Namespace

Last updated 1 year ago

Overview

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

API

System Calls

Several system calls create a new namespace or join an existing one.

The clone(2) system call creates a new process.

If the flags argument of the call specifies one or more of the CLONE_NEW* flags listed below, then new namespaces are created for each flag, and the child process is made a member of those namespaces.

The setns(2) system call allows the calling process to join an existing namespace.

The namespace to join is specified via a file descriptor that refers to one of the /proc/[pid]/ns files described below.

The unshare(2) system call moves the calling process to a new namespace.

If the flags argument of the call specifies one or more of the CLONE_NEW* flags listed below, then new namespaces are created for each flag, and the calling process is made a member of those namespaces.

Various ioctl(2) operations can be used to discover information about namespaces. These operations are described in ioctl_ns(2).

The `proc` Filesystem

For every process the kernel exposes one file per namespace kind under /proc/<PID>/ns/. Since Linux 3.8 these files are symbolic links.

If two processes are in the same namespace, then the device IDs and inode numbers of their /proc/<pid>/ns/xxx symbolic links will be the same. We can check this using the stat.st_dev and stat.st_ino fields returned by stat(2).

We can use readlink to read the content of the symbolic link:

$ readlink /proc/$$/ns/uts
uts:[4026531838]
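As an added example (not code from the original page), the following C program performs the stat(2) comparison described above and shows the effect of unshare(2): a forked child compares its own /proc/<pid>/ns/uts link before and after moving into a new user and UTS namespace. It assumes a Linux host with /proc mounted; whether the unshare succeeds depends on whether unprivileged user namespaces are enabled on that host.

```c
#define _GNU_SOURCE            /* unshare(2), sethostname(2) */
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* The check namespaces(7) describes: two /proc/<pid>/ns/<kind> links with
 * equal st_dev and st_ino refer to the same namespace.
 * Returns 1 = same namespace, 0 = different, -1 = a link could not be stat'ed. */
int same_namespace(pid_t a, pid_t b, const char *kind) {
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%d/ns/%s", (int)a, kind);
    snprintf(pb, sizeof pb, "/proc/%d/ns/%s", (int)b, kind);
    if (stat(pa, &sa) != 0 || stat(pb, &sb) != 0) return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Fork a child that notes its UTS namespace, optionally calls
 * unshare(CLONE_NEWUSER | CLONE_NEWUTS) (the new user namespace is what lets
 * an unprivileged process create the UTS namespace), sets a hostname only the
 * new namespace sees, and re-checks its own ns/uts link. The child compares
 * the links itself: once it owns a private user namespace the parent may no
 * longer be permitted to read the child's /proc/<pid>/ns entries.
 * Returns 1 = still shares the parent's UTS namespace, 0 = child got its own,
 * -1 = error (stat failed, or unshare refused with EPERM, EINVAL, ...). */
int uts_shared_after_fork(int do_unshare) {
    int fd[2], answer = -1;
    if (pipe(fd) != 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        char path[64];
        struct stat before, after;
        snprintf(path, sizeof path, "/proc/%d/ns/uts", (int)getpid());
        if (stat(path, &before) == 0 &&
            (!do_unshare || unshare(CLONE_NEWUSER | CLONE_NEWUTS) == 0) &&
            stat(path, &after) == 0) {
            if (do_unshare) sethostname("isolated", 8); /* invisible to parent */
            answer = before.st_dev == after.st_dev && before.st_ino == after.st_ino;
        }
        if (write(fd[1], &answer, sizeof answer) < 0) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    if (read(fd[0], &answer, sizeof answer) != sizeof answer) answer = -1;
    close(fd[0]);
    waitpid(child, NULL, 0);
    return answer;
}
```

A plain fork leaves the child in the parent's UTS namespace (result 1); after a successful unshare the child's link points at a different inode (result 0), while the parent's hostname is unchanged.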

Namespace Types

Type    | Flag used in APIs | Man page           | Isolates
--------|-------------------|--------------------|--------------------------------------
Cgroup  | CLONE_NEWCGROUP   | cgroup_namespaces  | Cgroup root directory
IPC     | CLONE_NEWIPC      | ipc_namespaces     | System V IPC, POSIX message queues
Network | CLONE_NEWNET      | network_namespaces | Network devices, stacks, ports, etc.
Mount   | CLONE_NEWNS       | mount_namespaces   | Mount points
PID     | CLONE_NEWPID      | pid_namespaces     | Process IDs
Time    | CLONE_NEWTIME     | time_namespaces    | Boot and monotonic clocks
User    | CLONE_NEWUSER     | user_namespaces    | User and group IDs
UTS     | CLONE_NEWUTS      | uts_namespaces     | Hostname and NIS domain name

Reference: namespaces(7) - Linux manual page