Mdthbs

Explaining intravenous drug abuse to a small child

Convert Numbers To Emoji Math

How did the Apollo guidance computer handle parity bit errors?

Why would a military not separate its forces into different branches?

Do Jedi mind tricks work on Ewoks?

What does the coin flipping before dying mean?

What happens if I accidentally leave an app running and click "Install Now" in Software Updater?

How to speed up large double sums in a table?

What is more safe for browsing the web: PC or smartphone?

Do quaternary sulfur dications exist?

Some questions about antistatic wrist strap

Lines too long in piece with two sections for different instruments

What do you call a painting painted on a wall?

Is it normal for gliders not to have attitude indicators?

Game artist computer workstation set-up – is this overkill?

Append unique characters read from filecontents to a string

Dimmer switch not connected to ground

How is Pauli's exclusion principle still valid in these cases?

What does the copyright in a dissertation protect exactly?

Efficient deletion of specific list entries

Is there precedent or are there procedures for a US president refusing to concede to an electoral defeat?

Picking a theme as a discovery writer

Python 3 - simple temperature program version 1.3

Does Thanos's ship land in the middle of the battlefield in "Avengers: Endgame"?

About mounting and umounting inherited mounts inside a newly-created mount namespace

Why can't I bind-mount “/” inside a user namespace?Inside a user namespace, why am I not allowed to remount a filesystem I have mounted?Unable to change permissions of file system root“PTY allocation request failed on channel 0 stdin: is not a tty” when SSH'ing into a Debian serverIs Traffic control inside namespace on ports created by OpenvSwitch supported?Recursively unmount Bind mount in both User and Mount namespaceCannot mount newly created Logical VolumeWhy does child with mount namespace affect parent mounts?Freenas iscsi to VMware - Mount newly created disk to UbuntuMounting a file system image inside an unshared namespaceWhy can't I bind-mount “/” inside a user namespace?Running su inside mount namespace

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}

1

Experiment 1

From outside the namespace, cat /proc/self/mountinfo gives

291 34 0:37 / /tmp/IMJUSTTMP rw,relatime shared:152 - tmpfs tmpfs rw,size=102400k

34 23 0:32 / /tmp rw,nosuid,nodev shared:16 - tmpfs tmpfs rw

Then I run unshare -mU --map-root-user --propagation private /usr/bin/zsh to get a new shell inside a namespace, but inside the newly-created mount namespace, I can't umount /tmp/IMJUSTTMP, umount just tell me it's not mounted. While I can check the newly-created mount namespace by cat /proc/self/mountinfo, which gives private mount

290 263 0:32 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw

302 290 0:37 / /tmp/IMJUSTTMP rw,relatime - tmpfs tmpfs rw,size=102400k

Then why do I get umount: /tmp/IMJUSTTMP: not mounted. when I try to umount /tmp/IMJUSTTMP inside the namespace?

I'm using 5.0.9-arch1-1-ARCH, with kernel.unprivileged_userns_clone = 1.

Experiment 2

After unshare -mU --map-root-user --propagation private /usr/bin/zsh, trying to create an overlayfs also fail.

mkdir -p /tmp/IMJUSTTMP/work

mkdir /tmp/IMJUSTTEST

mount -t tmpfs -o size=100m tmpfs /tmp/IMJUSTTMP

mount -t tmpfs -o size=200M tmpfs /tmp/IMJUSTTEST

Will all succeed as expected, While all the following would get permission denied inside the namespace.

mount -t overlay -o "lowerdir=/home/xtricman,upperdir=/tmp/IMJUSTTMP/,workdir=/tmp/IMJUSTTMP/work" overlay /home/xtricman

mount -t overlay -o "lowerdir=/tmp/IMJUSTTEST,upperdir=/tmp/IMJUSTTMP,workdir=/tmp/IMJUSTTMP/work" overlay /mnt

Rough Guess of mine

I found these two questions, Inside a user namespace, why am I not allowed to remount a filesystem I have mounted? and Why can't I bind-mount "/" inside a user namespace? It seems that since I inherit the /tmp/IMJUSTTMP and /tmp mount, so I can't umount them even if I got full capabilities in the owning user namespace of the newly-created mount namespace.

Linux kenerl seems to prevent me cancel an overmount by creating a new user and mount namespace like I just did. It seems to regard over mount as a security method to hide some files and prevent me to access overmounted directories.

Creating an overlay mount might also cause the possibility to access overmount-hidden files, so for simplicity, kenerl just refuse to create overlayfs unless I have CAP_SYS_ADMIN in top level user namespace.

Question
Can anyone explain what exactly what's going on of the two experements? Is there any document mentioning detail kernel behavior of mounting and umounting inside a mount namespace? What is the "superblock owner" as mentioned in This Comment and Why can't I bind-mount "/" inside a user namespace? ?

mount linux-kernel namespace

share|improve this question

edited 39 mins ago

炸鱼薯条德里克

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Have you tried with umount -f ?
  
  – Stephen Harris
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @StephenHarris I repeat the experiment, get wierder result. umount /tmp/IMJUSTTMP and umount /tmp/IMJUSTTMP -f both give umount: /tmp/mountinfo: no mount point specified. and don't umount that mount point. I double checked /proc/self/mountinfo, that mountpoint really exist inside the newly-created mount namespace.
  
  – 炸鱼薯条德里克
  3 hours ago
  

  
  
  
  

add a comment | 

1

Experiment 1

From outside the namespace, cat /proc/self/mountinfo gives

291 34 0:37 / /tmp/IMJUSTTMP rw,relatime shared:152 - tmpfs tmpfs rw,size=102400k

34 23 0:32 / /tmp rw,nosuid,nodev shared:16 - tmpfs tmpfs rw

Then I run unshare -mU --map-root-user --propagation private /usr/bin/zsh to get a new shell inside a namespace, but inside the newly-created mount namespace, I can't umount /tmp/IMJUSTTMP, umount just tell me it's not mounted. While I can check the newly-created mount namespace by cat /proc/self/mountinfo, which gives private mount

290 263 0:32 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw

302 290 0:37 / /tmp/IMJUSTTMP rw,relatime - tmpfs tmpfs rw,size=102400k

Then why do I get umount: /tmp/IMJUSTTMP: not mounted. when I try to umount /tmp/IMJUSTTMP inside the namespace?

I'm using 5.0.9-arch1-1-ARCH, with kernel.unprivileged_userns_clone = 1.

Experiment 2

After unshare -mU --map-root-user --propagation private /usr/bin/zsh, trying to create an overlayfs also fail.

mkdir -p /tmp/IMJUSTTMP/work

mkdir /tmp/IMJUSTTEST

mount -t tmpfs -o size=100m tmpfs /tmp/IMJUSTTMP

mount -t tmpfs -o size=200M tmpfs /tmp/IMJUSTTEST

Will all succeed as expected, While all the following would get permission denied inside the namespace.

mount -t overlay -o "lowerdir=/home/xtricman,upperdir=/tmp/IMJUSTTMP/,workdir=/tmp/IMJUSTTMP/work" overlay /home/xtricman

mount -t overlay -o "lowerdir=/tmp/IMJUSTTEST,upperdir=/tmp/IMJUSTTMP,workdir=/tmp/IMJUSTTMP/work" overlay /mnt

Rough Guess of mine

I found these two questions, Inside a user namespace, why am I not allowed to remount a filesystem I have mounted? and Why can't I bind-mount "/" inside a user namespace? It seems that since I inherit the /tmp/IMJUSTTMP and /tmp mount, so I can't umount them even if I got full capabilities in the owning user namespace of the newly-created mount namespace.

Linux kenerl seems to prevent me cancel an overmount by creating a new user and mount namespace like I just did. It seems to regard over mount as a security method to hide some files and prevent me to access overmounted directories.

Creating an overlay mount might also cause the possibility to access overmount-hidden files, so for simplicity, kenerl just refuse to create overlayfs unless I have CAP_SYS_ADMIN in top level user namespace.

Question
Can anyone explain what exactly what's going on of the two experements? Is there any document mentioning detail kernel behavior of mounting and umounting inside a mount namespace? What is the "superblock owner" as mentioned in This Comment and Why can't I bind-mount "/" inside a user namespace? ?

mount linux-kernel namespace

share|improve this question

edited 39 mins ago

炸鱼薯条德里克

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Have you tried with umount -f ?
  
  – Stephen Harris
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @StephenHarris I repeat the experiment, get wierder result. umount /tmp/IMJUSTTMP and umount /tmp/IMJUSTTMP -f both give umount: /tmp/mountinfo: no mount point specified. and don't umount that mount point. I double checked /proc/self/mountinfo, that mountpoint really exist inside the newly-created mount namespace.
  
  – 炸鱼薯条德里克
  3 hours ago
  

  
  
  
  

add a comment | 

Experiment 1

From outside the namespace, cat /proc/self/mountinfo gives

291 34 0:37 / /tmp/IMJUSTTMP rw,relatime shared:152 - tmpfs tmpfs rw,size=102400k

34 23 0:32 / /tmp rw,nosuid,nodev shared:16 - tmpfs tmpfs rw

Then I run unshare -mU --map-root-user --propagation private /usr/bin/zsh to get a new shell inside a namespace, but inside the newly-created mount namespace, I can't umount /tmp/IMJUSTTMP, umount just tell me it's not mounted. While I can check the newly-created mount namespace by cat /proc/self/mountinfo, which gives private mount

290 263 0:32 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw

302 290 0:37 / /tmp/IMJUSTTMP rw,relatime - tmpfs tmpfs rw,size=102400k

Then why do I get umount: /tmp/IMJUSTTMP: not mounted. when I try to umount /tmp/IMJUSTTMP inside the namespace?

I'm using 5.0.9-arch1-1-ARCH, with kernel.unprivileged_userns_clone = 1.

Experiment 2

After unshare -mU --map-root-user --propagation private /usr/bin/zsh, trying to create an overlayfs also fail.

mkdir -p /tmp/IMJUSTTMP/work

mkdir /tmp/IMJUSTTEST

mount -t tmpfs -o size=100m tmpfs /tmp/IMJUSTTMP

mount -t tmpfs -o size=200M tmpfs /tmp/IMJUSTTEST

Will all succeed as expected, While all the following would get permission denied inside the namespace.

mount -t overlay -o "lowerdir=/home/xtricman,upperdir=/tmp/IMJUSTTMP/,workdir=/tmp/IMJUSTTMP/work" overlay /home/xtricman

mount -t overlay -o "lowerdir=/tmp/IMJUSTTEST,upperdir=/tmp/IMJUSTTMP,workdir=/tmp/IMJUSTTMP/work" overlay /mnt

Rough Guess of mine

I found these two questions, Inside a user namespace, why am I not allowed to remount a filesystem I have mounted? and Why can't I bind-mount "/" inside a user namespace? It seems that since I inherit the /tmp/IMJUSTTMP and /tmp mount, so I can't umount them even if I got full capabilities in the owning user namespace of the newly-created mount namespace.

Linux kenerl seems to prevent me cancel an overmount by creating a new user and mount namespace like I just did. It seems to regard over mount as a security method to hide some files and prevent me to access overmounted directories.

Creating an overlay mount might also cause the possibility to access overmount-hidden files, so for simplicity, kenerl just refuse to create overlayfs unless I have CAP_SYS_ADMIN in top level user namespace.

Question
Can anyone explain what exactly what's going on of the two experements? Is there any document mentioning detail kernel behavior of mounting and umounting inside a mount namespace? What is the "superblock owner" as mentioned in This Comment and Why can't I bind-mount "/" inside a user namespace? ?

mount linux-kernel namespace

share|improve this question

edited 39 mins ago

炸鱼薯条德里克

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417

291 34 0:37 / /tmp/IMJUSTTMP rw,relatime shared:152 - tmpfs tmpfs rw,size=102400k

34 23 0:32 / /tmp rw,nosuid,nodev shared:16 - tmpfs tmpfs rw

290 263 0:32 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw

302 290 0:37 / /tmp/IMJUSTTMP rw,relatime - tmpfs tmpfs rw,size=102400k

mkdir -p /tmp/IMJUSTTMP/work

mkdir /tmp/IMJUSTTEST

mount -t tmpfs -o size=100m tmpfs /tmp/IMJUSTTMP

mount -t tmpfs -o size=200M tmpfs /tmp/IMJUSTTEST

mount -t overlay -o "lowerdir=/home/xtricman,upperdir=/tmp/IMJUSTTMP/,workdir=/tmp/IMJUSTTMP/work" overlay /home/xtricman

mount -t overlay -o "lowerdir=/tmp/IMJUSTTEST,upperdir=/tmp/IMJUSTTMP,workdir=/tmp/IMJUSTTMP/work" overlay /mnt

share|improve this question

edited 39 mins ago

炸鱼薯条德里克

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417

share|improve this question

edited 39 mins ago

炸鱼薯条德里克

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417

asked 3 hours ago

炸鱼薯条德里克炸鱼薯条德里克

6141417