namespaces.7: Userns creation associates eff. GID of creator with the userns

[thirdparty/man-pages.git] / man7 / namespaces.7

.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\"
.\"
.TH NAMESPACES 7 2013-01-14 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they
have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.

This page describes the various namespaces and the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
.\"
.\" ==================== The namespaces API ====================
.\"
.SS The namespaces API
As well as various
.I /proc
files described below,
the namespaces API includes the following system calls:
.TP
.BR clone (2)
The
.BR clone (2)
system call creates a new process.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the child process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR setns (2)
The
.BR setns (2)
system call allows the calling process to join an existing namespace.
The namespace to join is specified via a file descriptor that refers to
one of the
.IR /proc/[pid]/ns
files described below.
.TP
.BR unshare (2)
The
.BR unshare (2)
system call moves the calling process to a new namespace.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.PP
Creation of new namespaces using
.BR clone (2)
and
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
capability.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
Each process has a 
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):

.in +4n
.nf
$ \fBls -l /proc/$$/ns\fP
total 0
lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 ipc -> ipc:[4026531839]
lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 net -> net:[4026531956]
lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 pid -> pid:[4026531836]
lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 user -> user:[4026531837]
lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 uts -> uts:[4026531838]
.fi
.in

Bind mounting (see
.BR mount (2))
one of the files in this directory
to somewhere else in the file system keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.

Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file handle for
the corresponding namespace of the process specified by
.IR pid .
As long as this file descriptor remains open,
the namespace will remain alive,
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).

In Linux 3.7 and earlier, these files were visible as hard links.
Since Linux 3.8, they appear as symbolic links.
If two processes are in the same namespace, then the inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
.I stat.st_ino
field returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:

.in +4n
.nf
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
.fi
.in

The files in this subdirectory are as follows:
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
This file is a handle for the PID namespace of the process.
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.\"
.\" ==================== IPC namespaces ====================
.\"
.SS IPC namespaces (CLONE_NEWIPC)
IPC namespaces isolate certain IPC resources,
namely, System V IPC objects (see
.BR svipc (7))
and (since Linux 2.6.30)
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues (see
.BR mq_overview (7).
The common characteristic of these IPC mechanisms is that IPC
objects are identified by mechanisms other than file system
pathnames.

Each IPC namespace has its own set of System V IPC identifiers and
its own POSIX message queue file system.
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.

When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.

Use of IPC namespaces requires a kernel that is configured with the
.B CONFIG_IPC_NS
option.
.\"
.\" ==================== Network namespaces ====================
.\"
.SS Network namespaces (CLONE_NEWNET)
Network namespaces provide isolation of the system resources associated
with networking: network devices, IP addresses, IP routing tables,
.I /proc/net
directory,
.I /sys/class/net 
directory, port numbers, and so on.

A network namespace provides an isolated view of the networking stack
(network device interfaces, IPv4 and IPv6 protocol stacks,
IP routing tables, firewall rules, the
.I /proc/net
and
.I /sys/class/net
directory trees, sockets, etc.).
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
.\" FIXME Add pointer to veth(4) page when it is eventually completed
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.

When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).

Use of network namespaces requires a kernel that is configured with the
.B CONFIG_NET_NS
option.
.\"
.\" ==================== Mount namespaces ====================
.\"
.SS Mount namespaces (CLONE_NEWNS)
Mount namespaces isolate the set of file system mount points,
meaning that processes in different mount namespaces can
have different views of the file system hierarchy.
The set of mounts in a mount namespace is modified using
.BR mount (2)
and
.BR umount (2).

The
.IR /proc/[pid]/mounts
file (present since Linux 2.4.19)
lists all the file systems currently mounted in the
process's mount namespace.
The format of this file is documented in
.BR fstab (5).
Since kernel version 2.6.15, this file is pollable:
after opening the file for reading, a change in this file
(i.e., a file system mount or unmount) causes
.BR select (2)
to mark the file descriptor as readable, and
.BR poll (2)
and
.BR epoll_wait (2)
mark the file as having an error condition.

The
.IR /proc/[pid]/mountstats
file (present since Linux 2.6.17)
exports information (statistics, configuration information)
about the mount points in the process's mount namespace.
This file is only readable by the owner of the process.
Lines in this file have the form:
.RS
.in 12
.nf

device /dev/sda7 mounted on /home with fstype ext3 [statistics]
(       1      )            ( 2 )             (3 ) (4)
.fi
.in

The fields in each line are:
.TP 5
(1)
The name of the mounted device
(or "nodevice" if there is no corresponding device).
.TP
(2)
The mount point within the file system tree.
.TP
(3)
The file system type.
.TP
(4)
Optional statistics and configuration information.
Currently (as at Linux 2.6.26), only NFS file systems export
information via this field.
.RE
.\"
.\" ==================== PID namespaces ====================
.\"
.SS PID namespaces (CLONE_NEWPID)
PID namespaces isolate the process ID number space,
meaning that processes in different PID namespaces can have the same PID.
PID namespaces allow containers to migrate to a new host
while the processes inside the container maintain the same PIDs.

PIDs in a new PID namespace start at 1,
somewhat like a standalone system, and calls to
.BR fork (2),
.BR vfork (2),
or
.BR clone (2)
will produce processes with PIDs that are unique within the namespace.

The first process created in a new namespace
(i.e., the process created using
.BR clone (2)
with the
.BR CLONE_NEWPID
flag, or the first child created by a process after a call to
.BR unshare (2)
using the
.BR CLONE_NEWPID
flag) has the PID 1, and is the "init" process for the namespace (see
.BR init (1)).
Children that are orphaned within the namespace will be reparented
to this process rather than
.BR init (1).

If the "init" process of a PID namespace terminates,
the kernel terminates all of the processes in the namespace via a
.BR SIGKILL
signal.
This behavior reflects the fact that the "init" process
is essential for the correct operation of a PID namespace.
In this case, a subsequent 
.BR fork (2)
into this PID namespace (e.g., from a process that has done a
.BR setns (2)
into the namespace using an open file descriptor for a 
.I /proc/[pid]/ns/pid
file corresponding to a process that was in the namespace)
will fail with the error
.BR ENOMEM ;
it is not possible to create a new processes in a PID namespace whose "init"
process has terminated.

Only signals for which the "init" process has established a signal handler
can be sent to the "init" process by other members of the PID namespace.
This restriction applies even to privileged processes,
and prevents other members of the PID namespace from
accidentally killing the "init" process.

Likewise, a process in an ancestor namespace
can\(emsubject to the usual permission checks described in
.BR kill (2)\(emsend
signals to the "init" process of a child PID namespace only 
if the "init" process has established a handler for that signal.
(Within the handler, the
.I siginfo_t
.I si_pid
field described in
.BR sigaction (2)
will be zero.)
.B SIGKILL
or
.B SIGSTOP
are treated exceptionally:
these signals are forcibly delivered when sent from an ancestor PID namespace.
Neither of these signals can be caught by the "init" process,
and so will result in the usual actions associated with those signals
(respectively, terminating and stopping the process).

PID namespaces can be nested.
When a new PID namespace is created,
the processes in that namespace are visible
in the PID namespace of the process that created the new namespace;
analogously, if the parent PID namespace is itself
the child of another PID namespace,
then processes in the child and parent PID namespaces will both be
visible in the grandparent PID namespace.
Conversely, the processes in the "child" PID namespace do not see
the processes in the parent namespace.
More succinctly: a process can see (e.g., send signals with
.BR kill(2))
only processes contained in its own PID namespace
and the namespaces nested below that PID namespace.

A process will have one PID for each of the layers of the hierarchy
starting from the PID namespace in which it resides
through to the root PID namespace.
A call to
.BR getpid (2)
always returns the PID associated with the namespace in which
the process resides.

Some processes in a PID namespace may have parents
that are outside of the namespace.
For example, the parent of the initial process in the namespace
(i.e.,
the
.BR init (1)
process with PID 1) is necessarily in another namespace.
Likewise, the direct children of a process that uses
.BR setns (2)
to cause its children to join a PID namespace are in a different
PID namespace from the caller of
.BR setns (2).
Calls to
.BR getppid (2)
for such processes return 0.

After creating a new PID namespace,
it is useful for the child to change its root directory
and mount a new procfs instance at
.I /proc
so that tools such as
.BR ps (1)
work correctly.
.\" mount -t proc proc /proc
(If
.BR CLONE_NEWNS
is also included in the
.IR flags 
argument of
.BR clone (2)
or
.BR unshare (2)),
then it isn't necessary to change the root directory:
a new procfs instance can be mounted directly over
.IR /proc .)

Calls to
.BR setns (2)
that specify a PID namespace file descriptor
and calls to
.BR unshare (2)
with the
.BR CLONE_NEWPID
flag cause children subsequently created
by the caller to be placed in a different PID namespace from the caller.
These calls do not, however,
change the PID namespace of the calling process,
because doing so would change the caller's idea of its own PID
(as reported by
.BR getpid ()),
which would break many applications and libraries.
To put things another way:
a process's PID namespace membership is determined when the process is created
and cannot be changed thereafter.

Every thread in a process must be in the same PID namespace.
For this reason, the two following call sequences will fail:

.in +4n
.nf
    unshare(CLONE_NEWPID);
    clone(..., CLONE_VM, ...);    /* Fails */

    setns(fd, CLONE_NEWPID);
    clone(..., CLONE_VM, ...);    /* Fails */
.fi
.in

Because the above
.BR unshare (2)
and
.BR setns (2)
calls only change the PID namespace for created children, the 
.BR clone (2)
calls necessarily put the new thread in a different PID namespace from
the calling thread.

When a process ID is passed over a UNIX domain socket to a 
process in a different PID namespace (see the description of
.B SCM_CREDENTIALS
in
.BR unix (7)),
it is translated into the corresponding PID value in
the receiving process's PID namespace.
.\" FIXME Presumably, a similar thing happens with the UID and GID passed 
.\" via a UNIX domain socket. That needs to be confirmed and documented
.\" under the "User namespaces" section.

Use of PID namespaces requires a kernel that is configured with the
.B CONFIG_PID_NS
option.
.\"
.\" ==================== User namespaces ====================
.\"
.SS User namespaces (CLONE_NEWUSER)
User namespaces isolate security-related identifiers, in particular,
user IDs, group IDs, keys (see
.BR keyctl (2)),
and capabilities.
A process's user and group IDs can be different
inside and outside a user namespace.
In particular,
a process can have a normal unprivileged user ID outside a user namespace
while at the same time having a user ID of 0 inside the namespace;
in other words,
the process has full privileges for operations inside the user namespace,
but is unprivileged for operations outside the namespace.

User namespaces can be nested;
that is, each user namespace has a parent user namespace,
and can have zero or more child user namespaces.
The parent of a user namespace is the user namespace
of the process that creates the user namespace via a call to
.BR unshare (2)
or
.BR clone (2)
with the 
.BR CLONE_NEWUSER
flag.

When a user namespace is created,
it starts out without a mapping of user IDs (group IDs)
to the parent user namespace.
The desired mapping of user IDs (group IDs) to the parent user namespace
may be set by writing into  
.IR /proc/[pid]/uid_map
.RI ( /proc/[pid]/gid_map );
see below.

The first process in a user namespace starts out with a complete set
of capabilities with respect to the new user namespace.  

System calls that return user IDs (group IDs) will return
either the user ID (group ID) mapped into the current
user namespace if there is a mapping, or the overflow user ID (group ID);
the default value for the overflow user ID (group ID) is 65534.
See the descriptions of
.IR /proc/sys/kernel/overflowuid
and
.IR /proc/sys/kernel/overflowgid
in
.BR proc (5).

Starting in Linux 3.8, unprivileged processes can create user namespaces,
and mount, PID, IPC, network, and UTS namespaces can be created with just the
.B CAP_SYS_ADMIN
capability in the caller's user namespace.

If
.BR CLONE_NEWUSER
is specified along with other
.B CLONE_NEW*
flags in a single
.BR clone (2)
or
.BR unshare (2)
call, the user namespace is guaranteed to be created first,
giving the caller privileges over the remaining
namespaces created by the call.
Thus, it is possible for an unprivileged caller to specify this combination
of flags.

The following rules apply with respect to the capabilities granted
to a process:
.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
.IP 1. 3
If a process has a capability in a parent user namespace,
then it has that capability in all child (and further removed descendant)
namespaces as well.
.IP 2.
.\" * The owner of the user namespace in the parent of the
.\" * user namespace has all caps.
When a user namespace is created, the kernel records the effective
user ID of the creating process as being the "owner" of the namespace,
and likewise associates the effective group ID of the creating process
with the namespace.
A process whose effective user ID matches that of the 
owner of a user namespace and which is a member of the parent namespace
(or a further removed namespace that is a direct ancestor)
has all capabilities in the user namespace.
.\" As a rough approximation, this means that
.\" the user who creates a user namespace 
.\" has all capabilities inside that namespace and its descendants.
.PP
Use of user namespaces requires a kernel that is configured with the
.B CONFIG_USER_NS
option.

Over the years, there have been a lot of features that have been added
to the Linux kernel that are only available to privileged users
because of their potential to confuse set-user-ID-root applications.
In general, it becomes safe to allow the root user in a user namespace to
use those features because it is impossible, while in a user namespace,
to gain more privilege than the root user of a user namespace has.

The
.IR /proc/[pid]/uid_map
and
.IR /proc/[pid]/gid_map
files (available since Linux 3.5)
.\" commit 22d917d80e842829d0ca0a561967d728eb1d6303
expose the mappings for user and group IDs
inside the user namespace for the process
.IR pid .
The description here explains the details for
.IR uid_map ;
.IR gid_map
is exactly the same,
but each instance of "user ID" is replaced by "group ID".

The
.I uid_map
file exposes the mapping of user IDs from the user namespace
of the process
.IR pid
to the user namespace of the process that opened
.IR uid_map
(but see a qualification to this point below).
In other words, processes that are in different user namespaces
will potentially see different values when reading from a particular
.I uid_map
file, depending on the user ID mappings for the user namespaces
of the reading processes.

Each line in the
.I uid_map
file specifies a 1-to-1 mapping of a range of contiguous
user IDs between two user namespaces.
(When a user namespace is first created, this file is empty.)
The specification in each line takes the form of
three numbers delimited by white space.
The first two numbers specify the starting user ID in 
each user namespace.
The third number specifies the length of the mapped range.
In detail, the fields are interpreted as follows:
.IP (1) 4
The start of the range of user IDs in
the user namespace of the process
.IR pid .
.IP (2)
The start of the range of user
IDs to which the user IDs specified by field one map.
How field two is interpreted depends on whether the process that opened
.I uid_map
and the process
.IR pid
are in the same user namespace, as follows:
.RS
.IP a) 3
If the two processes are in different user namespaces:
field two is the start of a range of
user IDs in the user namespace of the process that opened
.IR uid_map .
.IP b)
If the two processes are in the same user namespace:
field two is the start of the range of
user IDs in the parent user namespace of the process
.IR pid .
This case enables the opener of
.I uid_map
(the common case here is opening
.IR /proc/self/uid_map )
to see the mapping of user IDs into the user namespace of the process
that created this user namespace.
.RE
.IP (3)
The length of the range of user IDs that is mapped between the two
user namespaces.
.PP
After the creation of a new user namespace, the
.I uid_map
file of
.I one
of the process in the namespace may be written to 
.I once
to define the mapping of user IDs in the new user namespace.
(An attempt to write more than once to a
.I uid_map
file in a user namespace fails with the error
.BR EPERM .)

The lines written to
.IR uid_map
must conform to the following rules:
.IP * 3
The three fields must be valid numbers,
and the last field must be greater than 0.
.IP *
Lines are terminated by newline characters.
.IP *
There is an (arbitrary) limit on the number of lines in the file.
As at Linux 3.8, the limit is five lines.
In addition, the number of bytes written to
the file must be less than the system page size,
.\" FIXME(Eric): the restriction "less than" rather than "less than or equal"
.\" seems strangely arbitrary. Furthermore, the comment does not agree
.\" with the code in kernel/user_namespace.c. Which is correct.
and the write must be performed at the start of the file (i.e.,
.BR lseek (2)
and
.BR pwrite (2)
can't be used to write to nonzero offsets in the file).
.IP *
The range of user IDs specified in each line cannot overlap with the ranges
in any other lines.
In the current implementation (Linux 3.8), this requirement is 
satisfied by a simplistic implementation that imposes the further
requirement that
the values in both field 1 and field 2 of successive lines must be
in ascending numerical order.
.IP *
At least one line must be written to the file.
.PP
Writes that violate the above rules fail with the error
.BR EINVAL .

In order for a process to write to the
.I /proc/[pid]/uid_map
.RI ( /proc/[pid]/gid_map )
file, all of the following requirements must be met:
.IP 1. 3
The writing process must have the
.BR CAP_SETUID
.RB ( CAP_SETGID )
capability in the user namespace of the process
.IR pid .
.\" FIXME(Eric): 
.\" Something isn't quite right in the description here.
.\" Suppose UID 1000 creates a user namespace. At this point, UID 0 in
.\" the parent namespace can write a map of (say) '0 1000 10' to uid_map.
.\" That succeeds. But how is that case covered in the three rules here?
.\" In other words, how does UID 0 in the parent namespace have any
.\" capabilities in the new child namespace? Somewhere on the page,
.\" I think there needs to be a statement about the privileges of
.\" UID 0 when no mapping has yet been defined, right?
.\" Or is it simply the case that UID 0 in the parent namespace
.\" always has all capabilities in the child namespace?
.\"
.IP 2.
The writing process must be in either the user namespace of the process
.I pid
or inside the parent user namespace of the process
.IR pid .
.IP 3.
One of the following is true:
.RS
.IP * 3
The data written to
.I uid_map
.RI ( gid_map )
consists of a single line that maps the writing process's file system user ID
(group ID) in the parent user namespace to a user ID (group ID)
in the user namespace.
The usual case here is that this single line provides a mapping for user ID
of the process that created the namespace.
.IP * 3
The process has the
.BR CAP_SETUID
.RB ( CAP_SETGID )
capability in the parent user namespace.
Thus, a privileged process can make mappings to arbitrary user IDs (group IDs)
in the parent user namespace.
.RE
.PP
Writes that violate the above rules fail with the error
.BR EPERM .
.PP
When a process inside a user namespace executes
a set-user-ID (set-group-ID) program,
the process's effective user (group) ID inside the namespace is changed
to whatever value is mapped for the user (group) ID of the file.
However, if either the user
.I or
the group ID of the file has no mapping inside the namespace,
the set-user-ID (set-group-ID) bit is silently ignored:
the new program is executed,
but the process's effective user (group) ID is left unchanged.
(This mirrors the semantics of executing a set-user-ID or set-group-ID
program that resides on a file system that was mounted with the
.BR MS_NOSUID
flag (see 
.BR mount (2).)
.\"
.\" ==================== UTS namespaces ====================
.\"
.SS UTS namespaces (CLONE_NEWUTS)
UTS namespaces provide isolation of two system identifiers:
the hostname and the NIS domain name.
These identifiers are set using
.BR sethostname (2)
and
.BR setdomainname (2),
and can be retrieved using
.BR uname (2),
.BR gethostname (2),
and
.BR getdomainname (2).

Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
.SH CONFORMING TO
Namespaces are a Linux-specific feature.
.SH SEE ALSO
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR credentials (7),
.BR capabilities (7),
.BR switch_root (8)