1UNSHARE(2)                 Linux Programmer's Manual                UNSHARE(2)
2
3
4

NAME

6       unshare - disassociate parts of the process execution context
7

SYNOPSIS

9       #define _GNU_SOURCE
10       #include <sched.h>
11
12       int unshare(int flags);
13

DESCRIPTION

15       unshare()  allows  a  process  (or thread) to disassociate parts of its
16       execution context that are currently being shared with other  processes
17       (or  threads).  Part of the execution context, such as the mount names‐
18       pace, is shared implicitly when a new process is created using  fork(2)
19       or  vfork(2),  while other parts, such as virtual memory, may be shared
20       by explicit request when creating a process or thread using clone(2).
21
22       The main use of unshare() is to allow a process to control  its  shared
23       execution context without creating a new process.
24
25       The flags argument is a bit mask that specifies which parts of the exe‐
26       cution context should be unshared.  This argument is specified by ORing
27       together zero or more of the following constants:
28
29       CLONE_FILES
30              Reverse  the  effect  of the clone(2) CLONE_FILES flag.  Unshare
31              the file descriptor table, so that the calling process no longer
32              shares its file descriptors with any other process.
33
34       CLONE_FS
35              Reverse  the  effect  of  the  clone(2)  CLONE_FS flag.  Unshare
36              filesystem attributes, so that the  calling  process  no  longer
37              shares   its   root  directory  (chroot(2)),  current  directory
38              (chdir(2)),  or  umask  (umask(2))  attributes  with  any  other
39              process.
40
41       CLONE_NEWCGROUP (since Linux 4.6)
42              This  flag  has  the same effect as the clone(2) CLONE_NEWCGROUP
43              flag.  Unshare the cgroup  namespace.   Use  of  CLONE_NEWCGROUP
44              requires the CAP_SYS_ADMIN capability.
45
46       CLONE_NEWIPC (since Linux 2.6.19)
47              This flag has the same effect as the clone(2) CLONE_NEWIPC flag.
48              Unshare the IPC namespace, so that the  calling  process  has  a
49              private  copy  of the IPC namespace which is not shared with any
50              other  process.   Specifying  this  flag  automatically  implies
51              CLONE_SYSVSEM   as  well.   Use  of  CLONE_NEWIPC  requires  the
52              CAP_SYS_ADMIN capability.
53
54       CLONE_NEWNET (since Linux 2.6.24)
55              This flag has the same effect as the clone(2) CLONE_NEWNET flag.
56              Unshare  the  network  namespace, so that the calling process is
57              moved into a new network namespace which is not shared with  any
58              previously  existing  process.  Use of CLONE_NEWNET requires the
59              CAP_SYS_ADMIN capability.
60
61       CLONE_NEWNS
62              This flag has the same effect as the clone(2) CLONE_NEWNS  flag.
63              Unshare  the  mount namespace, so that the calling process has a
64              private copy of its namespace which is not shared with any other
65              process.  Specifying this flag automatically implies CLONE_FS as
66              well.  Use of CLONE_NEWNS requires the CAP_SYS_ADMIN capability.
67              For further information, see mount_namespaces(7).
68
69       CLONE_NEWPID (since Linux 3.8)
70              This flag has the same effect as the clone(2) CLONE_NEWPID flag.
71              Unshare the PID namespace, so that the calling process has a new
72              PID namespace for its children which is not shared with any pre‐
73              viously existing process.  The calling process is not moved into
74              the  new  namespace.   The  first  child  created by the calling
75              process will have the process ID 1 and will assume the  role  of
76              init(1)   in  the  new  namespace.   CLONE_NEWPID  automatically
77              implies CLONE_THREAD as well.  Use of CLONE_NEWPID requires  the
78              CAP_SYS_ADMIN   capability.    For   further   information,  see
79              pid_namespaces(7).
80
81       CLONE_NEWUSER (since Linux 3.8)
82              This flag has the same  effect  as  the  clone(2)  CLONE_NEWUSER
83              flag.   Unshare  the user namespace, so that the calling process
84              is moved into a new user namespace which is not shared with  any
85              previously  existing process.  As with the child process created
86              by clone(2) with the CLONE_NEWUSER flag, the  caller  obtains  a
87              full set of capabilities in the new namespace.
88
89              CLONE_NEWUSER requires that the calling process is not threaded;
90              specifying  CLONE_NEWUSER  automatically  implies  CLONE_THREAD.
91              Since   Linux  3.9,  CLONE_NEWUSER  also  automatically  implies
92              CLONE_FS.  CLONE_NEWUSER requires that the user ID and group  ID
93              of  the  calling process are mapped to user IDs and group IDs in
94              the user namespace of the calling process at  the  time  of  the
95              call.
96
97              For  further  information  on  user  namespaces, see user_names‐
98              paces(7).
99
100       CLONE_NEWUTS (since Linux 2.6.19)
101              This flag has the same effect as the clone(2) CLONE_NEWUTS flag.
102              Unshare the UTS IPC namespace, so that the calling process has a
103              private copy of the UTS namespace which is not shared  with  any
104              other  process.   Use of CLONE_NEWUTS requires the CAP_SYS_ADMIN
105              capability.
106
107       CLONE_SYSVSEM (since Linux 2.6.26)
108              This flag reverses the  effect  of  the  clone(2)  CLONE_SYSVSEM
109              flag.  Unshare System V semaphore adjustment (semadj) values, so
110              that the calling process has a new empty semadj list that is not
111              shared with any other process.  If this is the last process that
112              has a reference to the process's current semadj list,  then  the
113              adjustments  in that list are applied to the corresponding sema‐
114              phores, as described in semop(2).
115
116       In addition, CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM can be specified
117       in  flags if the caller is single threaded (i.e., it is not sharing its
118       address space with another process or thread).   In  this  case,  these
119       flags have no effect.  (Note also that specifying CLONE_THREAD automat‐
120       ically implies CLONE_VM, and specifying CLONE_VM automatically  implies
121       CLONE_SIGHAND.)  If the process is multithreaded, then the use of these
122       flags results in an error.
123
124       If flags is specified as zero, then unshare() is a  no-op;  no  changes
125       are made to the calling process's execution context.
126

RETURN VALUE

128       On success, zero returned.  On failure, -1 is returned and errno is set
129       to indicate the error.
130

ERRORS

132       EINVAL An invalid bit was specified in flags.
133
134       EINVAL CLONE_THREAD, CLONE_SIGHAND, or CLONE_VM was specified in flags,
135              and the caller is multithreaded.
136
137       EINVAL CLONE_NEWIPC was specified in flags, but the kernel was not con‐
138              figured with the CONFIG_SYSVIPC and CONFIG_IPC_NS options.
139
140       EINVAL CLONE_NEWNET was specified in flags, but the kernel was not con‐
141              figured with the CONFIG_NET_NS option.
142
143       EINVAL CLONE_NEWPID was specified in flags, but the kernel was not con‐
144              figured with the CONFIG_PID_NS option.
145
146       EINVAL CLONE_NEWUSER was specified in flags, but  the  kernel  was  not
147              configured with the CONFIG_USER_NS option.
148
149       EINVAL CLONE_NEWUTS was specified in flags, but the kernel was not con‐
150              figured with the CONFIG_UTS_NS option.
151
152       EINVAL CLONE_NEWPID was specified in flags, but the process has  previ‐
153              ously called unshare() with the CLONE_NEWPID flag.
154
155       ENOMEM Cannot allocate sufficient memory to copy parts of caller's con‐
156              text that need to be unshared.
157
158       ENOSPC (since Linux 3.7)
159              CLONE_NEWPID was specified in flags, but the limit on the  nest‐
160              ing  depth  of  PID  namespaces  would  have  been exceeded; see
161              pid_namespaces(7).
162
163       ENOSPC (since Linux 4.9; beforehand EUSERS)
164              CLONE_NEWUSER was specified in flags, and the call  would  cause
165              the  limit  on  the  number  of  nested  user  namespaces  to be
166              exceeded.  See user_namespaces(7).
167
168              From Linux 3.11 to Linux 4.8, the error diagnosed in  this  case
169              was EUSERS.
170
171       ENOSPC (since Linux 4.9)
172              One  of the values in flags specified the creation of a new user
173              namespace, but doing so would have caused the limit  defined  by
174              the  corresponding  file  in /proc/sys/user to be exceeded.  For
175              further details, see namespaces(7).
176
177       EPERM  The calling process did not have  the  required  privileges  for
178              this operation.
179
180       EPERM  CLONE_NEWUSER  was  specified in flags, but either the effective
181              user ID or the effective group ID of the caller does not have  a
182              mapping in the parent namespace (see user_namespaces(7)).
183
184       EPERM (since Linux 3.9)
185              CLONE_NEWUSER  was  specified  in  flags  and the caller is in a
186              chroot environment (i.e., the caller's root directory  does  not
187              match  the  root  directory  of  the mount namespace in which it
188              resides).
189
190       EUSERS (from Linux 3.11 to Linux 4.8)
191              CLONE_NEWUSER was specified in flags, and the limit on the  num‐
192              ber  of  nested user namespaces would be exceeded.  See the dis‐
193              cussion of the ENOSPC error above.
194

VERSIONS

196       The unshare() system call was added to Linux in kernel 2.6.16.
197

CONFORMING TO

199       The unshare() system call is Linux-specific.
200

NOTES

202       Not all of the process attributes that can be shared when a new process
203       is created using clone(2) can be unshared using unshare().  In particu‐
204       lar, as at kernel 3.8, unshare() does not implement flags that  reverse
205       the  effects  of  CLONE_SIGHAND, CLONE_THREAD, or CLONE_VM.  Such func‐
206       tionality may be added in the future, if required.
207

EXAMPLE

209       The program below provides a simple implementation  of  the  unshare(1)
210       command, which unshares one or more namespaces and executes the command
211       supplied in its command-line arguments.  Here's an example of  the  use
212       of  this program, running a shell in a new mount namespace, and verify‐
213       ing that the original shell and the new shell  are  in  separate  mount
214       namespaces:
215
216           $ readlink /proc/$$/ns/mnt
217           mnt:[4026531840]
218           $ sudo ./unshare -m /bin/bash
219           # readlink /proc/$$/ns/mnt
220           mnt:[4026532325]
221
222       The differing output of the two readlink(1) commands shows that the two
223       shells are in different mount namespaces.
224
225   Program source
226
227       /* unshare.c
228
229          A simple implementation of the unshare(1) command: unshare
230          namespaces and execute a command.
231       */
232       #define _GNU_SOURCE
233       #include <sched.h>
234       #include <unistd.h>
235       #include <stdlib.h>
236       #include <stdio.h>
237
238       /* A simple error-handling function: print an error message based
239          on the value in 'errno' and terminate the calling process */
240
241       #define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \
242                               } while (0)
243
244       static void
245       usage(char *pname)
246       {
247           fprintf(stderr, "Usage: %s [options] program [arg...]\n", pname);
248           fprintf(stderr, "Options can be:\n");
249           fprintf(stderr, "    -i   unshare IPC namespace\n");
250           fprintf(stderr, "    -m   unshare mount namespace\n");
251           fprintf(stderr, "    -n   unshare network namespace\n");
252           fprintf(stderr, "    -p   unshare PID namespace\n");
253           fprintf(stderr, "    -u   unshare UTS namespace\n");
254           fprintf(stderr, "    -U   unshare user namespace\n");
255           exit(EXIT_FAILURE);
256       }
257
258       int
259       main(int argc, char *argv[])
260       {
261           int flags, opt;
262
263           flags = 0;
264
265           while ((opt = getopt(argc, argv, "imnpuU")) != -1) {
266               switch (opt) {
267               case 'i': flags |= CLONE_NEWIPC;        break;
268               case 'm': flags |= CLONE_NEWNS;         break;
269               case 'n': flags |= CLONE_NEWNET;        break;
270               case 'p': flags |= CLONE_NEWPID;        break;
271               case 'u': flags |= CLONE_NEWUTS;        break;
272               case 'U': flags |= CLONE_NEWUSER;       break;
273               default:  usage(argv[0]);
274               }
275           }
276
277           if (optind >= argc)
278               usage(argv[0]);
279
280           if (unshare(flags) == -1)
281               errExit("unshare");
282
283           execvp(argv[optind], &argv[optind]);
284           errExit("execvp");
285       }
286

SEE ALSO

288       unshare(1), clone(2),  fork(2),  kcmp(2),  setns(2),  vfork(2),  names‐
289       paces(7)
290
291       Documentation/userspace-api/unshare.rst in the Linux kernel source tree
292       (or Documentation/unshare.txt before Linux 4.12)
293

COLOPHON

295       This page is part of release 5.04 of the Linux  man-pages  project.   A
296       description  of  the project, information about reporting bugs, and the
297       latest    version    of    this    page,    can     be     found     at
298       https://www.kernel.org/doc/man-pages/.
299
300
301
302Linux                             2019-03-06                        UNSHARE(2)
Impressum