user_namespaces.7: Clarify some capabilities details

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2013-03-08 16:54:50 +01:00
parent 0666f549da
commit d68c5f1184
1 changed files with 9 additions and 4 deletions

@ -108,7 +108,13 @@ or joins an existing user namespace using
gains a full set of capabilities in that namespace, gains a full set of capabilities in that namespace,
and its securebits flags are cleared. and its securebits flags are cleared.
On the other hand, On the other hand,
that process has no capabilities outside that user namespace, that process has no capabilities in the parent (in the case of
.BR clone (2))
or previous (in the case of
.BR unshare (2)
and
.BR setns (2))
user namespace,
even if the new namespace is created or joined by the root user even if the new namespace is created or joined by the root user
(i.e., a process with user ID 0 in the root namespace). (i.e., a process with user ID 0 in the root namespace).
(Nevertheless, a process owned by the root user (Nevertheless, a process owned by the root user
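Review bot: In the "On the other hand" sentence, replacing "outside that user namespace" with "in the parent ... or previous ... user namespace" narrows the claim, so the page no longer says anything about the process's capabilities in namespaces other than the immediate parent or previous one. If the broader statement still holds, consider keeping it and adding the new detail as an elaboration, for example "has no capabilities outside that user namespace (in particular, none in the parent or previous user namespace)". The two parentheticals naming clone(2), unshare(2) and setns(2) also interrupt the phrase "parent or previous user namespace" and make the sentence hard to parse; moving them after the noun would read more easily.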
@ -133,9 +139,8 @@ or caller (for
.BR unshare (2), .BR unshare (2),
or or
.BR setns (2)). .BR setns (2)).
Note that Note that because the caller no longer has capabilities
because the caller no longer has capabilities in its original user namespace in its original user namespace after a call to
after a call to
.BR setns (2), .BR setns (2),
it is not possible for a process to reset its "securebits" flags while it is not possible for a process to reset its "securebits" flags while
retaining its user namespace membership by using a pair of retaining its user namespace membership by using a pair of
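Review bot: The rewrapped "Note that" sentence still calls the namespace left behind by setns(2) "its original user namespace", while the first hunk of this commit introduces "previous ... user namespace" for the same thing; pick one term and use it in both places so readers do not take them for two different namespaces. Apart from the rewrap, the wording here is unchanged, so the terminology is the only thing worth adjusting in this hunk.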