CLONE_NEWPID|CLONE_PARENT was only prohibited during a short period. That prohibition was introduced in Linux 3.12, in commit 40a0d32d1eaf ("fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks"), but was a regression, and was fixed in Linux 3.13, in commit 1f7f4dde5c94 ("fork: Allow CLONE_PARENT after setns(CLONE_NEWPID)"). In this test program, one can see that it works: #include <err.h> #include <linux/sched.h> #include <sched.h> #include <stdio.h> #include <stdlib.h> #include <sys/syscall.h> #include <unistd.h> static pid_t sys_clone3(struct clone_args *args); int main(void) { int ret; struct clone_args args = { .flags = CLONE_PARENT | CLONE_NEWPID, }; printf("main program: pid: %d, and ppid: %d\n", getpid(), getppid()); ret = sys_clone3(&args); switch (ret) { case -1: err(EXIT_FAILURE, "clone3"); case 0: printf("child: pid: %d, and ppid: %d\n", getpid(), getppid()); exit(EXIT_SUCCESS); default: exit(EXIT_SUCCESS); } } static pid_t sys_clone3(struct clone_args *args) { fflush(stdout); fflush(stderr); return syscall(SYS_clone3, args, sizeof(*args)); } This test program (successfully) outputs: # ./a.out main program: pid: 34663, and ppid: 34662 child: pid: 1, and ppid: 0 Fixes: f00071920ec3 ("clone.2: EINVAL if (CLONE_NEWUSER|CLONE_NEWPID) && (CLONE_THREAD|CLONE_PARENT)") Cowritten-by: Sargun Dhillon <sargun@sargun.me> Cc: Serge Hallyn <serge@hallyn.com> Cc: John Watts <contact@jookia.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>