I'm wondering if devtmpfs is special with respect to namespaces.
Here's my system info (using Vagrant for testing)
```
vagrant@ubuntu-xenial:~/test$ uname -a
Linux ubuntu-xenial 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

A basic demonstration explains best:

```
vagrant@ubuntu-xenial:~/test$ unshare --ipc --uts --user --mount --fork --pid --net --map-root-user
root@ubuntu-xenial:~/test# mkdir proc
root@ubuntu-xenial:~/test# mkdir sys
root@ubuntu-xenial:~/test# mount -t proc proc ./proc/
root@ubuntu-xenial:~/test# mount -t sysfs sysfs ./sys/
root@ubuntu-xenial:~/test# mkdir dev
root@ubuntu-xenial:~/test# mount -t devtmpfs devtmpfs ./dev/
mount: permission denied
root@ubuntu-xenial:~/test# exit
logout
```

I have the rights to mount proc and sys, but not a devtmpfs?
A tmpfs works, though (also run with the same unshare command):

```
root@ubuntu-xenial:~/test# mount -t tmpfs tmpfs ./dev/
```

EDIT:

Might it be related to the file system flag FS_USERNS_MOUNT (https://lwn.net/Articles/652468/)? A quick grep of the kernel seems to indicate it's not set for devtmpfs: livegrep.com results

EDIT2:

Moved previous edit to an answer based on sourcejedi's feedback.
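The probe described in the question, generalized to any filesystem type, as an added example that is not part of the original post: the function below creates a fresh user + mount namespace with util-linux `unshare -U -r -m` (the same user, mount and map-root-user options the question uses, minus the pid/net/ipc/uts namespaces that do not affect the mount check), attempts `mount -t <type>` inside it, and classifies the outcome. It assumes the `unshare` and `mount` binaries from util-linux (or busybox) are on PATH and that user namespaces are enabled; where they are not (seccomp, `kernel.unprivileged_userns_clone=0`, missing binaries) it reports `unavailable` instead of guessing. The mount is made only inside the throwaway mount namespace, so nothing is left mounted on the host.

```sh
#!/bin/sh
# probe_userns_mount.sh: added example, not from the original post.
# For a given filesystem type, try to mount it inside a fresh user+mount
# namespace (unshare -U -r -m) and print one word describing the result:
#   ok          - the mount succeeded inside the user namespace
#   denied      - the kernel refused it (EPERM/EACCES), e.g. no FS_USERNS_MOUNT
#   unavailable - user namespaces or the needed tools are not usable here
#   error       - some other failure (unknown fs type, etc.)
probe_userns_mount() {
    fs=$1

    # Both tools are assumed to be util-linux/busybox versions on PATH.
    command -v unshare >/dev/null 2>&1 || { echo unavailable; return 0; }
    command -v mount   >/dev/null 2>&1 || { echo unavailable; return 0; }

    # Can we create a user+mount namespace at all? Seccomp profiles or
    # sysctls commonly block this inside containers.
    if ! unshare -U -r -m true 2>/dev/null; then
        echo unavailable
        return 0
    fi

    dir=$(mktemp -d) || return 1

    # The mount happens in the child mount namespace only; it disappears
    # when the inner shell exits, so no unmount is needed.
    out=$(unshare -U -r -m sh -c "mount -t '$fs' '$fs' '$dir' && echo MOUNTED" 2>&1)
    rmdir "$dir"

    case "$out" in
        *MOUNTED*)                                echo ok ;;
        *"ermission denied"*|*"not permitted"*)   echo denied ;;
        *)                                        echo error ;;
    esac
    return 0
}

# Usage: walk the types from the question and report each one.
for fs in tmpfs proc sysfs devtmpfs; do
    printf '%-9s %s\n' "$fs" "$(probe_userns_mount "$fs")"
done
```

On the questioner's kernel (and on current ones) this prints `ok` for tmpfs and `denied` for devtmpfs; proc and sysfs print `ok` on a plain VM, but may print `error` inside a container whose /proc or /sys has masked paths, since the kernel additionally requires the existing mount to be fully visible before allowing a new one in a user namespace.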