mirror of https://github.com/mkerrisk/man-pages
user_namespaces.7: Add "Restrictions on mount namespaces" section
Light edits by mtk

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 7aba437aa1
commit b10c74ff25
@ -1,5 +1,5 @@
.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\" Copyright (c) 2013, 2014 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012, 2014 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
@ -245,6 +245,65 @@ in the user namespace that the kernel associated with the new namespace.
.\"
.\" ============================================================
.\"
.SS Restrictions on mount namespaces
|
Note the following points with respect to mount namespaces:
.IP * 3
A mount namespace has an owner user namespace.
A mount namespace whose owner user namespace is different from
the owner user namespace of its parent mount namespace is
considered a less privileged mount namespace.
.IP *
When creating a less privileged mount namespace,
shared mounts are reduced to slave mounts.
This ensures that mappings performed in less
privileged mount namespaces will not propagate to more privileged
mount namespaces.
.IP *
.\" FIXME .
.\" What does "come as a single unit from more privileged mount" mean?
Mounts that come as a single unit from more privileged mount are
locked together and may not be separated in a less privileged mount
namespace.
.IP *
The
.BR mount (2)
flags
.BR MS_RDONLY ,
.BR MS_NOSUID ,
.BR MS_NOEXEC ,
and the "atime" flags
.RB ( MS_NOATIME ,
.BR MS_NODIRATIME ,
.BR MS_RELATIME)
settings become locked
.\" commit 9566d6742852c527bf5af38af5cbb878dad75705
.\" Author: Eric W. Biederman <ebiederm@xmission.com>
.\" Date: Mon Jul 28 17:26:07 2014 -0700
.\"
.\" mnt: Correct permission checks in do_remount
.\"
when propagated from a more privileged to
a less privileged mount namespace,
and may not be changed in the less privileged mount namespace.
.IP *
.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree))
A file or directory that is a mount point in one namespace that is not
a mount point in another namespace, may be renamed, unlinked, or removed
.RB ( rmdir (2))
in the mount namespace in which it is not a mount point
(subject to the usual permission checks).
.IP
Previously, attempting to unlink, rename, or remove a file or directory
that was a mount point in another mount namespace would result in the error
.BR EBUSY .
That behavior had technical problems of enforcement (e.g., for NFS)
and permitted denial-of-service attacks against more privileged users.
(i.e., preventing individual files from being updated
by bind mounting on top of them).
.\"
.\" ============================================================
.\"
.SS User and group ID mappings: uid_map and gid_map
When a user namespace is created,
it starts out without a mapping of user IDs (group IDs)
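Review bot: The FIXME asking what "come as a single unit from more privileged mount" means is still in the added text, and the sentence it marks also drops a word: "from more privileged mount" should read "from a more privileged mount namespace". Suggest resolving the FIXME before merge by saying what the unit is, for example: "Mounts that come as a single unit from a more privileged mount namespace are locked together and may not be separated in a less privileged mount namespace (the mounts brought across by unshare(2) CLONE_NEWNS, and a recursive tree propagated between mount namespaces, each form such a unit)." Two smaller points in the same hunk: in the flag list, ".BR MS_RELATIME)" needs a space before the closing parenthesis, ".BR MS_RELATIME )", so that it is set in roman like the opening one produced by ".RB ( MS_NOATIME ,"; and in the last bullet the parenthetical "(i.e., preventing individual files from being updated by bind mounting on top of them)" is cut off as a fragment by the full stop after "more privileged users" and should be attached to that sentence, with the period moved after the closing parenthesis. The ".\" (As of 3.18-rc1 ...)" note exists only as a comment; since the change from EBUSY is what that bullet documents, a visible "since Linux 3.18" once the release is out would help readers.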