Open tsalminenforce opened 1 month ago
Minimal reproducing:
sudo ./nsjail -R /usr/sbin -R /lib -R /lib64 -R /usr/bin -R /usr/lib -R /usr/share/zoneinfo -R /var/run/netns -- /usr/bin/bash
[I][2024-05-15T12:49:23+0300] Mode: STANDALONE_ONCE
[I][2024-05-15T12:49:23+0300] Jail parameters: hostname:'NSJAIL', chroot:'', process:'/usr/bin/bash', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0
[I][2024-05-15T12:49:23+0300] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/sbin' -> '/usr/sbin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/lib' -> '/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/lib64' -> '/lib64' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/bin' -> '/usr/bin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/lib' -> '/usr/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/usr/share/zoneinfo' -> '/usr/share/zoneinfo' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/var/run/netns' -> '/var/run/netns' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2024-05-15T12:49:23+0300] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false
[W][2024-05-15T12:49:23+0300][63653] logParams():313 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files
[I][2024-05-15T12:49:23+0300] Gid map: inside_gid:0 outside_gid:0 count:1 newgidmap:false
[W][2024-05-15T12:49:23+0300][63653] logParams():323 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files
[I][2024-05-15T12:49:23+0300] Executing '/usr/bin/bash' for '[STANDALONE MODE]'
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1# cat /var/run/netns/netns_before
cat: /var/run/netns/netns_before: Invalid argument
bash-5.1# cat /var/run/netns/netns_after
cat: /var/run/netns/netns_after: Permission denied
Bumped into this issue with current master (and older ones), where if there's a mount
then if I start bash in nsjail, create the namespace and try to access the namespace:
But if I stop the nsjail process and start it again:
I know cat isn't the correct way to enter a namespace, but it's used here just to illustrate that (at least) a network namespace created after the nsjail process started cannot be accessed.
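An added diagnostic, written for this issue rather than taken from nsjail or from the reporter: a small Python parser for /proc/self/mountinfo that reports, for a path such as /var/run/netns, whether it is a read-only private mount and which nsfs (namespace) mounts are visible beneath it from inside the jail. The mountinfo lines are constructed sample data and the function names are mine. The log above shows the directory bind-mounted with MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, and with private propagation a namespace mounted on the host afterwards does not appear in the jail's mount namespace; the check below lists which expected names lack an nsfs mount, which is the likely reason such a name behaves like a plain placeholder file rather than a namespace.

```python
"""Added diagnostic (not part of nsjail or of this issue): parse /proc/self/mountinfo
and report, for a directory such as /var/run/netns, how it was mounted and which
network-namespace (nsfs) mounts are visible beneath it from inside the jail."""
import re

# Constructed sample in /proc/self/mountinfo format, modelled on a jail whose
# /var/run/netns was bind-mounted MS_RDONLY|MS_PRIVATE at start-up. It is
# illustrative data, not output captured from the issue.
SAMPLE_MOUNTINFO = """\
40 39 0:45 / / ro,relatime - tmpfs none ro
41 40 8:2 /run/netns /var/run/netns ro,relatime - ext4 /dev/sda2 rw
42 41 0:4 net:[4026532201] /var/run/netns/netns_before rw - nsfs nsfs rw
43 40 0:46 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal escapes."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per mount. Field layout (see proc(5)):
    id parent major:minor root mountpoint options [optional...] - fstype source superopts"""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        sep = fields.index("-")          # the lone '-' terminates the optional fields
        mounts.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "root": _unescape(fields[3]),
            "mountpoint": _unescape(fields[4]),
            "options": fields[5].split(","),
            "optional": fields[6:sep],
            "fstype": fields[sep + 1],
            "source": _unescape(fields[sep + 2]),
        })
    return mounts


def propagation(mount):
    """Derive the propagation type from the optional fields; no tag means private."""
    tags = {f.split(":")[0] for f in mount["optional"]}
    if "unbindable" in tags:
        return "unbindable"
    if "master" in tags:
        return "slave"
    if "shared" in tags:
        return "shared"
    return "private"


def describe(text, target):
    """Summarise how `target` is mounted and which nsfs mounts sit directly under it."""
    mounts = parse_mountinfo(text)
    base = [m for m in mounts if m["mountpoint"] == target]
    if not base:
        return None
    top = base[-1]                        # the most recent mount on that path is on top
    prefix = target.rstrip("/") + "/"
    ns_mounts = sorted(
        m["mountpoint"][len(prefix):]
        for m in mounts
        if m["fstype"] == "nsfs" and m["mountpoint"].startswith(prefix)
    )
    return {
        "fstype": top["fstype"],
        "readonly": "ro" in top["options"],
        "propagation": propagation(top),
        "namespace_mounts": ns_mounts,
    }


def missing_namespaces(text, target, expected):
    """Names under `target` with no nsfs mount on top. Such a name is only the
    placeholder file that `ip netns add` creates, so opening it yields no namespace."""
    info = describe(text, target) or {"namespace_mounts": []}
    present = set(info["namespace_mounts"])
    return [name for name in expected if name not in present]


if __name__ == "__main__":
    print(describe(SAMPLE_MOUNTINFO, "/var/run/netns"))
    # With a private bind mount, anything mounted on the host afterwards stays
    # invisible here, which matches what the issue observes for netns_after.
    print("not visible:", missing_namespaces(SAMPLE_MOUNTINFO, "/var/run/netns",
                                             ["netns_before", "netns_after"]))
```

Run it inside the jail with the real file (`describe(open("/proc/self/mountinfo").read(), "/var/run/netns")`) to confirm whether the propagation is `private` and whether the namespace you created after start-up is absent from `namespace_mounts`; if it is, the missing entry is a mount-propagation effect rather than a file permission problem.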