Depending on your SELinux setup, the order in which you join namespaces can be important. In general, user namespaces should *always* be joined and unshared first because then the other namespaces are correctly pinned and you have the right privileges within them. This also is very useful for rootless containers, as well as older kernels that had essentially broken unshare(2) and clone(2) implementations. This also includes huge refactorings in how we spawn processes for complicated reasons that I don't want to get into because it will make me spiral into a cloud of rage. The reasoning is in the giant comment in clone_parent. Have fun. In addition, because we now create multiple children with CLONE_PARENT, we cannot wait for them to SIGCHLD us in the case of a death. Thus, we have to resort to having a child kindly send us their exit code before they die. Hopefully this all works okay, but at this point there's not much more that we can do. Signed-off-by: Aleksa Sarai <asarai@suse.de>
/*
 * namespace.h: CLONE_NEW* namespace flag bits used by the nsenter code.
 *
 * Not every libc ships a <sched.h> that defines all of these flags
 * (CLONE_NEWCGROUP was added to the kernel much later than the others), so
 * each one is provided here as a fallback.  The values are kernel ABI
 * constants and must stay identical to include/uapi/linux/sched.h: a wrong
 * bit would silently select a different namespace type.
 * NOTE(review): these look like they are handed verbatim to unshare(2) /
 * setns(2) by the nsenter code — confirm in the caller.
 */
#ifndef NSENTER_NAMESPACE_H
#define NSENTER_NAMESPACE_H

/*
 * glibc only exposes the CLONE_* constants from <sched.h> when _GNU_SOURCE
 * is set.  NOTE(review): a feature-test macro only takes effect if it is
 * defined before the first libc header is included in the translation unit,
 * so this header must be included before any other system header (or
 * _GNU_SOURCE must be set on the command line) for this define to matter.
 */
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif

#include <sched.h>

/* All of these are taken from include/uapi/linux/sched.h */
#ifndef CLONE_NEWNS
# define CLONE_NEWNS 0x00020000 /* New mount namespace group */
#endif
#ifndef CLONE_NEWCGROUP
# define CLONE_NEWCGROUP 0x02000000 /* New cgroup namespace */
#endif
#ifndef CLONE_NEWUTS
# define CLONE_NEWUTS 0x04000000 /* New utsname namespace */
#endif
#ifndef CLONE_NEWIPC
# define CLONE_NEWIPC 0x08000000 /* New ipc namespace */
#endif
#ifndef CLONE_NEWUSER
# define CLONE_NEWUSER 0x10000000 /* New user namespace */
#endif
#ifndef CLONE_NEWPID
# define CLONE_NEWPID 0x20000000 /* New pid namespace */
#endif
#ifndef CLONE_NEWNET
# define CLONE_NEWNET 0x40000000 /* New network namespace */
#endif

#endif /* NSENTER_NAMESPACE_H */