Variant for chroot ?
Posted Mar 13, 2026 9:42 UTC (Fri) by wtarreau (subscriber, #51152) In reply to: Variant for chroot ? by tamiko
Parent article: Practical uses for a null filesystem
I'm already using it for other stuff, and could indeed call unshare(CLONE_FS) in the program. But I seem to remember that abstract unix socket paths are affected by unshare(CLONE_FS). This could be an acceptable tradeoff for most use cases though.
> But out of curiosity: do you know "bubblewrap"?
No I don't.
> It is a fantastic helper tool to create lightweight sandboxes via namespaces. Best of all, you can run it as an unprivileged user. And it can do all of the sandboxing you're talking about.
I'm really talking about doing the sandboxing from within the daemon itself. Normally my programs boot, parse config files, load libraries etc., then chroot(), chdir() and drop privileges. Here I could indeed do unshare() instead of the first two steps and it would also work for unprivileged users, but maybe with an abns limitation that I'd need to recheck. Thanks for raising this hint I had just forgotten about!
