From 4bfc2026227451fabc02bf131f231c4b2dd17982 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Sun, 11 Dec 2016 16:13:14 +0100 Subject: [PATCH] mount_namespaces.7, user_namespaces.7: Migrate subsection on mount restrictions to mount_namespaces(7) This section material in the user_namespaces(7) page was written before the creation of the mount_namespaces(7) manual page. Nowadays, this material properly belongs in the newer page. Signed-off-by: Michael Kerrisk --- man7/mount_namespaces.7 | 65 +++++++++++++++++++++++++++++++++++++++++ man7/user_namespaces.7 | 65 ----------------------------------------- 2 files changed, 65 insertions(+), 65 deletions(-) diff --git a/man7/mount_namespaces.7 b/man7/mount_namespaces.7 index 6f9e25cdc..542af9e25 100644 --- a/man7/mount_namespaces.7 +++ b/man7/mount_namespaces.7 
@@ -65,6 +65,71 @@ in either mount namespace will not (by default) affect the mount point list seen in the other namespace (but see the following discussion of shared subtrees). .\" +.\" ============================================================ +.\" +.SS Restrictions on mount namespaces +Note the following points with respect to mount namespaces: +.IP * 3 +A mount namespace has an owner user namespace. +A mount namespace whose owner user namespace is different from +the owner user namespace of its parent mount namespace is +considered a less privileged mount namespace. +.IP * +When creating a less privileged mount namespace, +shared mounts are reduced to slave mounts. +This ensures that mappings performed in less +privileged mount namespaces will not propagate to more privileged +mount namespaces. +.IP * +.\" FIXME . +.\" What does "come as a single unit from more privileged mount" mean? +Mounts that come as a single unit from more privileged mount are +locked together and may not be separated in a less privileged mount +namespace. +(The +.BR unshare (2) +.B CLONE_NEWNS +operation brings across all of the mounts from the original +mount namespace as a single unit, +and recursive mounts that propagate between +mount namespaces propagate as a single unit.) +.IP * +The +.BR mount (2) +flags +.BR MS_RDONLY , +.BR MS_NOSUID , +.BR MS_NOEXEC , +and the "atime" flags +.RB ( MS_NOATIME , +.BR MS_NODIRATIME , +.BR MS_RELATIME ) +settings become locked +.\" commit 9566d6742852c527bf5af38af5cbb878dad75705 +.\" Author: Eric W. Biederman +.\" Date: Mon Jul 28 17:26:07 2014 -0700 +.\" +.\" mnt: Correct permission checks in do_remount +.\" +when propagated from a more privileged to +a less privileged mount namespace, +and may not be changed in the less privileged mount namespace. 
+.IP * +.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree)) +A file or directory that is a mount point in one namespace that is not +a mount point in another namespace, may be renamed, unlinked, or removed +.RB ( rmdir (2)) +in the mount namespace in which it is not a mount point +(subject to the usual permission checks). +.IP +Previously, attempting to unlink, rename, or remove a file or directory +that was a mount point in another mount namespace would result in the error +.BR EBUSY . +That behavior had technical problems of enforcement (e.g., for NFS) +and permitted denial-of-service attacks against more privileged users. +(i.e., preventing individual files from being updated +by bind mounting on top of them). +.\" .SH SHARED SUBTREES After the implementation of mount namespaces was completed, experience showed that the isolation that they provided was, diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 15732739d..5af09c48e 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 
@@ -354,71 +354,6 @@ a non-user namespace is associated; see .\" .\" ============================================================ .\" -.SS Restrictions on mount namespaces -Note the following points with respect to mount namespaces: -.IP * 3 -A mount namespace has an owner user namespace. -A mount namespace whose owner user namespace is different from -the owner user namespace of its parent mount namespace is -considered a less privileged mount namespace. -.IP * -When creating a less privileged mount namespace, -shared mounts are reduced to slave mounts. -This ensures that mappings performed in less -privileged mount namespaces will not propagate to more privileged -mount namespaces. -.IP * -.\" FIXME . -.\" What does "come as a single unit from more privileged mount" mean? -Mounts that come as a single unit from more privileged mount are -locked together and may not be separated in a less privileged mount -namespace. -(The -.BR unshare (2) -.B CLONE_NEWNS -operation brings across all of the mounts from the original -mount namespace as a single unit, -and recursive mounts that propagate between -mount namespaces propagate as a single unit.) -.IP * -The -.BR mount (2) -flags -.BR MS_RDONLY , -.BR MS_NOSUID , -.BR MS_NOEXEC , -and the "atime" flags -.RB ( MS_NOATIME , -.BR MS_NODIRATIME , -.BR MS_RELATIME ) -settings become locked -.\" commit 9566d6742852c527bf5af38af5cbb878dad75705 -.\" Author: Eric W. Biederman -.\" Date: Mon Jul 28 17:26:07 2014 -0700 -.\" -.\" mnt: Correct permission checks in do_remount -.\" -when propagated from a more privileged to -a less privileged mount namespace, -and may not be changed in the less privileged mount namespace. 
-.IP * -.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree)) -A file or directory that is a mount point in one namespace that is not -a mount point in another namespace, may be renamed, unlinked, or removed -.RB ( rmdir (2)) -in the mount namespace in which it is not a mount point -(subject to the usual permission checks). -.IP -Previously, attempting to unlink, rename, or remove a file or directory -that was a mount point in another mount namespace would result in the error -.BR EBUSY . -That behavior had technical problems of enforcement (e.g., for NFS) -and permitted denial-of-service attacks against more privileged users. -(i.e., preventing individual files from being updated -by bind mounting on top of them). -.\" -.\" ============================================================ -.\" .SS User and group ID mappings: uid_map and gid_map When a user namespace is created, it starts out without a mapping of user IDs (group IDs)
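Review bot: the first hunk (the block added to man7/mount_namespaces.7) moves the text verbatim and so carries over the unresolved "FIXME . What does "come as a single unit from more privileged mount" mean?" comment together with the defect it flags: "Mounts that come as a single unit from more privileged mount are locked together" is missing the word "namespace" and should read "from a more privileged mount namespace". Since the text is being relocated anyway, this is the moment to fix it and drop the FIXME. Two smaller points in the same block: "This ensures that mappings performed in less privileged mount namespaces will not propagate" is in a bullet about mount propagation, so "mappings" reads as a slip for "mounts" (or "mount events"); and the final "(i.e., preventing individual files from being updated by bind mounting on top of them)." follows a full stop, leaving a standalone fragment, so it should be folded into the preceding sentence, e.g. "... permitted denial-of-service attacks against more privileged users (i.e., preventing individual files from being updated by bind mounting on top of them)." Finally, the first bullet now introduces "owner user namespace" in mount_namespaces(7) without defining it; a ".BR user_namespaces (7)" cross-reference there would point readers to where the owner relationship is explained.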
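Review bot: the second hunk (man7/user_namespaces.7) deletes the "Restrictions on mount namespaces" subsection outright and adds nothing in its place, so a reader who looks for the mount-flag locking rules (MS_RDONLY, MS_NOSUID, MS_NOEXEC and the atime flags) in user_namespaces(7), where they have lived until now, finds no pointer to the new location. Consider leaving a one-line forward reference at the removed position, e.g. "For restrictions that apply to mount namespaces owned by a user namespace, see the discussion of mount namespace restrictions in .BR mount_namespaces (7)." The deletion itself is otherwise clean: the surrounding "============" separator comment lines remain balanced and the following ".SS User and group ID mappings: uid_map and gid_map" heading is untouched.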