user_namespaces.7: Document restrictions on CLONE_NEWUSER with other CLONE_* flags

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-03-22 08:08:31 +01:00 · 2013-03-22 08:08:31 +01:00 · 714e9a7874
parent 1f1d2a8d2b
commit 714e9a7874
1 changed files with 31 additions and 0 deletions
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -541,6 +541,37 @@ flag, as described in
 .\"
 .\" ============================================================
 .\"
+.SS Restrictions with other CLONE_* flags
+.PP
+Various restrictions apply when specifying
+.BR CLONE_NEWUSER
+in calls to
+.BR clone (2)
+and
+.BR unshare (2).
+The restrictions are as follows:
+.IP * 3
+.BR CLONE_NEWUSER
+cannot be specified in conjunction with
+.BR CLONE_THREAD
+or
+.BR CLONE_PARENT .
+.IP *
+For security reasons,
+.\" commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71
+.\" https://lwn.net/Articles/543273/
+.\" The fix actually went into 3.9 and into 3.8.3. However, user namespaces
+.\" were, for practical purposes, unusable in earlier 3.8.x because of the
+.\" various file systems that didn't support userns.
+.BR CLONE_NEWUSER
+cannot be specified in conjunction with
+.BR CLONE_FS .
+.PP
+The error in each of the above cases is
+.BR EINVAL .
+.\"
+.\" ============================================================
+.\"
 .SS Miscellaneous
 .PP
 When a process's user and group IDs are passed over a UNIX domain socket