Filesystem namespaces

Playing with namespaces in Linux is something that has been on my todo list for a very long time, and now I have finally made use of some spare time and energy I had. So, what is a namespace? Well, for those used to programming and such a namespace is just that: a space for unique names, in other words we will not have the same name for different things within that a namespace. For example “/home/user/myfile” and “/home/user/myfile” will not reference different files as long as it is in the same namespace at the same time. We are used to this being true in more or less all systems, however, if we had two applications running in different namespaces we could have mounted a different file-system on /home with completely different files in them in one of them.

What can we use this for? Some ideas of the top of my head; some services might not need to have /home available, so why not unmount it from its namespace? Make every user have their own /tmp? Maybe even making other users directories not visible with some wizard bind mounting tricks .. these are not new ideas, see how pam_namespace can help you achive this.

This if course begs the question of how do I detect that my namespace is different from the rest or if some other process is running in a different namespace? Rest assured this is easily done, just check /proc/$PID/mounts vs /proc/self/mounts.
So how do you create a new namespace easily? I havn’t really found a user utility to start new process in a new namespace, so if you do please leave a comment. But it is not very hard to write one, this small C-program should do it:

execvp(argv[1], &argv[1]);

And in compilable form: newns.c (gcc newns.c -o newns). You should now be able to execute “newns yourfavoriteshell” and have yourfavoriteshell running in a new copy of a namespace. To check that it works you could unmount /home f.ex. in this new shell, exit and then see that it is still mounted, fun huh?

When the last process in a namespace exits all the mounts in that namespace is of course unmounted, so you should not worry about namespaces out of your reach too much. But it should be noted that if I mount a tmpfs somewhere within a namespace A, how can I reach that mountpoint from outside that namespace? I havn’t been able to figure a way of doing this yet, altough, what you really want to do is join the namespace making it available to your chosen process. There really is no way of enumerating the namespaces either.. so, how do we get into one of the processes of the namespace? Well, we could always debug it, for example run gdb –pid process and x system(“mount someplace ; copy intersting files out”) .. well, it is a thought anyways .. it is not as straightforward, because you cannot rely on functions behaving the way you want running in an enviroment you do not control .. but, being realistic if an attacker already has root, you can often be kept out of the system so that you loose whatever the attacker is keeping from you. Anyways, I may get back to the issue a bit later ..

Leave a Reply