1UNSHARE(2) Linux Programmer's Manual UNSHARE(2)
2
3
4
6 unshare - disassociate parts of the process execution context
7
9 #define _GNU_SOURCE
10 #include <sched.h>
11
12 int unshare(int flags);
13
15 unshare() allows a process (or thread) to disassociate parts of its
16 execution context that are currently being shared with other processes
17 (or threads). Part of the execution context, such as the mount names‐
18 pace, is shared implicitly when a new process is created using fork(2)
19 or vfork(2), while other parts, such as virtual memory, may be shared
20 by explicit request when creating a process or thread using clone(2).
21
22 The main use of unshare() is to allow a process to control its shared
23 execution context without creating a new process.
24
25 The flags argument is a bit mask that specifies which parts of the exe‐
26 cution context should be unshared. This argument is specified by ORing
27 together zero or more of the following constants:
28
29 CLONE_FILES
30 Reverse the effect of the clone(2) CLONE_FILES flag. Unshare
31 the file descriptor table, so that the calling process no longer
32 shares its file descriptors with any other process.
33
34 CLONE_FS
35 Reverse the effect of the clone(2) CLONE_FS flag. Unshare
36 filesystem attributes, so that the calling process no longer
37 shares its root directory (chroot(2)), current directory
38 (chdir(2)), or umask (umask(2)) attributes with any other
39 process.
40
41 CLONE_NEWCGROUP (since Linux 4.6)
42 This flag has the same effect as the clone(2) CLONE_NEWCGROUP
43 flag. Unshare the cgroup namespace. Use of CLONE_NEWCGROUP
44 requires the CAP_SYS_ADMIN capability.
45
46 CLONE_NEWIPC (since Linux 2.6.19)
47 This flag has the same effect as the clone(2) CLONE_NEWIPC flag.
48 Unshare the IPC namespace, so that the calling process has a
49 private copy of the IPC namespace which is not shared with any
50 other process. Specifying this flag automatically implies
51 CLONE_SYSVSEM as well. Use of CLONE_NEWIPC requires the
52 CAP_SYS_ADMIN capability.
53
54 CLONE_NEWNET (since Linux 2.6.24)
55 This flag has the same effect as the clone(2) CLONE_NEWNET flag.
56 Unshare the network namespace, so that the calling process is
57 moved into a new network namespace which is not shared with any
58 previously existing process. Use of CLONE_NEWNET requires the
59 CAP_SYS_ADMIN capability.
60
61 CLONE_NEWNS
62 This flag has the same effect as the clone(2) CLONE_NEWNS flag.
63 Unshare the mount namespace, so that the calling process has a
64 private copy of its namespace which is not shared with any other
65 process. Specifying this flag automatically implies CLONE_FS as
66 well. Use of CLONE_NEWNS requires the CAP_SYS_ADMIN capability.
67 For further information, see mount_namespaces(7).
68
69 CLONE_NEWPID (since Linux 3.8)
70 This flag has the same effect as the clone(2) CLONE_NEWPID flag.
71 Unshare the PID namespace, so that the calling process has a new
72 PID namespace for its children which is not shared with any pre‐
73 viously existing process. The calling process is not moved into
74 the new namespace. The first child created by the calling
75 process will have the process ID 1 and will assume the role of
76 init(1) in the new namespace. CLONE_NEWPID automatically
77 implies CLONE_THREAD as well. Use of CLONE_NEWPID requires the
78 CAP_SYS_ADMIN capability. For further information, see
79 pid_namespaces(7).
80
81 CLONE_NEWUSER (since Linux 3.8)
82 This flag has the same effect as the clone(2) CLONE_NEWUSER
83 flag. Unshare the user namespace, so that the calling process
84 is moved into a new user namespace which is not shared with any
85 previously existing process. As with the child process created
86 by clone(2) with the CLONE_NEWUSER flag, the caller obtains a
87 full set of capabilities in the new namespace.
88
89 CLONE_NEWUSER requires that the calling process is not threaded;
90 specifying CLONE_NEWUSER automatically implies CLONE_THREAD.
91 Since Linux 3.9, CLONE_NEWUSER also automatically implies
92 CLONE_FS. CLONE_NEWUSER requires that the user ID and group ID
93 of the calling process are mapped to user IDs and group IDs in
94 the user namespace of the calling process at the time of the
95 call.
96
97 For further information on user namespaces, see user_names‐
98 paces(7).
99
100 CLONE_NEWUTS (since Linux 2.6.19)
101 This flag has the same effect as the clone(2) CLONE_NEWUTS flag.
102 Unshare the UTS IPC namespace, so that the calling process has a
103 private copy of the UTS namespace which is not shared with any
104 other process. Use of CLONE_NEWUTS requires the CAP_SYS_ADMIN
105 capability.
106
107 CLONE_SYSVSEM (since Linux 2.6.26)
108 This flag reverses the effect of the clone(2) CLONE_SYSVSEM
109 flag. Unshare System V semaphore adjustment (semadj) values, so
110 that the calling process has a new empty semadj list that is not
111 shared with any other process. If this is the last process that
112 has a reference to the process's current semadj list, then the
113 adjustments in that list are applied to the corresponding sema‐
114 phores, as described in semop(2).
115
116 In addition, CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM can be specified
117 in flags if the caller is single threaded (i.e., it is not sharing its
118 address space with another process or thread). In this case, these
119 flags have no effect. (Note also that specifying CLONE_THREAD automat‐
120 ically implies CLONE_VM, and specifying CLONE_VM automatically implies
121 CLONE_SIGHAND.) If the process is multithreaded, then the use of these
122 flags results in an error.
123
124 If flags is specified as zero, then unshare() is a no-op; no changes
125 are made to the calling process's execution context.
126
128 On success, zero returned. On failure, -1 is returned and errno is set
129 to indicate the error.
130
132 EINVAL An invalid bit was specified in flags.
133
134 EINVAL CLONE_THREAD, CLONE_SIGHAND, or CLONE_VM was specified in flags,
135 and the caller is multithreaded.
136
137 EINVAL CLONE_NEWIPC was specified in flags, but the kernel was not con‐
138 figured with the CONFIG_SYSVIPC and CONFIG_IPC_NS options.
139
140 EINVAL CLONE_NEWNET was specified in flags, but the kernel was not con‐
141 figured with the CONFIG_NET_NS option.
142
143 EINVAL CLONE_NEWPID was specified in flags, but the kernel was not con‐
144 figured with the CONFIG_PID_NS option.
145
146 EINVAL CLONE_NEWUSER was specified in flags, but the kernel was not
147 configured with the CONFIG_USER_NS option.
148
149 EINVAL CLONE_NEWUTS was specified in flags, but the kernel was not con‐
150 figured with the CONFIG_UTS_NS option.
151
152 EINVAL CLONE_NEWPID was specified in flags, but the process has previ‐
153 ously called unshare() with the CLONE_NEWPID flag.
154
155 ENOMEM Cannot allocate sufficient memory to copy parts of caller's con‐
156 text that need to be unshared.
157
158 ENOSPC (since Linux 3.7)
159 CLONE_NEWPID was specified in flags, but the limit on the nest‐
160 ing depth of PID namespaces would have been exceeded; see
161 pid_namespaces(7).
162
163 ENOSPC (since Linux 4.9; beforehand EUSERS)
164 CLONE_NEWUSER was specified in flags, and the call would cause
165 the limit on the number of nested user namespaces to be
166 exceeded. See user_namespaces(7).
167
168 From Linux 3.11 to Linux 4.8, the error diagnosed in this case
169 was EUSERS.
170
171 ENOSPC (since Linux 4.9)
172 One of the values in flags specified the creation of a new user
173 namespace, but doing so would have caused the limit defined by
174 the corresponding file in /proc/sys/user to be exceeded. For
175 further details, see namespaces(7).
176
177 EPERM The calling process did not have the required privileges for
178 this operation.
179
180 EPERM CLONE_NEWUSER was specified in flags, but either the effective
181 user ID or the effective group ID of the caller does not have a
182 mapping in the parent namespace (see user_namespaces(7)).
183
184 EPERM (since Linux 3.9)
185 CLONE_NEWUSER was specified in flags and the caller is in a
186 chroot environment (i.e., the caller's root directory does not
187 match the root directory of the mount namespace in which it
188 resides).
189
190 EUSERS (from Linux 3.11 to Linux 4.8)
191 CLONE_NEWUSER was specified in flags, and the limit on the num‐
192 ber of nested user namespaces would be exceeded. See the dis‐
193 cussion of the ENOSPC error above.
194
196 The unshare() system call was added to Linux in kernel 2.6.16.
197
199 The unshare() system call is Linux-specific.
200
202 Not all of the process attributes that can be shared when a new process
203 is created using clone(2) can be unshared using unshare(). In particu‐
204 lar, as at kernel 3.8, unshare() does not implement flags that reverse
205 the effects of CLONE_SIGHAND, CLONE_THREAD, or CLONE_VM. Such func‐
206 tionality may be added in the future, if required.
207
209 The program below provides a simple implementation of the unshare(1)
210 command, which unshares one or more namespaces and executes the command
211 supplied in its command-line arguments. Here's an example of the use
212 of this program, running a shell in a new mount namespace, and verify‐
213 ing that the original shell and the new shell are in separate mount
214 namespaces:
215
216 $ readlink /proc/$$/ns/mnt
217 mnt:[4026531840]
218 $ sudo ./unshare -m /bin/bash
219 # readlink /proc/$$/ns/mnt
220 mnt:[4026532325]
221
222 The differing output of the two readlink(1) commands shows that the two
223 shells are in different mount namespaces.
224
225 Program source
226
227 /* unshare.c
228
229 A simple implementation of the unshare(1) command: unshare
230 namespaces and execute a command.
231 */
232 #define _GNU_SOURCE
233 #include <sched.h>
234 #include <unistd.h>
235 #include <stdlib.h>
236 #include <stdio.h>
237
238 /* A simple error-handling function: print an error message based
239 on the value in 'errno' and terminate the calling process */
240
241 #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \
242 } while (0)
243
244 static void
245 usage(char *pname)
246 {
247 fprintf(stderr, "Usage: %s [options] program [arg...]\n", pname);
248 fprintf(stderr, "Options can be:\n");
249 fprintf(stderr, " -i unshare IPC namespace\n");
250 fprintf(stderr, " -m unshare mount namespace\n");
251 fprintf(stderr, " -n unshare network namespace\n");
252 fprintf(stderr, " -p unshare PID namespace\n");
253 fprintf(stderr, " -u unshare UTS namespace\n");
254 fprintf(stderr, " -U unshare user namespace\n");
255 exit(EXIT_FAILURE);
256 }
257
258 int
259 main(int argc, char *argv[])
260 {
261 int flags, opt;
262
263 flags = 0;
264
265 while ((opt = getopt(argc, argv, "imnpuU")) != -1) {
266 switch (opt) {
267 case 'i': flags |= CLONE_NEWIPC; break;
268 case 'm': flags |= CLONE_NEWNS; break;
269 case 'n': flags |= CLONE_NEWNET; break;
270 case 'p': flags |= CLONE_NEWPID; break;
271 case 'u': flags |= CLONE_NEWUTS; break;
272 case 'U': flags |= CLONE_NEWUSER; break;
273 default: usage(argv[0]);
274 }
275 }
276
277 if (optind >= argc)
278 usage(argv[0]);
279
280 if (unshare(flags) == -1)
281 errExit("unshare");
282
283 execvp(argv[optind], &argv[optind]);
284 errExit("execvp");
285 }
286
288 unshare(1), clone(2), fork(2), kcmp(2), setns(2), vfork(2), names‐
289 paces(7)
290
291 Documentation/userspace-api/unshare.rst in the Linux kernel source tree
292 (or Documentation/unshare.txt before Linux 4.12)
293
295 This page is part of release 5.04 of the Linux man-pages project. A
296 description of the project, information about reporting bugs, and the
297 latest version of this page, can be found at
298 https://www.kernel.org/doc/man-pages/.
299
300
301
302Linux 2019-03-06 UNSHARE(2)