
setns

Intro

setns - reassociates the calling thread with an existing namespace (mount, network, PID, UTS, IPC, user, cgroup or time)

Description

The setns system call reassociates the calling thread with an existing namespace; it does not create or modify namespaces. The call takes two parameters: a file descriptor that refers to a namespace (normally opened from /proc/[pid]/ns/*, or, on Linux 5.8 and later, a PID file descriptor) and nstype, a CLONE_NEW* flag naming the namespace type the caller expects that descriptor to refer to, or 0 to accept any type. The call fails with EBADF if fd is not open; with EINVAL if fd does not refer to a namespace, if it refers to a namespace of a different type than nstype, if a multithreaded process tries to join a user namespace, or if the caller tries to reenter its current user namespace; and with EPERM if the caller lacks CAP_SYS_ADMIN in the user namespace that owns the target namespace (for a user namespace, CAP_SYS_ADMIN in the target namespace itself; for a mount namespace, additionally CAP_SYS_CHROOT and CAP_SYS_ADMIN in the caller's own user namespace). In practice, joining another process's namespace is a privileged operation, and a process that joins a user namespace acquires a full capability set within it.

Joining a namespace disassociates the calling thread (not the whole process) from its previous namespace of that type, and the new view of mount points, network devices, hostname or process identifiers is in effect when the call returns. Two subtleties matter when reading the event: joining a PID namespace does not move the caller itself, only children created afterwards are born in the target PID namespace (/proc/[pid]/ns/pid_for_children shows it, while /proc/[pid]/ns/pid is unchanged), and a thread that shares filesystem attributes (CLONE_FS) with another thread cannot join a mount namespace (EINVAL).

Arguments

  • fd:int[U] - A file descriptor that refers to an existing namespace: a /proc/[pid]/ns/* entry or, from Linux 5.8, a PID file descriptor.
  • nstype:int[K] - The namespace type the caller expects fd to refer to (CLONE_NEWNS, CLONE_NEWNET, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWCGROUP or CLONE_NEWTIME), or 0 to accept any type. With a PID file descriptor, nstype is a bitmask and may name several namespaces to join at once.
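
An added example of the call described above, not Tracee code: a small nsenter-like program that opens /proc/<pid>/ns/<type>, joins it with setns(2) and reports the namespace inode before and after. Its helpers return 0 or -errno so that EBADF (bad descriptor), EINVAL (not a namespace, or the wrong type for nstype) and EPERM (no CAP_SYS_ADMIN in the owning user namespace) can be told apart, which is the error behaviour a monitoring rule sees when an unprivileged process tries the call. The helper names (nstype_name, join_ns_fd, join_ns_of, parse_ns_inode, self_ns_inode) are the example's own; it assumes Linux with glibc and a mounted /proc, and it needs CAP_SYS_ADMIN to actually switch into another process's namespace.

```c
/* Added example (not Tracee code): an nsenter-like tool built on setns(2).
 * Assumes Linux with glibc and a mounted /proc. Joining another process's
 * namespace needs CAP_SYS_ADMIN in the user namespace that owns it.
 * Build: cc -Wall -o nsjoin nsjoin.c ; usage: ./nsjoin <pid> [mnt|net|pid|uts|ipc|user] */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Fallbacks in case sched.h was processed before _GNU_SOURCE took effect. */
int setns(int fd, int nstype);
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif
/* CLONE_NEW* flag <-> /proc/<pid>/ns/ entry name. */
static const struct { int flag; const char *name; } ns_table[] = {
    { CLONE_NEWNS, "mnt" },  { CLONE_NEWNET, "net" }, { CLONE_NEWPID, "pid" },
    { CLONE_NEWUTS, "uts" }, { CLONE_NEWIPC, "ipc" }, { CLONE_NEWUSER, "user" },
};
static const char *nstype_name(int nstype)            /* NULL if unknown */
{
    for (size_t i = 0; i < sizeof ns_table / sizeof *ns_table; i++)
        if (ns_table[i].flag == nstype) return ns_table[i].name;
    return NULL;
}
static int nstype_from_name(const char *name)          /* 0 if unknown */
{
    for (size_t i = 0; i < sizeof ns_table / sizeof *ns_table; i++)
        if (strcmp(ns_table[i].name, name) == 0) return ns_table[i].flag;
    return 0;
}
/* Link target of /proc/<pid>/ns/<name>, e.g. "net:[4026531992]" -> 4026531992; 0 if malformed. */
static unsigned long parse_ns_inode(const char *link)
{
    const char *lb = strchr(link, '[');
    if (!lb) return 0;
    char *end;
    unsigned long ino = strtoul(lb + 1, &end, 10);
    return *end == ']' ? ino : 0;
}
/* Inode of the caller's current namespace, read from /proc/self/ns/<entry>. */
static unsigned long self_ns_inode(const char *entry)
{
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", entry);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    return parse_ns_inode(link);
}
/* setns(2) on an open descriptor; returns 0 or -errno so that EBADF (bad fd), EINVAL
 * (not a namespace, or not of type nstype) and EPERM (no CAP_SYS_ADMIN) stay distinct. */
static int join_ns_fd(int fd, int nstype)
{
    return setns(fd, nstype) == 0 ? 0 : -errno;
}
/* Open /proc/<pid>/ns/<type> and join it. nstype is passed through, so the kernel
 * refuses with EINVAL if the descriptor turns out to be a namespace of another type. */
static int join_ns_of(pid_t pid, int nstype)
{
    const char *name = nstype_name(nstype);
    char path[64];
    if (!name) return -EINVAL;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    int rc = join_ns_fd(fd, nstype);
    close(fd);
    return rc;
}
int main(int argc, char **argv)
{
    int nstype = argc > 2 ? nstype_from_name(argv[2]) : CLONE_NEWNET;
    if (argc < 2 || !nstype) { fprintf(stderr, "usage: %s <pid> [mnt|net|pid|uts|ipc|user]\n", argv[0]); return 2; }
    const char *name = nstype_name(nstype);
    unsigned long before = self_ns_inode(name);
    int rc = join_ns_of((pid_t)atoi(argv[1]), nstype);
    if (rc) { fprintf(stderr, "setns(%s): %s\n", name, strerror(-rc)); return 1; }
    printf("%s namespace: %lu -> %lu\n", name, before, self_ns_inode(name));
    /* A PID namespace join does not move the caller: /proc/self/ns/pid is unchanged,
     * pid_for_children names the target, and only children created from now on live in it. */
    if (nstype == CLONE_NEWPID) {
        printf("pid_for_children: %lu\n", self_ns_inode("pid_for_children"));
        pid_t child = fork();
        if (child == 0) { printf("child sees itself as pid %d\n", (int)getpid()); _exit(0); }
        if (child > 0) waitpid(child, NULL, 0);
    }
    return 0;
}
```

Run as root with the PID of a container's init process (for example `./nsjoin $(docker inspect -f '{{.State.Pid}}' <container>) net`) and the net inode changes; run it unprivileged and the same call fails with EPERM, while passing a non-namespace descriptor or the wrong nstype fails with EINVAL before any permission check. Under a seccomp profile that denies setns outright (Docker's default profile does so unless the container has CAP_SYS_ADMIN), every variant returns EPERM, including the bad-descriptor case, which is how a monitoring rule can tell a blocked call from a permission failure.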

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_setns

Type

Syscall tracepoint (eBPF program attached to the sys_enter/sys_exit raw tracepoints, as for Tracee's other syscall events)

Purpose

Logging/Monitoring of the setns syscall, to detect a process joining namespaces it should not reach (for example a containerized process entering the host's mount, PID or network namespace) and to audit legitimate namespace entry by container runtimes and debugging tools.

Example Use Case

Container runtimes and administration tools such as nsenter(1) and docker exec use setns to run a command inside an existing container's namespaces, for example to inspect or debug it. From a monitoring point of view, a setns call made from inside a container, or by a process that is not a known runtime or administration tool, is worth alerting on, because it marks a process crossing an isolation boundary.

Issues

setns is the mechanism by which a process crosses namespace boundaries, so it is central to container escapes: a process that can open a host process's /proc/[pid]/ns/* entries (for example through a host /proc mounted into a privileged container) and that holds CAP_SYS_ADMIN can join the host's mount, PID and network namespaces. The kernel enforces that the caller has CAP_SYS_ADMIN in the user namespace owning the target namespace, so an unprivileged user cannot join namespaces owned by a more privileged user namespace. Detection should therefore focus on setns calls made by container workloads, and since the event records only the descriptor number, correlating it with the preceding open of a /proc/[pid]/ns/ path identifies which namespace was targeted.

Related Events

  • clone() - creates a child process, optionally in new namespaces (CLONE_NEW* flags)
  • unshare() - splits away parts of the thread's current execution context into new namespaces without creating a child process

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.