To allow processes to have a local view on a resource (such as a filesystem, networking, or even users), Linux introduced namespaces. Namespaces can be used to restrict what a process see (although they are not meant to be a hard boundary from a security perspective)
To create namespaces, you have three relevant syscalls at your disposal:
cloneused to create a child process that can share parts of its execution context with the parent processunshareused to remove a shared execution context from an existing processsetnsused to join an existing process to an existing namespace
Those sysycalls take several flags as parameters, that allow you to control the following namespaces features:
- filesystem mount points
- hostname and domain name
- PIDs
- inter-process communication isolation (posix message queues)
- network
- user
- cgroups
Tip
lsnscan be used by a superuser to list the current namespaces in Linux