namespaces.7: Document some disallowed cases for CLONE_NEWPID + CLONE_VM

Based on text from Eric Biederman Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-01-14 09:28:37 +01:00 · 2013-01-14 09:28:37 +01:00 · 857c57e70d
parent e7d2eab5d3
commit 857c57e70d
1 changed files with 22 additions and 0 deletions
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@ -387,6 +387,28 @@ then it isn't necessary to change the root directory:
 a new procfs instance can be mounted directly over
 .IR /proc .)

+Every thread in a process must be in the same PID namespace.
+For this reason, the two following call sequences will fail:
+
+.in +4n
+.nf
+    unshare(CLONE_NEWPID);
+    clone(..., CLONE_VM, ...);    /* Fails */
+
+    setns(fd, CLONE_NEWPID);
+    clone(..., CLONE_VM, ...);    /* Fails */
+.fi
+.in
+
+Because the above
+.BR unshare (2)
+and
+.BR setns (2)
+calls only change the PID namespace for created children, the 
+.BR clone (2)
+calls necessarily put the new thread in a different PID namespace from
+the calling thread.
+
 Use of PID namespaces requires a kernel that is configured with the
 .B CONFIG_PID_NS
 option.