mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Document restrictions on CLONE_NEWUSER with other CLONE_* flags
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 1f1d2a8d2b
commit 714e9a7874
|
@ -541,6 +541,37 @@ flag, as described in
|
||||||
.\"
|
.\"
|
||||||
.\" ============================================================
|
.\" ============================================================
|
||||||
.\"
|
.\"
|
||||||
|
.SS Restrictions with other CLONE_* flags
|
||||||
|
.PP
|
||||||
|
Various restrictions apply when specifying
|
||||||
|
.BR CLONE_NEWUSER
|
||||||
|
in calls to
|
||||||
|
.BR clone (2)
|
||||||
|
and
|
||||||
|
.BR unshare (2).
|
||||||
|
The restrictions are as follows:
|
||||||
|
.IP * 3
|
||||||
|
.BR CLONE_NEWUSER
|
||||||
|
cannot be specified in conjunction with
|
||||||
|
.BR CLONE_THREAD
|
||||||
|
or
|
||||||
|
.BR CLONE_PARENT .
|
||||||
|
.IP *
|
||||||
|
For security reasons,
|
||||||
|
.\" commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71
|
||||||
|
.\" https://lwn.net/Articles/543273/
|
||||||
|
.\" The fix actually went into 3.9 and into 3.8.3. However, user namespaces
|
||||||
|
.\" were, for practical purposes, unusable in earlier 3.8.x because of the
|
||||||
|
.\" various file systems that didn't support userns.
|
||||||
|
.BR CLONE_NEWUSER
|
||||||
|
cannot be specified in conjunction with
|
||||||
|
.BR CLONE_FS .
|
||||||
|
.PP
|
||||||
|
The error in each of the above cases is
|
||||||
|
.BR EINVAL .
|
||||||
|
.\"
|
||||||
|
.\" ============================================================
|
||||||
|
.\"
|
||||||
.SS Miscellaneous
|
.SS Miscellaneous
|
||||||
.PP
|
.PP
|
||||||
When a process's user and group IDs are passed over a UNIX domain socket
|
When a process's user and group IDs are passed over a UNIX domain socket
|
||||||
|
|
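Review bot: The introductory sentence of the new subsection applies both bullets to clone(2) and unshare(2) alike, but the flags passed to unshare(2) name attributes to stop sharing, so "CLONE_NEWUSER cannot be specified in conjunction with CLONE_FS" reads the wrong way round for that call, and CLONE_PARENT is not an unshare(2) flag at all. Suggest saying in each bullet which call it applies to. Separately, "For security reasons," gives the reader neither a rationale nor a kernel version: the commit id, the LWN link and the 3.9/3.8.3 note are all inside troff comments and never render, so a short "since Linux 3.9" in the visible text would help. Style: the three lone `.BR CLONE_NEWUSER` requests take a single argument and could be `.B CLONE_NEWUSER`.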