Reuse namespaces of process started by bubblewrap


Starting a shell with this:

bwrap --unshare-pid --unshare-user --dev-bind / / bash

In another shell on the host we can see this with lsns:

4026532550 user        2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532552 mnt         2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532562 pid         2 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash

lsns in the namespace reports

4026531834 time        3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531835 cgroup      3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531838 uts         3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531839 ipc         3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026531992 net         3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532550 user        3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532552 mnt         3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash
4026532562 pid         3 1799976 user bwrap --unshare-pid --unshare-user --dev-bind / / bash

The main question:

How to start a second shell in the same namespaces as the first?


Bonus question:

From my understanding there is also an intermediate namespace (only a user namespace?) created by bubblewrap in most cases.

Is it possible to start a shell in the intermediate namespaces created by bubblewrap?

Would it be useless because all privileges are already dropped by bubblewrap from the intermediate namespace?

The idea would be that further mounts/unmounts can be done in the final namespace from the intermediate namespace, or some other privileged stuff


Any solution is welcome, preferably with bubblewrap, otherwise preferably nsenter, but also raw setns syscalls for a PoC.

Note that bwrap is not setuid, I launch bwrap as an unprivileged user, all types of namespaces are enabled in the kernel and they are working correctly as an unprivileged user afaik

According to this issue https://github.com/containers/bubblewrap/issues/253, bubblewrap can only create new mount namespaces, so this problem might not be possible to solve only with bubblewrap alone as of now

Bubblewrap is doing a great job at creating the initial namespaces, with simple and sufficient configuration. If it creates namespaces that can't be correctly re-entered in any way, I might be able to patch bubblewrap so that it allows it, or ditch it altogether and write my own setns wrapper based on how bubblewrap does most things.

Flatpak uses bubblewrap and allows entering namespaces, and has checks for whether bubblewrap creates an intermediate namespace. I tried to understand the code at https://github.com/flatpak/flatpak/blob/4735e3ea90d9cfa7237aa1de7818ba396a45f084/app/flatpak-builtins-enter.c but I couldn't get that to work manually.


Like this:

nsenter -U --preserve-credentials -m -p -t 1799976

Where 1799976 is the PID of the process that's currently in that namespace. If you don't want to enter the mount or PID namespace, then leave off the -m or -p, respectively.
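The question also asks for a raw setns(2) proof of concept. The following is an added example, not code from the question, the answer, or the bubblewrap project: it does by hand what the nsenter command above does, for the user, PID and mount namespaces of a target PID (the `1799976` from the question is only used as a sample value). The join order is an assumption of this example: the user namespace is joined first, because membership there is what grants the capabilities needed to join the mount and PID namespaces that bwrap created inside it, and the mount namespace is joined last. Since setns() on a PID namespace only affects children, the program forks before exec'ing the shell, the same way nsenter does. The unprivileged launching user has capabilities in the bwrap user namespace because that namespace is owned by its uid, which is why neither this example nor the nsenter command needs root.

```c
// Added example: minimal re-implementation of
//   nsenter -U --preserve-credentials -m -p -t <pid>
// using raw setns(2). Credentials are preserved simply because the program
// never touches its uid/gid.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespace kinds in join order (assumed order, see lead-in): user first so
 * we gain capabilities in the target's user namespace, mount namespace last
 * so nothing else depends on the old root afterwards. */
static const char *const NS_ORDER[] = { "user", "pid", "mnt" };
#define NS_COUNT (sizeof NS_ORDER / sizeof NS_ORDER[0])

/* Build "/proc/<pid>/ns/<kind>" into buf. Returns the length, or -1 if the
 * buffer is too small. */
int ns_path(char *buf, size_t len, pid_t pid, const char *kind)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, kind);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Join the user, PID and mount namespaces of `target`. Returns 0 on success
 * or -1 with errno set. All namespace fds are opened before any setns() call,
 * so the /proc paths are never resolved from inside the new mount namespace. */
int join_namespaces(pid_t target)
{
    int fds[NS_COUNT];
    size_t opened = 0;
    int rc = 0, saved_errno = 0;

    for (; opened < NS_COUNT; opened++) {
        char path[64];
        if (ns_path(path, sizeof path, target, NS_ORDER[opened]) < 0) {
            saved_errno = ENAMETOOLONG;
            rc = -1;
            break;
        }
        fds[opened] = open(path, O_RDONLY | O_CLOEXEC);
        if (fds[opened] < 0) {
            saved_errno = errno;
            rc = -1;
            break;
        }
    }
    for (size_t i = 0; rc == 0 && i < NS_COUNT; i++) {
        /* nstype 0: accept whatever namespace type the fd refers to. */
        if (setns(fds[i], 0) < 0) {
            saved_errno = errno;
            rc = -1;
        }
    }
    for (size_t i = 0; i < opened; i++)
        close(fds[i]);
    if (rc < 0)
        errno = saved_errno;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid> [command...]\n", argv[0]);
        return 2;
    }
    pid_t target = (pid_t)strtol(argv[1], NULL, 10);
    if (join_namespaces(target) < 0) {
        perror("setns");
        return 1;
    }
    /* A PID namespace join only takes effect for children: fork, then exec. */
    pid_t child = fork();
    if (child < 0) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        if (argc > 2)
            execvp(argv[2], argv + 2);
        else
            execl("/bin/bash", "/bin/bash", (char *)NULL);
        perror("exec");
        _exit(127);
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0)
        return 1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Compile with `cc -o enterns enterns.c` and run `./enterns 1799976` as the same user that launched bwrap; `lsns` inside the new shell should then list the same user, mnt and pid namespace ids as the first one. Leaving out `"pid"` or `"mnt"` from `NS_ORDER` corresponds to dropping `-p` or `-m` from the nsenter command.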