From 32efecaab86db8fd18ba8cc730833ab5514d143e Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 21 Jun 2016 13:51:24 +0200 Subject: [PATCH] user_namespaces.7: List the mount operations permitted by CAP_SYS_ADMIN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit List the mount operations permitted by CAP_SYS_ADMIN in a noninitial userns. See https://bugzilla.kernel.org/show_bug.cgi?id=120671 Reported-by: Michał Zegan Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index e223bf300..5c792985e 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -227,6 +227,44 @@ and creating a device (governed by Only a process with privileges in the .I initial user namespace can perform such operations. + +Holding +.B CAP_SYS_ADMIN +within a (noninitial) user namespace allows the creation of bind mounts, +and mounting of the following types of filesystems: +.\" fs_flags = FS_USERNS_MOUNT in kernel sources + +.RS 4 +.PD 0 +.IP * 2 +.IR /proc +(since Linux 3.8) +.IP * +.IR /sys +(since Linux 3.8) +.IP * +.IR devpts +(since Linux 3.9) +.IP * +.IR tmpfs +(since Linux 3.9) +.IP * +.IR ramfs +(since Linux 3.9) +.IP * +.IR mqueue +(since Linux 3.9) +.IP * +.IR bpf +.\" commit b2197755b2633e164a439682fb05a9b5ea48f706 +(since Linux 4.4) +.PD +.RE +.PP +Note however, that mounting block-based filesystems can be done +only by a process that holds +.BR CAP_SYS_ADMIN +in the initial user namespace. .\" .\" ============================================================ .\"
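Review bot: the new list mixes mount points with filesystem type names: the first two entries are `.IR /proc` and `.IR /sys`, while the remaining five (devpts, tmpfs, ramfs, mqueue, bpf) are the type names that are passed as the filesystemtype argument of mount(2) and appear in /proc/filesystems. Since the introductory sentence promises "the following types of filesystems", change those two entries to `.I proc` and `.I sysfs`, and use `.I` rather than `.IR` throughout, since each entry is a single italic argument and `.IR` only alternates italic and roman text. Two smaller points in the same hunk: "Note however, that mounting block-based filesystems" should read "Note, however, that mounting block-based filesystems"; and only the bpf entry carries a source-commit comment while the six "(since Linux 3.8)" and "(since Linux 3.9)" claims carry none, so either add the corresponding FS_USERNS_MOUNT commit references for those entries too or drop the lone one for consistency.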