mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Rework terminology describing ownership of nonuser namespaces
Prefer the word "owns" rather than "associated with" when describing the relationship between user namespaces and non-user namespaces. The existing text used a mix of the two terms, with "associated with" being predominant, but to my ear, describing the relationship as "ownership" is more comprehensible. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk
parent
659beec775
commit
29af6f1a59
|
|
@ -227,7 +227,8 @@ permits a process to perform operations (that require privilege)
|
|||
only on resources governed by that namespace.
|
||||
In other words, having a capability in a user namespace permits a process
|
||||
to perform privileged operations on resources that are governed by (nonuser)
|
||||
namespaces associated with the user namespace (see the next subsection).
|
||||
namespaces owned by (associated with) the user namespace
|
||||
(see the next subsection).
|
||||
.PP
|
||||
On the other hand, there are many privileged operations that affect
|
||||
resources that are not associated with any namespace type,
|
||||
|
|
@ -243,7 +244,7 @@ user namespace can perform such operations.
|
|||
.PP
|
||||
Holding
|
||||
.B CAP_SYS_ADMIN
|
||||
within the user namespace associated with a process's mount namespace
|
||||
within the user namespace that owns a process's mount namespace
|
||||
allows that process to create bind mounts
|
||||
and mount the following types of filesystems:
|
||||
.\" fs_flags = FS_USERNS_MOUNT in kernel sources
|
||||
|
|
@ -277,7 +278,7 @@ and mount the following types of filesystems:
|
|||
.PP
|
||||
Holding
|
||||
.B CAP_SYS_ADMIN
|
||||
within the user namespace associated with a process's cgroup namespace
|
||||
within the user namespace that owns a process's cgroup namespace
|
||||
allows (since Linux 4.6)
|
||||
that process to the mount the cgroup version 2 filesystem and
|
||||
cgroup version 1 named hierarchies
|
||||
|
|
@ -287,7 +288,7 @@ option).
|
|||
.PP
|
||||
Holding
|
||||
.B CAP_SYS_ADMIN
|
||||
within the user namespace associated with a process's PID namespace
|
||||
within the user namespace that owns a process's PID namespace
|
||||
allows (since Linux 3.8)
|
||||
that process to mount
|
||||
.I /proc
|
||||
|
|
@ -333,7 +334,7 @@ When a new namespace (other than a user namespace) is created via
|
|||
.BR clone (2)
|
||||
or
|
||||
.BR unshare (2),
|
||||
the kernel records the user namespace of the creating process against
|
||||
the kernel records the user namespace of the creating process as the owner of
|
||||
the new namespace.
|
||||
(This association can't be changed.)
|
||||
When a process in the new namespace subsequently performs
|
||||
|
|
@ -345,7 +346,7 @@ For example, suppose that a process attempts to change the hostname
|
|||
.RB ( sethostname (2)),
|
||||
a resource governed by the UTS namespace.
|
||||
In this case,
|
||||
the kernel will determine which user namespace is associated with
|
||||
the kernel will determine which user namespace owns
|
||||
the process's UTS namespace, and check whether the process has the
|
||||
required capability
|
||||
.RB ( CAP_SYS_ADMIN )
|
||||
|
|
@ -354,8 +355,8 @@ in that user namespace.
|
|||
The
|
||||
.BR NS_GET_USERNS
|
||||
.BR ioctl (2)
|
||||
operation can be used to discover the user namespace with which
|
||||
a non-user namespace is associated; see
|
||||
operation can be used to discover the user namespace
|
||||
that owns a a non-user namespace; see
|
||||
.BR ioctl_ns (2).
|
||||
.\"
|
||||
.\" ============================================================
|
||||
|
|
|
|||
Loading…
Reference in New Issue