networking: network devices, IP addresses, IP routing tables,
-.I /proc/net
-directory,
-.I /sys/class/net
-directory, port numbers, and so on.
-
-A network namespace provides an isolated view of the networking stack
-(network device interfaces, IPv4 and IPv6 protocol stacks,
-IP routing tables, firewall rules, the
-.I /proc/net
-and
-.I /sys/class/net
-directory trees, sockets, etc.).
-A physical network device can live in exactly one
-network namespace.
-A virtual network device ("veth") pair provides a pipe-like abstraction
-.\" FIXME Add pointer to veth(4) page when it is eventually completed
-that can be used to create tunnels between network namespaces,
-and can be used to create a bridge to a physical network device
-in another namespace.
-
-When a network namespace is freed
-(i.e., when the last process in the namespace terminates),
-its physical network devices are moved back to the
-initial network namespace (not to the parent of the process).
-
-Use of network namespaces requires a kernel that is configured with the
-.B CONFIG_NET_NS
-option.
+See
+.BR network_namespaces (7).
.\"
.\" ==================== Mount namespaces ====================
.\"
.SS Mount namespaces (CLONE_NEWNS)
-Mount namespaces isolate the set of file system mount points,
-meaning that processes in different mount namespaces can
-have different views of the file system hierarchy.
-The set of mounts in a mount namespace is modified using
-.BR mount (2)
-and
-.BR umount (2).
-
-The
-.IR /proc/[pid]/mounts
-file (present since Linux 2.4.19)
-lists all the file systems currently mounted in the
-process's mount namespace.
-The format of this file is documented in
-.BR fstab (5).
-Since kernel version 2.6.15, this file is pollable:
-after opening the file for reading, a change in this file
-(i.e., a file system mount or unmount) causes
-.BR select (2)
-to mark the file descriptor as readable, and
-.BR poll (2)
-and
-.BR epoll_wait (2)
-mark the file as having an error condition.
-
-The
-.IR /proc/[pid]/mountstats
-file (present since Linux 2.6.17)
-exports information (statistics, configuration information)
-about the mount points in the process's mount namespace.
-This file is only readable by the owner of the process.
-Lines in this file have the form:
-.RS
-.in 12
-.nf
-
-device /dev/sda7 mounted on /home with fstype ext3 [statistics]
-( 1 ) ( 2 ) (3 ) (4)
-.fi
-.in
-
-The fields in each line are:
-.TP 5
-(1)
-The name of the mounted device
-(or "nodevice" if there is no corresponding device).
-.TP
-(2)
-The mount point within the file system tree.
-.TP
-(3)
-The file system type.
-.TP
-(4)
-Optional statistics and configuration information.
-Currently (as at Linux 2.6.26), only NFS file systems export
-information via this field.
-.RE
+See
+.BR mount_namespaces (7).
.\"
.\" ==================== PID namespaces ====================
.\"
.SS PID namespaces (CLONE_NEWPID)
-PID namespaces isolate the process ID number space,
-meaning that processes in different PID namespaces can have the same PID.
-PID namespaces allow containers to migrate to a new host
-while the processes inside the container maintain the same PIDs.
-
-PIDs in a new PID namespace start at 1,
-somewhat like a standalone system, and calls to
-.BR fork (2),
-.BR vfork (2),
-or
-.BR clone (2)
-will produce processes with PIDs that are unique within the namespace.
-
-The first process created in a new namespace
-(i.e., the process created using
-.BR clone (2)
-with the
-.BR CLONE_NEWPID
-flag, or the first child created by a process after a call to
-.BR unshare (2)
-using the
-.BR CLONE_NEWPID
-flag) has the PID 1, and is the "init" process for the namespace (see
-.BR init (1)).
-Children that are orphaned within the namespace will be reparented
-to this process rather than
-.BR init (1).
-
-If the "init" process of a PID namespace terminates,
-the kernel terminates all of the processes in the namespace via a
-.BR SIGKILL
-signal.
-This behavior reflects the fact that the "init" process
-is essential for the correct operation of a PID namespace.
-In this case, a subsequent
-.BR fork (2)
-into this PID namespace (e.g., from a process that has done a
-.BR setns (2)
-into the namespace using an open file descriptor for a
-.I /proc/[pid]/ns/pid
-file corresponding to a process that was in the namespace)
-will fail with the error
-.BR ENOMEM ;
-it is not possible to create a new processes in a PID namespace whose "init"
-process has terminated.
-
-Only signals for which the "init" process has established a signal handler
-can be sent to the "init" process by other members of the PID namespace.
-This restriction applies even to privileged processes,
-and prevents other members of the PID namespace from
-accidentally killing the "init" process.
-
-Likewise, a process in an ancestor namespace
-can\(emsubject to the usual permission checks described in
-.BR kill (2)\(emsend
-signals to the "init" process of a child PID namespace only
-if the "init" process has established a handler for that signal.
-(Within the handler, the
-.I siginfo_t
-.I si_pid
-field described in
-.BR sigaction (2)
-will be zero.)
-.B SIGKILL
-or
-.B SIGSTOP
-are treated exceptionally:
-these signals are forcibly delivered when sent from an ancestor PID namespace.
-Neither of these signals can be caught by the "init" process,
-and so will result in the usual actions associated with those signals
-(respectively, terminating and stopping the process).
-
-PID namespaces can be nested.
-When a new PID namespace is created,
-the processes in that namespace are visible
-in the PID namespace of the process that created the new namespace;
-analogously, if the parent PID namespace is itself
-the child of another PID namespace,
-then processes in the child and parent PID namespaces will both be
-visible in the grandparent PID namespace.
-Conversely, the processes in the "child" PID namespace do not see
-the processes in the parent namespace.
-More succinctly: a process can see (e.g., send signals with
-.BR kill(2))
-only processes contained in its own PID namespace
-and the namespaces nested below that PID namespace.
-
-A process will have one PID for each of the layers of the hierarchy
-starting from the PID namespace in which it resides
-through to the root PID namespace.
-A call to
-.BR getpid (2)
-always returns the PID associated with the namespace in which
-the process resides.
-
-Some processes in a PID namespace may have parents
-that are outside of the namespace.
-For example, the parent of the initial process in the namespace
-(i.e.,
-the
-.BR init (1)
-process with PID 1) is necessarily in another namespace.
-Likewise, the direct children of a process that uses
-.BR setns (2)
-to cause its children to join a PID namespace are in a different
-PID namespace from the caller of
-.BR setns (2).
-Calls to
-.BR getppid (2)
-for such processes return 0.
-
-After creating a new PID namespace,
-it is useful for the child to change its root directory
-and mount a new procfs instance at
-.I /proc
-so that tools such as
-.BR ps (1)
-work correctly.
-.\" mount -t proc proc /proc
-(If
-.BR CLONE_NEWNS
-is also included in the
-.IR flags
-argument of
-.BR clone (2)
-or
-.BR unshare (2)),
-then it isn't necessary to change the root directory:
-a new procfs instance can be mounted directly over
-.IR /proc .)
-
-Calls to
-.BR setns (2)
-that specify a PID namespace file descriptor
-and calls to
-.BR unshare (2)
-with the
-.BR CLONE_NEWPID
-flag cause children subsequently created
-by the caller to be placed in a different PID namespace from the caller.
-These calls do not, however,
-change the PID namespace of the calling process,
-because doing so would change the caller's idea of its own PID
-(as reported by
-.BR getpid ()),
-which would break many applications and libraries.
-To put things another way:
-a process's PID namespace membership is determined when the process is created
-and cannot be changed thereafter.
-
-Every thread in a process must be in the same PID namespace.
-For this reason, the two following call sequences will fail:
-
-.in +4n
-.nf
- unshare(CLONE_NEWPID);
- clone(..., CLONE_VM, ...); /* Fails */
-
- setns(fd, CLONE_NEWPID);
- clone(..., CLONE_VM, ...); /* Fails */
-.fi
-.in
-
-Because the above
-.BR unshare (2)
-and
-.BR setns (2)
-calls only change the PID namespace for created children, the
-.BR clone (2)
-calls necessarily put the new thread in a different PID namespace from
-the calling thread.
-
-When a process ID is passed over a UNIX domain socket to a
-process in a different PID namespace (see the description of
-.B SCM_CREDENTIALS
-in
-.BR unix (7)),
-it is translated into the corresponding PID value in
-the receiving process's PID namespace.
-.\" FIXME Presumably, a similar thing happens with the UID and GID passed
-.\" via a UNIX domain socket. That needs to be confirmed and documented
-.\" under the "User namespaces" section.
-
-Use of PID namespaces requires a kernel that is configured with the
-.B CONFIG_PID_NS
-option.
+See
+.BR pid_namespaces (7).
.\"
.\" ==================== User namespaces ====================
.\"
.SS User namespaces (CLONE_NEWUSER)
-User namespaces isolate security-related identifiers, in particular,
-user IDs, group IDs, keys (see
-.BR keyctl (2)),
-and capabilities.
-A process's user and group IDs can be different
-inside and outside a user namespace.
-In particular,
-a process can have a normal unprivileged user ID outside a user namespace
-while at the same time having a user ID of 0 inside the namespace;
-in other words,
-the process has full privileges for operations inside the user namespace,
-but is unprivileged for operations outside the namespace.
-
-User namespaces can be nested;
-that is, each user namespace has a parent user namespace,
-and can have zero or more child user namespaces.
-The parent of a user namespace is the user namespace
-of the process that creates the user namespace via a call to
-.BR unshare (2)
-or
-.BR clone (2)
-with the
-.BR CLONE_NEWUSER
-flag.
-
-When a user namespace is created,
-it starts out without a mapping of user IDs (group IDs)
-to the parent user namespace.
-The desired mapping of user IDs (group IDs) to the parent user namespace
-may be set by writing into
-.IR /proc/[pid]/uid_map
-.RI ( /proc/[pid]/gid_map );
-see below.
-
-The first process in a user namespace starts out with a complete set
-of capabilities with respect to the new user namespace.
-
-System calls that return user IDs (group IDs) will return
-either the user ID (group ID) mapped into the current
-user namespace if there is a mapping, or the overflow user ID (group ID);
-the default value for the overflow user ID (group ID) is 65534.
-See the descriptions of
-.IR /proc/sys/kernel/overflowuid
-and
-.IR /proc/sys/kernel/overflowgid
-in
-.BR proc (5).
-
-Starting in Linux 3.8, unprivileged processes can create user namespaces,
-and mount, PID, IPC, network, and UTS namespaces can be created with just the
-.B CAP_SYS_ADMIN
-capability in the caller's user namespace.
-
-If
-.BR CLONE_NEWUSER
-is specified along with other
-.B CLONE_NEW*
-flags in a single
-.BR clone (2)
-or
-.BR unshare (2)
-call, the user namespace is guaranteed to be created first,
-giving the caller privileges over the remaining
-namespaces created by the call.
-Thus, it is possible for an unprivileged caller to specify this combination
-of flags.
-
-When a new IPC, mount, network, PID, or UTS namespace is created via
-.BR clone (2)
-or
-.BR unshare (2),
-the kernel records the user namespace of the creating process against
-the new namespace.
-When a process in the new namespace subsequently performs
-privileged operations that operate on global
-resources isolated by the namespace,
-the permission checks are performed according to the process's capabilities
-in the user namespace that the kernel associated with the new namespace.
-
-
-The following rules apply with respect to the capabilities granted
-to a process:
-.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
-.IP 1. 3
-If a process has a capability in a parent user namespace,
-then it has that capability in all child (and further removed descendant)
-namespaces as well.
-.IP 2.
-.\" * The owner of the user namespace in the parent of the
-.\" * user namespace has all caps.
-When a user namespace is created, the kernel records the effective
-user ID of the creating process as being the "owner" of the namespace,
-and likewise associates the effective group ID of the creating process
-with the namespace.
-A process whose effective user ID matches that of the
-owner of a user namespace and which is a member of the parent namespace
-(or a further removed namespace that is a direct ancestor)
-has all capabilities in the user namespace.
-.\" As a rough approximation, this means that
-.\" the user who creates a user namespace
-.\" has all capabilities inside that namespace and its descendants.
-.PP
-Use of user namespaces requires a kernel that is configured with the
-.B CONFIG_USER_NS
-option.
-
-Over the years, there have been a lot of features that have been added
-to the Linux kernel that are only available to privileged users
-because of their potential to confuse set-user-ID-root applications.
-In general, it becomes safe to allow the root user in a user namespace to
-use those features because it is impossible, while in a user namespace,
-to gain more privilege than the root user of a user namespace has.
-
-The
-.IR /proc/[pid]/uid_map
-and
-.IR /proc/[pid]/gid_map
-files (available since Linux 3.5)
-.\" commit 22d917d80e842829d0ca0a561967d728eb1d6303
-expose the mappings for user and group IDs
-inside the user namespace for the process
-.IR pid .
-The description here explains the details for
-.IR uid_map ;
-.IR gid_map
-is exactly the same,
-but each instance of "user ID" is replaced by "group ID".
-
-The
-.I uid_map
-file exposes the mapping of user IDs from the user namespace
-of the process
-.IR pid
-to the user namespace of the process that opened
-.IR uid_map
-(but see a qualification to this point below).
-In other words, processes that are in different user namespaces
-will potentially see different values when reading from a particular
-.I uid_map
-file, depending on the user ID mappings for the user namespaces
-of the reading processes.
-
-Each line in the
-.I uid_map
-file specifies a 1-to-1 mapping of a range of contiguous
-user IDs between two user namespaces.
-(When a user namespace is first created, this file is empty.)
-The specification in each line takes the form of
-three numbers delimited by white space.
-The first two numbers specify the starting user ID in
-each user namespace.
-The third number specifies the length of the mapped range.
-In detail, the fields are interpreted as follows:
-.IP (1) 4
-The start of the range of user IDs in
-the user namespace of the process
-.IR pid .
-.IP (2)
-The start of the range of user
-IDs to which the user IDs specified by field one map.
-How field two is interpreted depends on whether the process that opened
-.I uid_map
-and the process
-.IR pid
-are in the same user namespace, as follows:
-.RS
-.IP a) 3
-If the two processes are in different user namespaces:
-field two is the start of a range of
-user IDs in the user namespace of the process that opened
-.IR uid_map .
-.IP b)
-If the two processes are in the same user namespace:
-field two is the start of the range of
-user IDs in the parent user namespace of the process
-.IR pid .
-This case enables the opener of
-.I uid_map
-(the common case here is opening
-.IR /proc/self/uid_map )
-to see the mapping of user IDs into the user namespace of the process
-that created this user namespace.
-.RE
-.IP (3)
-The length of the range of user IDs that is mapped between the two
-user namespaces.
-.PP
-After the creation of a new user namespace, the
-.I uid_map
-file of
-.I one
-of the process in the namespace may be written to
-.I once
-to define the mapping of user IDs in the new user namespace.
-(An attempt to write more than once to a
-.I uid_map
-file in a user namespace fails with the error
-.BR EPERM .)
-
-The lines written to
-.IR uid_map
-must conform to the following rules:
-.IP * 3
-The three fields must be valid numbers,
-and the last field must be greater than 0.
-.IP *
-Lines are terminated by newline characters.
-.IP *
-There is an (arbitrary) limit on the number of lines in the file.
-As at Linux 3.8, the limit is five lines.
-In addition, the number of bytes written to
-the file must be less than the system page size,
-.\" FIXME(Eric): the restriction "less than" rather than "less than or equal"
-.\" seems strangely arbitrary. Furthermore, the comment does not agree
-.\" with the code in kernel/user_namespace.c. Which is correct.
-and the write must be performed at the start of the file (i.e.,
-.BR lseek (2)
-and
-.BR pwrite (2)
-can't be used to write to nonzero offsets in the file).
-.IP *
-The range of user IDs specified in each line cannot overlap with the ranges
-in any other lines.
-In the current implementation (Linux 3.8), this requirement is
-satisfied by a simplistic implementation that imposes the further
-requirement that
-the values in both field 1 and field 2 of successive lines must be
-in ascending numerical order.
-.IP *
-At least one line must be written to the file.
-.PP
-Writes that violate the above rules fail with the error
-.BR EINVAL .
-
-In order for a process to write to the
-.I /proc/[pid]/uid_map
-.RI ( /proc/[pid]/gid_map )
-file, all of the following requirements must be met:
-.IP 1. 3
-The writing process must have the
-.BR CAP_SETUID
-.RB ( CAP_SETGID )
-capability in the user namespace of the process
-.IR pid .
-.\" FIXME(Eric):
-.\" Something isn't quite right in the description here.
-.\" Suppose UID 1000 creates a user namespace. At this point, UID 0 in
-.\" the parent namespace can write a map of (say) '0 1000 10' to uid_map.
-.\" That succeeds. But how is that case covered in the three rules here?
-.\" In other words, how does UID 0 in the parent namespace have any
-.\" capabilities in the new child namespace? Somewhere on the page,
-.\" I think there needs to be a statement about the privileges of
-.\" UID 0 when no mapping has yet been defined, right?
-.\" Or is it simply the case that UID 0 in the parent namespace
-.\" always has all capabilities in the child namespace?
-.\"
-.IP 2.
-The writing process must be in either the user namespace of the process
-.I pid
-or inside the parent user namespace of the process
-.IR pid .
-.IP 3.
-One of the following is true:
-.RS
-.IP * 3
-The data written to
-.I uid_map
-.RI ( gid_map )
-consists of a single line that maps the writing process's file system user ID
-(group ID) in the parent user namespace to a user ID (group ID)
-in the user namespace.
-The usual case here is that this single line provides a mapping for user ID
-of the process that created the namespace.
-.IP * 3
-The process has the
-.BR CAP_SETUID
-.RB ( CAP_SETGID )
-capability in the parent user namespace.
-Thus, a privileged process can make mappings to arbitrary user IDs (group IDs)
-in the parent user namespace.
-.RE
-.PP
-Writes that violate the above rules fail with the error
-.BR EPERM .
-.PP
-In order to create a new user namespace,
-there must exist a mapping of the caller's effective
-user and group IDs into the parent namespace.
-If such a mapping does not exist, then
-.BR clone (2)
-and
-.BR unshare (2)
-fail with the error
-.BR EPERM .
-.PP
-When a process inside a user namespace executes
-a set-user-ID (set-group-ID) program,
-the process's effective user (group) ID inside the namespace is changed
-to whatever value is mapped for the user (group) ID of the file.
-However, if either the user
-.I or
-the group ID of the file has no mapping inside the namespace,
-the set-user-ID (set-group-ID) bit is silently ignored:
-the new program is executed,
-but the process's effective user (group) ID is left unchanged.
-(This mirrors the semantics of executing a set-user-ID or set-group-ID
-program that resides on a file system that was mounted with the
-.BR MS_NOSUID
-flag (see
-.BR mount (2).)
+See
+.BR user_namespaces (7).
.\"
.\" ==================== UTS namespaces ====================
.\"
.BR gethostname (2),
and
.BR getdomainname (2).
-
+.PP
Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
-.SH CONFORMING TO
-Namespaces are a Linux-specific feature.
+.\"
+.SS Namespace lifetime
+Absent any other factors,
+a namespace is automatically torn down when the last process in
+the namespace terminates or leaves the namespace.
+However, there are a number of other factors that may pin
+a namespace into existence even though it has no member processes.
+These factors include the following:
+.IP * 3
+An open file descriptor or a bind mount exists for the corresponding
+.IR /proc/[pid]/ns/*
+file.
+.IP *
+The namespace is hierarchical (i.e., a PID or user namespace),
+and has a child namespace.
+.IP *
+It is a user namespace that owns one or more nonuser namespaces.
+.IP *
+It is a PID namespace,
+and there is a process that refers to the namespace via a
+.IR /proc/[pid]/ns/pid_for_children
+symbolic link.
+.IP *
+It is an IPC namespace, and a corresponding mount of an
+.I mqueue
+filesystem (see
+.BR mq_overview (7))
+refers to this namespace.
+.IP *
+It is a PID namespace, and a corresponding mount of a
+.BR proc (5)
+filesystem refers to this namespace.
+.SH EXAMPLE
+See
+.BR clone (2)
+and
+.BR user_namespaces (7).
.SH SEE ALSO
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
+.BR ioctl_ns (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
-.BR credentials (7),
.BR capabilities (7),
+.BR cgroup_namespaces (7),
+.BR cgroups (7),
+.BR credentials (7),
+.BR network_namespaces (7),
+.BR pid_namespaces (7),
+.BR user_namespaces (7),
+.BR lsns (8),
+.BR pam_namespace (8),
.BR switch_root (8)
projects / thirdparty / man-pages.git / blobdiff