unshare(2)                    System Calls Manual                    unshare(2)

       unshare -

       Standard C library (libc, -lc)

       #define _GNU_SOURCE
       #include <sched.h>

       int unshare(int flags);

       unshare() ( ) , ( ). , , fork(2) vfork(2), , , clone(2).

       unshare() -- .

       flags , . ( OR):

       CLONE_FILES
              CLONE_FILES clone(2). , .

       CLONE_FS
              CLONE_FS clone(2). , (chroot(2)), (chdir(2)) umask (umask(2)) .

       CLONE_NEWCGROUP (since Linux 4.6)
              CLONE_NEWCGROUP clone(2). cgroup.

              CLONE_NEWCGROUP CAP_SYS_ADMIN.

       CLONE_NEWIPC (since Linux 2.6.19)
              CLONE_NEWIPC clone(2). IPC , IPC, . CLONE_SYSVSEM.

              CLONE_NEWIPC CAP_SYS_ADMIN.

       CLONE_NEWNET (since Linux 2.6.24)
              CLONE_NEWNET clone(2). , , .

              CLONE_NEWNET CAP_SYS_ADMIN.

       CLONE_NEWNS
              CLONE_NEWNS clone(2). , , . CLONE_FS.

              CLONE_NEWNS CAP_SYS_ADMIN. mount_namespaces(7).

       CLONE_NEWPID (since Linux 3.8)
              CLONE_NEWPID clone(2). PID; PID , . . , , ID 1 init(1) .
              CLONE_NEWPID CLONE_THREAD.

              CLONE_NEWPID CAP_SYS_ADMIN. pid_namespaces(7).

       CLONE_NEWTIME (since Linux 5.6)
              Unshare the time namespace, so that the calling process has a
              new time namespace for its children which is not shared with
              any previously existing process. The calling process is not
              moved into the new namespace. Use of CLONE_NEWTIME requires
              the CAP_SYS_ADMIN capability. For further information, see
              time_namespaces(7).

       CLONE_NEWUSER (since Linux 3.8)
              CLONE_NEWUSER clone(2). ; , . , clone(2) CLONE_NEWUSER, .

              CLONE_NEWUSER , ; CLONE_NEWUSER CLONE_THREAD. Linux 3.9,
              CLONE_NEWUSER CLONE_FS. CLONE_NEWUSER , ID ID .

              user_namespaces(7).

       CLONE_NEWUTS (since Linux 2.6.19)
              CLONE_NEWUTS clone(2). UTS IPC , UTS, .

              CLONE_NEWUTS CAP_SYS_ADMIN.

       CLONE_SYSVSEM (since Linux 2.6.26)
              clone(2) CLONE_SYSVSEM. System V (semadj) , semadj, . , semadj ,
              (adjustments) semop(2).

       flags CLONE_THREAD, CLONE_SIGHAND CLONE_VM, (. ., ). ( , CLONE_THREAD
       CLONE_VM, CLONE_VM CLONE_SIGHAND). , .

       flags , unshare() , .

       0. -1, errno .

       EINVAL flags .

       EINVAL flags CLONE_THREAD, CLONE_SIGHAND CLONE_VM, .

       EINVAL CLONE_NEWIPC flags, CONFIG_SYSVIPC CONFIG_IPC_NS.

       EINVAL CLONE_NEWNET flags, CONFIG_NET_NS.
       EINVAL CLONE_NEWPID flags, CONFIG_PID_NS.

       EINVAL CLONE_NEWUSER flags, CONFIG_USER_NS.

       EINVAL CLONE_NEWUTS flags, CONFIG_UTS_NS.

       EINVAL CLONE_NEWPID flags, unshare() CLONE_NEWPID.

       ENOMEM , .

       ENOSPC (since Linux 3.7)
              CLONE_NEWPID, PID; pid_namespaces(7).

       ENOSPC (since Linux 4.9; previously EUSERS)
              CLONE_NEWUSER flags, . user_namespaces(7).

              Linux 3.11 Linux 4.8 EUSERS.

       ENOSPC (since Linux 4.9)
              flags , , /proc/sys/user. namespaces(7).

       EPERM  .

       EPERM  CLONE_NEWUSER flags, ID ID ( user_namespaces(7)).

       EPERM (since Linux 3.9)
              flags CLONE_NEWUSER chroot (. . , ).

       EUSERS (from Linux 3.11 to Linux 4.8)
              CLONE_NEWUSER flags, . ENOSPC, .

       Linux.

       Linux 2.6.16.

       , clone(2), unshare(). , 3.8 unshare() , CLONE_SIGHAND, CLONE_THREAD
       CLONE_VM. , .

       Creating all kinds of namespace, except user namespaces, requires the
       CAP_SYS_ADMIN capability. However, since creating a user namespace
       automatically confers a full set of capabilities, creating both a user
       namespace and any other type of namespace in the same unshare() call
       does not require the CAP_SYS_ADMIN capability in the original
       namespace.

       , , unshare(1), , . ; , :

           $ readlink /proc/$$/ns/mnt
           mnt:[4026531840]
           $ sudo ./unshare -m /bin/bash
           # readlink /proc/$$/ns/mnt
           mnt:[4026532325]

       readlink(1) , .

           /* unshare.c

              A simple implementation of the unshare(1) command: unshare
              namespaces and execute a command.
           */
           #define _GNU_SOURCE
           #include <err.h>
           #include <sched.h>
           #include <stdio.h>
           #include <stdlib.h>
           #include <unistd.h>

           /* Print the option summary and exit with a failure status. */
           static void
           usage(char *pname)
           {
               fprintf(stderr, "Usage: %s [options] program [arg...]\n", pname);
               fprintf(stderr, "Options can be:\n");
               fprintf(stderr, " -C unshare cgroup namespace\n");
               fprintf(stderr, " -i unshare IPC namespace\n");
               fprintf(stderr, " -m unshare mount namespace\n");
               fprintf(stderr, " -n unshare network namespace\n");
               fprintf(stderr, " -p unshare PID namespace\n");
               fprintf(stderr, " -t unshare time namespace\n");
               fprintf(stderr, " -u unshare UTS namespace\n");
               fprintf(stderr, " -U unshare user namespace\n");
               exit(EXIT_FAILURE);
           }

           int
           main(int argc, char *argv[])
           {
               int flags, opt;

               flags = 0;

               /* Each option adds one CLONE_NEW* bit to the unshare() mask. */
               while ((opt = getopt(argc, argv, "CimnptuU")) != -1) {
                   switch (opt) {
                   case 'C': flags |= CLONE_NEWCGROUP;     break;
                   case 'i': flags |= CLONE_NEWIPC;        break;
                   case 'm': flags |= CLONE_NEWNS;         break;
                   case 'n': flags |= CLONE_NEWNET;        break;
                   case 'p': flags |= CLONE_NEWPID;        break;
                   case 't': flags |= CLONE_NEWTIME;       break;
                   case 'u': flags |= CLONE_NEWUTS;        break;
                   case 'U': flags |= CLONE_NEWUSER;       break;
                   default:  usage(argv[0]);
                   }
               }

               /* A program to execute is mandatory. */
               if (optind >= argc)
                   usage(argv[0]);

               if (unshare(flags) == -1)
                   err(EXIT_FAILURE, "unshare");

               /* Run the program inside the newly unshared namespaces. */
               execvp(argv[optind], &argv[optind]);
               err(EXIT_FAILURE, "execvp");
           }

       unshare(1), clone(2), fork(2), kcmp(2), setns(2), vfork(2),
       namespaces(7)

       Documentation/userspace-api/unshare.rst Linux ( Documentation/unshare.txt
       Linux 4.12)

       Azamat Hackimov, Dmitriy Ovchinnikov, Dmitry Bolkhovskikh, Katrin
       Kutepova, Yuri Kozlov, Kirill Rekhov

       GNU (GNU General Public License - GPL, 3)

Linux man-pages 6.12                 23 2024 .                       unshare(2)
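An added example, not part of the man page or of the man-pages project: a small C probe for the privilege rule stated above, that namespaces other than user namespaces need CAP_SYS_ADMIN unless they are created together with CLONE_NEWUSER in the same unshare() call. It runs each call in a forked child and reports whether this host grants that path to the current user; probe_unshare() and verdict() are names made up for this example.

```c
#define _GNU_SOURCE              /* must come before the first #include */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER            /* fallback if _GNU_SOURCE took no effect */
#include <linux/sched.h>
int unshare(int flags);
#endif

/* Call unshare(flags) in a throwaway child so the caller keeps its own
 * namespaces. Returns 0, the child's errno, or -1 if the probe failed. */
static int probe_unshare(int flags)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)                /* errno values fit in the exit status */
        _exit(unshare(flags) == -1 ? errno : 0);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Turn the two probe results into a finding, using the ERRORS list above. */
static const char *verdict(int alone, int with_user)
{
    if (alone == 0)
        return "caller has CAP_SYS_ADMIN; rerun as an unprivileged user";
    if (with_user == 0)
        return "unprivileged user namespaces are enabled";
    if (with_user == EINVAL)
        return "kernel built without CONFIG_USER_NS or CONFIG_UTS_NS";
    if (with_user == EPERM || with_user == ENOSPC || with_user == EUSERS)
        return "user namespace creation is denied or limited";
    return "inconclusive";
}

int main(void)
{
    int alone = probe_unshare(CLONE_NEWUTS);
    int with_user = probe_unshare(CLONE_NEWUSER | CLONE_NEWUTS);
    printf("CLONE_NEWUTS alone: %s\n", alone ? strerror(alone) : "ok");
    printf("with CLONE_NEWUSER: %s\n", with_user ? strerror(with_user) : "ok");
    printf("finding: %s\n", verdict(alone, with_user));
    return 0;
}
```

Run it as an ordinary user. An "enabled" finding means any local account can create the other namespace types without CAP_SYS_ADMIN in the original namespace; the per-user limits under /proc/sys/user (see namespaces(7)) are one control over that.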