mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Describe a concrete example of capability checking
Add a concrete example of how the kernel checks capabilities in an associated user namespace when a process attempts a privileged operation.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 06999763ba
commit 7ea1c45ebd
|
@ -252,6 +252,15 @@ privileged operations that operate on global
|
|||
resources isolated by the namespace,
|
||||
the permission checks are performed according to the process's capabilities
|
||||
in the user namespace that the kernel associated with the new namespace.
|
||||
For example, suppose that a process attempts to change the hostname
|
||||
.RB ( sethostname (2)),
|
||||
a resource governed by the UTS namespace.
|
||||
In this case,
|
||||
the kernel will determine which user namespace is associated with
|
||||
the process's UTS namespace, and check whether the process has the
|
||||
required capability
|
||||
.RB ( CAP_SYS_ADMIN )
|
||||
in that user namespace.
|
||||
.\"
|
||||
.\" ============================================================
|
||||
.\"
|
||||
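Review bot: The added example ends at "in that user namespace." without saying how that user namespace can differ from the one the process itself belongs to, which is the distinction a reader needs in order to predict whether the sethostname(2) call succeeds. Consider one more sentence after the CAP_SYS_ADMIN line stating that holding the capability only in the process's own user namespace is not sufficient when the UTS namespace is associated with a different user namespace. It would also help to tie "associated with the process's UTS namespace" back to the wording in the context lines just above ("the user namespace that the kernel associated with the new namespace"), so it is clear both phrases refer to the same association made when the namespace was created.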