LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity
22,909 Commits 1 Branch 197 Tags 93 MiB
Commit Graph

180 Commits

Author SHA1 Message Date
Michael Kerrisk d916d9d073 user_namespaces.7: Rewrote and reorganized various pieces 
Mainly the pieces on capabilities, nested namespaces
and namespace membership.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk c9195dede4 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 3a9ff754df user_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7)) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 96ec9d12e6 user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns 
Nothing special happens for the children of unshare(2).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk c94eb4a68d user_namespaces.7: Add reference to Documentation/namespaces/resource-control.txt 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk cf7d22a535 user_namespaces.7: Further reworking of text on nested namespaces and capabilities 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk c0098e767d user_namespaces.7: Relocate text on capabilities of initial process in userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 20e4a14719 user_namespaces.7: Explain uid_map and gid_map in the initial user namespace 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 3e2a37ec85 user_namespaces.7: Add more detail on unmapped UIDs and GIDs exposed to user space 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 6eda94413b user_namespaces.7: Reorganize various pieces of DESCRIPTION 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 30f3ddd6dd user_namespaces.7: Remove duplicated text on EPERM + mapping required in parent userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 1863e45128 user_namespaces.7: Move a misplaced rule re writing to map files 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 8d36d80cc3 user_namespaces.7: Add an example program 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk df23ae04d6 user_namespaces.7: Linux 3.9 provides a better implementation of nonoverlapping map checks 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk e4f4f2e125 user_namespaces.7: Clarify discussion on privileges of child after clone() by UID 0 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 1b3d5347f5 user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 0f069d0c69 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk d45d012859 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 54ead6d395 user_namespaces.7: Describe effect of mappings in the context of file-system operations 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 4332e54d27 user_namespaces.7: wfix + ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 674c23884e user_namespaces.7: Note some interfaces that return overflowuid and overflowgid 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 0df0f26dcc user_namespaces.7: srcfix: remove obsolete FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 27a6ff6ee6 user_namespaces.7: Describe handling of UIDs+GIDs when passed across a UNIX domain socket 
UIDs and GIDs are mapped to receiver's userns when passed across
a UNIX domain socket

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 5ba153e7ac user_namespaces.7: The initial process in a userns has no capabilities outside the userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk d6842bf18d user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 627e4074b4 user_namespaces.7: Fix description of inheritance of capabilities across nested namespaces 
Based on input from Eric Biederman

    Calling cap_capable asks: Does the current process have
    capability X in userns U.

    I see three ways you can have that capability.

    1) The current process can be in user namespace U and directly
       have capability X.

    2) The current process can be in the parent of namespace U and
       its euid can be the euid that created user namespace U.

    3) You can have be have the capability X in a user namespace
       that is an ancestor of U.

    Coming from the direction of your manpage text.

    With respect to capabilities, the following rules apply to
    nested user namespaces.

    1.  If a process has a capability in a user namespace has that
        capability in all descendant user namespaces as well.

    2.  The user that creates a user namespace while in the parent
        namespace has all capabilities in the created namespace
        and in all descendent user namespaces.

    So having said that part of my problem with your original
    text is that it actually switches directions.  One one rule
    it is looking into the descendent user namespaces, and in the
    other rule it is looking at ancestor user namespaces.

    So perhaps the text should read:

    With respect to capabilities, the following rules are used to
    answer the question does a process P have a capability C in a
    user namespace U.

    1. P has the capability C if P is in user namespace U and
       capability C is in process P's capability set.

    2. P has the capability C if P is in the parent of user
       namespace U and the euid of P is the euid that created user
       namespace U.

    3. P has the capability C if P has the capability C in some
       user namespace V that is an ancestor of U.

    Which probably gets a little extra mathematical, but it is
    precise.

Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 7ae693d017 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 03611be8d7 user_namespaces.7: Add some references to other pages 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 62a5214c57 user_namespaces.7: Reorganize and add some subheadings 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 046de6a7d7 user_namespaces.7: New page splitting user namespace material out of namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00