namespaces.7: Move text on capabilities in user namespaces

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk 2013-02-25 20:42:45 +01:00
parent 7f76dc3079
commit 5eb7f09d7c
1 changed files with 20 additions and 20 deletions

@ -555,6 +555,26 @@ namespaces created by the call.
Thus, it is possible for an unprivileged caller to specify this combination
of flags.
The following rules apply with respect to the capabilities granted
to a process:
.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
.IP 1. 3
If a process has a capability in a parent user namespace,
then it has that capability in all child (and further removed descendant)
namespaces as well.
.IP 2.
.\" * The owner of the user namespace in the parent of the
.\" * user namespace has all caps.
When a user namespace is created, the kernel records the effective
user ID of the creating process as being the "owner" of the namespace.
A process whose effective user ID matches that of the
owner of a user namespace and which is a member of the parent namespace
(or a further removed namespace that is a direct ancestor)
has all capabilities in the user namespace.
.\" As a rough approximation, this means that
.\" the user who creates a user namespace
.\" has all capabilities inside that namespace and its descendants.
.PP
Use of user namespaces requires a kernel that is configured with the
.B CONFIG_USER_NS
option.
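Review bot: the moved block lacks a paragraph break at its start, so in this hunk "The following rules apply with respect to the capabilities granted" runs straight on from the preceding "of flags." sentence and will render as a continuation of that paragraph; a `.PP` line before "The following rules apply" would keep the rules as their own paragraph, matching the `.PP` that already closes the block before the `.B CONFIG_USER_NS` sentence.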
@ -737,26 +757,6 @@ in the parent user namespace.
.PP
Writes that violate the above rules fail with the error
.BR EPERM .
The following rules apply with respect to the capabilities granted
to a process:
.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
.IP 1. 3
If a process has a capability in a parent user namespace,
then it has that capability in all child (and further removed descendant)
namespaces as well.
.IP 2.
.\" * The owner of the user namespace in the parent of the
.\" * user namespace has all caps.
When a user namespace is created, the kernel records the effective
user ID of the creating process as being the "owner" of the namespace.
A process whose effective user ID matches that of the
owner of a user namespace and which is a member of the parent namespace
(or a further removed namespace that is a direct ancestor)
has all capabilities in the user namespace.
.\" As a rough approximation, this means that
.\" the user who creates a user namespace
.\" has all capabilities inside that namespace and its descendants.
.PP
When a process inside a user namespace executes
a set-user-ID (set-group-ID) program,
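Review bot: removing the 20-line block here also removes the `.PP` that ended it, leaving `.BR EPERM .` immediately followed by "When a process inside a user namespace executes", so the EPERM sentence and the set-user-ID paragraph will now render as one paragraph; keep a `.PP` between `.BR EPERM .` and "When a process inside a user namespace executes" when deleting the block.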