user_namespaces.7: Add "Restrictions on mount namespaces" section

Light edits by mtk

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/user_namespaces.7

@@ -1,5 +1,5 @@
-.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
-.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
+.\" Copyright (c) 2013, 2014 by Michael Kerrisk <mtk.manpages@gmail.com>
+.\" and Copyright (c) 2012, 2014 by Eric W. Biederman <ebiederm@xmission.com>
 .\"
 .\" Permission is granted to make and distribute verbatim copies of this
 .\" manual provided the copyright notice and this permission notice are
@@ -245,6 +245,65 @@ in the user namespace that the kernel associated with the new namespace.
 .\"
 .\" ============================================================
 .\"
+.SS Restrictions on mount namespaces
+
+Note the following points with respect to mount namespaces:
+.IP * 3
+A mount namespace has an owner user namespace.
+A mount namespace whose owner user namespace is different from
+the owner user namespace of its parent mount namespace is
+considered a less privileged mount namespace.
+.IP *
+When creating a less privileged mount namespace,
+shared mounts are reduced to slave mounts.
+This ensures that mappings performed in less
+privileged mount namespaces will not propagate to more privileged
+mount namespaces.
+.IP *
+.\" FIXME .
+.\"	What does "come as a single unit from more privileged mount" mean?
+Mounts that come as a single unit from more privileged mount are
+locked together and may not be separated in a less privileged mount
+namespace.
+.IP *
+The
+.BR mount (2)
+flags
+.BR MS_RDONLY ,
+.BR MS_NOSUID ,
+.BR MS_NOEXEC ,
+and the "atime" flags
+.RB ( MS_NOATIME ,
+.BR MS_NODIRATIME ,
+.BR MS_RELATIME)
+settings become locked
+.\" commit 9566d6742852c527bf5af38af5cbb878dad75705
+.\" Author: Eric W. Biederman <ebiederm@xmission.com>
+.\" Date:   Mon Jul 28 17:26:07 2014 -0700
+.\" 
+.\"      mnt: Correct permission checks in do_remount
+.\"
+when propagated from a more privileged to
+a less privileged mount namespace,
+and may not be changed in the less privileged mount namespace.
+.IP *
+.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree))
+A file or directory that is a mount point in one namespace that is not
+a mount point in another namespace, may be renamed, unlinked, or removed
+.RB ( rmdir (2))
+in the mount namespace in which it is not a mount point
+(subject to the usual permission checks).
+.IP
+Previously, attempting to unlink, rename, or remove a file or directory
+that was a mount point in another mount namespace would result in the error
+.BR EBUSY .
+That behavior had technical problems of enforcement (e.g., for NFS)
+and permitted denial-of-service attacks against more privileged users.
+(i.e., preventing individual files from being updated
+by bind mounting on top of them).
+.\"
+.\" ============================================================
+.\"
 .SS User and group ID mappings: uid_map and gid_map
 When a user namespace is created,
 it starts out without a mapping of user IDs (group IDs)