setns.2, pid_namespaces.7: Elaborate discussion of the PID namespace descendant limitation

The setns(2) man page already mentions that CLONE_NEWPID may only
be used with descendant namespaces, but this nuance could be
listed in a few more places so it is not missed.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man2/setns.2

@@ -55,7 +55,7 @@ must refer to a mount namespace.
 .TP
 .BR CLONE_NEWPID " (since Linux 3.8)"
 .I fd
-must refer to a PID namespace.
+must refer to a descendant PID namespace.
 .TP
 .BR CLONE_NEWUSER " (since Linux 3.8)"
 .I fd
@@ -157,6 +157,11 @@ refers to a namespace whose type does not match that specified in
 There is problem with reassociating
 the thread with the specified namespace.
 .TP
+.\" See kernel/pid_namespace.c::pidns_install() [kernel 3.18 sources]
+.B EINVAL
+The caller tried to join an ancestor (parent, grandparent, etc...)
+pid namespace.
+.TP
 .B EINVAL
 The caller attempted to join the user namespace
 in which it is already a member.

man7/pid_namespaces.7

@@ -188,6 +188,16 @@ PID namespace from the caller of
 Calls to
 .BR getppid (2)
 for such processes return 0.
+
+While processes may freely descend into children PID namespaces
+(e.g. using
+.BR setns (2)
+with
+.BR CLONE_NEWPID ),
+they may not move in the other direction.
+That is to say, processes may not enter any ancestor namespaces
+(parent, grandparent, etc.).
+Changing PID namespaces is a one way operation.
 .\"
 .\" ============================================================
 .\"