2
setcap cap_net_raw,cap_net_admin,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_fowner+eip

I want a process running as a normal user to switch to another process's netns; the other process is running as root. What I need to do is open /proc/pid/ns/net and then call setns. I have given many capabilities to the executable as above, but it still says Permission denied. Any ideas?

Mr Pang

2 Answers

2

You need SYS_PTRACE and SYS_ADMIN capabilities.

This is documented in https://man7.org/linux/man-pages/man7/namespaces.7.html (the reference for SYS_ADMIN was already given in the other answer):

The /proc/[pid]/ns/ directory

[...]

   Permission to dereference or read (readlink(2)) these symbolic
   links is governed by a ptrace access mode
   PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
Michael Dreher
1

https://man7.org/linux/man-pages/man2/setns.2.html suggests:

Network, IPC, time, and UTS namespaces
              In order to reassociate itself with a new network, IPC,
              time, or UTS namespace, the caller must have the
              CAP_SYS_ADMIN capability both in its own user namespace
              and in the user namespace that owns the target namespace.
Tinkerer
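To make the two capability checks quoted in both answers concrete, here is an added C example (not code from the question or either answer). It does exactly what the question describes, open /proc/<pid>/ns/net and call setns(), and reports which step failed. The bit numbers for CAP_SYS_PTRACE (19) and CAP_SYS_ADMIN (21) are the ones defined in <linux/capability.h>; the CapEff line is the effective-capability mask that /proc/<pid>/status prints as hex. The mapping from "which step failed" to "which capability the man page names" is this example's own diagnostic, written from the two man page excerpts above.

```c
// Added example: join another process's network namespace and explain
// which of the two documented capability checks blocked it.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_BIT_SYS_PTRACE 19
#define CAP_BIT_SYS_ADMIN  21

/* Return 1 if capability bit `cap` is set in a CapEff hex mask such as
 * "0000000000280000" (the format used in /proc/<pid>/status). */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the calling process's effective capability mask (the CapEff line of
 * /proc/self/status) into buf. Returns 0 on success, -1 if not found. */
int read_cap_eff(char *buf, size_t buflen)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            snprintf(buf, buflen, "%s", p);
            buf[strcspn(buf, "\n")] = '\0';
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    return -1;
}

/* Map the failing step (1 = open of /proc/<pid>/ns/net, 2 = setns()) and its
 * errno to the capability the man pages say governs that step. */
const char *explain_failure(int step, int err)
{
    if (step == 1 && (err == EACCES || err == EPERM))
        return "open(/proc/<pid>/ns/net) failed the PTRACE_MODE_READ_FSCREDS "
               "check: CAP_SYS_PTRACE is needed (namespaces(7))";
    if (step == 2 && err == EPERM)
        return "setns() refused: CAP_SYS_ADMIN is needed in the caller's user "
               "namespace and in the one owning the target netns (setns(2))";
    return strerror(err);
}

/* Reassociate the caller with the network namespace of `pid`.
 * Returns 0 on success, otherwise the step number that failed, with errno
 * still set by the failing call. */
int join_netns(pid_t pid)
{
    char path[64];
    int fd;
    snprintf(path, sizeof path, "/proc/%d/ns/net", (int)pid);
    fd = open(path, O_RDONLY | O_CLOEXEC);   /* step 1: ptrace access check */
    if (fd < 0) return 1;
    if (setns(fd, CLONE_NEWNET) < 0) {       /* step 2: CAP_SYS_ADMIN check */
        int saved = errno;
        close(fd);
        errno = saved;
        return 2;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    char capeff[32];
    int rc;
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 2;
    }
    if (read_cap_eff(capeff, sizeof capeff) == 0)
        printf("CapEff=%s sys_ptrace=%d sys_admin=%d\n", capeff,
               cap_in_mask(capeff, CAP_BIT_SYS_PTRACE),
               cap_in_mask(capeff, CAP_BIT_SYS_ADMIN));
    rc = join_netns((pid_t)atoi(argv[1]));
    if (rc != 0) {
        fprintf(stderr, "step %d failed: %s\n", rc, explain_failure(rc, errno));
        return 1;
    }
    printf("now in the network namespace of pid %s\n", argv[1]);
    return 0;
}
```

Run it as `./joinns <pid>` after `setcap cap_sys_ptrace,cap_sys_admin+ep ./joinns`. The printed CapEff line tells you immediately whether the setcap actually took effect (bits 19 and 21 must be set), and the step number separates the two failure modes: a "Permission denied" from step 1 is the ptrace access-mode check from namespaces(7), while an "Operation not permitted" from step 2 is the CAP_SYS_ADMIN rule from setns(2).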