namespaces.7: Document association between userns and other namespace types

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2013-02-26 15:27:49 +01:00 · 2013-02-26 15:27:49 +01:00 · e67b117c39
parent 16fe718f99
commit e67b117c39
1 changed files with 13 additions and 0 deletions
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@ -555,6 +555,19 @@ namespaces created by the call.
 Thus, it is possible for an unprivileged caller to specify this combination
 of flags.

+When a new IPC,  mount, network, PID, or UTS namespace is created via
+.BR clone (2)
+or
+.BR unshare (2),
+the kernel records the user namespace of the creating process against
+the new namespace.
+When a process in the new namespace subsequently performs
+privileged operations that operate on global
+resources isolated by the namespace,
+the permission checks are performed according to the process's capabilities
+in the user namespace that the kernel associated with the new namespace.
+
+
 The following rules apply with respect to the capabilities granted
 to a process:
 .\" In the 3.8 sources, see security/commoncap.c::cap_capable():