mount_namespaces will allow you to do mount --bind not seen by other processes. But normally mount --bind is restricted to the root user only (for security reasons). So, for mount_namespaces to be of some use to a non-root user, you should first use user_namespaces to become a "local root" in a new namespace, where this operation would be allowed then.
You can play with this in your shell like this -- this example specifically shows the use of user & mount namespaces in preparation of a chroot directory (and the chroot operation is normally privileged, too):
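
    # become "local root" in new user, mount and PID namespaces
    unshare --user --map-root-user --mount-proc --pid --fork
    mkdir -p newroot/dev
    # recursive bind, so the mounts below /dev come along
    mount --rbind /dev newroot/dev
    # ... other chroot preparation ...
    chroot newroot
    su - user1
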
Note that I'm using mount --rbind (instead of mount --bind), because only this will work in the new user & mount namespace if the directory includes other mount points (and /dev/ does in my case).
Perhaps the explanation for this is that the user should not get a way to see something that an unprivileged user normally wouldn't see, i.e., the subdirectories hidden by the "submounts". In order not to strip the submounts, only --rbind is allowed.
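
Added example, not part of the original answer: a check for whether a directory contains other mount points, which is the condition under which the answer says only --rbind works in the new namespace. The function names (submounts, bind_flag, sample_mountinfo) are hypothetical and the sample mountinfo lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# submounts DIR [MOUNTINFO_FILE]
# Print every mount point strictly below DIR, one per line.
# Field 5 of a mountinfo line is the mount point. Limitation: mountinfo
# octal-escapes spaces in paths (\040); such paths are not decoded here.
submounts() {
    dir=${1%/}                          # "/dev/" -> "/dev", "/" -> ""
    info=${2:-/proc/self/mountinfo}
    d="$dir" awk '
        BEGIN { d = ENVIRON["d"] }
        # strictly below d: the mount point starts with d followed by "/"
        $5 != d && $5 != "/" && index($5, d "/") == 1 { print $5 }
    ' "$info" | sort -u
}

# bind_flag DIR [MOUNTINFO_FILE]
# Print --rbind if DIR has mounts below it, otherwise --bind.
bind_flag() {
    if [ -n "$(submounts "$@")" ]; then echo --rbind; else echo --bind; fi
}

# Constructed sample input in /proc/self/mountinfo format.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw
24 23 0:21 / /dev/pts rw,nosuid,noexec shared:3 - devpts devpts rw
25 23 0:22 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
26 22 8:2 / /home rw,relatime shared:5 - ext4 /dev/sda2 rw
EOF
}

# Stand-alone use: sh thisfile.sh /dev
if [ "$#" -gt 0 ]; then bind_flag "$@"; fi
```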