
If I called unshare ./fooprogram, is there a way to cancel that unshare while fooprogram is running?

  • I'm not sure what you're trying to achieve or understand about this but you should probably read the whole man page 2-3 more times if you really need to use this. That said, the short answer is a very obvious no. Commented Jan 5, 2017 at 15:48

1 Answer


If there would be a way, that would be a kernel vulnerability.

At the time of writing of this comment, the latest kernel (5.7.2) has documentation on that matter:

unshare() system call adds a primitive to the Linux thread model that allows threads to selectively 'unshare' any resources that were being shared at the time of their creation.

[…]

unshare() augments the usefulness of Linux threads for applications that would like to control shared resources without creating a new process. unshare() is a natural addition to the set of available primitives on Linux that implement the concept of process/thread as a virtual machine.

And later continues:

unshare() can be used to implement polyinstantiated directories using the kernel's per-process namespace mechanism. Polyinstantiated directories, such as per-user and/or per-security context instance of /tmp, /var/tmp or per-security context instance of a user's home directory, isolate user processes when working with these directories. Using unshare(), a PAM module can easily setup a private namespace for a user at login.

The documentation does not explicitly say "unshare() can not be reverted", but it does mention that one legitimate use of unshare() is for security purposes.

One could assume that being able to reverse it would defeat that purpose.

  • Actually it is possible, see setns(2) and its tool counterpart nsenter(1) Commented Jun 15, 2020 at 21:54
  • @LL3 if you use nsenter after unshare -U you will get a permission denied, because you don't own the namespace. Commented Jun 16, 2020 at 22:13
  • Certainly, and also some other combinations (eg. pid namespaces or even a few involving mount namespaces) do not allow "escaping the jail", but there are many other combinations that do allow it, while your answer (as far as I get it) seems to suggest that it's never possible. Commented Jun 17, 2020 at 11:12
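The point raised in the comments above (that setns(2) back into the user namespace you left with unshare -U is refused) can be checked with a small added example. This is my own test program, not code from the question or the answer; it assumes a Linux host with /proc mounted. It forks, records the original user namespace, calls unshare(CLONE_NEWUSER), then attempts setns() back into the recorded namespace and reports the outcome.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case this file is compiled without _GNU_SOURCE in effect. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags); int setns(int fd, int nstype);

/* Outcome of the experiment, reported by the child through its exit status. */
enum outcome {
    ESCAPE_DENIED = 0,       /* setns() back into the original user ns failed with EPERM */
    UNSHARE_UNAVAILABLE = 1, /* kernel or sandbox refused to create a user namespace */
    PROC_UNAVAILABLE = 2,    /* /proc/self/ns/user could not be opened */
    ESCAPE_SUCCEEDED = 3,    /* would contradict the answer: we rejoined the parent ns */
    OTHER_ERROR = 4
};

/* Child: remember the original user namespace, unshare, then try to return to it. */
static int try_to_revert_unshare(void)
{
    int orig = open("/proc/self/ns/user", O_RDONLY | O_CLOEXEC);
    if (orig < 0)
        return PROC_UNAVAILABLE;
    if (unshare(CLONE_NEWUSER) != 0)
        return UNSHARE_UNAVAILABLE;
    /* We now hold capabilities only inside the new child namespace; rejoining
       an ancestor requires CAP_SYS_ADMIN in that ancestor, which we lack. */
    if (setns(orig, CLONE_NEWUSER) == 0)
        return ESCAPE_SUCCEEDED;
    return errno == EPERM ? ESCAPE_DENIED : OTHER_ERROR;
}

/* Run the experiment in a forked child so the caller's own namespaces stay untouched. */
int revert_unshare_outcome(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return OTHER_ERROR;
    if (pid == 0)
        _exit(try_to_revert_unshare());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return OTHER_ERROR;
    return WEXITSTATUS(status);
}
```

Any outcome other than ESCAPE_SUCCEEDED is consistent with the answer; on hosts where unprivileged user namespaces are disabled the result is UNSHARE_UNAVAILABLE rather than ESCAPE_DENIED.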
