mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: List the mount operations permitted by CAP_SYS_ADMIN
List the mount operations permitted by CAP_SYS_ADMIN in a noninitial userns.

See https://bugzilla.kernel.org/show_bug.cgi?id=120671

Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent
2304b0d740
commit
32efecaab8
|
@ -227,6 +227,44 @@ and creating a device (governed by
|
||||||
Only a process with privileges in the
|
Only a process with privileges in the
|
||||||
.I initial
|
.I initial
|
||||||
user namespace can perform such operations.
|
user namespace can perform such operations.
|
||||||
|
|
||||||
|
Holding
|
||||||
|
.B CAP_SYS_ADMIN
|
||||||
|
within a (noninitial) user namespace allows the creation of bind mounts,
|
||||||
|
and mounting of the following types of filesystems:
|
||||||
|
.\" fs_flags = FS_USERNS_MOUNT in kernel sources
|
||||||
|
|
||||||
|
.RS 4
|
||||||
|
.PD 0
|
||||||
|
.IP * 2
|
||||||
|
.IR /proc
|
||||||
|
(since Linux 3.8)
|
||||||
|
.IP *
|
||||||
|
.IR /sys
|
||||||
|
(since Linux 3.8)
|
||||||
|
.IP *
|
||||||
|
.IR devpts
|
||||||
|
(since Linux 3.9)
|
||||||
|
.IP *
|
||||||
|
.IR tmpfs
|
||||||
|
(since Linux 3.9)
|
||||||
|
.IP *
|
||||||
|
.IR ramfs
|
||||||
|
(since Linux 3.9)
|
||||||
|
.IP *
|
||||||
|
.IR mqueue
|
||||||
|
(since Linux 3.9)
|
||||||
|
.IP *
|
||||||
|
.IR bpf
|
||||||
|
.\" commit b2197755b2633e164a439682fb05a9b5ea48f706
|
||||||
|
(since Linux 4.4)
|
||||||
|
.PD
|
||||||
|
.RE
|
||||||
|
.PP
|
||||||
|
Note however, that mounting block-based filesystems can be done
|
||||||
|
only by a process that holds
|
||||||
|
.BR CAP_SYS_ADMIN
|
||||||
|
in the initial user namespace.
|
||||||
.\"
|
.\"
|
||||||
.\" ============================================================
|
.\" ============================================================
|
||||||
.\"
|
.\"
|
||||||
|
|
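Review bot: the closing paragraph added after `.PP` needs a comma fix, "Note, however, that" rather than "Note however, that", and "block-based filesystems" would be clearer as "filesystems backed by a block device", since that is the distinction the sentence is drawing against the list above. In the same paragraph, `.BR CAP_SYS_ADMIN` takes a single argument, so `.B CAP_SYS_ADMIN` matches the macro already used earlier in this hunk; likewise each `.IR /proc`, `.IR /sys`, ... entry has only one argument and could use `.I` for consistency. Finally, only the `bpf` entry carries a kernel commit in a `.\"` comment; adding the commits that set `FS_USERNS_MOUNT` for the other filesystems (or at least for the 3.8 and 3.9 entries) would make the "since Linux" versions verifiable from the source rather than only from the bugzilla report.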