mirror of https://github.com/mkerrisk/man-pages
mount_namespaces.7, user_namespaces.7: Migrate subsection on mount restrictions to mount_namespaces(7)
This section material in the user_namespaces(7) page was written before the creation of the mount_namespaces(7) manual page. Nowadays, this material properly belongs in the newer page.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent: 466247eb67
commit: 4bfc202622
|
@ -65,6 +65,71 @@ in either mount namespace will not (by default) affect the
|
||||||
mount point list seen in the other namespace
|
mount point list seen in the other namespace
|
||||||
(but see the following discussion of shared subtrees).
|
(but see the following discussion of shared subtrees).
|
||||||
.\"
|
.\"
|
||||||
|
.\" ============================================================
|
||||||
|
.\"
|
||||||
|
.SS Restrictions on mount namespaces
|
||||||
|
Note the following points with respect to mount namespaces:
|
||||||
|
.IP * 3
|
||||||
|
A mount namespace has an owner user namespace.
|
||||||
|
A mount namespace whose owner user namespace is different from
|
||||||
|
the owner user namespace of its parent mount namespace is
|
||||||
|
considered a less privileged mount namespace.
|
||||||
|
.IP *
|
||||||
|
When creating a less privileged mount namespace,
|
||||||
|
shared mounts are reduced to slave mounts.
|
||||||
|
This ensures that mappings performed in less
|
||||||
|
privileged mount namespaces will not propagate to more privileged
|
||||||
|
mount namespaces.
|
||||||
|
.IP *
|
||||||
|
.\" FIXME .
|
||||||
|
.\" What does "come as a single unit from more privileged mount" mean?
|
||||||
|
Mounts that come as a single unit from more privileged mount are
|
||||||
|
locked together and may not be separated in a less privileged mount
|
||||||
|
namespace.
|
||||||
|
(The
|
||||||
|
.BR unshare (2)
|
||||||
|
.B CLONE_NEWNS
|
||||||
|
operation brings across all of the mounts from the original
|
||||||
|
mount namespace as a single unit,
|
||||||
|
and recursive mounts that propagate between
|
||||||
|
mount namespaces propagate as a single unit.)
|
||||||
|
.IP *
|
||||||
|
The
|
||||||
|
.BR mount (2)
|
||||||
|
flags
|
||||||
|
.BR MS_RDONLY ,
|
||||||
|
.BR MS_NOSUID ,
|
||||||
|
.BR MS_NOEXEC ,
|
||||||
|
and the "atime" flags
|
||||||
|
.RB ( MS_NOATIME ,
|
||||||
|
.BR MS_NODIRATIME ,
|
||||||
|
.BR MS_RELATIME )
|
||||||
|
settings become locked
|
||||||
|
.\" commit 9566d6742852c527bf5af38af5cbb878dad75705
|
||||||
|
.\" Author: Eric W. Biederman <ebiederm@xmission.com>
|
||||||
|
.\" Date: Mon Jul 28 17:26:07 2014 -0700
|
||||||
|
.\"
|
||||||
|
.\" mnt: Correct permission checks in do_remount
|
||||||
|
.\"
|
||||||
|
when propagated from a more privileged to
|
||||||
|
a less privileged mount namespace,
|
||||||
|
and may not be changed in the less privileged mount namespace.
|
||||||
|
.IP *
|
||||||
|
.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree))
|
||||||
|
A file or directory that is a mount point in one namespace that is not
|
||||||
|
a mount point in another namespace, may be renamed, unlinked, or removed
|
||||||
|
.RB ( rmdir (2))
|
||||||
|
in the mount namespace in which it is not a mount point
|
||||||
|
(subject to the usual permission checks).
|
||||||
|
.IP
|
||||||
|
Previously, attempting to unlink, rename, or remove a file or directory
|
||||||
|
that was a mount point in another mount namespace would result in the error
|
||||||
|
.BR EBUSY .
|
||||||
|
That behavior had technical problems of enforcement (e.g., for NFS)
|
||||||
|
and permitted denial-of-service attacks against more privileged users.
|
||||||
|
(i.e., preventing individual files from being updated
|
||||||
|
by bind mounting on top of them).
|
||||||
|
.\"
|
||||||
.SH SHARED SUBTREES
|
.SH SHARED SUBTREES
|
||||||
After the implementation of mount namespaces was completed,
|
After the implementation of mount namespaces was completed,
|
||||||
experience showed that the isolation that they provided was,
|
experience showed that the isolation that they provided was,
|
||||||
|
|
|
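Review bot: the unresolved FIXME (".\" What does "come as a single unit from more privileged mount" mean?") is carried into mount_namespaces(7) unchanged, and the sentence it flags is still missing a word: "Mounts that come as a single unit from more privileged mount are locked together" should read "from a more privileged mount namespace". Since the block is being relocated anyway, this is the moment to settle that wording rather than move the FIXME with it. Two smaller points in the same hunk: in the second bullet, "mappings performed in less privileged mount namespaces will not propagate" is about mount propagation, so "mounts" (or "mount events") reads better than "mappings"; and the last bullet has a stray full stop before its parenthetical, "against more privileged users. (i.e., preventing individual files from being updated by bind mounting on top of them)", which should be a single sentence. For the locked-flags bullet (MS_RDONLY, MS_NOSUID, MS_NOEXEC and the atime flags), "may not be changed in the less privileged mount namespace" would be more useful to a reader if it also said how a remount attempt fails there, which the text currently leaves unstated.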
@ -354,71 +354,6 @@ a non-user namespace is associated; see
|
||||||
.\"
|
.\"
|
||||||
.\" ============================================================
|
.\" ============================================================
|
||||||
.\"
|
.\"
|
||||||
.SS Restrictions on mount namespaces
|
|
||||||
Note the following points with respect to mount namespaces:
|
|
||||||
.IP * 3
|
|
||||||
A mount namespace has an owner user namespace.
|
|
||||||
A mount namespace whose owner user namespace is different from
|
|
||||||
the owner user namespace of its parent mount namespace is
|
|
||||||
considered a less privileged mount namespace.
|
|
||||||
.IP *
|
|
||||||
When creating a less privileged mount namespace,
|
|
||||||
shared mounts are reduced to slave mounts.
|
|
||||||
This ensures that mappings performed in less
|
|
||||||
privileged mount namespaces will not propagate to more privileged
|
|
||||||
mount namespaces.
|
|
||||||
.IP *
|
|
||||||
.\" FIXME .
|
|
||||||
.\" What does "come as a single unit from more privileged mount" mean?
|
|
||||||
Mounts that come as a single unit from more privileged mount are
|
|
||||||
locked together and may not be separated in a less privileged mount
|
|
||||||
namespace.
|
|
||||||
(The
|
|
||||||
.BR unshare (2)
|
|
||||||
.B CLONE_NEWNS
|
|
||||||
operation brings across all of the mounts from the original
|
|
||||||
mount namespace as a single unit,
|
|
||||||
and recursive mounts that propagate between
|
|
||||||
mount namespaces propagate as a single unit.)
|
|
||||||
.IP *
|
|
||||||
The
|
|
||||||
.BR mount (2)
|
|
||||||
flags
|
|
||||||
.BR MS_RDONLY ,
|
|
||||||
.BR MS_NOSUID ,
|
|
||||||
.BR MS_NOEXEC ,
|
|
||||||
and the "atime" flags
|
|
||||||
.RB ( MS_NOATIME ,
|
|
||||||
.BR MS_NODIRATIME ,
|
|
||||||
.BR MS_RELATIME )
|
|
||||||
settings become locked
|
|
||||||
.\" commit 9566d6742852c527bf5af38af5cbb878dad75705
|
|
||||||
.\" Author: Eric W. Biederman <ebiederm@xmission.com>
|
|
||||||
.\" Date: Mon Jul 28 17:26:07 2014 -0700
|
|
||||||
.\"
|
|
||||||
.\" mnt: Correct permission checks in do_remount
|
|
||||||
.\"
|
|
||||||
when propagated from a more privileged to
|
|
||||||
a less privileged mount namespace,
|
|
||||||
and may not be changed in the less privileged mount namespace.
|
|
||||||
.IP *
|
|
||||||
.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree))
|
|
||||||
A file or directory that is a mount point in one namespace that is not
|
|
||||||
a mount point in another namespace, may be renamed, unlinked, or removed
|
|
||||||
.RB ( rmdir (2))
|
|
||||||
in the mount namespace in which it is not a mount point
|
|
||||||
(subject to the usual permission checks).
|
|
||||||
.IP
|
|
||||||
Previously, attempting to unlink, rename, or remove a file or directory
|
|
||||||
that was a mount point in another mount namespace would result in the error
|
|
||||||
.BR EBUSY .
|
|
||||||
That behavior had technical problems of enforcement (e.g., for NFS)
|
|
||||||
and permitted denial-of-service attacks against more privileged users.
|
|
||||||
(i.e., preventing individual files from being updated
|
|
||||||
by bind mounting on top of them).
|
|
||||||
.\"
|
|
||||||
.\" ============================================================
|
|
||||||
.\"
|
|
||||||
.SS User and group ID mappings: uid_map and gid_map
|
.SS User and group ID mappings: uid_map and gid_map
|
||||||
When a user namespace is created,
|
When a user namespace is created,
|
||||||
it starts out without a mapping of user IDs (group IDs)
|
it starts out without a mapping of user IDs (group IDs)
|
||||||
|
|
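Review bot: the removal leaves user_namespaces(7) with no pointer to where the "Restrictions on mount namespaces" material went; between the retained ".\" ============" separator and ".SS User and group ID mappings: uid_map and gid_map" there is now nothing telling a reader that the locking of MS_RDONLY, MS_NOSUID, MS_NOEXEC and the atime flags across privilege boundaries is still documented, just in mount_namespaces(7). Consider adding a one-sentence cross-reference at the removal point, e.g. "The interaction of user namespaces and mount namespaces, including the restrictions placed on less privileged mount namespaces, is described in mount_namespaces(7)."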