Unprivileged containers: mount namespace

The mount namespace isolates the filesystem mount points for a process, so you can have different mounted filesystems.


We are using the same base class as in part 2 of this series. All code is available at bitbucket

import os

from base import ContainerBase
from system import libc

cb = ContainerBase()
cb.namespace_flags = libc.CLONE_NEWUSER | libc.CLONE_NEWNS
cb.run(os.system, 'bash')

Note that the flag for a mount namespaces is CLONE_NEWNS and not CLONE_NEWMOUNT or similar. This is for historical reasons; it was the first namespace.

Running this short script will put you in a shell with both a new user namespace and a new mount namespace.

You can now create a new directory and try various mount commands. It will become apparent that not all commands will work as a regular user. The following sections will discuss what will work and what will not.

Directory and file bind mounts

It is possible to use bind mounts. A directory can be bind mounted to another directory and the directory will appear to be at both places in the file system hierarchy.

$ mkdir mnt
$ mount --bind /etc mnt
$ ls mnt
DIR_COLORS                grub.d        printcap
DIR_COLORS.256color       grub2.cfg     profile
DIR_COLORS.lightbgcolor   gshadow       profile.d
GREP_COLORS               gshadow-      protocols
ImageMagick-6             gss           pulse

Can also bind mount a file on to a file

$ echo > fmnt
$ mount --bind /etc/passwd fmnt
$ head -2 fmnt

From an another terminal in the root namespace you will just see the empty file and directory.

When done detach the mount points with umount:

$ umount mnt
$ umount fmnt

Or just exiting the namespaced shell will also destroy the mount points.

There is no need for the file or directory that you are covering to be owned or have any particular permissions.

$ ls -l /etc/shadow
----------. 1 nfsnobody nfsnobody 1722 Sep 29 14:18 /etc/shadow
$ mount --bind passwd /etc/shadow
$ cat /etc/shadow

Of course this change to /etc/shadow is only visible in your namespace, it has no effect on the rest of the system!


If you are really root, rather than just root in a user namespace, then you can bind mount a directory that has other file systems mounted beneath it. The bind mount does not include those other filesystems and any file that is 'under' the mounted file system will be visible.

For example if /home is a separate file system, then if you mounted / onto a directory 'mnt', then you would usually see an empty directory at mnt/home.

In a user namespace however, it is simply not possible to bind mount a file system that has other file systems mounted beneath it by itself. You can however user the --rbind option to recursively bind the filesystem and the other filesystems beneath it.

Why? I speculate that this is done to prevent revealing files that are beneath the mounted filesystem.

Other file system that can be mounted

At this stage you are also able to mount the tmpfs, ramfs and devpts filesystems. Later on in this series it will be possible to mount the proc and sysfs filesystems.

It is worth noting that overlayfs filesystems can be mounted on Ubuntu but not on Fedora, as Ubuntu modifies the standard kernel to allow that.

What is not possible

  • You cannot mount regular filesystems even from file images that you can access.
  • In a non-user mount namespace you can un-mount a filesystem that is mounted in the parent namespace. You cannot do this in a user namespace.