setns.2: ffix: add some paragraph breaks

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk 2018-05-16 22:35:33 +02:00
parent 8e23f12b17
commit 2e4a22de93
1 changed file with 6 additions and 0 deletions


@ -112,14 +112,17 @@ capability in the target user namespace.
Upon successfully joining a user namespace, Upon successfully joining a user namespace,
a process is granted all capabilities in that namespace, a process is granted all capabilities in that namespace,
regardless of its user and group IDs. regardless of its user and group IDs.
.IP
A multithreaded process may not change user namespace with A multithreaded process may not change user namespace with
.BR setns (). .BR setns ().
.IP
It is not permitted to use It is not permitted to use
.BR setns () .BR setns ()
to reenter the caller's current user namespace. to reenter the caller's current user namespace.
This prevents a caller that has dropped capabilities from regaining This prevents a caller that has dropped capabilities from regaining
those capabilities via a call to those capabilities via a call to
.BR setns (). .BR setns ().
.IP
For security reasons, For security reasons,
.\" commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71 .\" commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71
.\" https://lwn.net/Articles/543273/ .\" https://lwn.net/Articles/543273/
@ -129,6 +132,7 @@ filesystem-related attributes
.BR clone (2) .BR clone (2)
.B CLONE_FS .B CLONE_FS
flag) with another process. flag) with another process.
.IP
For further details on user namespaces, see For further details on user namespaces, see
.BR user_namespaces (7). .BR user_namespaces (7).
.TP .TP
@ -136,6 +140,7 @@ Mount namespaces
A process may not be reassociated with a new mount namespace if it is A process may not be reassociated with a new mount namespace if it is
multithreaded. multithreaded.
.\" Above check is in fs/namespace.c:mntns_install() [3.8 source] .\" Above check is in fs/namespace.c:mntns_install() [3.8 source]
.IP
Changing the mount namespace requires that the caller possess both Changing the mount namespace requires that the caller possess both
.B CAP_SYS_CHROOT .B CAP_SYS_CHROOT
and and
@ -143,6 +148,7 @@ and
capabilities in its own user namespace and capabilities in its own user namespace and
.BR CAP_SYS_ADMIN .BR CAP_SYS_ADMIN
in the the user namespace that owns the target mount namespace. in the the user namespace that owns the target mount namespace.
.IP
See See
.BR user_namespaces (7) .BR user_namespaces (7)
for details on the interaction of user namespaces and mount namespaces. for details on the interaction of user namespaces and mount namespaces.
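Review bot: the unchanged context line "in the the user namespace that owns the target mount namespace." carries a doubled "the"; since this commit is already an ffix touching the surrounding lines, it would be worth folding that typo fix in here (or in an immediate follow-up) rather than leaving it in the rendered page.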