user_namespaces.7: Describe a concrete example of capability checking

Add a concrete example of how the kernel checks capabilities in an associated user namespace when a process attempts a privileged operation. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 09:49:32 +02:00 · 2016-06-21 09:49:32 +02:00 · 7ea1c45ebd
parent 06999763ba
commit 7ea1c45ebd
1 changed files with 9 additions and 0 deletions
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -252,6 +252,15 @@ privileged operations that operate on global
 resources isolated by the namespace,
 the permission checks are performed according to the process's capabilities
 in the user namespace that the kernel associated with the new namespace.
+For example, suppose that a process attempts to change the hostname
+.RB ( sethostname (2)),
+a resource governed by the UTS namespace.
+In this case,
+the kernel will determine which user namespace is associated with
+the process's UTS namespace, and check whether the process has the
+required capability
+.RB ( CAP_SYS_ADMIN )
+in that user namespace.
 .\"
 .\" ============================================================
 .\"