Move the defitions of CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC,
CLONE_NEWNET, CLONE_NEWUSER, CLONE_NEWPID into namespace.h in case
sched.h does not provide those definitions. Are there systems
around that are old enough that still need this?
Move the definitions of unshare() and setns() into namespace.h
for supporting old versions of libc that does not provice these.
I have tested this support with setns as I still have systems
old enough that glibc does not wrap setns.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
- Update the unshare application to support the pid and user namespaces.
- Update the man page for the new options
- Fix typo in the man page where UTS was spelled UTC.
- Remove the vestigal support for running a suid unshare.
After unsharing a user namespace setuid(getuid()) won't work because
no uid or gid mappings have been specified yet. So it is just easier not
to have any support for running suid.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
In addition to the unshare syscall, there exists the setns syscall, which
allows processes to migrate to the namepsaces of other processes. Add this
functionality into the unshare command, as they operate in a fairly simmilar
fashion.
Note: There was discussion of adding a path based namespace argument to unshare
in the origional discussion thread, but I opted to leave that out as it didn't
seem to fit in nicely with the current argument pattern. I figure we can always
add that in later if we need to
[kzak@redhat.com: - fix optional arguments
- do not call unshare if no flag specified
- use O_CLOEXEC
- codding style cleanup]
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Karel Zak <kzak@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Solaris lacks err, errx, warn and warnx. This also means the err.h header
doesn't exist. Removed err.h include from all files, and included err.h from
c.h instead if it exists, otherwise alternatives are provided.
Signed-off-by: Fabian Groffen <grobian@gentoo.org>
This patch drops potential euid privileges before executing the target
program. This allows to setuid unshare.
The unshare(1) is still distributed as non-setuid program.
Based on patch from Martin Pohlack <mp26@os.inf.tu-dresden.de>.
Signed-off-by: Karel Zak <kzak@redhat.com>
New utility allows to run process with separate mount, UTC, IPC or
network namespaces.
[kzak@redhat.com: - some cosmetic changes in usage() and err() usage
- move "if BUILD_UNSHARE" to separate place in Makefile.am
- add unshare to .gitignore]
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Sami Kerola
Eric W. Biederman
Karel Zak
Neil Horman
Fabian Groffen
Alexey Gladkov
Mikhail Gusarov