mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Add a subsection heading for effects of capabilities in user NS
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent
89070c1a7c
commit
2304b0d740
|
@ -205,13 +205,17 @@ has all capabilities in the namespace.
|
|||
By virtue of the previous rule,
|
||||
this means that the process has all capabilities in all
|
||||
further removed descendant user namespaces as well.
|
||||
.PP
|
||||
.\"
|
||||
.\" ============================================================
|
||||
.\"
|
||||
.SS Effect of capabilities within a user namespace
|
||||
Having a capability inside a user namespace
|
||||
permits a process to perform operations (that require privilege)
|
||||
only on resources governed by that namespace.
|
||||
In other words, having a capability in a user namespace permits a process
|
||||
to perform privileged operations on resources that are governed by (nonuser)
|
||||
namespaces associated with the user namespace (see the next subsection).
|
||||
|
||||
On the other hand, there are many privileged operations that affect
|
||||
resources that are not associated with any namespace type,
|
||||
for example, changing the system time (governed by
|
||||
|
|
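Review bot: The `.PP` that sits directly above the three `.\"` separator lines and the `.SS Effect of capabilities within a user namespace` heading looks redundant, because the subsection macro already starts a new block with its own vertical spacing. Consider dropping that `.PP` so the preceding paragraph ("further removed descendant user namespaces as well.") runs straight into the comment separator and the heading. Also check that "(see the next subsection)" in the new subsection's second sentence still points at the intended text now that a heading has been inserted here.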