hacktricks/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md
Carlos Polop ed03e5afcf a
2024-07-19 01:15:55 +02:00

7.2 KiB

CGroup Namespace

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

A cgroup namespace is a Linux kernel feature that provides isolation of cgroup hierarchies for processes running within a namespace. Cgroups, short for control groups, are a kernel feature that allows organizing processes into hierarchical groups to manage and enforce limits on system resources like CPU, memory, and I/O.

While cgroup namespaces are not a separate namespace type like the others we discussed earlier (PID, mount, network, etc.), they are related to the concept of namespace isolation. Cgroup namespaces virtualize the view of the cgroup hierarchy, so that processes running within a cgroup namespace have a different view of the hierarchy compared to processes running in the host or other namespaces.

How it works:

  1. When a new cgroup namespace is created, it starts with a view of the cgroup hierarchy based on the cgroup of the creating process. This means that processes running in the new cgroup namespace will only see a subset of the entire cgroup hierarchy, limited to the cgroup subtree rooted at the creating process's cgroup.
  2. Processes within a cgroup namespace will see their own cgroup as the root of the hierarchy. This means that, from the perspective of processes inside the namespace, their own cgroup appears as the root, and they cannot see or access cgroups outside of their own subtree.
  3. Cgroup namespaces do not directly provide isolation of resources; they only provide isolation of the cgroup hierarchy view. Resource control and isolation are still enforced by the cgroup subsystems (e.g., cpu, memory, etc.) themselves.

For more information about CGroups check:

{% content-ref url="../cgroups.md" %} cgroups.md {% endcontent-ref %}

Lab:

Create different Namespaces

CLI

sudo unshare -C [--mount-proc] /bin/bash

By mounting a new instance of the /proc filesystem if you use the param --mount-proc, you ensure that the new mount namespace has an accurate and isolated view of the process information specific to that namespace.

Error: bash: fork: Cannot allocate memory

When unshare is executed without the -f option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below:

  1. Problem Explanation:

    • The Linux kernel allows a process to create new namespaces using the unshare system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do.
    • Running %unshare -p /bin/bash% starts /bin/bash in the same process as unshare. Consequently, /bin/bash and its child processes are in the original PID namespace.
    • The first child process of /bin/bash in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace.
  2. Consequence:

    • The exit of PID 1 in a new namespace leads to the cleaning of the PIDNS_HASH_ADDING flag. This results in the alloc_pid function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error.
  3. Solution:

    • The issue can be resolved by using the -f option with unshare. This option makes unshare fork a new process after creating the new PID namespace.
    • Executing %unshare -fp /bin/bash% ensures that the unshare command itself becomes PID 1 in the new namespace. /bin/bash and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation.

By ensuring that unshare runs with the -f flag, the new PID namespace is correctly maintained, allowing /bin/bash and its sub-processes to operate without encountering the memory allocation error.

Docker

docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash

Check which namespace is your process in

ls -l /proc/self/ns/cgroup
lrwxrwxrwx 1 root root 0 Apr  4 21:19 /proc/self/ns/cgroup -> 'cgroup:[4026531835]'

Find all CGroup namespaces

{% code overflow="wrap" %}

sudo find /proc -maxdepth 3 -type l -name cgroup -exec readlink {} \; 2>/dev/null | sort -u
# Find the processes with an specific namespace
sudo find /proc -maxdepth 3 -type l -name cgroup -exec ls -l  {} \; 2>/dev/null | grep <ns-number>

{% endcode %}

Enter inside an CGroup namespace

nsenter -C TARGET_PID --pid /bin/bash

Also, you can only enter in another process namespace if you are root. And you cannot enter in other namespace without a descriptor pointing to it (like /proc/self/ns/cgroup).

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}