Michael Kerrisk
54ead6d395
user_namespaces.7: Describe effect of mappings in the context of file-system operations
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
4332e54d27
user_namespaces.7: wfix + ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
674c23884e
user_namespaces.7: Note some interfaces that return overflowuid and overflowgid
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
0df0f26dcc
user_namespaces.7: srcfix: remove obsolete FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
27a6ff6ee6
user_namespaces.7: Describe handling of UIDs+GIDs when passed across a UNIX domain socket
UIDs and GIDs are mapped to receiver's userns when passed across
a UNIX domain socket
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
01ce1ceaa1
pid_namespaces.7: srcfix: Removed FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
5ba153e7ac
user_namespaces.7: The initial process in a userns has no capabilities outside the userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
d6842bf18d
user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
627e4074b4
user_namespaces.7: Fix description of inheritance of capabilities across nested namespaces
Based on input from Eric Biederman
Calling cap_capable asks: Does the current process have
capability X in userns U?
I see three ways you can have that capability.
1) The current process can be in user namespace U and directly
have capability X.
2) The current process can be in the parent of namespace U and
its euid can be the euid that created user namespace U.
3) You can have the capability X in a user namespace
that is an ancestor of U.
Coming from the direction of your manpage text.
With respect to capabilities, the following rules apply to
nested user namespaces.
1. If a process has a capability in a user namespace, it has that
capability in all descendant user namespaces as well.
2. The user that creates a user namespace while in the parent
namespace has all capabilities in the created namespace
and in all descendant user namespaces.
So having said that, part of my problem with your original
text is that it actually switches directions. In one rule
it is looking into the descendant user namespaces, and in the
other rule it is looking at ancestor user namespaces.
So perhaps the text should read:
With respect to capabilities, the following rules are used to
answer the question: does a process P have a capability C in a
user namespace U?
1. P has the capability C if P is in user namespace U and
capability C is in process P's capability set.
2. P has the capability C if P is in the parent of user
namespace U and the euid of P is the euid that created user
namespace U.
3. P has the capability C if P has the capability C in some
user namespace V that is an ancestor of U.
Which probably gets a little extra mathematical, but it is
precise.
Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
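The three rules quoted in the commit message above are exactly the walk that the kernel's cap_capable() performs: start at the namespace being asked about and climb toward the initial namespace, applying rule 1 or rule 2 at each step. As an added example, not code from the man-pages project or from this commit, the following C program models that walk. The structs, the function has_cap_in(), the sample tree (ns_init, ns1, ns2) and the sample processes are constructed here for illustration; the capability numbers are the ones from <linux/capability.h>, and UIDs are treated as kernel-internal values so that comparisons do not depend on which namespace is looking.

```c
/*
 * Model of the nested user-namespace capability rules (added example; the
 * struct names and the sample tree below are constructed for illustration,
 * they are not kernel code).  Process P has capability C in namespace U if:
 *   1. P is in U and C is in P's effective set;
 *   2. P is in the parent of U and P's euid is the euid that created U;
 *   3. P has C in some ancestor V of U (so re-ask the question in V).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h> (header not included to stay standalone) */
enum { CAP_NET_ADMIN = 12, CAP_SYS_ADMIN = 21 };
#define CAP_BIT(c)  ((uint64_t)1 << (c))
#define CAP_ALL     UINT64_MAX

struct userns {
    const struct userns *parent;  /* NULL only for the initial namespace */
    unsigned owner_euid;          /* kernel-internal euid of the process that created it */
    int level;                    /* depth below the initial namespace (0 at the root) */
};

struct proc {
    const struct userns *ns;      /* namespace the process is a member of */
    unsigned euid;                /* kernel-internal euid (what the host sees, not the in-namespace view) */
    uint64_t cap_effective;       /* capabilities the process holds in ns */
};

/* Does process p hold capability cap in namespace target? */
bool has_cap_in(const struct proc *p, const struct userns *target, int cap)
{
    const struct userns *ns = target;

    for (;;) {
        /* Rule 1: same namespace, so consult P's own effective set */
        if (ns == p->ns)
            return (p->cap_effective & CAP_BIT(cap)) != 0;

        /* P's namespace cannot be an ancestor of ns: P has no capabilities there.
           This is why the initial process of a namespace has nothing in its parent. */
        if (ns->level <= p->ns->level)
            return false;

        /* Rule 2: P lives in the parent of ns and is the user that created ns;
           the creator has every capability in ns regardless of P's own set */
        if (ns->parent == p->ns && ns->owner_euid == p->euid)
            return true;

        /* Rule 3: otherwise ask the same question one level up */
        ns = ns->parent;
    }
}

/* Constructed sample tree: init -> ns1 (created by host uid 1000) -> ns2 (created by the
   initial process of ns1, which is host uid 1000 mapped to 0 inside ns1) */
static const struct userns ns_init = { NULL,     0,    0 };
static const struct userns ns1     = { &ns_init, 1000, 1 };
static const struct userns ns2     = { &ns1,     1000, 2 };

/* Constructed sample processes */
static const struct proc root_init  = { &ns_init, 0,    CAP_ALL };  /* real root on the host */
static const struct proc alice_init = { &ns_init, 1000, 0 };        /* unprivileged creator of ns1 */
static const struct proc bob_init   = { &ns_init, 1001, 0 };        /* unrelated unprivileged user */
static const struct proc p1         = { &ns1,     1000, CAP_ALL };  /* initial process of ns1 */
static const struct proc p2         = { &ns2,     1000, CAP_ALL };  /* initial process of ns2 */

int main(void)
{
    printf("alice (uid 1000, no caps) has CAP_SYS_ADMIN in ns2: %d\n",
           has_cap_in(&alice_init, &ns2, CAP_SYS_ADMIN));
    printf("bob (uid 1001, no caps) has CAP_SYS_ADMIN in ns1:   %d\n",
           has_cap_in(&bob_init, &ns1, CAP_SYS_ADMIN));
    printf("p1 (root of ns1) has CAP_SYS_ADMIN in the initial ns: %d\n",
           has_cap_in(&p1, &ns_init, CAP_SYS_ADMIN));
    return 0;
}
```

The two results worth noticing are that alice, with an empty capability set, holds every capability in ns1 and in ns2 purely by virtue of having created ns1 (rule 2 applied one level up), while p1, which has a full capability set inside ns1, holds nothing in the initial namespace because the walk never reaches its own namespace from there.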
Michael Kerrisk
7ae693d017
user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
03611be8d7
user_namespaces.7: Add some references to other pages
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
6c3db75479
pid_namespaces.7: readlink(2) on /proc/self gives the caller's PID in the pidns of /proc
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
6e377abf9c
pid_namespaces.7: Parent process relationships mirror parent PID namespace relationships
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
7a9ab60197
pid_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
546fb4eefe
pid_namespaces.7: Rewrite discussion of nested PID namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
4085d4cde3
pid_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
963e117faf
pid_namespaces.7: Minor wording fix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
84030779d2
pid_namespaces.7: Reorganize and add some subheadings
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
7e0e902b55
clone.2, getpid.2, credentials.7: Replace reference to namespaces(7) with pid_namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
024d6a8449
namespaces.7: Remove PID namespaces material shifted to pid_namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
a79bacf5f1
pid_namespaces.7: New page splitting PID namespace material out of namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
f58fb24f16
clone.2, seteuid.2, setgid.2, setresuid.2, setreuid.2, setuid.2, unshare.2, capabilities.7, credentials.7: Change reference to namespaces(7) to user_namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
62a5214c57
user_namespaces.7: Reorganize and add some subheadings
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
67d1131fd9
namespaces.7: Remove userns material shifted to user_namespaces(7)
The user namespaces section was getting long and unwieldy.
Split it into its own page, so that it can be better
structured with subtitles, etc.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
046de6a7d7
user_namespaces.7: New page splitting user namespace material out of namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
9552196ecb
namespaces.7: ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
e67b117c39
namespaces.7: Document association between userns and other namespace types
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
16fe718f99
setns.2: wfix
2014-09-13 20:15:59 -07:00
Michael Kerrisk
e57c3979fe
setns.2: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
ec66fbfff5
setns.2: Reorganize text on user namespaces
And add reference to user_namespaces(7).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
5c8d010b84
setns.2, unshare.2: Add reference to pid_namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
5c67baab4f
setns.2: tfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
7fc8e5ece2
setns.2: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
edc3c3b4c0
setns.2: Attempt to rejoin current user namespace gives EINVAL
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
365d292a3c
clone.2, unshare.2, namespaces.7: clone() and unshare() fail (EPERM) if caller's UID/GID are not mapped
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
1d5adb6f9e
namespaces.7: Userns creation associates eff. GID of creator with the userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
5eb7f09d7c
namespaces.7: Move text on capabilities in user namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
7f76dc3079
namespaces.7: tfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
cda377d2bc
namespaces.7: Clarify use of 'single line' case when writing userns map files
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
e2eb61370e
namespaces.7: Note rules regarding capabilities and nested namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
9a80f81d04
namespaces.7: Clarify explanation of nested user namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
6be09bd882
namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
fd4eb520d6
namespaces.7: srcfix: Added FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
aa49742066
namespaces.7: Mapping files are empty when a user namespace is first created
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
b87dd2afb0
namespaces.7: User namespace ID mappings can be defined via any member process's map
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
b2e73e0ce8
namespaces.7: Clarify max # of bytes that can be written to a user namespace map
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
3fe8d14797
namespaces.7: Describe semantics of set-user/group-ID programs in a user namespace
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
e420879421
namespaces.7: Rewrite EPERM rules for writing to user namespace map file
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
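Several of the namespaces.7 entries above (the map files being empty when a namespace is first created, the single-line case when writing a map, the EPERM rules for map writes) describe one procedure that a practitioner runs end to end. As an added example, not code from the man-pages project or any of these commits, the following C program performs it in a forked child so the caller stays in its original namespace: unshare(CLONE_NEWUSER), check that uid_map reads back empty and that the process's own euid is reported as the overflow ID, write a one-line map that makes the creator root inside the namespace, and check that a second write is refused with EPERM. The function userns_map_demo(), its result codes and the helper names are this example's own; it reports MAP_UNAVAILABLE rather than failing when the kernel or sandbox refuses to create a user namespace, and it writes /proc/self/setgroups first because kernels from 3.19 on require that before an unprivileged gid_map write.

```c
/* Added example: create a user namespace and define its ID mapping step by step.
   Function and code names (userns_map_demo, MAP_*) are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h> */
#endif

/* Result codes of userns_map_demo() */
enum { MAP_OK = 0, MAP_UNAVAILABLE = 1, MAP_FAILED = 2 };

/* Write a string with a single write(2), as the map files require; keeps errno from write() */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Read a small file into buf; returns the byte count or -1 */
static ssize_t read_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Runs in the child so that the caller is not moved into the new namespace */
static int child(void)
{
    unsigned outer_uid = geteuid(), outer_gid = getegid();
    char buf[256], line[64];

    /* Unmapped IDs are reported as the overflow ID; read the configured value instead of assuming 65534 */
    if (read_file("/proc/sys/kernel/overflowuid", buf, sizeof buf) <= 0)
        return MAP_FAILED;
    unsigned overflow_uid = (unsigned)strtoul(buf, NULL, 10);

    if (syscall(SYS_unshare, CLONE_NEWUSER) == -1)
        return (errno == EPERM || errno == EACCES || errno == EINVAL ||
                errno == ENOSYS || errno == ENOSPC) ? MAP_UNAVAILABLE : MAP_FAILED;

    /* 1. A new user namespace starts with an empty uid_map, so our own euid is still unmapped */
    if (read_file("/proc/self/uid_map", buf, sizeof buf) != 0)
        return MAP_FAILED;
    if (geteuid() != overflow_uid)
        return MAP_FAILED;

    /* Linux 3.19+ requires setgroups to be denied before an unprivileged gid_map write;
       the file is absent on older kernels, so a failure here is deliberately ignored */
    write_file("/proc/self/setgroups", "deny");

    /* 2. Single-line case: without CAP_SETUID in the parent, a process may map only its
          own euid/egid. "0 <outer id> 1" makes the creator appear as root inside. */
    snprintf(line, sizeof line, "0 %u 1", outer_uid);
    if (write_file("/proc/self/uid_map", line) == -1)
        return MAP_FAILED;
    snprintf(line, sizeof line, "0 %u 1", outer_gid);
    if (write_file("/proc/self/gid_map", line) == -1)
        return MAP_FAILED;

    /* 3. A map may be written only once: any further write fails with EPERM */
    if (write_file("/proc/self/uid_map", line) != -1 || errno != EPERM)
        return MAP_FAILED;

    return (geteuid() == 0 && getegid() == 0) ? MAP_OK : MAP_FAILED;
}

int userns_map_demo(void)
{
    pid_t pid = fork();
    if (pid == -1)
        return MAP_FAILED;
    if (pid == 0)
        _exit(child());
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return MAP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "ok", "user namespaces unavailable", "failed" };
    int r = userns_map_demo();
    printf("userns map demo: %s\n", names[r]);
    return r == MAP_FAILED;
}
```

The two checks that matter for hardening are the ones that fail closed: an unprivileged process can only map its own ID, so the single-line write above cannot grant access to any other host user, and the map becomes immutable after the first write, so a process inside the namespace cannot later extend it to cover additional host IDs.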
Michael Kerrisk
1879c18c63
namespaces.7: spfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
d70ee6ff45
namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00