User Namespace and Capability Source Code Pointers


Task credentials include such information as a process's real, saved, effective, and filesystem user and group IDs; its permitted, effective, and inheritable capabilities; as well as its user namespace.

The task_struct structure, defined in include/linux/sched.h, has as an element a pointer to a cred structure, defined in the include/linux/cred.h header. This structure associates the process with its user and group IDs and capabilities.

The cred structure contains a pointer to a user_namespace structure, defined in include/linux/user_namespace.h. This associates the process with its user namespace, an association that is absent from the nsproxy structure (which holds the process's other namespaces).


Several system calls, including clone, unshare, and setns, control the namespaces to which a process belongs. Here, we provide pointers to functions, called during execution of these system calls, that pertain to user namespaces.

The kernel/fork.c file provides the clone syscall, which calls the copy_process() function; copy_process() performs the bulk of the work of copying a process, including creating any new namespaces requested by the corresponding CLONE_* flags.

Among the functions called by copy_process() is the copy_creds() function, defined in the kernel/cred.c file.

The copy_creds() function copies the process's cred structure, and (if necessary) creates a new user namespace with the create_user_ns() function, defined in the kernel/user_namespace.c file.

The kernel/fork.c file also provides the unshare syscall, which calls the ksys_unshare() function; ksys_unshare() performs the bulk of the work of unsharing namespaces.

Among the functions called by ksys_unshare() is the unshare_userns() function, also defined in the kernel/user_namespace.c file.


The libcap library provides a framework for programmatically modifying capability sets: it exposes (among others) the cap_get_proc, cap_set_flag, cap_set_proc, and cap_free functions, as well as the getcap and setcap utilities.

Under the hood, libcap uses the capget and capset syscalls, defined in the kernel/capability.c file.

The CAP_* constants corresponding to each capability are defined in the include/uapi/linux/capability.h header.
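As an added example (not code from the page or from libcap), the following program bypasses libcap and calls the capget and capset syscalls directly, using the CAP_* constants and the CAP_TO_INDEX/CAP_TO_MASK helpers from the uapi capability.h header. It reads the calling process's effective set and clears one capability from it, which is what cap_set_flag(CAP_EFFECTIVE, CAP_CLEAR) followed by cap_set_proc() does under the hood; the function names has_effective_cap and drop_effective_cap are constructed for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* _LINUX_CAPABILITY_VERSION_3 uses two 32-bit words per set (64 capability bits). */
#define CAP_WORDS 2

/* Fill `data` with the permitted/effective/inheritable sets of `pid` (0 = caller). */
static int read_caps(int pid, struct __user_cap_data_struct data[CAP_WORDS]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, pid };
    memset(data, 0, sizeof(struct __user_cap_data_struct) * CAP_WORDS);
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if `cap` (a CAP_* constant) is in the caller's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct __user_cap_data_struct data[CAP_WORDS];
    if (read_caps(0, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Clear `cap` from the effective set only; permitted and inheritable are left untouched,
   so this is a reversible drop (a process keeping the bit in permitted can re-raise it).
   Only clearing bits keeps effective a subset of permitted, so capset accepts the change
   even from an unprivileged caller. Returns 0 on success, -1 on error. */
int drop_effective_cap(int cap) {
    struct __user_cap_data_struct data[CAP_WORDS];
    if (read_caps(0, data) != 0)
        return -1;
    data[CAP_TO_INDEX(cap)].effective &= ~CAP_TO_MASK(cap);
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void) {
    /* Walk one capability through the read/modify/write cycle. */
    printf("CAP_NET_RAW effective before: %d\n", has_effective_cap(CAP_NET_RAW));
    if (drop_effective_cap(CAP_NET_RAW) != 0)
        perror("capset");
    printf("CAP_NET_RAW effective after:  %d\n", has_effective_cap(CAP_NET_RAW));
    return 0;
}
```

Comparing the output with `getpcaps $$` or /proc/self/status (CapEff) shows the same bit positions the kernel reports.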