[lxc-devel] Nested namespaces

Stéphane Graber stgraber at ubuntu.com
Mon Sep 29 04:24:07 UTC 2014


On Sun, Sep 28, 2014 at 06:31:18PM -0500, riya khanna wrote:
> Hi,
> 
> As I understand, the kernel currently supports six namespaces. Is it
> possible for a process inside a container (running with different
> namespaces - all six) to escape the container by unshare()'ing?
> 
> Would this be different for privileged/unprivileged containers?
> 
> Thanks,
> Riya

It's certainly possible to unshare namespaces from within a container
but that's a feature, not an issue.

So you can't "escape" by unsharing, you can just get some new namespaces
set up, which are children of your current one.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
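
The parent/child relationship described in the reply can be checked from outside the unsharing process. The following is an added example, not part of the original message or of LXC: it uses the user namespace as the instance, assumes Linux 4.9 or later for the NS_GET_PARENT ioctl, and the function name child_userns_parent_is_ours is hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/nsfs.h>                  /* NS_GET_PARENT (Linux >= 4.9) */

/* 1: the child's new user namespace has ours as its parent; 0: it does not;
 * -1: could not test (user namespaces disabled, or blocked by seccomp/LSM). */
int child_userns_parent_is_ours(void)
{
    int ready[2], done[2], result = -1;
    char path[64], c = 0;
    struct stat ours, parent;

    if (pipe(ready) < 0 || pipe(done) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* stands in for the process in the container */
        close(ready[0]); close(done[1]);
        c = (unshare(CLONE_NEWUSER) == 0);  /* new namespace, nested in the current one */
        if (write(ready[1], &c, 1) != 1) _exit(1);
        if (read(done[0], &c, 1) < 0) _exit(1); /* stay alive while being inspected */
        _exit(0);
    }
    close(ready[1]); close(done[0]);
    if (read(ready[0], &c, 1) == 1 && c == 1) {
        snprintf(path, sizeof path, "/proc/%d/ns/user", (int)pid);
        int nsfd = open(path, O_RDONLY);
        int pfd = nsfd >= 0 ? ioctl(nsfd, NS_GET_PARENT) : -1;
        if (pfd >= 0 && fstat(pfd, &parent) == 0 &&
            stat("/proc/self/ns/user", &ours) == 0) /* same dev+inode = same namespace */
            result = parent.st_dev == ours.st_dev && parent.st_ino == ours.st_ino;
        if (pfd >= 0) close(pfd);
        if (nsfd >= 0) close(nsfd);
    }
    close(done[1]);                      /* EOF on the pipe releases the child */
    close(ready[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    int r = child_userns_parent_is_ours();
    puts(r == 1 ? "parent of the new user namespace is our namespace"
       : r == 0 ? "unexpected: parent differs" : "could not test here");
    return r == 0;
}
```

The lookup is done by the observing process because NS_GET_PARENT returns EPERM when the parent namespace is outside the caller's own namespace scope, which is the case for the process that has just unshared.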