namespaces.7: Note treatment of PID namespace "init" process with respect to signals

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-01-16 01:25:16 +01:00 · 2013-01-16 01:25:16 +01:00 · e17d07c17b
parent 33a3c1b8ec
commit e17d07c17b
1 changed files with 12 additions and 0 deletions
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@ -345,6 +345,18 @@ the kernel terminates all of the processes in the namespace.
 This behavior reflects the fact that the "init" process
 is essential for the correct operation of a PID namespace.

+Only signals for which the "init" process has established a signal handler
+can be sent to the "init" process by other members of the PID namespace.
+This restriction applies even to privileged processes,
+and prevents other members of the PID namespace from
+accidentally killing the "init" process.
+However, within ancestor namespaces
+the "init" process is treated as a normal user process:
+any process can\(emsubject to the usual permission checks described in
+.BR kill (2)\(emsend
+any signal to the "init" process,
+including signals that may result in its termination.
+
 PID namespaces can be nested.
 When a new PID namespace is created,
 the processes in that namespace are visible