From 99fd2fe3b5104f5d4cec21ef8fc254060c3569e1 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Thu, 27 Dec 2012 11:32:14 +0100 Subject: [PATCH] setns.2: Document the PID, user, and mount namespace support Document CLONE_NEWPID, CLONE_NEWUSER, and CLONE_NEWNS flags. Signed-off-by: Eric W. Biederman Signed-off-by: Michael Kerrisk --- man2/setns.2 | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/man2/setns.2 b/man2/setns.2 index 614cc9cbb..24574c30f 100644 --- a/man2/setns.2 +++ b/man2/setns.2 @@ -49,6 +49,18 @@ must refer to an IPC namespace. .I fd must refer to a network namespace. .TP +.BR CLONE_NEWNS +.I fd +must refer to a mount namespace. +.TP +.BR CLONE_NEWPID +.I fd +must refer to a PID namespace. +.TP +.BR CLONE_NEWUSER +.I fd +must refer to a user namespace. +.TP .BR CLONE_NEWUTS .I fd must refer to a UTS namespace. @@ -67,6 +79,25 @@ and wants to ensure that the namespace is of a particular type. .IR fd if the file descriptor was opened by another process and, for example, passed to the caller via a UNIX domain socket.) + +The pid namespace is a little different. Reassociating the calling +thread with a pid namespace only changes the pid namespace that the +child processes will be created in. + +Changing the pid namespace for child processes is only allowed if the +pid namespace specified by +.IR fd +is a child pid namespace of the pid namespace of the current thread. + +A multi-threaded process may not change user namespace with setns. A +process may not reassociate the thread with the current user +namespace. The process reassociating itself with a user namespace +must have CAP_SYS_ADMIN privileges in the target user namespace. + +A process may not be reassociated with a new mount namespace if it is +multi-threaded or it does not possess both CAP_SYS_CHROOT privileges +and CAP_SYS_ADMIN rights over the target mount namespace. + .SH RETURN VALUE On success, .IR setns () 
@@ -98,7 +129,8 @@ for this operation. The .BR setns () system call first appeared in Linux in kernel 3.0; -library support was added to glibc in version 2.14. +library support was added to glibc in version 2.14; +Support for PID, user and mount namespaces first appeard in Linux in kernel 3.8. .SH CONFORMING TO The .BR setns ()
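Review bot: the three new flag entries in the first hunk (`@@ -49,6 +49,18 @@`) give no hint that CLONE_NEWNS, CLONE_NEWPID and CLONE_NEWUSER are rejected on kernels older than 3.8, while the neighbouring CLONE_NEWIPC/CLONE_NEWNET/CLONE_NEWUTS entries have worked since 3.0; a reader who only consults the flag list will get EINVAL on a 3.0 to 3.7 kernel with no explanation. The VERSIONS hunk carries the information, but it belongs next to each flag as well, in the style used for other "since" notes in this project, e.g. `.BR CLONE_NEWNS " (since Linux 3.8)"`, and likewise for the CLONE_NEWPID and CLONE_NEWUSER lines.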
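Review bot: in the second hunk (`@@ -67,6 +79,25 @@`) "is a child pid namespace of the pid namespace of the current thread" is ambiguous: it should say whether only an immediate child qualifies or any descendant does, since that decides whether a nested (grandchild) namespace can be entered. Two smaller points in the same hunk: the new paragraphs write "pid namespace" while the flag list added above writes "PID namespace", and the capability requirements mix "privileges in the target user namespace" with "rights over the target mount namespace"; the mount-namespace sentence should name the user namespace in which CAP_SYS_CHROOT and CAP_SYS_ADMIN are checked, as the user-namespace sentence already does. Since the text says reassociating with a PID namespace "only changes the pid namespace that the child processes will be created in", it is worth stating explicitly that the caller's own PID namespace membership is unchanged. Finally, this hunk introduces several new failure conditions (multi-threaded caller, non-child PID namespace, missing capabilities, rejoining the current user namespace), but no hunk in this patch touches the ERRORS section, so the corresponding error values should be added there in the same change.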
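Review bot: in the third hunk (`@@ -98,7 +129,8 @@`) the added line has a typo, "appeard" should be "appeared", and "Support" after the semicolon should either be lower-case or start a new sentence after a full stop. For consistency with the Subject line, "PID, user and mount namespaces" could also take the serial comma: "PID, user, and mount namespaces".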