Starting a shell with this:
bwrap --unshare-pid --unshare-user --dev-bind / / bash
In another shell on the host we can see this with lsns:
4026532550 user 2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532552 mnt 2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532562 pid 2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
lsns in the namespace reports:
4026531834 time 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531835 cgroup 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531838 uts 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531839 ipc 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531992 net 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532550 user 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532552 mnt 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532562 pid 3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
The main question:
How to start a second shell in the same namespaces as the first?
Bonus question:
From my understanding there is also an intermediate namespace (only a user namespace?) created by bubblewrap, in most cases.
Is it possible to start a shell in the intermediate namespaces created by bubblewrap?
Would it be useless because all privileges are already dropped by bubblewrap from the intermediate namespace?
The idea would be that further mounts/unmounts can be done in the final namespace from the intermediate namespace, or some other privileged stuff.
Any solution is welcome, preferably with bubblewrap, otherwise preferably nsenter, but raw setns syscalls are also fine for a PoC.
Note that bwrap is not setuid; I launch bwrap as an unprivileged user. All types of namespaces are enabled in the kernel and they are working correctly as an unprivileged user afaik.
According to this issue https://github.com/containers/bubblewrap/issues/253, bubblewrap can only create new mount namespaces, so this problem might not be possible to solve with bubblewrap alone as of now.
Bubblewrap is doing a great job at creating the initial namespaces, simple and enough configuration; if it creates namespaces that can't be correctly re-entered in any way I might be able to patch bubblewrap so that it allows it, or ditch it altogether and write my own setns wrapper based on how bubblewrap does most things.
Flatpak uses bubblewrap and allows entering namespaces, and has checks for whether bubblewrap creates an intermediate namespace. I tried to understand the code at https://github.com/flatpak/flatpak/blob/4735e3ea90d9cfa7237aa1de7818ba396a45f084/app/flatpak-builtins-enter.c but I couldn't get that to work manually.
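One way to do the join the question asks about with raw setns(2) calls, as an added example that is not part of the original post and is not code from bubblewrap or flatpak. It assumes Linux 4.9 or later (for the NS_GET_USERNS ioctl documented in ioctl_ns(2)), a glibc that exports setns(), and that it runs as the same unprivileged user that launched bwrap; the PID argument is the bwrap'd bash (1799976 in the lsns listings above). The point it demonstrates: nsenter can only open what appears under /proc/PID/ns, and a user namespace with no processes left in it does not appear there, but the mount namespace it owns still holds a reference to it, which NS_GET_USERNS hands back. Joining that owning user namespace first (allowed for the owner's uid, per user_namespaces(7)) is what supplies the CAP_SYS_ADMIN that the later mnt and pid joins require; the sandbox's own user namespace, when bwrap created a second one, is entered last because inside it no capability over the mount namespace remains.

```python
#!/usr/bin/env python3
"""Join the user, mount and pid namespaces of a running bwrap sandbox.

Added example, not code from the question, bubblewrap or flatpak.
Assumes Linux >= 4.9 (ioctl_ns(2)), a glibc exporting setns(), and that
the caller is the same unprivileged user that launched bwrap.

Usage:  python3 enter_bwrap.py 1799976 [command...]
"""
import ctypes
import fcntl
import os
import sys

# Namespace types from <sched.h>
CLONE_NEWNS = 0x00020000
CLONE_NEWUSER = 0x10000000
CLONE_NEWPID = 0x20000000

# ioctl_ns(2): NS_GET_USERNS = _IO(0xb7, 1), NS_GET_PARENT = _IO(0xb7, 2)
NS_GET_USERNS = 0xB701
NS_GET_PARENT = 0xB702

_libc = ctypes.CDLL(None, use_errno=True)  # symbols of the running process (libc)
_setns = getattr(_libc, "setns", None)
if _setns is not None:
    _setns.argtypes = (ctypes.c_int, ctypes.c_int)
    _setns.restype = ctypes.c_int


def setns(fd, nstype):
    """Thin wrapper over setns(2) that raises OSError with the kernel's errno."""
    if _setns is None:
        raise OSError("setns() not available in this libc")
    if _setns(fd, nstype) != 0:
        err = ctypes.get_errno()
        raise OSError(err, f"setns(nstype=0x{nstype:x}): {os.strerror(err)}")


def ns_id(fd):
    """Identity of a namespace handle: (st_dev, st_ino); the inode is what lsns prints."""
    st = os.fstat(fd)
    return (st.st_dev, st.st_ino)


def owning_userns(fd):
    """New fd for the user namespace that owns the namespace behind fd."""
    return fcntl.ioctl(fd, NS_GET_USERNS)


def plan_joins(owner_is_current, owner_is_target):
    """Order of setns() calls as a list of (label, nstype).

    The owning user namespace of the mount namespace goes first: the host
    user that created it may join it from the parent and gets a full
    capability set there, which the mnt/pid joins check for. The sandbox's
    own user namespace (a child, when bwrap made a second one) goes last.
    """
    plan = []
    if not owner_is_current:  # setns into the user ns we are already in is EINVAL
        plan.append(("mnt owner user", CLONE_NEWUSER))
    plan += [("mnt", CLONE_NEWNS), ("pid", CLONE_NEWPID)]
    if not owner_is_target:
        plan.append(("target user", CLONE_NEWUSER))
    return plan


def enter(pid, argv=("/bin/bash",), stay_in_owner=False):
    """Enter the namespaces of PID and run argv there; returns its exit code.

    stay_in_owner=True stops after the mnt/pid joins, leaving the command in
    the user namespace that owns the mount namespace (the 'intermediate' one).
    """
    handles = {name: os.open(f"/proc/{pid}/ns/{name}", os.O_RDONLY)
               for name in ("user", "mnt", "pid")}
    # The intermediate user namespace (if any) has no processes, so it is not
    # under /proc/*/ns and not in lsns; the mount namespace it owns still
    # references it, and NS_GET_USERNS returns an fd for it. The pid namespace
    # is assumed to share that owner (bwrap creates both in one clone()).
    handles["mnt owner user"] = owning_userns(handles["mnt"])
    handles["target user"] = handles["user"]
    self_user = os.open("/proc/self/ns/user", os.O_RDONLY)
    try:
        owner = ns_id(handles["mnt owner user"])
        plan = plan_joins(
            owner_is_current=owner == ns_id(self_user),
            owner_is_target=stay_in_owner or owner == ns_id(handles["user"]),
        )
        for label, nstype in plan:
            setns(handles[label], nstype)
    finally:
        for fd in {self_user, *handles.values()}:
            os.close(fd)
    # A pid-namespace setns only applies to children, so fork before exec.
    child = os.fork()
    if child == 0:
        os.execvp(argv[0], list(argv))
    _, status = os.waitpid(child, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} PID [command...]")
    sys.exit(enter(int(sys.argv[1]), tuple(sys.argv[2:]) or ("/bin/bash",)))
```

Run it as `python3 enter_bwrap.py 1799976`; `lsns` inside the new shell should then list the same user, mnt and pid inodes as the second listing in the question. Calling `enter(pid, stay_in_owner=True)` leaves the shell in the owning user namespace instead, which is the bonus question's intermediate namespace: a process there holds CAP_SYS_ADMIN over the sandbox's mount namespace, so further mounts are possible from it. If `ns_id` of the owner equals the sandbox's own user namespace, bwrap did not create a second user namespace and there is nothing intermediate to enter.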