[CRIU] Can't launch unshare with -U or -r as unprivileged user
Allan Cecil
ac at sonic.net
Wed Jun 4 08:51:49 PDT 2014
Bottom-posted for clarity, please see below.
On 2014-06-04 07:38, Christopher Covington wrote:
> Hi Allan,
>
> On 06/04/2014 01:46 AM, Allan Cecil wrote:
~snip~
>> Unfortunately, this fails on unshare from util-linux 2.24.903-56ce because
>> virtually all of the flags require root privileges. The manpage talks about
>> using -U and -r instead to allow unshare to run without resorting to sudo
>> (which is not available to the unprivileged user account in use). The issue
>> is unshare -U or unshare -r always fails with the following error message:
>> unshare: unshare failed: Invalid argument
~snip~
>
> I've been using `unshare -fp` as root (with some light patches to CRIU that I
> need to rebase and resubmit), but I gave the command a try as a regular user
> on my Linux 3.2.0 x86_64 box, and reproduced your "Invalid argument" error.
> This was my test case:
>
> unshare -fp -- echo hello
>
> With strace I see:
>
> unshare(0x20000000 /* CLONE_??? */) = -1 EINVAL (Invalid argument)
>
> According to the system call man page [1], this should indicate "An invalid
> bit was specified in _flags_", rather than insufficient privileges (which
> would return EPERM). Indeed, when I run it with sudo I get the same error.
>
> 1. http://man7.org/linux/man-pages/man2/unshare.2.html
>
> CLONE_NEWPID (0x20000000) was added in
> 30e49c263e36341b60b735cbef5ca37912549264 which `git describe --contains` tells
> me was included in v2.6.24-rc1, so a 3.2 kernel should have it. This led me to
> check the kernel configuration. I've got CONFIG_PID_NS=y.
>
> It appears there have been numerous patches since the initial addition of
> CLONE_NEWPID tweaking unshare behavior with regard to the flag. My best guess
> is that at least one of them is necessary for things to work. As root on a
> 3.15 ARM kernel I get no errors from `unshare -fp -- echo hello`.
>
> What is your kernel version? Does -fp or -p work for you as root?
>
> Regards,
> Christopher
Hi Christopher, thanks for your response. This should help:
$ uname -a
Linux silvermine 3.11.0-19-generic #33-Ubuntu SMP Tue Mar 11 18:48:34 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ sudo unshare -fp -- echo hello
[sudo] password for ac:
hello
$ unshare -fp -- echo hello
unshare: unshare failed: Operation not permitted
$
So, with that kernel it's not possible to pass -fp as a normal user.
I'll be upgrading to Linux Mint 17 as soon as the Xfce edition becomes
available but until then I assume I am at the mercy of my existing
kernel. Any suggestions? Thanks for your time,
A.C.
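
Added example, not part of the original thread and not CRIU or util-linux code: a small probe that separates the two failures seen above, EINVAL (the kernel rejects the flag bit) and EPERM (the flag is accepted but the caller lacks privilege), for CLONE_NEWUSER and CLONE_NEWPID. The helper names `probe_unshare` and `explain_errno` are hypothetical, and the errno interpretation is the man-page reading quoted in the thread.

```c
#define _GNU_SOURCE            /* for syscall() */
#include <errno.h>
#include <linux/sched.h>       /* CLONE_NEWUSER, CLONE_NEWPID */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: call unshare(flags) in a throwaway child so the
 * caller's own namespaces are untouched. Returns 0 on success, the child's
 * errno on failure, or -1 if the probe itself could not run. */
int probe_unshare(unsigned long flags)
{
    int pfd[2], err = 0;
    if (pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pfd[0]); close(pfd[1]);
        return -1;
    }
    if (pid == 0) {                          /* child: try it, report errno */
        if (syscall(SYS_unshare, flags) < 0)
            err = errno;
        _exit(write(pfd[1], &err, sizeof err) == (ssize_t)sizeof err ? 0 : 1);
    }
    close(pfd[1]);
    ssize_t n = read(pfd[0], &err, sizeof err);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof err ? err : -1;
}

/* Hypothetical helper: the reading of errno used in the thread. */
const char *explain_errno(int err)
{
    switch (err) {
    case 0:      return "ok";
    case EINVAL: return "invalid flag bit for this kernel";
    case EPERM:  return "insufficient privilege";
    default:     return err > 0 ? strerror(err) : "probe failed";
    }
}

int main(void)
{
    printf("CLONE_NEWUSER: %s\n", explain_errno(probe_unshare(CLONE_NEWUSER)));
    printf("CLONE_NEWPID:  %s\n", explain_errno(probe_unshare(CLONE_NEWPID)));
}
```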