1SETNS(2) Linux Programmer's Manual SETNS(2)
2
6 setns - reassociate thread with a namespace
7
9 #define _GNU_SOURCE /* See feature_test_macros(7) */
10 #include <sched.h>
11 int setns(int fd, int nstype);
13
15 Given a file descriptor referring to a namespace, reassociate the call‐
16 ing thread with that namespace.
17 The fd argument is a file descriptor referring to one of the namespace
19 entries in a /proc/[pid]/ns/ directory; see namespaces(7) for further
20 information on /proc/[pid]/ns/. The calling thread will be reassoci‐
21 ated with the corresponding namespace, subject to any constraints
22 imposed by the nstype argument.
23 The nstype argument specifies which type of namespace the calling
25 thread may be reassociated with. This argument can have one of the
26 following values:
27 0 Allow any type of namespace to be joined.
29 CLONE_NEWCGROUP (since Linux 4.6)
31 fd must refer to a cgroup namespace.
32 CLONE_NEWIPC (since Linux 3.0)
34 fd must refer to an IPC namespace.
35 CLONE_NEWNET (since Linux 3.0)
37 fd must refer to a network namespace.
38 CLONE_NEWNS (since Linux 3.8)
40 fd must refer to a mount namespace.
41 CLONE_NEWPID (since Linux 3.8)
43 fd must refer to a descendant PID namespace.
44 CLONE_NEWUSER (since Linux 3.8)
46 fd must refer to a user namespace.
47 CLONE_NEWUTS (since Linux 3.0)
49 fd must refer to a UTS namespace.
50 Specifying nstype as 0 suffices if the caller knows (or does not care)
52 what type of namespace is referred to by fd. Specifying a nonzero
53 value for nstype is useful if the caller does not know what type of
54 namespace is referred to by fd and wants to ensure that the namespace
55 is of a particular type. (The caller might not know the type of the
56 namespace referred to by fd if the file descriptor was opened by
57 another process and, for example, passed to the caller via a UNIX
58 domain socket.)
59 Details for specific namespace types
61 Note the following details and restrictions when reassociating with
62 specific namespace types:
63 User namespaces
65 A process reassociating itself with a user namespace must have
66 the CAP_SYS_ADMIN capability in the target user namespace.
67 (This necessarily implies that it is only possible to join a
68 descendant user namespace.) Upon successfully joining a user
69 namespace, a process is granted all capabilities in that names‐
70 pace, regardless of its user and group IDs.
71 A multithreaded process may not change user namespace with
73 setns().
74 It is not permitted to use setns() to reenter the caller's cur‐
76 rent user namespace. This prevents a caller that has dropped
77 capabilities from regaining those capabilities via a call to
78 setns().
79 For security reasons, a process can't join a new user namespace
81 if it is sharing filesystem-related attributes (the attributes
82 whose sharing is controlled by the clone(2) CLONE_FS flag) with
83 another process.
84 For further details on user namespaces, see user_namespaces(7).
86 Mount namespaces
88 Changing the mount namespace requires that the caller possess
89 both CAP_SYS_CHROOT and CAP_SYS_ADMIN capabilities in its own
90 user namespace and CAP_SYS_ADMIN in the user namespace that owns
91 the target mount namespace.
92 A process may not be reassociated with a new mount namespace if
94 it is multithreaded.
95 See user_namespaces(7) for details on the interaction of user
97 namespaces and mount namespaces.
98 PID namespaces
100 In order to reassociate itself with a new PID namespace, the
101 caller must have the CAP_SYS_ADMIN capability both in its own
102 user namespace and in the user namespace that owns the target
103 PID namespace.
104 If fd refers to a PID namespace, the semantics are somewhat dif‐
106 ferent from other namespace types: reassociating the calling
107 thread with a PID namespace changes only the PID namespace that
108 subsequently created child processes of the caller will be
109 placed in; it does not change the PID namespace of the caller
110 itself.
111 Reassociating with a PID namespace is allowed only if the PID
113 namespace specified by fd is a descendant (child, grandchild,
114 etc.) of the PID namespace of the caller.
115 For further details on PID namespaces, see pid_namespaces(7).
117 Cgroup namespaces
119 In order to reassociate itself with a new cgroup namespace, the
120 caller must have the CAP_SYS_ADMIN capability both in its own
121 user namespace and in the user namespace that owns the target
122 cgroup namespace.
123 Using setns() to change the caller's cgroup namespace does not
125 change the caller's cgroup memberships.
126 Network, IPC, and UTS namespaces
128 In order to reassociate itself with a new network, IPC, or UTS
129 namespace, the caller must have the CAP_SYS_ADMIN capability
130 both in its own user namespace and in the user namespace that
131 owns the target namespace.
132
134 On success, setns() returns 0. On failure, -1 is returned and errno is
135 set to indicate the error.
136
138 EBADF fd is not a valid file descriptor.
139 EINVAL fd refers to a namespace whose type does not match that speci‐
141 fied in nstype.
142 EINVAL There is problem with reassociating the thread with the speci‐
144 fied namespace.
145 EINVAL The caller tried to join an ancestor (parent, grandparent, and
147 so on) PID namespace.
148 EINVAL The caller attempted to join the user namespace in which it is
150 already a member.
151 EINVAL The caller shares filesystem (CLONE_FS) state (in particular,
153 the root directory) with other processes and tried to join a new
154 user namespace.
155 EINVAL The caller is multithreaded and tried to join a new user names‐
157 pace.
158 ENOMEM Cannot allocate sufficient memory to change the specified names‐
160 pace.
161 EPERM The calling thread did not have the required capability for this
163 operation.
164
166 The setns() system call first appeared in Linux in kernel 3.0; library
167 support was added to glibc in version 2.14.
168
170 The setns() system call is Linux-specific.
171
173 Not all of the attributes that can be shared when a new thread is cre‐
174 ated using clone(2) can be changed using setns().
175
177 The program below takes two or more arguments. The first argument
178 specifies the pathname of a namespace file in an existing
179 /proc/[pid]/ns/ directory. The remaining arguments specify a command
180 and its arguments. The program opens the namespace file, joins that
181 namespace using setns(), and executes the specified command inside that
182 namespace.
183 The following shell session demonstrates the use of this program (com‐
185 piled as a binary named ns_exec) in conjunction with the CLONE_NEWUTS
186 example program in the clone(2) man page (complied as a binary named
187 newuts).
188 We begin by executing the example program in clone(2) in the back‐
190 ground. That program creates a child in a separate UTS namespace. The
191 child changes the hostname in its namespace, and then both processes
192 display the hostnames in their UTS namespaces, so that we can see that
193 they are different.
194 $ su # Need privilege for namespace operations
196 Password:
197 # ./newuts bizarro &
198 [1] 3549
199 clone() returned 3550
200 uts.nodename in child: bizarro
201 uts.nodename in parent: antero
202 # uname -n # Verify hostname in the shell
203 antero
204 We then run the program shown below, using it to execute a shell.
206 Inside that shell, we verify that the hostname is the one set by the
207 child created by the first program:
208 # ./ns_exec /proc/3550/ns/uts /bin/bash
210 # uname -n # Executed in shell started by ns_exec
211 bizarro
212 Program source
214 #define _GNU_SOURCE
215 #include <fcntl.h>
216 #include <sched.h>
217 #include <unistd.h>
218 #include <stdlib.h>
219 #include <stdio.h>
220 #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \
222 } while (0)
223 int
225 main(int argc, char *argv[])
226 {
227 int fd;
228 if (argc < 3) {
230 fprintf(stderr, "%s /proc/PID/ns/FILE cmd args...\n", argv[0]);
231 exit(EXIT_FAILURE);
232 }
233 fd = open(argv[1], O_RDONLY); /* Get file descriptor for namespace */
235 if (fd == -1)
236 errExit("open");
237 if (setns(fd, 0) == -1) /* Join that namespace */
239 errExit("setns");
240 execvp(argv[2], &argv[2]); /* Execute a command in namespace */
242 errExit("execvp");
243 }
244
246 nsenter(1), clone(2), fork(2), unshare(2), vfork(2), namespaces(7),
247 unix(7)
248
250 This page is part of release 5.02 of the Linux man-pages project. A
251 description of the project, information about reporting bugs, and the
252 latest version of this page, can be found at
253 https://www.kernel.org/doc/man-pages/.
254Linux 2019-03-06 SETNS(2)