LIBUSERBINDMOUNT(3) | Linux Programmer's Manual | LIBUSERBINDMOUNT(3) |
userbindmount, userbindmount_unshare, userbindmount_set_cap_sysadm, userbindmount_string, userbindmount_data, userbindmount_fd - bind-mount in user-namespaces
#include <userbindmount.h>
int userbindmount(const char *source, const char
*target);
int userbindmount_unshare(void);
int userbindmount_set_cap_sysadm(void);
int userbindmount_string(const char *string, const char
*target, mode_t mode);
int userbindmount_data(const void *data, size_t
count, const char *target, mode_t
mode);
int userbindmount_fd(int fd, const char
*target, mode_t mode);
These functions are provided by libuserbindmount. Link with -luserbindmount.
Libuserbindmount is a library providing support for bind mount in user userspaces.
userbindmount bind mounts source on destination. If it is not permitted in the current namespace it creates (unshare) a new user-namespace.
userbindmount_unshare creates a new user-namespace where bind mount is allowed.
userbindmount_set_cap_sysadm add the CAP_SYS_ADMIN ambient capability to the current namespace so that the ability of bind mount files and directories can be exported to new programs (ambient capabilities survive to execve(2)).
userbindmount_string bind-mounts on destination a temporary file whose (text) contents is provided by string. The temporary file is automatically deleted when the namespace is closed or the file/directory unmounted.
userbindmount_data bind-mounts on destination a temporary file whose (binary) contents is provided by data and has the size of count bytes. The temporary file is automatically deleted when the namespace is closed or the file/directory unmounted.
userbindmount_fd bind-mounts on destination a temporary file whose contents is read from the by the file descriptor fd (up to the end of file). The temporary file is automatically deleted when the namespace is closed or the file/directory unmounted.
All the functions provided by libuserbindmount return 0 in case of success. -1 is returned elseways and errno is set appropriately.
Libuserbindmount fails if user namespaces have not been configured in the running kernel and enabled for users. In Debian the sysctl knob kernel.unprivileged_userns_clone must be set to 1.
The following excerpts of C code shows the use of libuserbindmount: the inclusion of the header file for this library is required:
#include <usrbindmount.h>
Bind-mount /tmp/resolv.conf on /etc/resolv.conf:
userbindmount("/tmp/resolv.conf", "/etc/resolv.conf");
Bind-mount a string on /etc/resolv.conf:
userbindmount_string("nameserver 9.9.9.90, "/etc/resolv.conf", 0600);
Bind-mount a binary data on /proc/self/cmdline:
static char fakeargv[] = {'c','m','d',0, 'a','r','g','1',0, 'a','r','g','2',0, 0}; userbindmount_data(fakeargv, sizeof(fakeargv), "/proc/self/cmdline", 0600);
Bind-mount the data read from a file descriptor on /etc/resolv.conf:
userbindmount_fd(STDIN_FILENO, "/etc/resolv.conf", 0600);
Bind-mount several files or directories:
userbindmount("/tmp/resolv.conf", "/etc/resolv.conf"); userbindmount("/tmp/passwd", "/etc/passwd"); userbindmount("/tmp/hosts", "/etc/hosts");
The following program creates a namespace and runs a program in it. In the new namespace bind-mount is allowed.
#include <stdio.h> #include <unistd.h> #include <userbindmount.h> int main(int argc, char *argv[]) { userbindmount_unshare(); userbindmount_set_cap_sysadm(); execvp(argv[1], argv+1); }
It can be compiled and tested in the following way:
$ gcc -o unshare_sysadm unshare_sysadm.c -luserbindmount $ unshare_sysadm bash $ cat /etc/resolv.conf nameserver 127.0.0.1 $ echo "nameserver 9.9.9.9" > /tmp/resolv.conf $ busybox mount --bind /tmp/resolv.conf /etc/resolv.conf $ cat /etc/resolv.conf nameserver 9.9.9.9 $ exit $
Bug reports should be addressed to <info@virtualsquare.org>
Renzo Davoli <renzo@cs.unibo.it>
2017-08-22 | VirtualSquare |