plucky (3) userbindmount_string.3.gz

Provided by: libuserbindmount-dev_0.1-3_amd64

NAME

       userbindmount,       userbindmount_unshare,      userbindmount_set_cap_sysadm,      userbindmount_string,
       userbindmount_data, userbindmount_fd - bind-mount in user-namespaces

SYNOPSIS

       #include <userbindmount.h>
       int userbindmount(const char *source, const char *target);
       int userbindmount_unshare(void);
       int userbindmount_set_cap_sysadm(void);
       int userbindmount_string(const char *string, const char *target, mode_t mode);
       int userbindmount_data(const void *data, size_t count, const char *target, mode_t mode);
       int userbindmount_fd(int fd, const char *target, mode_t mode);

       These functions are provided by libuserbindmount. Link with -luserbindmount.

DESCRIPTION

       Libuserbindmount is a library providing support for bind mounts inside user namespaces.

       userbindmount bind-mounts source on target.  If bind mounting is not permitted in the  current  namespace,
       it first creates (unshares) a new user namespace.

       userbindmount_unshare creates a new user namespace in which bind mounts are allowed.

       userbindmount_set_cap_sysadm adds the CAP_SYS_ADMIN ambient capability in the current namespace, so  that
       the  ability  to bind-mount files and directories is passed on to newly executed programs (ambient capabi-
       lities survive execve(2)).

       userbindmount_string bind-mounts on target a temporary file whose (text) contents are  given  by  string.
       The  temporary  file  is automatically deleted when the namespace is closed or the file/directory is un-
       mounted.

       userbindmount_data bind-mounts on target a temporary file whose (binary) contents are given by  data  and
       are  count  bytes  long.  The temporary file is automatically deleted when the namespace is closed or the
       file/directory is unmounted.

       userbindmount_fd bind-mounts on target a temporary file whose contents are read from the  file  descriptor
       fd  (up  to  end  of  file).  The temporary file is automatically deleted when the namespace is closed or
       the file/directory is unmounted.

RETURN VALUE

       All the functions provided by libuserbindmount return 0 on success.  Otherwise -1 is returned  and  errno
       is set appropriately.

NOTES

       Libuserbindmount fails if user namespaces have not been configured in the running kernel or have not been
       enabled for unprivileged users.  In Debian the sysctl knob kernel.unprivileged_userns_clone must be set to 1.

EXAMPLES

       The following excerpts of C code show the use of libuserbindmount.  Including the header file  of  this
       library is required:
              #include <userbindmount.h>

       Bind-mount /tmp/resolv.conf on /etc/resolv.conf:
              userbindmount("/tmp/resolv.conf", "/etc/resolv.conf");

       Bind-mount a string on /etc/resolv.conf:
              userbindmount_string("nameserver 9.9.9.9\n", "/etc/resolv.conf", 0600);

       Bind-mount binary data on /proc/self/cmdline:
              static char fakeargv[] = {'c','m','d',0,
                   'a','r','g','1',0,
                   'a','r','g','2',0,
                   0};
              userbindmount_data(fakeargv, sizeof(fakeargv), "/proc/self/cmdline", 0600);
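       The fakeargv buffer above is spelled out byte by byte.  The following added example (not part of  libuser-
       bindmount)  builds  the  same  NUL-separated layout that /proc/self/cmdline uses from an ordinary argv-style
       array, checks the buffer capacity, and parses it back; the resulting buffer and length are what  one  would
       pass to userbindmount_data(buf, len, "/proc/self/cmdline", 0600).  Function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not part of libuserbindmount.  Build the buffer layout of
 * /proc/self/cmdline ("arg0\0arg1\0...argN\0", one NUL after every argument)
 * from a NULL-terminated argv-style array.  Returns the number of bytes
 * written, or 0 if buf (of capacity cap) is too small.  Note that the
 * manual's hand-written fakeargv carries one extra trailing zero byte.
 */
size_t build_cmdline(char *const argv[], char *buf, size_t cap)
{
    size_t len = 0;
    for (size_t i = 0; argv[i] != NULL; i++) {
        size_t n = strlen(argv[i]) + 1;   /* argument plus its NUL */
        if (len + n > cap)
            return 0;                     /* would overflow buf */
        memcpy(buf + len, argv[i], n);
        len += n;
    }
    return len;
}

/*
 * Count the arguments in a cmdline buffer of len bytes, i.e. the number
 * of NUL-terminated strings it contains (round-trip check of the above).
 */
size_t count_cmdline_args(const char *buf, size_t len)
{
    size_t count = 0, i = 0;
    while (i < len) {
        size_t n = strnlen(buf + i, len - i);
        count++;
        i += n + 1;
    }
    return count;
}
```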

       Bind-mount the data read from a file descriptor on /etc/resolv.conf:
              userbindmount_fd(STDIN_FILENO, "/etc/resolv.conf", 0600);

       Bind-mount several files or directories:
              userbindmount("/tmp/resolv.conf", "/etc/resolv.conf");
              userbindmount("/tmp/passwd", "/etc/passwd");
              userbindmount("/tmp/hosts", "/etc/hosts");
       Only the first call to userbindmount creates a new namespace, if one is needed.

       The following program creates a namespace and runs a program in it.  In the new namespace  bind  mounts
       are allowed.
              #include <stdio.h>
              #include <unistd.h>
              #include <userbindmount.h>

              int main(int argc, char *argv[]) {
                   /* create a user namespace in which bind mounts are permitted */
                   if (userbindmount_unshare() < 0) {
                        perror("userbindmount_unshare");
                        return 1;
                   }
                   /* ambient CAP_SYS_ADMIN survives execve(2), so the child can mount too */
                   if (userbindmount_set_cap_sysadm() < 0) {
                        perror("userbindmount_set_cap_sysadm");
                        return 1;
                   }
                   execvp(argv[1], argv + 1);
                   perror("execvp");     /* reached only if execvp(2) fails */
                   return 1;
              }

       It can be compiled and tested in the following way:
              $ gcc -o unshare_sysadm unshare_sysadm.c -luserbindmount
              $ unshare_sysadm bash
              $ cat /etc/resolv.conf
              nameserver 127.0.0.1
              $ echo "nameserver 9.9.9.9" > /tmp/resolv.conf
              $ busybox mount --bind /tmp/resolv.conf /etc/resolv.conf
              $ cat /etc/resolv.conf
              nameserver 9.9.9.9
              $ exit
              $
       Please note that in the example the mount command from busybox has been used instead of the standard mount
       from  util-linux.  The standard mount command has not been updated to honour capabilities: it refuses to
       issue the mount system call if the effective user is not root, and so denies a legitimate operation.

SEE ALSO

       mount(2), mount(8), user_namespaces(7)

BUGS

       Bug reports should be addressed to <info@virtualsquare.org>

AUTHORS

       Renzo Davoli <renzo@cs.unibo.it>