I’m trying to mount overlayfs without being root in my C++ code; I would want to be able to have this mount happen and be visible just for my own process and its descendants:
    if(-1 == mount("overlay", "./mnt", "overlay", MS_MGC_VAL, "lowerdir=/,upperdir=./upper,workdir=./work"))
        std::cerr << "e: " << errno << std::endl;
    ....
Unfortunately the error I get is Operation not permitted.
How can I make this happen?
Even a simple tmpfs mount fails when not root; I’m running on a kernel 4.4.0-53.
Answer
One can do this programmatically via user namespaces, by invoking:

    clone(child_func, ..., CLONE_NEWNS | CLONE_NEWUSER | SIGCHLD, ...);
    ...
    int child_func(void* args) {
        mount("overlay", "./mnt", "overlay", MS_MGC_VAL, "lowerdir=/,upperdir=./upper,workdir=./work");
        ...
    }

Ideally you would also want to set up the /proc/<pid>/uid_map and /proc/<pid>/gid_map for better execution.
Probably the best example can be found on the man pages.
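
The approach from the answer as a complete program; this is an added example, not code from the original post. It uses fork() plus unshare() instead of clone() so the child can write its own /proc/self/uid_map and gid_map, and it mounts a tmpfs (the simpler case from the question) on a constructed scratch directory; mount_in_userns and id_map_line are hypothetical names.

```cpp
#include <sched.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <unistd.h>
#include <cstdlib>
#include <string>

// One-line map: ID `inside` in the namespace is ID `outside` in the parent.
std::string id_map_line(unsigned inside, unsigned outside) {
    return std::to_string(inside) + " " + std::to_string(outside) + " 1\n";
}

// procfs map files must be written with a single write() call.
static bool write_file(const char* path, const std::string& s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return false;
    bool ok = write(fd, s.data(), s.size()) == (ssize_t)s.size();
    close(fd);
    return ok;
}

// Returns 0 on success, 1 if the namespaces could not be created, 2 if the
// ID maps could not be written, 3 if mount() failed, -1 on setup failure.
int mount_in_userns() {
    char dir[] = "/tmp/userns-mnt-XXXXXX";   // constructed scratch mount point
    if (!mkdtemp(dir)) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        uid_t uid = getuid();                // IDs as seen before unshare()
        gid_t gid = getgid();
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(1);
        // An unprivileged process may write gid_map only after "deny".
        write_file("/proc/self/setgroups", "deny");
        if (!write_file("/proc/self/uid_map", id_map_line(0, uid)) ||
            !write_file("/proc/self/gid_map", id_map_line(0, gid))) _exit(2);
        // The child holds CAP_SYS_ADMIN inside its own user namespace, and
        // the mount exists only in its private mount namespace.
        if (mount("tmpfs", dir, "tmpfs", 0, "size=1m") != 0) _exit(3);
        _exit(0);                            // real code would do its work here
    }
    int status = 0;
    bool waited = pid > 0 && waitpid(pid, &status, 0) == pid;
    rmdir(dir);                              // the mount vanished with the child
    return (waited && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main() { return mount_in_userns(); }
```

A return value of 1 usually means unprivileged user namespaces are disabled or blocked on the host (for example by a sysctl or a container seccomp profile).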