7.1 KiB
IPC Namespace
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
An IPC (Inter-Process Communication) namespace is a Linux kernel feature that provides isolation of System V IPC objects, such as message queues, shared memory segments, and semaphores. This isolation ensures that processes in different IPC namespaces cannot directly access or modify each other's IPC objects, providing an additional layer of security and privacy between process groups.
How it works:
- When a new IPC namespace is created, it starts with a completely isolated set of System V IPC objects. This means that processes running in the new IPC namespace cannot access or interfere with the IPC objects in other namespaces or the host system by default.
- IPC objects created within a namespace are visible and accessible only to processes within that namespace. Each IPC object is identified by a unique key within its namespace. Although the key may be identical in different namespaces, the objects themselves are isolated and cannot be accessed across namespaces.
- Processes can move between namespaces using the
setns()
system call or create new namespaces using theunshare()
orclone()
system calls with theCLONE_NEWIPC
flag. When a process moves to a new namespace or creates one, it will start using the IPC objects associated with that namespace.
Lab:
Create different Namespaces
CLI
sudo unshare -i [--mount-proc] /bin/bash
By mounting a new instance of the /proc
filesystem if you use the param --mount-proc
, you ensure that the new mount namespace has an accurate and isolated view of the process information specific to that namespace.
Error: bash: fork: Cannot allocate memory
When unshare
is executed without the -f
option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below:
-
Problem Explanation:
- The Linux kernel allows a process to create new namespaces using the
unshare
system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - Running
%unshare -p /bin/bash%
starts/bin/bash
in the same process asunshare
. Consequently,/bin/bash
and its child processes are in the original PID namespace. - The first child process of
/bin/bash
in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace.
- The Linux kernel allows a process to create new namespaces using the
-
Consequence:
- The exit of PID 1 in a new namespace leads to the cleaning of the
PIDNS_HASH_ADDING
flag. This results in thealloc_pid
function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error.
- The exit of PID 1 in a new namespace leads to the cleaning of the
-
Solution:
- The issue can be resolved by using the
-f
option withunshare
. This option makesunshare
fork a new process after creating the new PID namespace. - Executing
%unshare -fp /bin/bash%
ensures that theunshare
command itself becomes PID 1 in the new namespace./bin/bash
and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation.
- The issue can be resolved by using the
By ensuring that unshare
runs with the -f
flag, the new PID namespace is correctly maintained, allowing /bin/bash
and its sub-processes to operate without encountering the memory allocation error.
Docker
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
Check which namespace is your process in
ls -l /proc/self/ns/ipc
lrwxrwxrwx 1 root root 0 Apr 4 20:37 /proc/self/ns/ipc -> 'ipc:[4026531839]'
Find all IPC namespaces
{% code overflow="wrap" %}
sudo find /proc -maxdepth 3 -type l -name ipc -exec readlink {} \; 2>/dev/null | sort -u
# Find the processes with an specific namespace
sudo find /proc -maxdepth 3 -type l -name ipc -exec ls -l {} \; 2>/dev/null | grep <ns-number>
{% endcode %}
Enter inside an IPC namespace
nsenter -i TARGET_PID --pid /bin/bash
Also, you can only enter in another process namespace if you are root. And you cannot enter in other namespace without a descriptor pointing to it (like /proc/self/ns/net
).
Create IPC object
# Container
sudo unshare -i /bin/bash
ipcmk -M 100
Shared memory id: 0
ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x2fba9021 0 root 644 100 0
# From the host
ipcs -m # Nothing is seen
References
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.