From 2e4a22de9354433c0f72782a0369627de23a6993 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Wed, 16 May 2018 22:35:33 +0200 Subject: [PATCH] setns.2: ffix: add some paragraph breaks Signed-off-by: Michael Kerrisk --- man2/setns.2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/man2/setns.2 b/man2/setns.2 index 714027f31..4d9d5dfb4 100644 --- a/man2/setns.2 +++ b/man2/setns.2 @@ -112,14 +112,17 @@ capability in the target user namespace. Upon successfully joining a user namespace, a process is granted all capabilities in that namespace, regardless of its user and group IDs. +.IP A multithreaded process may not change user namespace with .BR setns (). +.IP It is not permitted to use .BR setns () to reenter the caller's current user namespace. This prevents a caller that has dropped capabilities from regaining those capabilities via a call to .BR setns (). +.IP For security reasons, .\" commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71 .\" https://lwn.net/Articles/543273/ @@ -129,6 +132,7 @@ filesystem-related attributes .BR clone (2) .B CLONE_FS flag) with another process. +.IP For further details on user namespaces, see .BR user_namespaces (7). .TP @@ -136,6 +140,7 @@ Mount namespaces A process may not be reassociated with a new mount namespace if it is multithreaded. .\" Above check is in fs/namespace.c:mntns_install() [3.8 source] +.IP Changing the mount namespace requires that the caller possess both .B CAP_SYS_CHROOT and @@ -143,6 +148,7 @@ and capabilities in its own user namespace and .BR CAP_SYS_ADMIN in the the user namespace that owns the target mount namespace. +.IP See .BR user_namespaces (7) for details on the interaction of user namespaces and mount namespaces.
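Review bot: In the first hunk (@@ -112,14 +112,17 @@), the sentence following the new `.IP` reads "A multithreaded process may not change user namespace with .BR setns ()", which is missing an article; since this commit is a formatting fix, consider a separate wording commit changing it to "may not change its user namespace with" so the line matches the phrasing used in the mount-namespace hunk ("may not be reassociated with a new mount namespace if it is multithreaded"). The `.IP` placement itself is fine: each of the three breaks starts a distinct restriction as its own paragraph inside the `.TP` entry, consistent with the later hunks.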
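Review bot: In the last hunk (@@ -143,6 +148,7 @@), the unchanged context line immediately before the new `.IP` contains a doubled word: "in the the user namespace that owns the target mount namespace." This commit is an ffix, so it should not be folded in here, but a follow-up typo commit dropping the extra "the" would be worth sending with it. The new `.IP` is correctly placed after that sentence, so the cross-reference "See .BR user_namespaces (7) for details on the interaction of user namespaces and mount namespaces" renders as its own paragraph, matching the "For further details on user namespaces" paragraph added in the second hunk.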