Linux – Mounting and Unmounting Inherited Mounts in New Namespace

linux-kernelmountnamespace

Experiment 1

From outside the namespace, cat /proc/self/mountinfo gives

291 34 0:37 / /tmp/IMJUSTTMP rw,relatime shared:152 - tmpfs tmpfs rw,size=102400k
34 23 0:32 / /tmp rw,nosuid,nodev shared:16 - tmpfs tmpfs rw

Then I run unshare -mU --map-root-user --propagation private /usr/bin/zsh to get a new shell inside a namespace, but inside the newly-created mount namespace, I can't umount /tmp/IMJUSTTMP, umount just tell me it's not mounted. While I can check the newly-created mount namespace by cat /proc/self/mountinfo, which gives private mount

290 263 0:32 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
302 290 0:37 / /tmp/IMJUSTTMP rw,relatime - tmpfs tmpfs rw,size=102400k

Then why do I get umount: /tmp/IMJUSTTMP: not mounted. when I try to umount /tmp/IMJUSTTMP inside the namespace?

I'm using 5.0.9-arch1-1-ARCH, with kernel.unprivileged_userns_clone = 1.

Experiment 2

After unshare -mU --map-root-user --propagation private /usr/bin/zsh, trying to create an overlayfs also fail.

mkdir -p /tmp/IMJUSTTMP/work
mkdir /tmp/IMJUSTTEST
mount -t tmpfs -o size=100m tmpfs /tmp/IMJUSTTMP
mount -t tmpfs -o size=200M tmpfs /tmp/IMJUSTTEST

Will all succeed as expected, While all the following would get permission denied inside the namespace.

mount -t overlay -o "lowerdir=/home/xtricman,upperdir=/tmp/IMJUSTTMP/,workdir=/tmp/IMJUSTTMP/work" overlay /home/xtricman
mount -t overlay -o "lowerdir=/tmp/IMJUSTTEST,upperdir=/tmp/IMJUSTTMP,workdir=/tmp/IMJUSTTMP/work" overlay /mnt

Rough Guess of mine

I found these two questions, Inside a user namespace, why am I not allowed to remount a filesystem I have mounted? and Why can't I bind-mount "/" inside a user namespace? It seems that since I inherit the /tmp/IMJUSTTMP and /tmp mount, so I can't umount them even if I got full capabilities in the owning user namespace of the newly-created mount namespace.

Question

Can anyone explain what exactly what's going on of the two experiments? Is there any document mentioning detailed kernel behavior of mounting and umounting inside a mount namespace? What is the "superblock owner" as mentioned in this kernel commit and Why can't I bind-mount "/" inside a user namespace? ?

Best Answer

Yes :-). There are three distinct points here.

Experiment 1: Why do I get `umount: /tmp/IMJUSTTMP: not mounted` when I try to `umount /tmp/IMJUSTTMP` inside the namespace?

http://man7.org/linux/man-pages/man7/mount_namespaces.7.html

Restrictions on mount namespaces

Note the following points with respect to mount namespaces:

A mount namespace has an owner user namespace. A mount names‐ pace whose owner user namespace is different from the owner user namespace of its parent mount namespace is considered a less privileged mount namespace.

When creating a less privileged mount namespace, shared mounts are reduced to slave mounts. (Shared and slave mounts are discussed below.) This ensures that mappings performed in less privileged mount namespaces will not propagate to more privileged mount namespaces.

Mounts that come as a single unit from more privileged mount are locked together and may not be separated in a less privi‐ leged mount namespace. (The unshare(2) CLONE_NEWNS operation brings across all of the mounts from the original mount names‐ pace as a single unit, and recursive mounts that propagate between mount namespaces propagate as a single unit.)

The mount(2) flags MS_RDONLY, MS_NOSUID, MS_NOEXEC, and the "atime" flags (MS_NOATIME, MS_NODIRATIME, MS_RELATIME) set‐ tings become locked when propagated from a more privileged to a less privileged mount namespace, and may not be changed in the less privileged mount namespace.

Experiment 2: Trying to create an overlayfs also fails

Attempts to make the mount operation safe for ordinary users are nothing new; LWN covered one patch set back in 2008. That work was never merged, but the effort to allow unprivileged mounts picked up in 2015, when Eric Biederman (along with others, Seth Forshee in particular) got serious about allowing user namespaces to perform filesystem mounts. The initial work was merged in 2016 for the 4.8 kernel, but it was known to not be a complete solution to the problem, so most filesystems can still only be mounted by users who are privileged in the initial namespace.

Unprivileged filesystem mounts, 2018 edition, LWN.net

The 2008 LWN article says filesystems that have been verified as "safe for use within user namespaces" are flagged as FS_USERNS_MOUNT. So we can easily search to find which filesystems are allowed.

What is the "superblock owner" as mentioned in this kernel commit and the question "Why can't I bind-mount "/" inside a user namespace?" ?

The source code in the kernel commit you link to, says that each superblock is considered owned by a specific user namespace. The owner is the user namespace which originally created the superblock.

Related Solutions

Debian – Why does child with mount namespace affect parent mounts

When a child process is created with clone with the CLONE_NEWNS flag, the child process gets its own mount namespace. Mounting operations (mount, umount, mount --bind, etc.) in the child namespace only have an effect inside that namespace, and mount operations in the parent namespace only have an effect outside the new namespace.

Except, that is, for shared mounts. A mount can be shared, in which case operations affect all the namespaces that the mount is shared in. A typical use case for shared mounts is to make removable drives available in child namespaces such as chroots. There are more types of relationships (private mounts, unbindable mounts); for more details, see the kernel documentation.

You can check whether a mount is shared by checking /proc/PID/mountinfo: if the line contains shared:NUMBER then the mount is shared, and the number is a unique value identifying the set of namespaces that it's shared between. If the line contains no such indication, the mount is private.

On your system, /proc is shared. When you mount a new instance of proc in the child namespace, since you're mounting over the parent's /proc, that new instance is also shared, so it's visible in both the child namespace and the parent namespace. When you exit the child namespace, the second instance of /proc remains mounted, since it's shared with the still-active parent namespace.

Two things complicate your scenario: you're also creating a PID namespace, and you're using /proc both as the subject of the experiment and as a means of observation. When ps complains about /proc not being mounted, it's actually displaying a misleading error message — the wrong proc is mounted (a proc for the wrong namespace). You can observe this with ls /proc and cat /proc/1/mountinfo. I recommend doing the experiments with a scratch filesystem, it would be easier to understand what was going on.

parent# ./a.out
child# echo $$
2
child# ls /proc
This is the parent's proc, with /proc/PID in the parent PID namespace
child# ps 1
… init
child# mount -t proc proc /proc
Now /proc in the child mount namespace is for the child PID namespace
child# ps 1
… a.out
child# exit
parent#

So far it didn't matter whether /proc was private or shared, but now it does. If /proc is private, then at this point we're observing the parent's /proc, which was never affected and shows the PID namespace. But if /proc is shared, then the mount command we issued earlier affected both namespaces, thus:

parent# ls /proc
acpi asound buddyinfo …
parent# ps 1
Error, do this: mount -t proc proc /proc
Actually, /proc is mounted, but it's the proc for the PID namespace that we created earlier and now has zero running processes.
parent# grep -c ' /proc ' /proc/mounts
2
parent# umount /proc
We've unmounted the child PID namespace's /proc that was shadowing the parent namespace's /proc, so the “normal” /proc is visible again.
parent# ps 1
… init

Mounting a file system image inside an unshared namespace

In order to run unshare, you have to have root capabilities to create a separate mount space.

I tried this that seems to do what you want (I think):

Ishtar:> mkdir -p /tmp/unshare/home
Ishtar:> cd /tmp/unshare
Ishtar:/tmp/unshare> sudo unshare -m /bin/bash
Ishtar:/tmp/unshare# mount --rbind /home/packages /tmp/unshare/home
Ishtar:/tmp/unshare# tty
/dev/pts/4
Ishtar:/tmp/unshare# # ls home
BUILD@      RPMS@     build/           linux@    sources/           tmp/
BUILDROOT@  SOURCES@  buildroot/       logs/     specs/
OSbuild/    SPECS@    config-scripts/  perlsrc/  srpms/
OTHER/      SRPMS@    debug@           rpms/     sysvinit-288.spec

So the above process has '/home/packages mounted @ /tmp/unshare/home.

In another tty-window, with any user, I can try to see: what is in /tmp/unshare/home:

Ishtar:/> tty
/dev/pts/5
Ishtar:/> ll /tmp/unshare/home
total 0
Ishtar:/> cd tmp/unshare
Ishtar:/tmp/unshare> sudo
Ishtar:/tmp/unshare# ls home
Ishtar:/tmp/unshare# ll home
total 0
# create file in original "bound" dir from 1st usr above:
Ishtar:/tmp/unshare# touch /home/packages/PACKAGES.DIR 
Ishtar:/tmp/unshare# ll home  #home still empty
total 0
Ishtar:/> tty
/dev/pts/5
# now on other user again
Ishtar:/tmp/unshare# tty
/dev/pts/4
Ishtar:/tmp/unshare# ls home
BUILD@        RPMS@     buildroot/       perlsrc/  sysvinit-288.spec
BUILDROOT@    SOURCES@  config-scripts/  rpms/     tmp/
OSbuild/      SPECS@    debug@           sources/
OTHER/        SRPMS@    linux@           specs/
PACKAGES.DIR  build/    logs/            srpms/
#^^^ see PACKAGES.DIR appear (as created in original dir by another
# user

Once you have your "private dir mounted for user in "pts/4" you can change to the UID you want to run under for the program:

Ishtar:/tmp/unshare# su astara
Ishtar:/tmp/unshare> whoami
astara
Ishtar:/tmp/unshare> ls home/PACK*
home/PACKAGES.DIR

Note mount is still there for the unpriv'd user.

To be save, I'd put the 'su to other user' in a script file followed by a 'unmount /tmp/unshare/home', (since when su OTHERUSER exits, it will become root again, and unmount the file in the private space,). Then you can exit.

Does this come close to what you want? -- You have to use 'root' to setup your child env, but then run the child -- and only it has access to the mount created in the new mount namespace.

(update) BTW -- just noticed unshare has a --map-root-user that to specifically allow using either root or caps to setup options in the new namespace. The manpage says (about this switch):

....This makes it possible to  conveniently
gain  capabilities needed to manage various aspects of the newly
created namespaces (such as configuring interfaces in  the  net-
work  namespace  or mounting filesystems in the mount namespace)
even when run unprivileged.

This could allow you to manage your loop dev w/o being root (or so says the manpage). Likely CAP_SYS_ADMIN is the cap needed for doing this.