The following trivial program should really work:
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <errno.h>
int main()
{
if (unshare(CLONE_FILES) == 0)
printf("unshare(CLONE_FILES) worked\n");
else
printf("unshare(CLONE_FILES) failed with errno %d\n", errno);
return 0;
}I'm hitting this while running a software package that otherwise works fine.
I assume that somewhere in the stack, someone wanted to prevent containers from creating Linux namespaces. There is indeed quite a bit of attack surface against the Linux kernel exposed by allowing programs to create namespaces. But unshare(CLONE_FILES) does not create a namespace, and the Linux kernel does not require any permissions at all to unshare the file table. (And preventing clone from unsharing the file table would surely break almost every piece of software in existence!) Similarly, I think that unshare(CLONE_FS) should also be allowed.
If the maintainers agree, I'd be happy to submit a patch.
The following trivial program should really work:
I'm hitting this while running a software package that otherwise works fine.
I assume that somewhere in the stack, someone wanted to prevent containers from creating Linux namespaces. There is indeed quite a bit of attack surface against the Linux kernel exposed by allowing programs to create namespaces. But
unshare(CLONE_FILES)does not create a namespace, and the Linux kernel does not require any permissions at all to unshare the file table. (And preventing clone from unsharing the file table would surely break almost every piece of software in existence!) Similarly, I think thatunshare(CLONE_FS)should also be allowed.If the maintainers agree, I'd be happy to submit a patch.