[Bug 216215] New: clone and unshare say CAP_SYS_ADMIN is required to create new namespaces

[Bug 216215] New: clone and unshare say CAP_SYS_ADMIN is required to create new namespaces

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=216215

            Bug ID: 216215
           Summary: clone and unshare say CAP_SYS_ADMIN is required to
                    create new namespaces
           Product: Documentation
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: man-pages
          Assignee: documentation_man-pages@kernel-bugs.osdl.org
          Reporter: linuxkernelbugzilla@pxeger.com
        Regression: No

According to clone(2) and unshare(2), the various CLONE_NEW* flags for creating
new namespaces require CAP_SYS_ADMIN. But this is not the case, and never has
been (as best I can tell from some git log grepping in the kernel).

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=216215

Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |alx.manpages@gmail.com
         Resolution|---                         |INVALID

--- Comment #1 from Alejandro Colomar (man-pages) (alx.manpages@gmail.com) ---
$ cat unshare.c 
#define _GNU_SOURCE
#include <err.h>
#include <sched.h>
#include <stdlib.h>

int main(void)
{
        if (unshare(CLONE_NEWPID) == -1)
                err(EXIT_FAILURE, "unshare(2)");
        exit(EXIT_SUCCESS);
}

$ cc -Wall -Wextra unshare.c
$ sudo setcap 'cap_sys_admin=' a.out 
$ ./a.out 
a.out: unshare(2): Operation not permitted
$ sudo setcap 'cap_sys_admin=eip' a.out 
$ ./a.out 
$ 


CAP_SYS_ADMIN is required, as the example above demonstrates.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=216215

--- Comment #2 from pxeger (linuxkernelbugzilla@pxeger.com) ---
Ah, I understand the confusion I was having now: all namespaces, *except user
namespaces*, require CAP_SYS_ADMIN. But creating a new user namespace
automatically confers a full set of capabilities. So, when using clone(2) with
CLONE_NEWUSER and some other CLONE_NEW* flags for other namespaces, at the same
time, you don't need CAP_SYS_ADMIN in the parent, because it's given to the
child during the clone call.

Is this worth mentioning somewhere?

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=216215

Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #3 from Alejandro Colomar (man-pages) (alx.manpages@gmail.com) ---
Maybe we could add that to NOTES in unshare(2).
Would you mind sending a patch?

Thanks,

Alex

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=216215

Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |DOCUMENTED

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.