namespaces.7: Clarify details of sending signals to init from ancestor PID namespaces

After email from Eric Biederman Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-01-23 04:29:52 +01:00 · 2013-01-23 04:29:52 +01:00 · c0004fb480
parent b16d757dfd
commit c0004fb480
1 changed files with 13 additions and 4 deletions
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@ -353,14 +353,23 @@ can be sent to the "init" process by other members of the PID namespace.
 This restriction applies even to privileged processes,
 and prevents other members of the PID namespace from
 accidentally killing the "init" process.
-However, within ancestor namespaces
-the "init" process is treated more like a normal user process:
-any process can\(emsubject to the usual permission checks described in
+
+Likewise, a process in an ancestor namespace
+can\(emsubject to the usual permission checks described in
 .BR kill (2)\(emsend
+signals to the "init" process of a child PID namespace only 
+if the "init" process has established a handler for that signal.
+(Within the handler, the
+.I siginfo_t
+.I si_pid
+field described in
+.BR sigaction (2)
+will be zero.)
 .B SIGKILL
 or
 .B SIGSTOP
-to the "init" process.
+are treated exceptionally:
+these signals are forcibly delivered when sent from an ancestor PID namespace.
 Neither of these signals can be caught by the "init" process,
 and so will result in the usual actions associated with those signals
 (respectively, terminating and stopping the process).