
Variant for chroot ?

Posted Mar 13, 2026 5:25 UTC (Fri) by tamiko (subscriber, #115350)
In reply to: Variant for chroot ? by wtarreau
Parent article: Practical uses for a null filesystem

It sounds like you're looking for the $ unshare helper program. Unsharing the current mount namespace and putting a child process into it has exactly the semantics you're looking for: when the child exits the namespace is removed as well.

The new nullfs mount has the advantage that you can start with a truly empty mount namespace instead of mounting over and sealing. That's at least my current understanding.

But out of curiosity: do you know "bubblewrap"? It is a fantastic helper tool to create lightweight sandboxes via namespaces. Best of all, you can run it as an unprivileged user. And it can do all of the sandboxing you're talking about.


Variant for chroot ?

Posted Mar 13, 2026 9:42 UTC (Fri) by wtarreau (subscriber, #51152) [Link] (1 responses)

> It sounds like you're looking for the $ unshare helper program. Unsharing the current mount namespace and putting a child process into it has exactly the semantics you're looking for: when the child exits the namespace is removed as well.

I'm already using it for other stuff, and could indeed call unshare(CLONE_FS) in the program. But I seem to remember that abstract unix socket paths are affected by unshare(CLONE_FS). This could be an acceptable tradeoff for most use cases though.

> But out of curiosity: do you know "bubblewrap"?

No I don't.

> It is a fantastic helper tool to create lightweight sandboxes via namespaces. Best of all, you can run it as an unprivileged user. And it can do all of the sandboxing you're talking about.

I'm really talking about doing the sandboxing from within the daemon itself. Normally my programs boot, parse config files, load libraries etc, then chroot(), chdir() and drop privileges. Here I could indeed do unshare() instead of the first two steps and it would also work for unprivileged users, but maybe with an abns limitation that I'd need to recheck. Thanks for raising this hint I had just forgotten about!

Variant for chroot ?

Posted Mar 13, 2026 13:57 UTC (Fri) by qyliss (subscriber, #131684) [Link]

> But I seem to remember that abstract unix socket paths are affected by unshare(CLONE_FS). This could be an acceptable tradeoff for most use cases though.

According to network_namespaces(7), those are scoped to the network namespace.
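An added example (editor's code, not from any commenter in this thread and not from the nullfs patches) that exercises the three points above in C. A forked child does the unshare() step a daemon would do in place of chroot()+chdir(), unprivileged: it creates a user namespace and, with it, a mount namespace (the flag for that is CLONE_NEWNS; CLONE_FS only unshares the cwd/root/umask state), mounts an empty tmpfs and chroots into it, then connects back to an abstract unix socket that the parent bound before forking. The socket is still reachable from inside the new mount namespace and becomes unreachable only when the child also asks for CLONE_NEWNET, which is what network_namespaces(7) says. When the child exits, its namespaces and the tmpfs go away with it. The socket name, the /tmp mount-point template and the choice of mapping the caller's own uid/gid into the new user namespace are assumptions of this example; it needs a kernel that permits unprivileged user namespaces and reports "unsupported" rather than failing where that is disabled (by seccomp, a sysctl or an LSM policy).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Abstract socket name chosen for this example only (not taken from the thread). */
#define ABNS_NAME "lwn-nullfs-demo"

enum {
    PROBE_CONNECTED   = 0, /* sandboxed child reached the parent's abstract socket */
    PROBE_REFUSED     = 1, /* ECONNREFUSED: the socket is not in the child's net namespace */
    PROBE_UNSUPPORTED = 2, /* this environment refuses unprivileged namespaces or mounts */
    PROBE_ERROR       = 3  /* anything else */
};

/* Abstract-namespace address: sun_path[0] == '\0', then the name, no NUL terminator. */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name) {
    size_t n = strlen(name);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Write one string into a /proc file (the id-map files want a single write()). */
static int write_proc(const char *path, const char *s) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    ssize_t w = fd < 0 ? -1 : write(fd, s, strlen(s));
    if (fd >= 0) close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

/* The thread's "unshare() instead of chroot()+chdir()" step, done unprivileged: a new
 * user namespace (so we may create the others), a new mount namespace (CLONE_NEWNS),
 * plus extra_flags (e.g. CLONE_NEWNET); an empty tmpfs at dir becomes the root.
 * Returns 0 or -errno. */
static int enter_sandbox(const char *dir, int extra_flags) {
    char map[64];
    unsigned uid = getuid(), gid = getgid(); /* read before unshare(): unmapped afterwards */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | extra_flags) < 0) return -errno;
    /* Map our own uid/gid into the new user namespace so later syscalls have a valid owner. */
    snprintf(map, sizeof map, "%u %u 1", uid, uid);
    if (write_proc("/proc/self/uid_map", map) < 0 || write_proc("/proc/self/setgroups", "deny") < 0)
        return -errno;
    snprintf(map, sizeof map, "%u %u 1", gid, gid);
    if (write_proc("/proc/self/gid_map", map) < 0) return -errno;
    /* Keep our mount changes from propagating back into the parent namespace. */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -errno;
    if (mount("tmpfs", dir, "tmpfs", MS_NOSUID | MS_NODEV, "size=64k,mode=0700") < 0) return -errno;
    if (chdir(dir) < 0 || chroot(".") < 0 || chdir("/") < 0) return -errno;
    return 0;
}

/* The parent listens on an abstract socket; a forked child enters the sandbox and tries
 * to connect back. The child's exit status (a PROBE_* value) is the result. */
int probe_abstract_socket(int extra_flags) {
    char dir[] = "/tmp/nullfs-demo-XXXXXX"; /* mount point for the empty tmpfs (example path) */
    struct sockaddr_un sa;
    socklen_t len = abstract_addr(&sa, ABNS_NAME);
    int status = 0;
    if (!mkdtemp(dir)) return PROBE_ERROR;
    int lfd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, len) < 0 || listen(lfd, 1) < 0) {
        close(lfd); rmdir(dir); return PROBE_ERROR;
    }
    pid_t pid = fork();
    if (pid == 0) {
        close(lfd);
        if (enter_sandbox(dir, extra_flags) < 0) _exit(PROBE_UNSUPPORTED);
        /* The old root must be unreachable: only the empty tmpfs is left. */
        if (access("/etc/passwd", F_OK) == 0 || errno != ENOENT) _exit(PROBE_ERROR);
        int cfd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (cfd >= 0 && connect(cfd, (struct sockaddr *)&sa, len) == 0) _exit(PROBE_CONNECTED);
        _exit(errno == ECONNREFUSED ? PROBE_REFUSED : PROBE_ERROR);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    close(lfd);
    rmdir(dir); /* the child's tmpfs died with its namespace; here dir is just an empty directory */
    return (pid < 0 || !WIFEXITED(status)) ? PROBE_ERROR : WEXITSTATUS(status);
}

int main(void) {
    static const char *const names[] = { "connected", "refused", "unsupported", "error" };
    printf("user+mount namespace  : %s\n", names[probe_abstract_socket(0)]);
    printf("... plus net namespace: %s\n", names[probe_abstract_socket(CLONE_NEWNET)]);
    return 0;
}
```

Build it with something like `cc -Wall -o nullfs-demo nullfs-demo.c` (file name is just a suggestion) and run it as a normal user: on a host that allows unprivileged user namespaces the first line reports "connected" and the second "refused"; where namespace creation is blocked both report "unsupported". Note that the sandbox only hides the filesystem: the daemon keeps every file descriptor it opened before the unshare() call, which is exactly the "boot, parse config, then lock down" order the thread describes.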


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds