5

I'm trying to make a sandboxed environment using Linux namespaces. I've found a neat example at https://github.com/swetland/mkbox that roughly does what I want, but I'd like a credible /proc to appear inside the sandbox. How can I do that?

I tried bind mounting the proc FS on "proc", but that fails with EINVAL. When I try to mount "proc" normally, it yields EPERM.

Ideas?

chrk
hanwen
  • What did you do exactly? `./mkbox sandbox \`pwd\`/proc`? Maybe you tried to mount proc over proc without a namespace like sandbox? – resultsway May 01 '14 at 22:52
  • See https://github.com/hanwen/mkbox/commit/043d6fdf3fe81275c4c184e689faa23d844ee36b for what I tried exactly. – hanwen May 02 '14 at 19:01

2 Answers

6

A local guru figured this out for me: the proc must use the (undocumented?) MS_REC flag, like so:

    ok(mount, "/proc", "proc", NULL, MS_REC|MS_BIND, NULL);

The bind mount only does something useful if CLONE_PIDNS is not set, obviously.

hanwen
  • I just ran into this problem, and it's your StackOverflow answer that solved it and saved me from pulling my hair out. And Swetland actually _wrote_ the mkbox code _at my house_. Small world. PS: the reason you need MS_REC (which I now remember after reading this) is because /proc has other things mounted inside it (e.g. /proc/sys/fs/binfmt_misc) and if you don't recursively mount those as well you could be revealing stuff that had been intentionally hidden via mount-over. – Kenton Varda Oct 09 '14 at 09:02
  • I also banged my head for some while about this. For the record: in normal command line shell the same effect would be achieved by calling `mount --rbind /proc proc` – josch Oct 21 '15 at 21:25
0

I didn't look closely enough at your commit to know for sure if this is your issue, but EPERM will happen if you have CLONE_NEWUSER | CLONE_NEWNS but not CLONE_NEWPID. This is because in order to mount proc, you need CAP_SYS_ADMIN in the user namespace corresponding to the current PID namespace, not the current user namespace.

Linux 4.4, fs/proc/root.c, lines 112–117:

    ns = task_active_pid_ns(current);
    options = data;

    /* Does the mounter have privilege over the pid namespace? */
    if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
            return ERR_PTR(-EPERM);
Reid
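The two answers together describe one decision: with a fresh PID namespace you may mount a new procfs (you hold CAP_SYS_ADMIN in the user namespace that owns that PID namespace); without one, the PID namespace is still the host's, a plain mount gets EPERM, and the only option is a recursive bind of the host /proc (a non-recursive bind of a mount with locked children is what produces the EINVAL in the question). The following is an added, self-contained example, not code from mkbox or from any of the posters; it assumes an unprivileged user namespace is permitted on the host and that `<root>/proc` already exists, and the program name `procbox` is made up.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Arguments for the mount() call that yields a usable /proc under the sandbox root. */
struct proc_mount { const char *src; const char *fstype; unsigned long flags; };

/* CLONE_NEWPID: a new procfs instance, scoped to the new PID namespace.
 * Otherwise: MS_REC|MS_BIND of the host /proc (MS_REC also carries the
 * mounts stacked inside it, e.g. /proc/sys/fs/binfmt_misc, so nothing that
 * was hidden by mount-over becomes visible). */
struct proc_mount choose_proc_mount(int clone_flags) {
    struct proc_mount m;
    if (clone_flags & CLONE_NEWPID) { m.src = "proc";  m.fstype = "proc"; m.flags = 0; }
    else                            { m.src = "/proc"; m.fstype = NULL;   m.flags = MS_REC | MS_BIND; }
    return m;
}

static void write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0 || write(fd, s, strlen(s)) < 0) { perror(path); exit(1); }
    close(fd);
}

int main(int argc, char **argv) {
    /* usage: ./procbox <sandbox-root> [pidns]   (pass any 2nd arg to add CLONE_NEWPID) */
    if (argc < 2) { fprintf(stderr, "usage: %s root [pidns]\n", argv[0]); return 2; }
    int flags = CLONE_NEWUSER | CLONE_NEWNS | (argc > 2 ? CLONE_NEWPID : 0);
    uid_t uid = getuid(); gid_t gid = getgid();
    if (unshare(flags) < 0) { perror("unshare"); return 1; }
    /* Map our uid/gid to 0 so we hold CAP_SYS_ADMIN in the new user namespace. */
    char map[64];
    snprintf(map, sizeof map, "0 %u 1", uid); write_file("/proc/self/uid_map", map);
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", gid); write_file("/proc/self/gid_map", map);
    /* CLONE_NEWPID only applies to children, so fork before touching /proc. */
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid > 0) { int st; waitpid(pid, &st, 0); return WEXITSTATUS(st); }
    char path[4096]; snprintf(path, sizeof path, "%s/proc", argv[1]);
    struct proc_mount m = choose_proc_mount(flags);
    if (mount(m.src, path, m.fstype, m.flags, NULL) < 0) { perror("mount proc"); return 1; }
    execlp("ls", "ls", path, (char *)NULL);   /* list the sandbox's new /proc */
    perror("execlp"); return 1;
}
```

Run it once with and once without the `pidns` argument: in the first case `ls` shows only the PIDs of the new namespace, in the second it shows the host's process list via the recursive bind.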