user_namespaces.7: List the mount operations permitted by CAP_SYS_ADMIN

List the mount operations permitted by CAP_SYS_ADMIN in a noninitial userns. See https://bugzilla.kernel.org/show_bug.cgi?id=120671 Reported-by: Michał Zegan <webczat_200@poczta.onet.pl> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 13:51:24 +02:00 · 2016-06-21 13:51:24 +02:00 · 32efecaab8
parent 2304b0d740
commit 32efecaab8
1 changed files with 38 additions and 0 deletions
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -227,6 +227,44 @@ and creating a device (governed by
 Only a process with privileges in the
 .I initial
 user namespace can perform such operations.
+
+Holding
+.B CAP_SYS_ADMIN
+within a (noninitial) user namespace allows the creation of bind mounts,
+and mounting of the following types of filesystems:
+.\" fs_flags = FS_USERNS_MOUNT in kernel sources
+
+.RS 4
+.PD 0
+.IP * 2
+.IR /proc
+(since Linux 3.8)
+.IP *
+.IR /sys
+(since Linux 3.8)
+.IP *
+.IR devpts
+(since Linux 3.9)
+.IP *
+.IR tmpfs
+(since Linux 3.9)
+.IP *
+.IR ramfs
+(since Linux 3.9)
+.IP *
+.IR mqueue
+(since Linux 3.9)
+.IP *
+.IR bpf
+.\" commit b2197755b2633e164a439682fb05a9b5ea48f706
+(since Linux 4.4)
+.PD
+.RE
+.PP
+Note however, that mounting block-based filesystems can be done
+only by a process that holds
+.BR CAP_SYS_ADMIN
+in the initial user namespace.
 .\"
 .\" ============================================================
 .\"