setns.2: Document the PID, user, and mount namespace support

Document CLONE_NEWPID, CLONE_NEWUSER, and CLONE_NEWNS flags.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man2/setns.2

@@ -49,6 +49,18 @@ must refer to an IPC namespace.
 .I fd
 must refer to a network namespace.
 .TP
+.BR CLONE_NEWNS
+.I fd
+must refer to a mount namespace.
+.TP
+.BR CLONE_NEWPID
+.I fd
+must refer to a PID namespace.
+.TP
+.BR CLONE_NEWUSER
+.I fd
+must refer to a user namespace.
+.TP
 .BR CLONE_NEWUTS
 .I fd
 must refer to a UTS namespace.
@@ -67,6 +79,25 @@ and wants to ensure that the namespace is of a particular type.
 .IR fd
 if the file descriptor was opened by another process and, for example,
 passed to the caller via a UNIX domain socket.)
+
+The pid namespace is a little different.  Reassociating the calling
+thread with a pid namespace only changes the pid namespace that the
+child processes will be created in.
+
+Changing the pid namespace for child processes is only allowed if the
+pid namespace specified by
+.IR fd
+is a child pid namespace of the pid namespace of the current thread.
+
+A multi-threaded process may not change user namespace with setns.  A
+process may not reassociate the thread with the current user
+namespace.  The process reassociating itself with a user namespace
+must have CAP_SYS_ADMIN privileges in the target user namespace.
+
+A process may not be reassociated with a new mount namespace if it is
+multi-threaded or it does not possess both CAP_SYS_CHROOT privileges
+and CAP_SYS_ADMIN rights over the target mount namespace.
+
 .SH RETURN VALUE
 On success,
 .IR setns ()
@@ -98,7 +129,8 @@ for this operation.
 The
 .BR setns ()
 system call first appeared in Linux in kernel 3.0;
-library support was added to glibc in version 2.14.
+library support was added to glibc in version 2.14;
+Support for PID, user and mount namespaces first appeard in Linux in kernel 3.8.
 .SH CONFORMING TO
 The
 .BR setns ()