1

I'm exploring the namespace feature of linux kernel, using Archlinux. But I got some message that I can't explain the reason, could anyone explain them to me?

xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
Could not get property: Access denied
root⚓⏺️~🤐mount -o remount,ro /
mount: /: permission denied.

Based on ArchWiki, I CAN create an user namespace using my normal account, and I do, but Why do I get the Could not get property: Access denied message?

Based on manpage, Newly created bash process has full capability in the new namespace, so why do I get the "permission denied" message when I tried to do mount? Is there anything related with file capability? How can I check the current capabilities the current bash process have?

Improve this question

1 Answer 1

Reset to default
1

The command you are trying to run would change the root filesystem to read-only. It would affect outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

mount -o remount,bind,ro /
Improve this answer
7
  • Why? Shouldn't the new shell run in a separate mount namespace? What does the bind and remount in the same mount command in your answer mean? Commented Mar 27, 2019 at 13:00
  • @炸鱼薯条德里克 there is only one instance of the filesystem. (This is sometimes referred to as a superblock). Otherwise, how would a mount option like journal_dev= work? The ro option applies to the underlying filesystem, unless bind is passed in the same command. Commented Mar 27, 2019 at 13:27
  • I said, mount namespace, not filesystem, shouldn't it be completely another mount, although the mounted filesystem is the same one? Shouldn't read-only a property of a mount instead of a filesystem? Commented Mar 27, 2019 at 13:31
  • Did you mean people are not able to create two mounts for the same filesystem, one is rw and another is ro? Commented Mar 27, 2019 at 13:33
  • @炸鱼薯条德里克 the root mount inside the namespace is exactly equivalent to a bind mount of the root outside the namespace. And bind mounts can be made readonly without making the original readonly. But, also know that the kernel does not keep any track of which mount is a bind mount and which mount was "original". Hence you can do remount,bind,... on any mount. Commented Mar 27, 2019 at 14:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.