From b10c74ff2596222e8b353904ae680171282963ac Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Mon, 8 Sep 2014 06:01:40 -0700 Subject: [PATCH] user_namespaces.7: Add "Restrictions on mount namespaces" section Light edits by mtk Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 63 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index fc328ae68..2d6530d60 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -1,5 +1,5 @@ -.\" Copyright (c) 2013 by Michael Kerrisk -.\" and Copyright (c) 2012 by Eric W. Biederman +.\" Copyright (c) 2013, 2014 by Michael Kerrisk +.\" and Copyright (c) 2012, 2014 by Eric W. Biederman .\" .\" Permission is granted to make and distribute verbatim copies of this .\" manual provided the copyright notice and this permission notice are 
@@ -245,6 +245,65 @@ in the user namespace that the kernel associated with the new namespace. .\" .\" ============================================================ .\" +.SS Restrictions on mount namespaces + +Note the following points with respect to mount namespaces: +.IP * 3 +A mount namespace has an owner user namespace. +A mount namespace whose owner user namespace is different from +the owner user namespace of its parent mount namespace is +considered a less privileged mount namespace. +.IP * +When creating a less privileged mount namespace, +shared mounts are reduced to slave mounts. +This ensures that mappings performed in less +privileged mount namespaces will not propagate to more privileged +mount namespaces. +.IP * +.\" FIXME . +.\" What does "come as a single unit from more privileged mount" mean? +Mounts that come as a single unit from more privileged mount are +locked together and may not be separated in a less privileged mount +namespace. +.IP * +The +.BR mount (2) +flags +.BR MS_RDONLY , +.BR MS_NOSUID , +.BR MS_NOEXEC , +and the "atime" flags +.RB ( MS_NOATIME , +.BR MS_NODIRATIME , +.BR MS_RELATIME) +settings become locked +.\" commit 9566d6742852c527bf5af38af5cbb878dad75705 +.\" Author: Eric W. Biederman +.\" Date: Mon Jul 28 17:26:07 2014 -0700 +.\" +.\" mnt: Correct permission checks in do_remount +.\" +when propagated from a more privileged to +a less privileged mount namespace, +and may not be changed in the less privileged mount namespace. +.IP * +.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree)) +A file or directory that is a mount point in one namespace that is not +a mount point in another namespace, may be renamed, unlinked, or removed +.RB ( rmdir (2)) +in the mount namespace in which it is not a mount point +(subject to the usual permission checks). +.IP +Previously, attempting to unlink, rename, or remove a file or directory +that was a mount point in another mount namespace would result in the error +.BR EBUSY . 
+That behavior had technical problems of enforcement (e.g., for NFS) +and permitted denial-of-service attacks against more privileged users. +(i.e., preventing individual files from being updated +by bind mounting on top of them). +.\" +.\" ============================================================ +.\" .SS User and group ID mappings: uid_map and gid_map When a user namespace is created, it starts out without a mapping of user IDs (group IDs)
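Review bot: the "Restrictions on mount namespaces" hunk ships with an unresolved FIXME (".\" What does "come as a single unit from more privileged mount" mean?"), so the third bullet, "Mounts that come as a single unit from more privileged mount are locked together", should be reworded before merging: spell out what "a single unit" refers to and add the missing word "namespace" after "more privileged mount". Two smaller points in the same hunk: in the second bullet, "mappings performed in less privileged mount namespaces will not propagate" appears to mean mount operations rather than ID mappings (this section is about mount propagation, not uid_map/gid_map), so "mounts performed" would be clearer; and in the flags bullet the troff line ".BR MS_RELATIME)" has no space before the closing parenthesis, so the ")" will render in bold, which ".BR MS_RELATIME )" avoids, and "flags ... settings become locked" doubles the noun, so dropping "settings" reads better. Finally, the closing sentence "and permitted denial-of-service attacks against more privileged users. (i.e., preventing individual files from being updated by bind mounting on top of them)." leaves the parenthetical as a fragment; replacing the period before "(i.e." with a comma keeps the example attached to the sentence it explains.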