Add check for disabled unprivileged user namespace

2026-01-23 02:34:30 +00:00 · 2018-10-28 17:34:45 +11:00 · 2018-10-28 17:34:45 +11:00 · cc351f419d
commit cc351f419d
parent 5172093fe2
4 changed files with 55 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -425,17 +425,31 @@ Troubleshooting
 > since JuNest will try to preserve the JuNest environment by assigning ownership
 > of the files to the real user.

-## Not enabled User namespace or kernel too old ##
+## Unprivileged user namespace disable at kernel compile time or kernel too old ##

-> **Q**: Why do I get warning when I run JuNest via Linux namespaces?
+> **Q**: Why do I get this warning when I run JuNest via Linux namespaces?

    $> junest -u
-    User namespace is not enabled or Kernel too old (<3.8). Proceeding anyway...
+    Unprivileged user namespace is disabled at kernel compile time or kernel too old (<3.8). Proceeding anyway...
+
+> **A**: This means that JuNest detected that the host OS either
+> does not have a newer kernel version or the unprivileged user namespace
+> is not enabled at kernel compile time.
+> JuNest does not stop the execution of the program but it attempts to run it
+> anyway. Try to use Proot as backend program in case is not possible to invoke namespaces.
+
+## Unprivileged user namespace disabled
+
+> **Q**: Why do I get this warning when I run JuNest via Linux namespaces?
+
+    $> junest -u
+    Unprivileged user namespace disabled. Root permissions are required to enable it: sudo sysctl kernel.unprivileged_userns_clone=1

 > **A**: This means that JuNest detected that the host OS either
 > does not have a newer Linux version or the user namespace is not enabled.
 > JuNest does not stop the execution of the program but it attempts to run it
-> anyway. Try to use Proot as backend program in case is not possible to invoke namespaces.
+> anyway. If you have root permissions try to enable it, otherwise try to use
+> Proot as backend program.

 More documentation
 ==================
--- a/lib/core/common.sh
+++ b/lib/core/common.sh
@ -18,6 +18,7 @@ ROOT_ACCESS_ERROR=105
 NESTED_ENVIRONMENT=106
 VARIABLE_NOT_SET=107
 NO_CONFIG_FOUND=108
+UNPRIVILEGED_USERNS_DISABLED=109

 JUNEST_HOME=${JUNEST_HOME:-~/.${CMD}}
 JUNEST_BASE=${JUNEST_BASE:-${JUNEST_HOME}/opt/junest}
--- a/lib/core/namespace.sh
+++ b/lib/core/namespace.sh
@ -13,6 +13,7 @@

 CONFIG_PROC_FILE="/proc/config.gz"
 CONFIG_BOOT_FILE="/boot/config-$($UNAME -r)"
+PROC_USERNS_CLONE_FILE="/proc/sys/kernel/unprivileged_userns_clone"

 function _is_user_namespace_enabled() {
    local config_file=""
@ -30,6 +31,18 @@ function _is_user_namespace_enabled() {
    then
        return $NO_CONFIG_FOUND
    fi
+
+    if [[ ! -e $PROC_USERNS_CLONE_FILE ]]
+    then
+        return 0
+    fi
+
+    if ! zgrep_cmd -q "1" $PROC_USERNS_CLONE_FILE
+    then
+        return $UNPRIVILEGED_USERNS_DISABLED
+    fi
+
+    return 0
 }

 function _check_user_namespace() {
@ -37,7 +50,8 @@ function _check_user_namespace() {
    _is_user_namespace_enabled
    case $? in
        $NOT_EXISTING_FILE) warn "Could not understand if user namespace is enabled. No config.gz file found. Proceeding anyway..." ;;
-        $NO_CONFIG_FOUND) warn "User namespace is not enabled or Kernel too old (<3.8). Proceeding anyway..." ;;
+        $NO_CONFIG_FOUND) warn "Unprivileged user namespace is disabled at kernel compile time or kernel too old (<3.8). Proceeding anyway..." ;;
+        $UNPRIVILEGED_USERNS_DISABLED) warn "Unprivileged user namespace disabled. Root permissions are required to enable it: sudo sysctl kernel.unprivileged_userns_clone=1" ;;
    esac
    set -e
 }
--- a/tests/unit-tests/test-namespace.sh
+++ b/tests/unit-tests/test-namespace.sh
@ -75,6 +75,27 @@ function test_is_user_namespace_enabled_with_config(){
    gzip config
    CONFIG_PROC_FILE="config.gz"
    CONFIG_BOOT_FILE="blah"
+    PROC_USERNS_CLONE_FILE="not-existing-file"
+    assertCommandSuccess _is_user_namespace_enabled
+}
+
+function test_is_user_namespace_enabled_with_userns_clone_file_disabled(){
+    echo "CONFIG_USER_NS=y" > config
+    gzip config
+    CONFIG_PROC_FILE="config.gz"
+    CONFIG_BOOT_FILE="blah"
+    PROC_USERNS_CLONE_FILE="unprivileged_userns_clone"
+    echo "0" > $PROC_USERNS_CLONE_FILE
+    assertCommandFailOnStatus $UNPRIVILEGED_USERNS_DISABLED _is_user_namespace_enabled
+}
+
+function test_is_user_namespace_enabled_with_userns_clone_file_enabled(){
+    echo "CONFIG_USER_NS=y" > config
+    gzip config
+    CONFIG_PROC_FILE="config.gz"
+    CONFIG_BOOT_FILE="blah"
+    PROC_USERNS_CLONE_FILE="unprivileged_userns_clone"
+    echo "1" > $PROC_USERNS_CLONE_FILE
    assertCommandSuccess _is_user_namespace_enabled
 }