mirror of https://github.com/mkerrisk/man-pages
namespaces.7: Document association between userns and other namespace types
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 16fe718f99
commit e67b117c39
@ -555,6 +555,19 @@ namespaces created by the call.
Thus, it is possible for an unprivileged caller to specify this combination
of flags.
When a new IPC, mount, network, PID, or UTS namespace is created via
.BR clone (2)
or
.BR unshare (2),
the kernel records the user namespace of the creating process against
the new namespace.
When a process in the new namespace subsequently performs
privileged operations that operate on global
resources isolated by the namespace,
the permission checks are performed according to the process's capabilities
in the user namespace that the kernel associated with the new namespace.
The following rules apply with respect to the capabilities granted
to a process:
.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
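Review bot: the new sentence "the kernel records the user namespace of the creating process against the new namespace" is imprecise for exactly the case the preceding context describes, where an unprivileged caller combines CLONE_NEWUSER with other CLONE_NEW* flags: in that case the new user namespace is created first and is the one recorded as the owner of the other new namespaces, not the caller's current user namespace. Suggest qualifying the sentence, for example: "the kernel records the user namespace of the creating process (or, if CLONE_NEWUSER was specified in the same call, the newly created user namespace) against the new namespace." This matters for the following paragraph, since it is capabilities in that owning user namespace that are checked for privileged operations on the namespace's resources.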